Assign Roles to the Google Service Account and Provide Access for GCP Resources

To use Google Cloud Platform (GCP) resources from an Autonomous Database instance, you or a Google Cloud Administrator must assign roles and privileges to the Google service account that your application accesses. In addition to assigning roles to the Google service account, a Google Cloud administrator must add Google IAM principals on each GCP resource you want to use.

As a prerequisite, first enable the Google service account on your Autonomous Database instance. See Enable Google Service Account and Find the GCP Service Account Name for more information.

  1. Open the Google Cloud Console for your account.
  2. Create roles with the specified permissions.
    1. From the navigation menu, select IAM & Admin.
    2. From the IAM & Admin navigator, select Roles.
    3. On the Roles page, click More Actions and select + CREATE ROLE.

    For example, you can create a role Object Store Read and Write to control the use of an Object Store bucket.

    (Illustration: gcp_iam_roles_create.png)
  3. On the Create Role page, click + ADD PERMISSIONS.
    1. Select filters to limit the list of permissions.

      For example, enter the filter Permission: Storage.Objects to show only the Object Store permissions.

      (Illustration: gcp_iam_roles_add_permissions.png)
    2. On the Add permissions dialog, click ADD.
  4. On the Create Role page, click CREATE.
  5. Add roles and principals for the resource you want to access.

    For example, if you want to access Google Cloud Storage using the role you just created, Object Store Read Write:

    1. From the navigator, select Cloud Storage and select Buckets.
    2. Select the bucket you want to use, and click PERMISSIONS.
    3. Click + ADD PRINCIPAL.
  6. On the Grant access to "bucketname" dialog, add roles and principals for the selected resource.
    1. Under Add principals, add the value of the gcp_service_account parameter from your Autonomous Database instance.
    2. On the Grant access to "bucketname" dialog, enter roles under Assign Roles and then click SAVE.

After you complete these steps, the roles and principals are assigned. This allows your application running on the Autonomous Database instance to access the GCP resource with the Google service account.
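To confirm that the binding you just created follows the least-privilege intent of the custom role, the following added example (not part of Oracle's or Google's documentation) audits the bucket IAM policy and the custom role definition. It assumes JSON in the shape produced by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and `gcloud iam roles describe ROLE --project=PROJECT --format=json`; the service account name, project, and policy contents are constructed placeholders.

```python
import json

# Constructed placeholder for the value of the gcp_service_account parameter.
SA_MEMBER = "serviceAccount:adb-example@example-project.iam.gserviceaccount.com"
# Constructed placeholder for the custom role created in the console.
CUSTOM_ROLE = "projects/example-project/roles/ObjectStoreReadWrite"

# Predefined roles that grant far more than object read/write on one bucket.
OVERBROAD_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin",
                   "roles/storage.objectAdmin"}

# Constructed sample in the shape of `gcloud iam roles describe --format=json`.
# It deliberately carries one bucket-level permission that does not belong.
SAMPLE_ROLE = json.dumps({
    "name": CUSTOM_ROLE,
    "title": "Object Store Read and Write",
    "includedPermissions": ["storage.objects.get", "storage.objects.list",
                            "storage.objects.create", "storage.buckets.delete"],
})

# Constructed sample in the shape of `gcloud storage buckets get-iam-policy`.
# The service account has the custom role but is also bound to storage.admin.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:admin@example.com", SA_MEMBER]},
        {"role": CUSTOM_ROLE, "members": [SA_MEMBER]},
    ]
})


def role_permissions_outside(role_json, allowed_prefix="storage.objects."):
    """Permissions in the custom role that are not object-level (should be empty)."""
    role = json.loads(role_json)
    return sorted(p for p in role.get("includedPermissions", [])
                  if not p.startswith(allowed_prefix))


def member_roles(policy_json, member):
    """Every role the given principal holds in the bucket policy."""
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def audit(policy_json, role_json, member, custom_role):
    """Summarize whether the binding matches the least-privilege intent."""
    roles = member_roles(policy_json, member)
    return {"has_custom_role": custom_role in roles,
            "overbroad_roles": sorted(set(roles) & OVERBROAD_ROLES),
            "non_object_permissions": role_permissions_outside(role_json)}
```

Run `audit(SAMPLE_POLICY, SAMPLE_ROLE, SA_MEMBER, CUSTOM_ROLE)` against the real JSON from the two gcloud commands; a clean result has an empty `overbroad_roles` list and an empty `non_object_permissions` list.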