Tags: google-cloud-platform, redis-cluster, google-cloud-memorystore

What is the recommended way to limit access for GCP MemoryStore instance/cluster


I have multiple memorystore clusters in my GCP project. I can define memorystore roles/permissions only at the project level, not at the instance/cluster level. However, I still want to limit access for individual memorystore clusters to a set of service accounts. Can I set up each memorystore in its own VPC and limit the VPC access to just the service accounts I want to access the memory store?

Any suggestions/recommendations on how I can limit memorystore access?

Thanks in advance


Solution

  • I ended up using a conditional role binding, which can be used to grant access to principals for resources whose resource names match a prefix.

    For the principals that need to access a particular Memorystore cluster I created an IAM conditional policy with:

    Condition type: Name
    Operator: is (full match)
    Value: projects/{PROJECT_ID}/locations/{REGION}/clusters/{MEMORYSTORE_NAME}
    

    You can let a principal access multiple clusters by using an OR operator.
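The same conditional binding as an IAM policy document (for `gcloud projects set-iam-policy`), written here as an added example rather than taken from the answer: the console's "Name" / "is (full match)" condition becomes the CEL expression `resource.name == "..."`, OR-ed with `||` for several clusters. The project, region, cluster and service-account names are constructed, `roles/redis.viewer` is an assumed role choice, and `binding_grants` is a simplified matcher for these equality expressions only, not a real IAM evaluator.

```python
# Constructed sample values; not from the question or answer above.
PROJECT_ID = "example-project"
REGION = "us-central1"
SA_APP_A = f"serviceAccount:app-a@{PROJECT_ID}.iam.gserviceaccount.com"
ROLE = "roles/redis.viewer"  # assumed: pick the narrowest role your clients need


def cluster_resource_name(project_id, region, cluster_name):
    """Full resource name in the projects/.../locations/.../clusters/... format."""
    return f"projects/{project_id}/locations/{region}/clusters/{cluster_name}"


def name_condition(resource_names):
    """CEL equivalent of console 'Name' / 'is (full match)', OR-ed across clusters."""
    return " || ".join(f'resource.name == "{name}"' for name in resource_names)


def conditional_binding(member, role, resource_names, title):
    """One IAM policy binding restricted to the given clusters by a condition."""
    return {
        "role": role,
        "members": [member],
        "condition": {"title": title, "expression": name_condition(resource_names)},
    }


def binding_grants(binding, member, resource_name):
    """Simplified matcher for the equality/OR expressions built here (not full CEL):
    does this binding grant `member` on `resource_name`?"""
    if member not in binding["members"]:
        return False
    condition = binding.get("condition")
    if condition is None:
        return True  # an unconditional binding applies project-wide
    allowed = [part.strip().split('"')[1] for part in condition["expression"].split("||")]
    return resource_name in allowed


# app-a may read cache-a and cache-b only; cache-c stays out of reach.
APP_A_BINDING = conditional_binding(
    SA_APP_A,
    ROLE,
    [cluster_resource_name(PROJECT_ID, REGION, c) for c in ("cache-a", "cache-b")],
    "app-a-clusters",
)

# Conditional bindings require IAM policy version 3; merge this into the current
# policy before applying it with `gcloud projects set-iam-policy PROJECT_ID policy.json`.
EXAMPLE_POLICY = {"version": 3, "bindings": [APP_A_BINDING]}
```

A binding without a condition still grants the role on every cluster in the project, so audit existing project-level bindings for the same role when you add conditional ones.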