This guide describes how you can exercise the principle of least privilege by granting access to specific Compute Engine resources instead of to a parent resource such as a project, folder, or organization.
You grant access to a resource by setting an Identity and Access Management (IAM) policy on the resource. The policy binds one or more members, such as a user or a service account, to one or more roles. Each role contains a list of permissions that let the member interact with the resource.
If you grant access to a parent resource (for example, to a project), you implicitly grant access to all its child resources (for example, to all VMs in that project). To limit access to resources, set IAM policies on lower-level resources when possible, instead of at the project level or above.
For general information about how to grant, change, and revoke access to resources unrelated to Compute Engine, for example, to grant access to a Google Cloud project, see the IAM documentation for Granting, changing, and revoking access to resources.
Before you begin
- If you want to use the command-line examples in this guide, do the following:
  - Install or update to the latest version of the Google Cloud CLI.
  - Set a default region and zone.
- If you want to use the API examples in this guide, set up API access.
- Review the IAM overview.
- Read the Compute Engine access control overview.
- Familiarize yourself with IAM roles for Compute Engine.
Supported resources
Compute Engine resources that support resource-level access control include the following:
- disks
- firewalls
- images
- instances
- instanceTemplates
- licenses
- machineImages
- nodeGroups
- nodeTemplates
- regionDisks
- reservations
- serviceAttachments
- snapshots
- subnetworks
For a full list of supported resources on Google Cloud, see Resource types that accept IAM policies.
For other Compute Engine resources that don't support resource-level access control, you must manage access to those resources at the project, folder, or organization levels. For information about organizations, folders, or projects, see Resource hierarchy.
Granting access to Compute Engine resources
Before you grant an IAM role to a user for a resource, check which roles are available to grant on a particular resource. For more information, see Viewing the grantable roles on resources.
To grant users permission to access specific Compute Engine resources, set an IAM policy on the resource.
Console
- In the Google Cloud console, go to the resource page for which you want to add permissions:
  - For instances, go to the VM instances page.
  - For zonal and regional disks, go to the Disks page.
  - For snapshots, go to the Snapshots page.
  - For images, go to the Images page.
  - For instance groups, go to the Instance groups page.
  - For instance templates, go to the Instance templates page.
  - For sole-tenant nodes, go to the Sole-tenant nodes page.
- Select the checkboxes next to the resources you want to update.
- Click Show info panel to expand the permissions column.
- In the Add members field, add one or more members.
- In the Select a role list, select one or more roles.
- Click Add to save your changes.
gcloud
To grant a role to a member on a resource, use the resource's add-iam-policy-binding subcommand with the --member and --role flags:
gcloud compute resource-type add-iam-policy-binding resource-name \
    --member='member' \
    --role='role'
Replace the following:
- resource-type: The type of resource. Valid values include: disks, images, instances, instance-templates, regionDisks, sole-tenancy node-groups, sole-tenancy node-templates, snapshots.
- resource-name: The name of the resource. For example, my_instance.
- member: A valid identity to which you want to grant the role. Must be of the form user|group|serviceAccount:email or domain:domain. For example: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, domain:example.domain.com.
- role: The role to assign to this identity.
If you are granting access to a resource that is currently in beta, use a gcloud beta compute command instead.
API
To modify an IAM policy through the API, do the following:
- Read the existing policy with the resource's getIamPolicy method. For example, the following HTTP request reads the IAM policy of a VM:
  POST https://compute.googleapis.com/compute/v1/projects/project-id/zones/zone/instances/instance:getIamPolicy
  Replace the following:
  - project-id: The ID of the project that this VM belongs to.
  - zone: The zone of the VM. For regional or global resources, replace zones/zone with regions/region or global.
  - instance: The name of the VM instance.
  Compute Engine returns the current policy in the response.
- Edit the policy with a text editor to add or remove members and their associated roles. For example, to grant the compute.admin role to email@example.com, add the following new binding to the policy:
  {
    "members": [
      "user:email@example.com"
    ],
    "role": "roles/compute.admin"
  }
- Write the updated policy with setIamPolicy():
  POST https://compute.googleapis.com/compute/v1/projects/project-id/zones/zone/instances/instance:setIamPolicy
  Replace the following:
  - project-id: The ID of the project that this VM belongs to.
  - zone: The zone of the VM. For regional or global resources, replace zones/zone with regions/region or global.
  - instance: The name of the VM instance.
  In the body of the request, provide the updated IAM policy from the previous step.
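The read-modify-write cycle above is where mistakes usually happen: a member string in the wrong form, a role that is not fully qualified, a duplicated binding, or an etag dropped so that a concurrent edit gets silently overwritten. The following added example (not Google's client library and not code from this page) performs the "edit the policy" step as a function over the policy JSON. It also enforces the member forms listed in the gcloud section (user|group|serviceAccount:email or domain:domain). The policy document and its etag are constructed stand-ins for a getIamPolicy response.

```python
"""Read-modify-write of a Compute Engine resource IAM policy: grant a role.

Added example, not Google's client library or this page's own code. The policy
below is a constructed stand-in for a getIamPolicy response; the etag value is
a placeholder.
"""
import copy
import json
import re

# The member forms the gcloud and API sections accept:
# user|group|serviceAccount:email, or domain:domain.
MEMBER_RE = re.compile(
    r"^(?:(?:user|group|serviceAccount):[^@\s]+@[^@\s]+\.[^@\s]+"
    r"|domain:[^\s:]+\.[^\s:]+)$"
)


def validate_member(member: str) -> str:
    """Reject identities that are not in one of the documented forms."""
    if not MEMBER_RE.match(member):
        raise ValueError(
            f"invalid member {member!r}: expected "
            "user|group|serviceAccount:email or domain:domain"
        )
    return member


def add_binding(policy: dict, member: str, role: str) -> dict:
    """Return a copy of `policy` in which `member` holds `role`.

    Idempotent: a member already bound to the role is not added twice.
    The etag returned by getIamPolicy is preserved so that setIamPolicy
    rejects the write if someone else changed the policy in between.
    """
    validate_member(member)
    if not role.startswith("roles/") and "/roles/" not in role:
        raise ValueError("role must be fully qualified, e.g. roles/compute.admin")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into an unconditional binding for this role; merging into
        # a conditional one would grant less than the caller asked for.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated


def set_iam_policy_body(policy: dict) -> str:
    """Serialize the setIamPolicy request body; Compute Engine takes the
    policy under a "policy" field of the request."""
    return json.dumps({"policy": policy}, indent=2, sort_keys=True)


# Constructed sample: shaped like a getIamPolicy response for one VM.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwPLACEHOLDER",  # placeholder etag, not a real value
    "bindings": [
        {"role": "roles/compute.viewer", "members": ["user:owner@example.com"]},
    ],
}

if __name__ == "__main__":
    updated = add_binding(CURRENT_POLICY, "user:email@example.com", "roles/compute.admin")
    print(set_iam_policy_body(updated))
```

Running the module prints the request body for the setIamPolicy step with the new compute.admin binding appended and the original etag still present. Keeping the etag is the check that turns a blind overwrite into a compare-and-set: if another administrator changed the policy between your getIamPolicy and setIamPolicy calls, the write is rejected instead of discarding their edit.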
Revoking access to resources
As a best practice, after members no longer need access to your Compute Engine resources, revoke their access.
Console
- In the Google Cloud console, go to the resource page for which you want to change permissions:
  - For instances, go to the VM instances page.
  - For zonal and regional disks, go to the Disks page.
  - For snapshots, go to the Snapshots page.
  - For images, go to the Images page.
  - For instance groups, go to the Instance groups page.
  - For instance templates, go to the Instance templates page.
  - For sole-tenant nodes, go to the Sole-tenant nodes page.
- Select the checkboxes next to the resources you want to update.
- Click Show info panel to expand the permissions column.
- Click the role card for the resource from which you want to remove members. This expands the card and shows members with that role for that resource.
- Click Delete to remove a member from that role.
gcloud
To remove a role from a member for a resource, use the resource's remove-iam-policy-binding subcommand with the --member and --role flags:
gcloud compute resource-type remove-iam-policy-binding resource-name \
    --member='member' \
    --role='role'
Replace the following:
- resource-type: The type of resource. Valid values include: disks, images, instances, instance-templates, regionDisks, sole-tenancy node-groups, sole-tenancy node-templates, snapshots.
- resource-name: The name of the resource. For example, my_instance.
- member: The identity you want to remove. Must be of the form user|group|serviceAccount:email or domain:domain. For example: user:test-user@gmail.com, group:admins@example.com, serviceAccount:test123@example.domain.com, domain:example.domain.com.
- role: The role from which you want to remove the identity.
If you are revoking access to a resource that is currently in beta, use a gcloud beta compute command instead.
API
To modify an IAM policy directly through the API, do the following:
- Read the existing policy with the resource's getIamPolicy method. For example, the following HTTP request reads the IAM policy of a VM:
  POST https://compute.googleapis.com/compute/v1/projects/project-id/zones/zone/instances/instance:getIamPolicy
  Replace the following:
  - project-id: The ID of the project that this VM belongs to.
  - zone: The zone of the VM. For regional or global resources, replace zones/zone with regions/region or global.
  - instance: The name of the VM instance.
  Compute Engine returns the current policy in the response.
- Edit the policy with a text editor to remove members from their associated roles. For example, remove email@example.com from the compute.admin role, so that the binding keeps only the remaining members:
  {
    "members": [
      "user:owner@example.com"
    ],
    "role": "roles/compute.admin"
  }
- Write the updated policy with setIamPolicy():
  POST https://compute.googleapis.com/compute/v1/projects/project-id/zones/zone/instances/instance:setIamPolicy
  Replace the following:
  - project-id: The ID of the project that this VM belongs to.
  - zone: The zone of the VM. For regional or global resources, replace zones/zone with regions/region or global.
  - instance: The name of the VM instance.
  In the body of the request, provide the updated IAM policy from the previous step.
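Revocation by hand has its own pitfalls: the member may hold the same role through a second, conditional binding that a quick edit misses, and a binding left with an empty members list is easy to overlook. The following added example (not Google's code and not from this page) performs the "edit the policy" step of the revocation as a function that strips the member from every binding for the role, drops bindings that become empty, keeps the etag for the setIamPolicy write, and offers a post-revocation check of who still holds the role. The policy document is a constructed sample shaped like a getIamPolicy response.

```python
"""Read-modify-write of a resource IAM policy: revoke a member's role.

Added example, not Google's client library or this page's own code. The policy
is a constructed sample shaped like a getIamPolicy response; the etag is a
placeholder.
"""
import copy


def remove_binding(policy: dict, member: str, role: str) -> dict:
    """Return a copy of `policy` with `member` removed from every binding for `role`.

    Conditional bindings for the same role are covered too, so the member does
    not keep the role through a leftover conditional grant. Bindings left with
    no members are dropped. The etag is kept so that setIamPolicy can detect a
    concurrent modification and reject the stale write.
    """
    updated = copy.deepcopy(policy)
    kept = []
    found = False
    for binding in updated.get("bindings", []):
        if binding.get("role") == role and member in binding.get("members", []):
            found = True
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding.get("members"):
            kept.append(binding)
    if not found:
        raise LookupError(f"{member} does not hold {role} on this resource")
    updated["bindings"] = kept
    return updated


def members_with_role(policy: dict, role: str) -> list:
    """List everyone who holds `role` in this policy, as a post-revocation check."""
    return sorted(
        m
        for b in policy.get("bindings", [])
        if b.get("role") == role
        for m in b.get("members", [])
    )


# Constructed sample: one VM where email@example.com holds two roles.
CURRENT_POLICY = {
    "version": 1,
    "etag": "BwPLACEHOLDER",  # placeholder etag, not a real value
    "bindings": [
        {
            "role": "roles/compute.admin",
            "members": ["user:owner@example.com", "user:email@example.com"],
        },
        {"role": "roles/compute.viewer", "members": ["user:email@example.com"]},
    ],
}

if __name__ == "__main__":
    after = remove_binding(CURRENT_POLICY, "user:email@example.com", "roles/compute.admin")
    print("compute.admin holders:", members_with_role(after, "roles/compute.admin"))
```

Note that removing a member from compute.admin does not touch that member's other bindings on the resource; revoking the viewer role is a second call. That separation mirrors what the page's API step does (one binding edited per change), and the members_with_role check is the confirmation a reviewer wants before the setIamPolicy write: the member is gone from the role, and nobody else was removed by accident.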
Testing whether a caller has permissions
If you don't know what permissions an identity has, use the testIamPermissions API method to check which permissions are available to that identity.
The method takes a resource URL and a set of permissions as input parameters, and returns the subset of those permissions that the caller holds. You can use this method on any of the supported resources.
Typically, testIamPermissions is intended for integration with your proprietary software, such as a customized graphical user interface. You typically don't call testIamPermissions if you're using Google Cloud directly to manage permissions.
For example, if you are building a GUI on top of the Compute Engine API and your GUI has a "start" button that starts an instance, you could call compute.instances.testIamPermissions() to determine whether the button should be enabled or disabled.
To test whether a caller has specific permissions on a resource:
- Send a request to the resource and include in the request body a list of permissions to check for. For example, on an instance, you might check for compute.instances.start, compute.instances.stop, and compute.instances.delete:
  POST https://compute.googleapis.com/compute/v1/projects/project-id/zones/zone/instances/instance-name/testIamPermissions
  {
    "permissions": [
      "compute.instances.start",
      "compute.instances.stop",
      "compute.instances.delete"
    ]
  }
- The request returns the permissions that are enabled for the caller:
  {
    "permissions": [
      "compute.instances.start",
      "compute.instances.stop"
    ]
  }
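To make the request/response shape above concrete, the following added example (not Google's implementation and not code from this page) models the check offline: given a resource-level policy, a caller, and the requested permission list, it returns the allowed subset in the same shape as the API response, and then derives the enabled/disabled state of the GUI buttons the text describes. The policy, the role-to-permission map, and the vmOperator custom role are all constructed for the example; the map lists only a handful of each role's permissions. Two things the real service does that this model leaves out: it also evaluates bindings inherited from the project, folder, and organization, and it resolves the caller's group memberships rather than matching the caller string literally.

```python
"""Offline model of the testIamPermissions check behind a GUI button.

Added example, not Google's implementation and not this page's code. The
policy and the role-to-permission map are constructed samples; the
vmOperator custom role is invented for the example. Inherited (project,
folder, organization) bindings and group expansion are not modelled.
"""

START = "compute.instances.start"
STOP = "compute.instances.stop"
DELETE = "compute.instances.delete"

# Constructed subset of role contents; a real role has many more permissions.
ROLE_PERMISSIONS = {
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get", START, STOP, DELETE},
    # Hypothetical custom role: may start and stop VMs but never delete them.
    "projects/example-project/roles/vmOperator": {"compute.instances.get", START, STOP},
}

# Constructed resource-level policy on one VM.
POLICY = {
    "etag": "BwPLACEHOLDER",  # placeholder etag, not a real value
    "bindings": [
        {
            "role": "projects/example-project/roles/vmOperator",
            "members": ["user:operator@example.com"],
        },
        {
            "role": "roles/compute.instanceAdmin.v1",
            "members": ["group:admins@example.com"],
        },
    ],
}


def allowed_permissions(policy, caller, requested, role_permissions=ROLE_PERMISSIONS):
    """Return the subset of `requested` that `caller` holds under `policy`.

    Same shape as the API: a list of permissions in, the allowed ones out, in
    request order. Roles absent from the map contribute no permissions.
    """
    held = set()
    for binding in policy.get("bindings", []):
        if caller in binding.get("members", []):
            held |= role_permissions.get(binding["role"], set())
    return [p for p in requested if p in held]


def button_states(policy, caller):
    """Map the GUI's VM-control buttons to enabled/disabled from one check."""
    buttons = {"start": START, "stop": STOP, "delete": DELETE}
    allowed = set(allowed_permissions(policy, caller, list(buttons.values())))
    return {name: perm in allowed for name, perm in buttons.items()}


if __name__ == "__main__":
    for caller in ("user:operator@example.com", "group:admins@example.com", "user:nobody@example.com"):
        print(caller, button_states(POLICY, caller))
```

For user:operator@example.com the model returns exactly the response shown above (start and stop, but not delete), so the GUI enables two buttons and greys out Delete. The point of routing the decision through one permission check rather than hard-coding it per role is that the GUI keeps working when an administrator swaps a predefined role for a narrower custom one: the button states follow the permissions actually held.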
Modifying resource access for multiple members
If you want to modify access to Compute Engine resources for multiple members simultaneously, review recommendations on how to modify an IAM policy programmatically.
What's next
- Learn how to manage access to custom images with IAM.
- Learn more about Service accounts.
- Learn more about Compute Engine IAM roles.
- Learn more about the permissions that are included in predefined Compute Engine IAM roles.
- Learn how to create and manage custom roles.