Console
    Contact Us Start free

    Managing permissions between the Cloud Healthcare API and other Google Cloud products

    The Cloud Healthcare API does not have automatic access to other Google Cloud resources in your project, such as Cloud Storage buckets and BigQuery datasets. When accessing these resources, the Cloud Healthcare API uses a service agent called the Cloud Healthcare Service Agent .

    To perform operations such as notifying Pub/Sub topics of changes, importing data from Cloud Storage buckets, exporting data to BigQuery datasets, and so on, you must first grant the service account the Identity and Access Management (IAM) permissions necessary to access the resources outside of the Cloud Healthcare API. This page describes which permissions are required for various operations, and how to grant them.

    To learn more about using IAM to configure permissions within the Cloud Healthcare API, see Access control .

    The Cloud Healthcare Service Agent

    The Cloud Healthcare Service Agent service account is automatically created after you enable the Cloud Healthcare API. Its member name is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com . To find the PROJECT_NUMBER for your Google Cloud project, see Identifying projects .

    You can view detailed information about the Cloud Healthcare Service Agentservice account, such as the roles it has been granted, on the Identity and Access Management page in Google Cloud console.

    To learn more about the Cloud Healthcare Service Agentand its interaction with Identity and Access Management (IAM) roles and permissions, see Access control .

    Dataset CMEK permissions

    You can use a customer-managed encryption key (CMEK) when creating a Cloud Healthcare API dataset . To let the Cloud Healthcare Service Agentservice account encrypt and decrypt objects using the CMEK key, grant the service account the CryptoKey Encrypter/Decrypter ( roles/cloudkms.cryptoKeyEncrypterDecrypter ) role.

    Console

    1. In the Google Cloud console, go to the IAMpage.

      Go to IAM

    2. Select the Include Google-provided role grantscheckbox.

    3. Ensure the View by principalstab is selected. Locate the row containing the Cloud Healthcare Service Agentservice account, and click Edit principalin that row. The Edit permissionspane is displayed.

    4. Click Add another role.

    5. From the Select a roledrop-down menu, search for and then click CryptoKey Encrypter/Decrypter.

    6. Click Save.

    DICOM, FHIR, and HL7v2 store Pub/Sub permissions

    Changes within DICOM, FHIR, and HL7v2 stores can be sent to a Pub/Sub topic. For more information, see Using Cloud Pub/Sub for Notifications .

    The methods within these stores require additional permissions on the Cloud Healthcare Service Agentservice account to publish changes to a Pub/Sub topic.

    Use the Google Cloud console or the gcloud CLI to add the pubsub.publisher role to your project's service account:

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agentservice account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the Pub/Sub Publisherrole.
    5. Select the role and then click Save. The pubsub.publisher role is added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects .

    gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/pubsub.publisher

    Configure Pub/Sub permissions between projects

    To publish Pub/Sub notifications to a topic in another project, grant the Cloud Healthcare Service Agentservice account the pubsub.publisher role on the topic. For more information, see Control access through the Google Cloud console and Control access through the IAM API .

    For an example of publishing Pub/Sub notifications between projects, see Sample use case: cross-project communication .

    DICOM store Cloud Storage permissions

    The projects.locations.datasets.dicomStores.import and projects.locations.datasets.dicomStores.export methods require additional permissions on the Cloud Healthcare Service Agentservice account to import data from and export data to Cloud Storage.

    Importing data from Cloud Storage

    You can use Google Cloud console or the gcloud CLI to add the required storage.objectViewer role to your project's service account.

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the Storage Object Viewerrole.
    5. Select the role and then click Save. The storage.objectViewer role is then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects . 
    gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/storage.objectViewer 

    Exporting data to Cloud Storage

    You can use Google Cloud console or the gcloud CLI to add the required storage.objectAdmin role to your project's service account:

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the Storage Object Adminrole.
    5. Select the role and then click Save. The storage.objectAdmin role is then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects .

    gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/storage.objectAdmin

    DICOM store BigQuery permissions

    The projects.locations.datasets.dicomStores.export method requires additional permissions on the Cloud Healthcare Service Agentservice account to export DICOM metadata to BigQuery. You must also grant WRITER access for the BigQuery dataset to the Cloud Healthcare Service Agent' service account.

    Granting permissions to the Cloud Healthcare Service Agent service account

    You can use the Google Cloud console or the gcloud CLI to add the required bigquery.dataEditor and bigquery.jobUser roles to your project's service account.

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the BigQuery Data Editorand BigQuery Job Userroles.
    5. Select each role and then click Save. The bigquery.dataEditor and bigquery.jobUser roles are then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects .

    1. Grant the roles/bigquery.dataEditor role:

      Before using any of the command data below, make the following replacements:

      • PROJECT_ID : the ID of your Google Cloud project
      • PROJECT_NUMBER : the number of your Google Cloud project

      Execute the following command:

      Linux, macOS, or Cloud Shell

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/bigquery.dataEditor

      Windows (PowerShell)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 ` 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 ` 
  
--role = 
roles/bigquery.dataEditor

      Windows (cmd.exe)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
^  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
^  
--role = 
roles/bigquery.dataEditor

      You should receive a response similar to the following:

      Updated IAM policy for project [ PROJECT_ID 
].
bindings:
...
- members:
  - serviceAccount:service- NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
...
etag: ETAG 
version: VERSION

    2. Grant the roles/bigquery.jobUser role:

      Before using any of the command data below, make the following replacements:

      • PROJECT_ID : the ID of your Google Cloud project
      • PROJECT_NUMBER : the number of your Google Cloud project

      Execute the following command:

      Linux, macOS, or Cloud Shell

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/bigquery.jobUser

      Windows (PowerShell)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 ` 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 ` 
  
--role = 
roles/bigquery.jobUser

      Windows (cmd.exe)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
^  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
^  
--role = 
roles/bigquery.jobUser

      You should receive a response similar to the following:

      Updated IAM policy for project [ PROJECT_ID 
].
bindings:
...
- members:
  - serviceAccount:service- NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com
  role: roles/bigquery.jobUser
...
etag: ETAG 
version: VERSION

    Granting WRITER access to the BigQuery dataset

    If you have added the bigquery.dataEditor and bigquery.jobUser roles to your project's service account, you will have WRITER access for all BigQuery datasets. However, if you have not added these roles and you require WRITER access to a single BigQuery dataset, you can grant WRITER access just for that dataset. To grant WRITER access to a BigQuery dataset, complete the following steps:
    1. Navigate to Controlling access to a dataset .
    2. Using one of the available methods, grant the Cloud Healthcare Service Agent's email address WRITER access to the BigQuery dataset. (Look for the email address that ends in @gcp-sa-healthcare.iam.gserviceaccount.com ).

    For example, if your Cloud Healthcare Service Agent's email address is service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com , and if you are using the BigQuery web UI, you would:

    1. Follow the Console instructions.
    2. In the Add principalsfield, enter service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com and select the bigquery.dataEditor role.

    Exporting DICOM metadata across Google Cloud projects

    To export DICOM metadata from a DICOM store in one project to a BigQuery table in a different project, you must add the source project's Cloud Healthcare Service Agentservice account to the destination project and grant the service account the bigquery.dataEditor and bigquery.jobUser roles in the destination project.

    To find the source project's Cloud Healthcare Service Agentservice account, complete the following steps:

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agentservice account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com . Note this address in the source project, as it will be used in the following steps.

    Add the Cloud Healthcare Service Agentservice account from the source project to the destination project and grant the service account the required BigQuery permissions by completing the following steps:

    Console

    1. Open the destination project's IAM page in Google Cloud console.
    2. Click Add.
    3. In the New membersfield, enter the address of the source project's Cloud Healthcare Service Agentservice account.
    4. Click Add another roleand then search for the BigQuery Data Editorand BigQuery Job Userroles.
    5. Select the role and then click Save. The source project's Cloud Healthcare Service Agentservice account now has bigquery.dataEditor and bigquery.jobUser roles on the destination project.

    gcloud

    To add the Cloud Healthcare Service Agentservice account from the source project to the destination project and grant the service account the required BigQuery permissions, run the gcloud projects add-iam-policy-binding command. To find the project ID and project number for your source and destination projects, see Identifying projects .

    gcloud  
projects  
add-iam-policy-binding  
 DESTINATION_PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- SOURCE_PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/bigquery.dataEditor
     
    gcloud  
projects  
add-iam-policy-binding  
 DESTINATION_PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- SOURCE_PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/bigquery.jobUser

    Complete the steps in Granting WRITER access to the BigQuery dataset to allow the source project to write to the destination dataset.

    FHIR store Cloud Storage permissions

    The following sections describe FHIR methods that require additional permissions on the Cloud Healthcare Service Agentto read from or write to Cloud Storage.

    Importing FHIR resources from Cloud Storage

    The projects.locations.datasets.fhirStores.import method requires the following permissions on the Cloud Healthcare Service Agentservice account:

    • storage.objects.get
    • storage.objects.list

    These permissions are included in the predefined storage.objectViewer role.

    You can also add the permissions to a custom role , or they might be included in other basic roles .

    You can use Google Cloud console or the gcloud CLI to add the required storage.objectViewer role to your project's service account.

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the Storage Object Viewerrole.
    5. Select the role and then click Save. The storage.objectViewer role is then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects . 
    gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/storage.objectViewer 

    Exporting FHIR resources to Cloud Storage

    To use the projects.locations.datasets.fhirStores.export method requires the following permissions on the Cloud Healthcare Service Agentservice account:

    • storage.objects.create
    • storage.objects.delete
    • storage.objects.list

    These permissions are included in the predefined storage.objectAdmin role.

    You can also add the permissions to a custom role , or they might be included in other basic roles .

    To grant the service account the storage.objectAdmin role, follow these steps:

    Console

    1. Ensure you enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the Storage Object Creatorrole.
    5. Select the role and then click Save. The storage.objectAdmin role is then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects .

    gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/storage.objectAdmin

    Read filter files from Cloud Storage

    The projects.locations.datasets.fhirStores.rollback method requires the following permissions on the Cloud Healthcare Service Agentservice account to read filter files from Cloud Storage:

    • storage.objects.get
    • storage.objects.list

    These permissions are included in the predefined storage.objectViewer role.

    You can also add the permissions to a custom role , or they might be included in other basic roles .

    To grant the storage.objectViewer role to the service account, follow these steps:

    Write output files to Cloud Storage

    The projects.locations.datasets.fhirStores.rollback method requires the following permissions on the Cloud Healthcare Service Agentservice account to write output files to Cloud Storage:

    • storage.objects.create
    • storage.objects.delete
    • storage.objects.get
    • storage.objects.list

    These permissions are included in the predefined storage.objectAdmin role.

    You can also add the permissions to a custom role , or they might be included in other basic roles .

    To grant the storage.objectAdmin role to the service account, follow these steps:

    FHIR store BigQuery permissions

    The projects.locations.datasets.fhirStores.export method requires additional permissions on the Cloud Healthcare Service Agentservice account to export FHIR resources to BigQuery. You must also grant WRITER access for the BigQuery dataset to the Cloud Healthcare Service Agent' service account.

    Granting permissions to the Cloud Healthcare Service Agent service account

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the BigQuery Data Editorand BigQuery Job Userroles.
    5. Select each role and then click Save. The bigquery.dataEditor and bigquery.jobUser roles are then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects .

    1. Grant the roles/bigquery.dataEditor role:

      Before using any of the command data below, make the following replacements:

      • PROJECT_ID : the ID of your Google Cloud project
      • PROJECT_NUMBER : the number of your Google Cloud project

      Execute the following command:

      Linux, macOS, or Cloud Shell

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/bigquery.dataEditor

      Windows (PowerShell)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 ` 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 ` 
  
--role = 
roles/bigquery.dataEditor

      Windows (cmd.exe)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
^  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
^  
--role = 
roles/bigquery.dataEditor

      You should receive a response similar to the following:

      Updated IAM policy for project [ PROJECT_ID 
].
bindings:
...
- members:
  - serviceAccount:service- NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com
  role: roles/bigquery.dataEditor
...
etag: ETAG 
version: VERSION

    2. Grant the roles/bigquery.jobUser role:

      Before using any of the command data below, make the following replacements:

      • PROJECT_ID : the ID of your Google Cloud project
      • PROJECT_NUMBER : the number of your Google Cloud project

      Execute the following command:

      Linux, macOS, or Cloud Shell

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/bigquery.jobUser

      Windows (PowerShell)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 ` 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 ` 
  
--role = 
roles/bigquery.jobUser

      Windows (cmd.exe)

      gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
^  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
^  
--role = 
roles/bigquery.jobUser

      You should receive a response similar to the following:

      Updated IAM policy for project [ PROJECT_ID 
].
bindings:
...
- members:
  - serviceAccount:service- NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com
  role: roles/bigquery.jobUser
...
etag: ETAG 
version: VERSION

    Granting WRITER access to the BigQuery dataset

    If you have added the bigquery.dataEditor and bigquery.jobUser roles to your project's service account, you will have WRITER access for all BigQuery datasets. However, if you have not added these roles and you require WRITER access to a single BigQuery dataset, you can grant WRITER access just for that dataset. To grant WRITER access to a BigQuery dataset, complete the following steps:
    1. Navigate to Controlling access to a dataset .
    2. Using one of the available methods, grant the Cloud Healthcare Service Agent's email address WRITER access to the BigQuery dataset. (Look for the email address that ends in @gcp-sa-healthcare.iam.gserviceaccount.com ).

    For example, if your Cloud Healthcare Service Agent's email address is service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com , and if you are using the BigQuery web UI, you would:

    1. Follow the Console instructions.
    2. In the Add principalsfield, enter service-000000000000@gcp-sa-healthcare.iam.gserviceaccount.com and select the bigquery.dataEditor role.

    HL7v2 store Cloud Storage permissions

    The projects.locations.datasets.hl7V2Stores.import and projects.locations.datasets.hl7V2Stores.export methods require additional permissions on the Cloud Healthcare Service Agentservice account to import HL7v2 messages from and export HL7v2 messages to Cloud Storage.

    Determine the permissions that the service account requires based on the actions that the application performs:

    • If the application imports HL7v2 messages from Cloud Storage to an HL7v2 store, the service account requires the storage.objects.get and storage.objects.list permissions, which are included in the storage.objectViewer role.
    • If the application exports HL7v2 messages from an HL7v2 store to Cloud Storage, the service account requires the storage.objects.create , storage.objects.delete , and storage.objects.list permissions, which are included in the storage.objectCreator role.

    Importing HL7v2 messages from Cloud Storage

    You can use Google Cloud console or the gcloud CLI to add the required storage.objectViewer role to your project's service account.

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the Storage Object Viewerrole.
    5. Select the role and then click Save. The storage.objectViewer role is then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects . 
    gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/storage.objectViewer 

    Exporting HL7v2 messages to Cloud Storage

    You can use Google Cloud console or the gcloud CLI to add the required storage.objectCreator role to your project's service account:

    Console

    1. Make sure that you have enabled the Cloud Healthcare API .
    2. On the IAM page in Google Cloud console, verify that the role Healthcare Service Agentappears in the Rolecolumn for the Cloud Healthcare Service Agent service account. The service account identifier is service- PROJECT_NUMBER @gcp-sa-healthcare.iam.gserviceaccount.com .
    3. In the Inheritancecolumn that matches the role, click the pencil icon. The Edit permissionspane opens.
    4. Click Add another roleand then search for the Storage Object Creatorrole.
    5. Select the role and then click Save. The storage.objectCreator role is then added to the service account.

    gcloud

    To add the service account permissions, run the gcloud projects add-iam-policy-binding command. To find the PROJECT_ID and PROJECT_NUMBER , see Identifying projects .

    gcloud  
projects  
add-iam-policy-binding  
 PROJECT_ID 
  
 \ 
  
--member = 
serviceAccount:service- PROJECT_NUMBER 
@gcp-sa-healthcare.iam.gserviceaccount.com  
 \ 
  
--role = 
roles/storage.objectCreator
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: