This page describes different ways to configure access for users who need to manage your Compute Engine resources or configure access for instances to automate management of your Compute Engine resources.

Access control for users

To control who has the ability to create and manage your Compute Engine resources, you can add users as project team members, add users with specific Identity and Access Management (IAM) roles, or add Linux user accounts to your instances.

  • Project team members: A user can be added as a project team member, such as an Owner, Viewer, or Editor. Each role has different levels of access; a viewer has read-only access to Compute Engine resources, while an editor has read-write access. To learn more about project team members, read the Project Team Members documentation.

  • IAM roles: A user can be added with one or more IAM roles that determine which API methods the user can call and on which resources. For example, you can grant a user the compute.instanceAdmin role so that the user has read-write access to create and manage instances but cannot manage other resources. To read more about Compute Engine IAM roles, read the IAM Roles documentation.

  • Adding and removing SSH keys: You can manage SSH access to your instances by adding or removing SSH keys in your project metadata or instance metadata. If you want to give a user SSH access to only a specific virtual machine instance and do not want to give that user the ability to create or manage anything in your project, add an SSH key to the metadata for a specific instance.
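The following Python is an added example, not code from this page or from Google Cloud. It models the `ssh-keys` metadata value (one `USERNAME:KEY_TYPE KEY_DATA [COMMENT]` line per key) so you can see how adding or removing a key changes the value, and how instance-level and project-level keys combine; the helper names are my own, the public keys are constructed placeholders, and it assumes the `ssh-keys` and `block-project-ssh-keys` metadata keys read by the Compute Engine guest environment.

```python
from typing import Dict, List, Tuple

# Metadata keys read by the Compute Engine guest environment (assumed names).
SSH_KEYS = "ssh-keys"
BLOCK_PROJECT_KEYS = "block-project-ssh-keys"
# Constructed placeholder public keys for the demo, not real credentials.
ALICE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERALICE alice@laptop"
BOB_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBOB bob@laptop"

def parse_ssh_keys(value: str) -> List[Tuple[str, str]]:
    """Split an ssh-keys value (one USERNAME:KEY_TYPE KEY_DATA [COMMENT] per line)
    into (username, public_key) pairs; lines without a colon are dropped."""
    entries = []
    for line in value.splitlines():
        if ":" in line:
            user, key = line.strip().split(":", 1)
            entries.append((user.strip(), key.strip()))
    return entries

def add_ssh_key(value: str, username: str, public_key: str) -> str:
    """Return the value with public_key added for username (no duplicate lines)."""
    entries = parse_ssh_keys(value)
    if (username, public_key) not in entries:
        entries.append((username, public_key))
    return "\n".join(f"{u}:{k}" for u, k in entries)

def remove_user_keys(value: str, username: str) -> str:
    """Return the value with every key belonging to username removed."""
    return "\n".join(f"{u}:{k}" for u, k in parse_ssh_keys(value) if u != username)

def effective_ssh_users(project_md: Dict[str, str],
                        instance_md: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each Linux username to the keys the instance accepts for it.
    Instance keys always apply; project keys are ignored when the instance
    sets block-project-ssh-keys=TRUE, which confines a user to that one VM."""
    keys = parse_ssh_keys(instance_md.get(SSH_KEYS, ""))
    if instance_md.get(BLOCK_PROJECT_KEYS, "").strip().upper() != "TRUE":
        keys += parse_ssh_keys(project_md.get(SSH_KEYS, ""))
    users: Dict[str, List[str]] = {}
    for user, key in keys:
        if key not in users.setdefault(user, []):
            users[user].append(key)
    return users

if __name__ == "__main__":
    project = {SSH_KEYS: add_ssh_key("", "bob", BOB_KEY)}       # project-wide key
    vm = {SSH_KEYS: add_ssh_key("", "alice", ALICE_KEY),        # instance-only key
          BLOCK_PROJECT_KEYS: "TRUE"}
    print(effective_ssh_users(project, vm))  # only alice can log in to this VM
```

Run `effective_ssh_users` against the metadata of each instance to audit who can SSH where before removing a departed user's keys from the project and every instance that carries them.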

Access control for virtual machine instances

If you run application code on instances and the application needs to authenticate to other Google Cloud Platform APIs, create service accounts and grant them specific access scopes and IAM roles, so that the application can authenticate to those Cloud Platform APIs on your behalf with only the permissions it needs.

To learn more about service accounts, read the Service Accounts documentation.

