Configuring IAM correctly is a prerequisite part of security and identity management for your Fleet Engine system. Use IAM roles to tailor access to different operations and data to meet the requirements of drivers, consumers, and fleet operators.
What are service accounts and IAM roles?
You set up service accounts in Google Cloud Console to authenticate and authorize access to data in Fleet Engine. Fleet Engine has a set of predetermined IAM roles that you assign to a service account to determine which data that account has access to. For details, see Service accounts overview in the Google Cloud documentation.
Fleet Engine uses IAM roles and policies to manage authorization for Fleet Engine API methods and resources. For more information, see Roles overview in the Google Cloud documentation. Use only the Fleet Engine service account roles described in the following sections.
For more general information about granting IAM roles, see Grant an IAM role by using the Google Cloud console.
Fleet Engine service account roles
The Mobility service you choose for your Fleet Engine installation determines the roles and permissions that are included.
The following roles illustrate how permissions work with Fleet Engine roles:
The ondemandAdmin and deliveryAdmin roles can perform all operations in Fleet Engine. Only use these roles in trusted environments, such as communications between your backend server and Fleet Engine.
The driverSdkUser and consumerSdkUser roles are only allowed to get details for assigned trips and to update or receive vehicle location. These roles are typically used by clients in low-trust environments, such as driver, consumer, or monitoring apps.
The roles and permissions granted for on-demand trips and scheduled tasks are described in the following tables.
On-demand trips
Role | Permission
---|---
Fleet Engine On-demand Admin | Grants read and write permission for all vehicle and trips resources. Principals with this role don't need to use JWTs and should instead use Application Default Credentials whenever possible. This role ignores custom JWT claims. Restrict use of this role to trusted environments such as your backend server.
Fleet Engine Driver SDK User | Update vehicle locations and routes, and retrieve information about vehicles and trips. Use JWTs with custom claims created with this role for authentication and authorization from driver apps for ridesharing or delivery.
Fleet Engine Consumer SDK User | Search for vehicles and retrieve information about vehicles and trips. Use JWTs with custom claims created with this role for consumer apps for ridesharing or delivery.
Scheduled tasks
Role | Permission
---|---
Fleet Engine Delivery Admin | Grants read and write permission for delivery resources. Principals with this role don't need to use JWTs and should instead use Application Default Credentials. Ignores custom JWT claims. Restrict use of this role to trusted environments such as your backend server.
Fleet Engine Delivery Fleet Reader | Grants permission to read delivery vehicles and tasks and to search for tasks using a tracking ID. Tokens issued by a service account with this role are typically used from a delivery fleet operator's web browser.
Fleet Engine Delivery Untrusted Driver User | Grants permission to update delivery vehicle location. Tokens issued by a service account with this role are typically used from your delivery driver's mobile device. Note: Untrusted refers to a driver's device that is not managed by corporate IT, but instead provided by the driver and typically without appropriate IT security controls. Organizations with Bring Your Own Device policies should opt for the safety of this role and only rely on the mobile app to send vehicle location updates to Fleet Engine. All other interactions should originate from your backend servers.
Fleet Engine Delivery Consumer User | Grants permission to search for tasks using a tracking ID, and to read but not update task information. Tokens issued by a service account with this role are typically used from a delivery consumer's web browser.
Fleet Engine Delivery Trusted Driver User | Grants permission to create and update delivery vehicles and tasks, including updating the delivery vehicle location and task status or outcome. Tokens issued by a service account with this role are typically used from your delivery driver's mobile devices or from your backend servers. Note: Trusted refers to a driver's device managed by corporate IT that has appropriate security controls. Organizations that furnish these devices can choose to integrate Fleet Engine interactions into the mobile app.
How to use IAM roles and service accounts with Fleet Engine
To use service accounts for authentication and authorization in Fleet Engine, follow these general steps:
Create service accounts in the Google Cloud Console for each role you need. You need service accounts to authenticate driver, consumer, fleet monitoring, and fleet management applications and websites: any software that needs access to Fleet Engine data. Software that needs the same permissions can use the same service account.
Assign a Fleet Engine IAM policy role to each service account. Select the Fleet Engine-specific IAM policy role that provides the appropriate permissions to access or update your data in Fleet Engine.
Use the appropriate service accounts in your apps and software to authenticate their connection to Fleet Engine, and to authorize access to the resources granted by the assigned role.
For details on how service account roles fit into Fleet Engine security, see Security overview. For a full explanation of service account roles, see Understanding IAM roles in the Google Cloud documentation.
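Once the roles are bound, the remaining risk is an admin role or a Trusted Driver role ending up on a service account whose tokens are used from a low-trust client. The following audit, added here as an example and not code from the Fleet Engine documentation, checks an IAM policy (in the JSON shape `gcloud projects get-iam-policy --format=json` returns) against the trust split the role tables describe. The full `roles/fleetengine.*` role IDs, the environment labels, and the sample policy and service account names are assumptions constructed for the example.

```python
# Full role IDs are an assumption; the page only gives the short names.
FE = "roles/fleetengine."
ADMIN_ROLES = {FE + "ondemandAdmin", FE + "deliveryAdmin"}

# Roles a service account may hold, keyed by where its credentials or tokens
# end up (from the role tables: admin only on the backend, the Untrusted
# Driver role for BYOD devices, consumer and reader roles in browsers).
ALLOWED_BY_ENV = {
    "backend": ADMIN_ROLES | {FE + "deliveryTrustedDriver"},
    "managed-device": {FE + "driverSdkUser", FE + "deliveryTrustedDriver",
                       FE + "deliveryUntrustedDriver"},
    "byod": {FE + "driverSdkUser", FE + "deliveryUntrustedDriver"},
    "browser": {FE + "consumerSdkUser", FE + "deliveryConsumer",
                FE + "deliveryFleetReader"},
}


def audit_fleet_engine_policy(policy, environments):
    """Return (member, role, reason) findings for Fleet Engine bindings.

    policy: IAM policy dict ({"bindings": [{"role": ..., "members": [...]}]}).
    environments: maps each member to one of the ALLOWED_BY_ENV keys.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not role.startswith(FE):
            continue  # roles outside Fleet Engine are out of scope here
        for member in binding.get("members", []):
            env = environments.get(member)
            if env is None:
                findings.append((member, role, "member not in the environment inventory"))
            elif role not in ALLOWED_BY_ENV[env]:
                findings.append((member, role, f"role not appropriate for a {env} client"))
    return findings


# Constructed sample: the managed-device driver account was also given the
# admin role, and a BYOD driver account was given the Trusted Driver role.
SA = "serviceAccount:%s@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"version": 1, "bindings": [
    {"role": FE + "deliveryAdmin", "members": [SA % "backend", SA % "driver-app"]},
    {"role": FE + "deliveryUntrustedDriver", "members": [SA % "driver-app"]},
    {"role": FE + "deliveryTrustedDriver", "members": [SA % "byod-driver"]},
    {"role": FE + "deliveryConsumer", "members": [SA % "tracking-site"]},
]}
SAMPLE_ENVIRONMENTS = {SA % "backend": "backend", SA % "driver-app": "managed-device",
                       SA % "byod-driver": "byod", SA % "tracking-site": "browser"}

if __name__ == "__main__":
    for member, role, reason in audit_fleet_engine_policy(SAMPLE_POLICY, SAMPLE_ENVIRONMENTS):
        print(f"FINDING {member} holds {role}: {reason}")
```

The environment inventory has to be maintained by hand, since IAM itself records nothing about where a service account's tokens are used.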
What's next
- Read about JSON Web Tokens to understand their use in Fleet Engine.
- For an overview of Fleet Engine security, see the Security overview.
- For a full explanation of Google Cloud Console service account roles, see Understanding IAM roles.