I want to create a custom role with only the required permissions, and I don't want to use wild roles like Connectors.admin or SQL admin for the following connectors: Pub/Sub, Cloud SQL, and Cloud Storage.
What is the list of ONLY the actually needed permissions, not the generic full list mentioned in the documentation?
https://cloud.google.com/integration-connectors/docs/connectors/cloudstorage/configure
https://cloud.google.com/integration-connectors/docs/connectors/cloudsqlforsqlserver/configure
https://cloud.google.com/integration-connectors/docs/connectors/pubsub/configure
Hello @dareenhamdy
You can create a custom role: https://cloud.google.com/integration-connectors/docs/connectors-access-permissions#iam-roles-for-int...
You can learn more in this excellent article from my colleague @kurtkanaskie. It is for Apigee but can apply to Application Integration.
Best.
Thank you for referencing that, but it still does not list the specific permissions.
That's not my part; the DevOps team would like a specific roles list.
Hello @dareenhamdy
Could you please provide clarity on which specific entities or actions you intend to use for these connectors: Pub/Sub, Cloud SQL, and Cloud Storage?
Hi @dareenhamdy. Please follow the information below and let us know how it goes.
1] For the Pub/Sub connector, no specific role needs to be assigned explicitly. However, the permission pubsub.topics.publish is required to allow the connector to publish messages to the designated topic.
2] For the Cloud SQL – SQL Server connector, the permissions cloudsql.instances.connect and cloudsql.instances.get are essential. These enable the connector to establish a connection to the Cloud SQL instance and retrieve necessary instance metadata. With these permissions in place, the connector can execute custom queries and perform CRUD (Create, Read, Update, Delete) operations on the database.
3] In the case of the Cloud Storage connector, the following permissions are necessary: storage.buckets.list, storage.objects.get, storage.objects.create, storage.objects.delete. These permissions support various actions such as DownloadObject, UploadObject, CopyObject, MoveObject, DeleteObject, SignURL and entities (with CRUD) such as Bucket and Object.
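The answer above gives a permission list per connector but not the role definitions. The script below is an added example, not code from the thread or from Google: it writes one least-privilege custom role YAML per connector (one role each, rather than a single combined role, so each connection's service account gets only its own permissions), using exactly the permissions listed above, and only when `APPLY=1` creates the roles with `gcloud iam roles create --file` and binds them to the connection's service account. `PROJECT_ID`, `SERVICE_ACCOUNT`, the role IDs and `OUT_DIR` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build per-connector custom IAM roles
# from the permission lists in the answer above.
# PROJECT_ID / SERVICE_ACCOUNT / role IDs below are placeholders.

PROJECT_ID="${PROJECT_ID:-my-project}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-connector-sa@my-project.iam.gserviceaccount.com}"
OUT_DIR="${OUT_DIR:-./roles}"

# write_role_file ROLE_ID TITLE "perm1 perm2 ..." -> writes $OUT_DIR/ROLE_ID.yaml
# in the format accepted by `gcloud iam roles create --file`.
write_role_file() {
  role_id="$1"; title="$2"; perms="$3"
  mkdir -p "$OUT_DIR"
  file="$OUT_DIR/$role_id.yaml"
  {
    echo "title: \"$title\""
    echo "description: \"Least-privilege role for the Integration Connectors $title connection\""
    echo "stage: GA"
    echo "includedPermissions:"
    for p in $perms; do
      echo "- $p"
    done
  } > "$file"
  echo "$file"
}

# role_permissions ROLE_ID -> prints the permissions recorded in the YAML, one per line.
# Useful for a review step: diff this against the connector documentation.
role_permissions() {
  sed -n 's/^- //p' "$OUT_DIR/$1.yaml"
}

# Permission sets exactly as listed in the answer above.
PUBSUB_PERMS="pubsub.topics.publish"
CLOUDSQL_PERMS="cloudsql.instances.connect cloudsql.instances.get"
GCS_PERMS="storage.buckets.list storage.objects.get storage.objects.create storage.objects.delete"

write_role_file connectorPubSub   "Connector Pub/Sub"       "$PUBSUB_PERMS"
write_role_file connectorCloudSql "Connector Cloud SQL"     "$CLOUDSQL_PERMS"
write_role_file connectorStorage  "Connector Cloud Storage" "$GCS_PERMS"

# apply_role ROLE_ID: create the custom role from its YAML and grant it to the
# connection's service account at project level.
apply_role() {
  role_id="$1"
  gcloud iam roles create "$role_id" --project="$PROJECT_ID" --file="$OUT_DIR/$role_id.yaml"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SERVICE_ACCOUNT" \
    --role="projects/$PROJECT_ID/roles/$role_id"
}

# Only touch the project when explicitly asked, so the script is safe to run
# just to generate and review the YAML files.
if [ "${APPLY:-0}" = "1" ]; then
  for r in connectorPubSub connectorCloudSql connectorStorage; do
    apply_role "$r"
  done
fi
```

Run it once without `APPLY` to inspect the generated YAML, then `APPLY=1 PROJECT_ID=... SERVICE_ACCOUNT=... sh roles.sh` to create and bind the roles. For Cloud Storage, the `storage.*` permissions above are project-level; if the connection only ever touches one bucket, the same role can instead be bound on that bucket with `gcloud storage buckets add-iam-policy-binding`, which narrows the grant further. The Cloud SQL connector still needs database credentials in addition to these IAM permissions, as the documentation linked in the question describes.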