
Security

Different forms of security protect the data that is used for processing, including access to the account and the data that you hold with your cloud provider.

Permissions for a custom role

To use a Google Cloud service account, define roles with the necessary permissions.
Google Cloud Storage provides predefined roles and permissions. For more information about IAM permissions and roles, see the Google Cloud documentation. You can also create a custom role and assign permissions to it.

Service account permissions for a Secure Agent

The following table lists the minimum required permissions for a Secure Agent role linked to a Google Cloud service account:

Operations:
  • Create an external static IP address
  • Delete or release an IP address
Permissions:
  compute.addresses.create
  compute.addresses.delete
  compute.addresses.get
  compute.addresses.list
  compute.addresses.use

Operations:
  • Create a target pool
  • Get details for a target pool
  • Delete a target pool
Permissions:
  compute.targetPools.addInstance
  compute.targetPools.create
  compute.targetPools.delete
  compute.targetPools.get
  compute.targetPools.list
  compute.targetPools.removeInstance
  compute.targetPools.update
  compute.targetPools.use

Operations:
  • Create a forwarding rule
  • Get details for a forwarding rule
  • Delete a forwarding rule
Permissions:
  compute.forwardingRules.create
  compute.forwardingRules.delete
  compute.forwardingRules.get
  compute.forwardingRules.list
  compute.forwardingRules.setTarget
  compute.forwardingRules.update

Operations:
  • Create an instance template
  • Get details for an instance template
  • Delete an instance template
  • Add a disk to an instance
Permissions:
  compute.instanceTemplates.create
  compute.instanceTemplates.delete
  compute.instanceTemplates.get
  compute.instanceTemplates.list
  compute.instanceTemplates.useReadOnly
  compute.disks.create
  compute.disks.delete
  compute.disks.get
  compute.disks.list
  compute.disks.resize
  compute.disks.setLabels
  compute.disks.update
  compute.disks.use

Operations:
  • Create a regional and zonal instance group
  • Get details or a description of regional instance groups
  • Delete a regional instance group
Permissions:
  compute.addresses.create
  compute.addresses.delete
  compute.addresses.get
  compute.addresses.list
  compute.addresses.use
  compute.instanceGroupManagers.create
  compute.instanceGroupManagers.delete
  compute.instanceGroupManagers.get
  compute.instanceGroupManagers.list
  compute.instanceGroupManagers.update
  compute.instanceGroupManagers.use
  compute.instanceGroups.create
  compute.instanceGroups.delete
  compute.instanceGroups.get
  compute.instanceGroups.list
  compute.instanceGroups.update
  compute.instanceGroups.use
  compute.instances.addAccessConfig
  compute.instances.attachDisk
  compute.instances.create
  compute.instances.delete
  compute.instances.deleteAccessConfig
  compute.instances.detachDisk
  compute.instances.get
  compute.instances.getEffectiveFirewalls
  compute.instances.list
  compute.instances.osAdminLogin
  compute.instances.osLogin
  compute.instances.reset
  compute.instances.resume
  compute.instances.setDiskAutoDelete
  compute.instances.setLabels
  compute.instances.setMachineResources
  compute.instances.setMachineType
  compute.instances.setMetadata
  compute.instances.setMinCpuPlatform
  compute.instances.setServiceAccount
  compute.instances.setTags
  compute.instances.start
  compute.instances.startWithEncryptionKey
  compute.instances.stop
  compute.instances.suspend
  compute.instances.update
  compute.instances.updateAccessConfig
  compute.instances.updateNetworkInterface
  compute.instances.updateSecurity
  compute.instances.use
  compute.subnetworks.use
  compute.subnetworks.useExternalIp
  compute.subnetworks.get

Operations:
  • Delete, upload, and list Google Cloud Storage metadata and logs
Permissions:
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.list
  storage.objects.update
  storage.buckets.get

Operations:
  • Create, use, and delete a resource within a VPC and subnet
Permissions:
  compute.subnetworks.get
  compute.subnetworks.use
  compute.subnetworks.useExternalIp

Operations:
  • Work with a project
Permissions:
  resourcemanager.projects.get

Operations:
  • Use a service account
Permissions:
  iam.serviceAccounts.actAs

To create a private cluster, the Secure Agent role needs the following additional permissions:

Operations:
  • Create, use, and delete an internal IP address
Permissions:
  compute.addresses.createInternal
  compute.addresses.deleteInternal
  compute.addresses.useInternal

Operations:
  • Create, use, and delete a regional backend service
Permissions:
  compute.regionBackendServices.create
  compute.regionBackendServices.delete
  compute.regionBackendServices.get
  compute.regionBackendServices.list
  compute.regionBackendServices.update
  compute.regionBackendServices.use

Operations:
  • Create, use, and delete a regional health check
Permissions:
  compute.regionHealthChecks.create
  compute.regionHealthChecks.delete
  compute.regionHealthChecks.get
  compute.regionHealthChecks.list
  compute.regionHealthChecks.update
  compute.regionHealthChecks.use
  compute.regionHealthChecks.useReadOnly

To allow the Secure Agent to create a VPC network and subnets, the Secure Agent role needs the following additional permissions:

Operations:
  • Create, use, and delete a VPC network
Permissions:
  compute.networks.access
  compute.networks.create
  compute.networks.delete
  compute.networks.get
  compute.networks.list
  compute.networks.use

Operations:
  • Create, use, and delete a subnetwork
Permissions:
  compute.subnetworks.create
  compute.subnetworks.delete
  compute.subnetworks.get
  compute.subnetworks.list
  compute.subnetworks.update
  compute.subnetworks.use
  compute.subnetworks.useExternalIp

Operations:
  • Create, use, and delete a Cloud Router
Permissions:
  compute.routers.create
  compute.routers.delete
  compute.routers.get
  compute.routers.list
  compute.routers.use

Operations:
  • Create, use, and delete a firewall rule
  • Add a firewall rule to a VPC network
Permissions:
  compute.firewalls.create
  compute.firewalls.delete
  compute.firewalls.get
  compute.firewalls.list
  compute.firewalls.update
  compute.networks.updatePolicy
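As an added example (not Informatica's or Google's code), the two add-on permission tables above composed with a caller-supplied base set, written out in the YAML format that `gcloud iam roles create --file` reads, and compared against a deployed role to flag both missing and surplus permissions. The deployed role used in testing is a constructed sample; the permission names are the page's.

```python
"""Added example (not Informatica's or Google's code): compose the Secure Agent custom
role from this page's add-on tables, emit the YAML that `gcloud iam roles create` reads,
and audit a deployed role against the minimum. The base table's set is passed in by the caller."""
from typing import Dict, Iterable, Set

# Additional permissions for a private cluster (this page's second table).
PRIVATE_CLUSTER = set("""
compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.useInternal
compute.regionBackendServices.create compute.regionBackendServices.delete
compute.regionBackendServices.get compute.regionBackendServices.list
compute.regionBackendServices.update compute.regionBackendServices.use
compute.regionHealthChecks.create compute.regionHealthChecks.delete
compute.regionHealthChecks.get compute.regionHealthChecks.list
compute.regionHealthChecks.update compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
""".split())

# Additional permissions when the agent creates the VPC network and subnets (third table).
VPC_CREATION = set("""
compute.networks.access compute.networks.create compute.networks.delete
compute.networks.get compute.networks.list compute.networks.use compute.networks.updatePolicy
compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get
compute.subnetworks.list compute.subnetworks.update compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.routers.create compute.routers.delete compute.routers.get
compute.routers.list compute.routers.use
compute.firewalls.create compute.firewalls.delete compute.firewalls.get
compute.firewalls.list compute.firewalls.update
""".split())

def required_for(base: Iterable[str], private_cluster: bool, create_vpc: bool) -> Set[str]:
    """Minimum set: the base table's permissions plus each enabled add-on table."""
    return (set(base) | (PRIVATE_CLUSTER if private_cluster else set())
            | (VPC_CREATION if create_vpc else set()))

def audit(granted: Iterable[str], required: Set[str]) -> Dict[str, Set[str]]:
    """Least-privilege check: permissions the role lacks, and those it grants beyond the minimum."""
    granted = set(granted)
    return {"missing": required - granted, "surplus": granted - required}

def role_file(role_id: str, permissions: Iterable[str]) -> str:
    """YAML body for `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml`."""
    lines = [f"title: {role_id}", "description: Secure Agent minimum permissions",
             "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"
```

Run `audit()` periodically against the role as actually deployed (for example, the `includedPermissions` returned by `gcloud iam roles describe`) so that a role widened during troubleshooting does not stay wider than the tables require.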

Service account permissions for a master and worker node

By default, master and worker nodes use the Secure Agent service account.
The following table lists the permissions for a master or worker role in elastic configurations linked to a Google Cloud service account:

Master service account
Reason: Add permissions so that cluster auto-scaling can scale the instance group for worker nodes up or down.
Permissions:
  compute.regions.get
  compute.instanceGroups.list
  compute.instanceGroups.update
  compute.instanceGroups.use
  compute.instanceGroups.get

Worker service account
Reason: If you use an initialization script, add permissions for the following operations:
  • Upload initialization script notifications to the staging location
  • Upload logs to the log location
Permissions:
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.list
  storage.objects.update

A Google Cloud service account is always linked to a Google Cloud project. Make sure that you use only one set of credentials for both the source and target when you run an elastic job.

Data encryption

Encryption protects the data that is used to process elastic jobs. You can use encryption to protect data at rest, temporary data, and data in transit.
Encryption is available for the following types of data:
Data at rest
By default, Google Cloud Storage encrypts staging data and log files. For more information, refer to the Google Cloud documentation.
For information about encrypting source and target data, see the help for the appropriate connector in the Data Integration help.
Temporary data
Temporary data includes cache data and shuffle data that the Spark engine generates on cluster nodes.
To encrypt temporary data, enable encryption in the elastic configuration. If you enable encryption, temporary data is encrypted using the HMAC-SHA1 algorithm by default. To use a different algorithm, contact Informatica Global Customer Support.
Data in transit
By default, Google Cloud Storage uses the Transport Layer Security (TLS) protocol to encrypt data in transit to and from Google Cloud Storage, including staging data and log files.