Access control for API Keys

API Keys uses Identity and Access Management to manage access to the keys. This page explains the IAM roles and permissions related to API Keys and how to use them to control access.

IAM permissions

The following table shows the required permissions for each API Keys API method. This information is also documented in the API Reference.

Method Required Permission(s)
projects.locations.keys.clone apikeys.keys.create
apikeys.keys.get
projects.locations.keys.create apikeys.keys.create
projects.locations.keys.delete apikeys.keys.delete
projects.locations.keys.get/code> apikeys.keys.get
projects.locations.keys.getKeyString apikeys.keys.getKeyString
projects.locations.keys.list apikeys.keys.list
projects.locations.keys.patch apikeys.keys.update
projects.locations.keys.undelete apikeys.keys.undelete
operations.get serviceusage.operations.get
keys.lookupKey apikeys.keys.undelete

IAM roles

With Identity and Access Management, permissions are granted by binding users to roles. For more information about roles and permissions see Understanding Roles.

The following table lists the predefined roles that apply to API Keys.

Role Permissions
roles/viewer apikeys.keys.get
apikeys.keys.lookup
apikeys.keys.list
apikeys.keys.getKeyString
roles/editor and
roles/owner
apikeys.keys.get
apikeys.keys.lookup
apikeys.keys.list
apikeys.keys.getKeyString
apikeys.keys.create
apikeys.keys.delete
apikeys.keys.undelete
apikeys.keys.update
serviceusage.operations.get
roles/serviceusage.apiKeysViewer apikeys.keys.get
apikeys.keys.lookup
apikeys.keys.list
apikeys.keys.getKeyString
roles/serviceusage.apiKeysAdmin apikeys.keys.get
apikeys.keys.lookup
apikeys.keys.list
apikeys.keys.getKeyString
apikeys.keys.create
apikeys.keys.delete
apikeys.keys.undelete
apikeys.keys.update
serviceusage.operations.get