By default, only the creator of a Google Cloud project has access to the project and its resources. To grant other users access, you must add them as a project member or grant them permissions to a specific Cloud Build resource.
This page describes the ways you can add new users to your project and set access control for your Cloud Build resources.
Before you begin
- Understand the basic concepts of IAM.
- Learn about the Cloud Build roles and permissions.
Adding users
Console
Open the IAM page in the Cloud Console:
Select your project, and click Continue.
Click Add.
Enter the team member's or service account's email address.
Select the desired role from the drop-down menu. Cloud Build roles are under Cloud Build.
Click Save.
gcloud
To grant a role to a member, run the add-iam-policy-binding command:
gcloud group add-iam-policy-binding resource \
--member=member --role=role-id
Where:
group: The gcloud tool group for the resource you want to update. For example, you can use projects or organizations.
resource: The name of the resource.
member: An identifier for the member, which usually has the following form: member-type:id. For example, user:my-user@example.com. For a full list of the values that member can have, see the Policy Binding reference.
role-id: The name of the role.
For example, to grant the Cloud Build Viewer role to the user my-user@example.com for the project my-project:
gcloud projects add-iam-policy-binding my-project \
--member=user:my-user@example.com --role=roles/cloudbuild.builds.viewer
Granting permissions to run gcloud commands
To run gcloud builds commands, users with only cloudbuild.builds.viewer or cloudbuild.builds.editor roles also require the serviceusage.services.use permission. To give this permission to the user, grant them the serviceusage.serviceUsageConsumer role.
Users with roles/editor and roles/owner roles can run gcloud builds commands without the additional serviceusage.services.use permission.
Removing users
Console
Open the IAM page in the Cloud Console:
Select your project, and click Continue.
In the permissions table, locate the email ID of the member and click on the pencil icon.
Delete the role that you want to revoke.
Click Save.
gcloud
To revoke a role from a user, run the remove-iam-policy-binding command:
gcloud group remove-iam-policy-binding resource \
--member=member --role=role-id
Where:
group: The gcloud tool group for the resource you want to update. For example, you can use projects or organizations.
resource: The name of the resource.
member: An identifier for the member, which usually has the following form: member-type:id. For example, user:my-user@example.com. For a full list of the values that member can have, see the Policy Binding reference.
role-id: The name of the role.
For example, to revoke the Cloud Build Viewer role from the user my-user@example.com for the project my-project:
gcloud projects remove-iam-policy-binding my-project \
--member=user:my-user@example.com --role=roles/cloudbuild.builds.viewer
Viewing users
Console
Open the IAM page in the Cloud Console:
Select your project, and click Continue.
Under View by, click Roles.
To view the members with a particular role, expand the role name.
gcloud
To view all users that are granted a particular role in a Cloud project, run the following command:
gcloud projects get-iam-policy project-id \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role:role-id"
Where:
project-id is your project ID.
role-id is the name of the role for which you want to view the members.
For example, to view all members in a project that are granted the Cloud Build Viewer role, run the following command:
gcloud projects get-iam-policy my-project \
--flatten="bindings[].members" \
--format="table(bindings.members)" \
--filter="bindings.role:roles/cloudbuild.builds.viewer"
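The following is an added example, not part of the original page: it audits the JSON printed by `gcloud projects get-iam-policy my-project --format=json` for members who hold only a Cloud Build Viewer or Editor role and therefore lack what the page says is needed to run gcloud builds commands. The sample policy and member names are constructed, and the check assumes direct project-level bindings only (it does not resolve group membership, inherited bindings, conditions, or custom roles).

```python
import json

# Cloud Build roles that, per this page, are not enough on their own.
BUILD_ROLES = {"roles/cloudbuild.builds.viewer", "roles/cloudbuild.builds.editor"}
# Roles this page names as allowing gcloud builds commands.
SUFFICIENT_ROLES = {"roles/serviceusage.serviceUsageConsumer",
                    "roles/editor", "roles/owner"}

# Constructed sample in the shape of `get-iam-policy --format=json` output.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.builds.viewer",
   "members": ["user:alice@example.com", "user:carol@example.com"]},
  {"role": "roles/cloudbuild.builds.editor",
   "members": ["user:bob@example.com",
               "serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
  {"role": "roles/serviceusage.serviceUsageConsumer",
   "members": ["user:bob@example.com"]},
  {"role": "roles/editor", "members": ["user:carol@example.com"]},
  {"role": "roles/owner", "members": ["user:dave@example.com"]}
 ], "etag": "constructed", "version": 1}
""")

def roles_by_member(policy):
    """Invert the policy's bindings into a member -> set-of-roles map."""
    result = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, set()).add(binding["role"])
    return result

def missing_service_usage(policy):
    """Members with a Cloud Build role but none of the sufficient roles."""
    return sorted(member for member, roles in roles_by_member(policy).items()
                  if roles & BUILD_ROLES and not roles & SUFFICIENT_ROLES)

def remediation_commands(project_id, policy):
    """Build the add-iam-policy-binding command for each flagged member."""
    return [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role=roles/serviceusage.serviceUsageConsumer"
            for member in missing_service_usage(policy)]

if __name__ == "__main__":
    for command in remediation_commands("my-project", SAMPLE_POLICY):
        print(command)
```

Review the printed commands before running them; a flagged member may be intended to have console-only access.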
Creating IAM custom roles
For users that want to define their own roles containing bundles of permissions that they specify, IAM offers custom roles. For instructions on creating and using IAM custom roles, see Creating and Managing Custom Roles.
What's next
- Learn about the Cloud Build service account.
- Learn how to configure access to the Cloud Build service account.
- Learn about the permissions required to view build logs.