Grant permissions to applications

You can configure application access by assigning user roles on your management project. To do this, use the following approaches:

Grant access to all applications

To grant access to all applications from the management project, assign an IAM role to a principal on the management project.

Google Cloud console

  1. Go to the IAM page.

  2. From the project picker in the Google Cloud console, select the management project.

  3. Click Grant access.

  4. Enter an identifier for the principal. For example, user@example.com.

  5. From the Select a role drop-down menu, search for the role you want to assign and click it.

  6. Click Save.

  7. Verify that the principal and the corresponding role are listed on the IAM page.

You have successfully granted an IAM role to a principal.

gcloud CLI

Run the following gcloud CLI command. For example, you can use Cloud Shell:

gcloud projects add-iam-policy-binding MANAGEMENT_PROJECT_ID \
   --member=user:USER_EMAIL \
   --role=ROLE

Replace the following:

  • MANAGEMENT_PROJECT_ID: the management project ID, such as google-mpf-123456789.
  • USER_EMAIL: the email address of the user that must get access to all applications in the management project, such as user@example.com.
  • ROLE: the role that you want to provide to the user, such as roles/apphub.editor.

Grant access to individual applications

To grant access to individual applications in the management project, assign an IAM role to the principal on the application resource. Run the following gcloud CLI command. For example, you can use Cloud Shell:

gcloud apphub applications set-iam-policy APPLICATION_NAME \
   --project=MANAGEMENT_PROJECT_ID \
   --location=REGION \
   POLICY_FILE

Replace the following:

  • APPLICATION_NAME: the name of your application. The name must include only lowercase alphanumeric characters without spaces, such as my-application.
  • MANAGEMENT_PROJECT_ID: the management project ID, such as google-mpf-123456789.
  • REGION: the region of the application.
  • POLICY_FILE: the name of the policy file that grants the role to the user, such as my-policy.yaml.

The following example policy file grants the roles/apphub.editor role to the user user@example.com:

# policyfile.yaml
bindings:
- role: roles/apphub.editor
  members:
  - user:user@example.com
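
Because set-iam-policy replaces the application's whole IAM policy with the contents of POLICY_FILE, a file that lists only the new binding removes any bindings already set. The following Python code is an added example, not part of the original documentation: it merges one binding into a policy exported with gcloud apphub applications get-iam-policy --format=json, keeps the etag, and rejects allUsers and allAuthenticatedUsers. The function name merge_binding, the sample policy and its etag value are constructed for illustration.

```python
import copy
import json

# Principals that make a resource public; this helper never adds them.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Member type prefixes accepted here (a subset chosen for this example).
ALLOWED_PREFIXES = ("user:", "group:", "serviceAccount:")


def merge_binding(current_policy, role, member):
    """Return a copy of current_policy with member granted role.

    Existing bindings and the etag are kept, so applying the result with
    set-iam-policy adds access instead of dropping what was already there.
    """
    if member in PUBLIC_MEMBERS:
        raise ValueError(f"refusing public principal: {member}")
    if not member.startswith(ALLOWED_PREFIXES):
        raise ValueError(f"member needs a type prefix such as user: ({member})")

    policy = copy.deepcopy(current_policy)  # never mutate the exported policy
    bindings = policy.setdefault("bindings", [])
    for binding in bindings:
        # Reuse only an unconditional binding; conditional grants stay untouched.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding.setdefault("members", []):
                binding["members"].append(member)
            return policy
    bindings.append({"role": role, "members": [member]})
    return policy


# Constructed sample standing in for the JSON output of get-iam-policy.
CURRENT = {
    "bindings": [
        {"role": "roles/apphub.viewer", "members": ["group:ops@example.com"]},
    ],
    "etag": "BwXXXXXXXXX=",  # constructed placeholder, not a real etag
    "version": 1,
}

if __name__ == "__main__":
    merged = merge_binding(CURRENT, "roles/apphub.editor", "user:user@example.com")
    # Save this JSON as the POLICY_FILE passed to set-iam-policy.
    print(json.dumps(merged, indent=2))
```
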