I have multiple Memorystore clusters in my GCP project. I can define Memorystore roles/permissions only at the project level, not at the instance/cluster level. However, I still want to limit access for individual Memorystore clusters to a set of service accounts. Can I set up each Memorystore cluster in its own VPC and limit the VPC access to just the service accounts I want to access the Memorystore?
Any suggestions/recommendations on how I can limit Memorystore access?
Thanks in advance
I ended up using a conditional role binding, which can be used to grant access to principals for resources whose resource names match a prefix.
For the principal that needs to access a particular Memorystore cluster I created an IAM conditional policy with:
Condition type: Name
Operator: is (full match)
Value: projects/{PROJECT_ID}/locations/{REGION}/clusters/{MEMORYSTORE_NAME}
You can have a principal access multiple clusters by using an OR operator.
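For anyone who wants to do the same thing from the command line instead of the console, the "Name / is (full match)" condition above is the CEL expression `resource.name == "projects/…/locations/…/clusters/…"`, and multiple clusters are joined with `||`. The script below is an added example, not code from the original post: it builds that expression for one or more clusters and prints (rather than runs) the matching `gcloud projects add-iam-policy-binding` command. The project id, region, cluster names, service account and `roles/redis.editor` role are placeholders/assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the IAM condition that
# matches the console's "Name / is (full match)" setting and prints the gcloud
# command that would create the conditional binding. Nothing here calls gcloud,
# so it runs offline; copy the printed command to apply it.

# build_condition PROJECT_ID REGION CLUSTER [CLUSTER...]
# Emits: resource.name == "projects/P/locations/R/clusters/C1" || resource.name == "..."
build_condition() {
  project="$1"
  region="$2"
  shift 2
  expr=""
  for name in "$@"; do
    # Join additional clusters with the CEL OR operator.
    if [ -n "$expr" ]; then
      expr="$expr || "
    fi
    expr="${expr}resource.name == \"projects/${project}/locations/${region}/clusters/${name}\""
  done
  printf '%s' "$expr"
}

# print_binding_cmd PROJECT_ID MEMBER ROLE TITLE CONDITION_EXPR
# Prints the gcloud invocation; --condition takes expression=,title=,description=.
print_binding_cmd() {
  project="$1"
  member="$2"
  role="$3"
  title="$4"
  cond="$5"
  printf 'gcloud projects add-iam-policy-binding %s \\\n' "$project"
  printf '  --member=%s \\\n' "$member"
  printf '  --role=%s \\\n' "$role"
  printf '  --condition=expression=%s,title=%s,description=%s\n' \
    "'$cond'" "'$title'" "'Scoped to named Memorystore clusters only'"
}

# Constructed placeholder values; replace with real ones before applying.
PROJECT_ID="my-project"                                   # placeholder
REGION="us-central1"                                      # placeholder
MEMBER="serviceAccount:app-a@my-project.iam.gserviceaccount.com"  # placeholder
ROLE="roles/redis.editor"                                 # assumption: Memorystore predefined role

# Grant app-a access to two clusters and no others in the project.
COND="$(build_condition "$PROJECT_ID" "$REGION" cluster-a cluster-b)"
print_binding_cmd "$PROJECT_ID" "$MEMBER" "$ROLE" "app-a-clusters" "$COND"
```

Two things worth checking after applying such a binding: the condition is evaluated against the resource name of the object the permission is checked on, so a project-level permission such as listing clusters (checked on the project, not on a cluster) will not be granted by this binding and needs a separate unconditional viewer grant if the principal requires it; and because IAM here governs the control plane (create/describe/delete), network reachability to the cluster endpoint is still controlled by VPC, firewall and, where enabled, AUTH settings, so the conditional binding complements rather than replaces those.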