Access control with IAM

API Keys uses Identity and Access Management to manage access to the keys. This page explains the IAM roles and permissions related to API Keys and how to use them to control access.

IAM permissions

The following table shows the required permissions for each API Keys API method. This information is also documented in the API Reference.

Method	Required Permission(s)
`projects.locations.keys.create`	`apikeys.keys.create`
`projects.locations.keys.delete`	`apikeys.keys.delete`
`projects.locations.keys.get`	`apikeys.keys.get`
`projects.locations.keys.getKeyString`	`apikeys.keys.getKeyString`
`projects.locations.keys.list`	`apikeys.keys.list`
`projects.locations.keys.patch`	`apikeys.keys.update`
`projects.locations.keys.undelete`	`apikeys.keys.undelete`
`operations.get`	`serviceusage.operations.get`
`keys.lookupKey`	`apikeys.keys.undelete`

IAM roles

With Identity and Access Management, permissions are granted by binding users to roles. For more information about roles and permissions see Understanding Roles.

The following table lists the predefined roles that apply to API Keys.

Role	Permissions
`roles/viewer`	apikeys.keys.get apikeys.keys.lookup apikeys.keys.list apikeys.keys.getKeyString
`roles/editor` and `roles/owner`	apikeys.keys.get apikeys.keys.lookup apikeys.keys.list apikeys.keys.getKeyString apikeys.keys.create apikeys.keys.delete apikeys.keys.undelete apikeys.keys.update serviceusage.operations.get
`roles/serviceusage.apiKeysViewer`	apikeys.keys.get apikeys.keys.lookup apikeys.keys.list apikeys.keys.getKeyString
`roles/serviceusage.apiKeysAdmin`	apikeys.keys.get apikeys.keys.lookup apikeys.keys.list apikeys.keys.getKeyString apikeys.keys.create apikeys.keys.delete apikeys.keys.undelete apikeys.keys.update serviceusage.operations.get