Google Cloud Permissions
When Retail Cloud Connect is set up for the first time, the merchant grants the application access to one or more Google Cloud projects while configuring the cloud connection.
This FAQ page explains what permissions Retail Cloud Connect uses and why it uses them.
Additional Questions
Contact Nimstrata for additional security-related questions.
Service Account
When an organization creates a Retail Cloud Connect retailer, a unique Service Account is provisioned in Nimstrata's Google Cloud organization so the merchant does not need to manage additional keys or credentials.
Service Accounts enable computers to talk to each other securely without sharing user passwords. Because Nimstrata owns and controls this Service Account, it can only access the Google Cloud environment after the merchant grants permission. This gives the merchant full control over data and environment access, and makes it easy to remove Retail Cloud Connect access if the merchant decides to use a different solution.
The full Service Account email address is available in the Retail Cloud Connect dashboard and will look similar to this:
Required Permissions
Retail Cloud Connect requires several permissions to administer the Google Cloud retail catalog project. These permissions are included in two roles. A Google Cloud IAM role is a set of one or more permissions.
Retail Cloud Connect™ Custom Role
First, Retail Cloud Connect setup guides the merchant through creating a Custom Role in Google Cloud. This grants Retail Cloud Connect permission to view the project that contains the retail catalog:
gcloud iam roles create retail_cloud_connect \
  --project="your-catalog" \
  --title="Permissions for Retail Cloud Connect via Shopify" \
  --description="Allows Retail Cloud Connect to manage Google Cloud Retail API" \
  --permissions=resourcemanager.projects.get,serviceusage.services.list
gcloud projects add-iam-policy-binding your-catalog \
  --member=serviceAccount:your-sa@rc-sa-prod-00001.iam.gserviceaccount.com \
  --role=projects/your-catalog/roles/retail_cloud_connect
Nimstrata follows a data security best practice known as the principle of least privilege by using a Custom Role to avoid unnecessary privileges in the merchant environment.
Retail Admin Role
The Retail Admin role contains permissions that allow Retail Cloud Connect to fully manage catalog data. Merchants can grant the Retail Editor role instead to limit access, but Retail Cloud Connect will not be able to purge catalogs, which may be necessary when troubleshooting or performing imports with new schemas.
gcloud projects add-iam-policy-binding your-catalog \
  --member=serviceAccount:your-sa@rc-sa-prod-00001.iam.gserviceaccount.com \
  --role=roles/retail.admin
Google Cloud Project
Nimstrata recommends using a single-purpose Google Cloud project for retail catalog data. This allows tightly scoped access for Retail Cloud Connect and removes cross-configuration risk around other resources inside Google Cloud.
For example, an existing Google Cloud project may also contain Google Analytics data in BigQuery or virtual machines running an ERP. Other administrators inside the company could accidentally alter or delete retail catalog data in that shared project.
For merchants new to Google Cloud, this may not be an immediate concern. It becomes more important as Google Cloud usage scales. Nimstrata is a certified Google Cloud Services partner and offers environment security reviews to help organize Google Cloud projects around best practices.
Removing Permissions
Remove permissions with caution, and only with a contingency plan in place!
If Retail Cloud Connect permissions are removed, Retail Cloud Connect will no longer be able to update the catalog or serve search results or recommendations on the storefront.
To remove Retail Cloud Connect access to a Google Cloud project:
- Visit the Google Cloud IAM page for the retail catalog project
- Click the Service Account edit (pencil) icon
- Remove the two roles with the delete (trashcan) icon
- Click the Save button
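One way to check the result of the grant commands in Required Permissions and of the removal steps above, as an added example (not Nimstrata's or Google's code): list the roles the Service Account actually holds on the project and compare them with the expected set. The function names are hypothetical, and `PROJECT` and `SA` reuse the page's placeholder values.

```shell
#!/bin/sh
# Added example. PROJECT and SA are the page's placeholder values;
# substitute the real project ID and the Service Account email shown
# in the Retail Cloud Connect dashboard.
PROJECT="your-catalog"
SA="your-sa@rc-sa-prod-00001.iam.gserviceaccount.com"

# Print every role bound to the Service Account on the project, one per line.
list_sa_roles() {
  gcloud projects get-iam-policy "$PROJECT" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA" \
    --format="value(bindings.role)"
}

# Compare role names read from stdin with the roles given as arguments.
# Prints "EXTRA <role>" for a binding that is not expected and
# "MISSING <role>" for an expected one that is absent.
# Returns 0 only when both sets match exactly. With no arguments the
# expected set is empty, which is the state after access is removed.
audit_roles() {
  ar_have=$(sort -u)
  ar_want=$(printf '%s\n' "$@" | sort -u)
  ar_rc=0
  while IFS= read -r ar_role; do
    [ -n "$ar_role" ] || continue
    printf '%s\n' "$ar_want" | grep -Fxq -- "$ar_role" ||
      { echo "EXTRA $ar_role"; ar_rc=1; }
  done <<EOF
$ar_have
EOF
  while IFS= read -r ar_role; do
    [ -n "$ar_role" ] || continue
    printf '%s\n' "$ar_have" | grep -Fxq -- "$ar_role" ||
      { echo "MISSING $ar_role"; ar_rc=1; }
  done <<EOF
$ar_want
EOF
  return "$ar_rc"
}

# After setup:
#   list_sa_roles | audit_roles "projects/$PROJECT/roles/retail_cloud_connect" roles/retail.admin
# After removal (expects no roles at all):
#   list_sa_roles | audit_roles
```

An `EXTRA` line after setup means the Service Account holds more than the two roles described on this page; any output after removal means a binding is still in place.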
Further Reading
For advanced explanations of each role's permissions, review the following Google Cloud documentation: