When you set up Retail Cloud Connect, you will be asked to grant the application access to one or more Google Cloud projects when setting up your cloud connection. In the interest of security and transparency, we’ve written this knowledge base article to explain exactly what permissions we need and why we need them.
At Nimstrata, we want you to maintain full control of your data and settings. Other companies who leverage Google Cloud’s Retail API under their platforms often keep your catalog data in their own cloud environments and don’t give you access to the underlying catalog or Google Cloud platform settings.
Our intention with Retail Cloud Connect is to give you full access to the underlying platform and facilitate your adoption and onboarding of Google Cloud's Product Discovery AI solutions.
If you have any questions about how Google Cloud works, Nimstrata is a certified partner and always willing to help you set up your environment.
Service Account
When you create a Retail Cloud Connect retailer, we provision a unique Service Account in our environment so that you don’t have to worry about managing additional keys or credentials.
Service Accounts enable computers to talk to each other securely without the need to share user passwords. Because Nimstrata owns this Service Account, it can only access your Google Cloud environment if you give it permission to do so. Not only does this give you full control over your data security, it’s also very easy to remove our application's access if you decide to use a different solution.
You can see your full Service Account email address in your dashboard, it will look like this:
Required Permissions
Retail Cloud Connect requires several permissions to properly administer your Google Cloud retail catalog project. The permissions are included in two roles. Google Cloud roles are a set of one or more permissions.
1. Retail Cloud Connect Custom Role
First, we guide you through creating a Custom Role in your Google Cloud environment that grants our application permission to view the project that your retail catalog belongs to.
For advanced explanations of each permission in the role, click the links below:
1gcloud iam roles create retail_cloud_connect \\
2 --project="your-catalog" \\
3 --title="Permissions for Retail Connect via Shopify" \\
4 --description="Allows Retail Cloud Connect to manage Google Cloud Retail API" \\
5 --permissions=resourcemanager.projects.get,serviceusage.services.list
6
7gcloud projects add-iam-policy-binding your-catalog \\
8 --member=serviceAccount:your-sa@rc-sa-prod-00001.iam.gserviceaccount.com \\
9 --role=projects/your-catalog/roles/retail_cloud_connectNimstrata follows a data security best practice known as the principle of least privilege, by using a Custom Role to ensure that we don’t have any unnecessary privileges in your environment.
2. Retail Admin Role
The Retail Admin role contains a set of permissions that allows us to fully manage your catalog data. While you may prefer to assign the Retail Editor role instead, our tooling will not be able to purge catalogs which may be a necessary step when performing imports with new schemas.
(gcloud code will be hidden unless displayed)
1gcloud projects add-iam-policy-binding your-catalog \\
2 --member=serviceAccount:your-sa@rc-sa-prod-00001.iam.gserviceaccount.com \\
3 --role=roles/retail.adminGoogle Cloud Project
Nimstrata recommends using a single-purpose Google Cloud project for your retail catalog data. This allows you to provide tightly scoped access to Retail Cloud Connect and remove cross-configuration risk around other resources inside of Google Cloud.
For example, if you have an existing Google Cloud project with other resources in it such as your Google Analytics data in BigQuery or virtual machines running your ERP, other administrators inside of your company may accidentally alter or delete your retail catalog data.
If you’re a new Google Cloud user, this should not be a concern.
Removing Permissions
If you remove our app's permissions, Retail Cloud Connect will no longer be able to update your catalog or serve search results or recommendations on your website.
Please only remove permissions with a contingency plan and caution!
To remove Retail Connect’s access to your Google Cloud project:
Visit the Google Cloud IAM page for your retail catalog project
Click the Service Account edit (pencil) icon
Remove the two roles with the delete (trashcan) icon
Click the blue “Save” button
If you have any additional questions about Retail Cloud Connect security, please contact us.
