Grant access to project resources

An Application Operator can add other Application Operators to the project through the GDC console and access to project resources.

Before you begin

Permissions are required to set up or remove role bindings. Ask your Project IAM Admin or Organization IAM Admin to grant you the Project IAM Admin role.

Set up role bindings

Work through the following steps to set up role bindings:

Console

  1. Sign in to the GDC air-gapped appliance console. For example, the following image signs in to the GDC console for an organization named org-1:
  2. Click Select project in the menu bar. Select one of the existing projects you want to set up the role binding in, then click Open. The selected project displays after your org name in the menu bar. The following example shows the selected iam-test project:
  3. In the navigation menu, click Identity & Access and Access.
  4. Click Add member.
  5. In the Identity provider dropdown menu, select an identity provider.
  6. After Member type, choose whether you want to add individual users with User, or groups with Group. The following example shows User selected:
  7. In the Username or group alias field, enter the username, email address, or alias.
  8. In the Roles drop-down list, select the role that you want to assign to the user or group, such as Project Viewer. You can bind the selected user or group with multiple roles at a time by clicking Add Another Role.
  9. Click Add.

gdcloud

  1. Ensure you have the gdcloud CLI installed.

  2. Sign in using the gdcloud auth login command to authenticate with your identity provider. For more information, see the gdcloud CLI authentication.

  3. Set up role bindings for a project:

    gdcloud projects add-iam-policy-binding PROJECT \
  --member=USER_ACCOUNT \
  --role=ROLE

    Replace the following variables:

    • PROJECT: the name of the project for which you're setting up the role binding.
    • USER_ACCOUNT: the user account to which you want to grant the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
    • ROLE: the name of the predefined or custom role you want to assign to the user.

Remove role bindings

When access is no longer required, remove a member and their associated roles, permissions, and access.

To remove members, work through the following steps:

Console

  1. Sign in to the GDC air-gapped appliance console.
  2. Click Select project in the menu bar. Select one of the existing projects you want to set up the role binding in, then click Open. The selected project displays after your org name in the menu bar.
  3. In the navigation menu, click Identity & Access and Access.
  4. In the authorized members list, select a member. You can remove multiple members at a time by selecting multiple members in the list.
  5. Click Remove All Access to remove all the role bindings associated with a member from your current project.
  6. When prompted, click Remove Member to confirm.

gdcloud

  1. Ensure you have the gdcloud CLI installed.

  2. Sign in using the gdcloud auth login command to authenticate with your identity provider. For more information, see the gdcloud CLI authentication.

  3. Remove role bindings for a project:

    gdcloud projects remove-iam-policy-binding PROJECT \
  --member=USER_ACCOUNT \
  --role=ROLE

    Replace the following variables:

    • PROJECT: the name of the project from which you're removing the role binding.
    • USER_ACCOUNT: the user account from which you want to remove the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
    • ROLE: the name of the predefined or custom role you want to remove from the user account.