Stay organized with collections
Save and categorize content based on your preferences.
This page describes the API access control options available to you in
Cloud Endpoints.
Overview
Endpoints uses
Identity and Access Management (IAM)
to control access to your API. You can grant access to your API at the project
level and at the individual Endpoints service level. For example,
you can:
Grant access to principals on a per-service basis.
Grant permission to a user or service account to deploy an updated
Endpoints configuration.
Grant access to your API users so they can enable your API in their own
Google Cloud project.
Roles that control access to services
You can grant the following roles for a specific service on the Endpoints >
Services page in the Google Cloud console, by using the API, or by
using the Google Cloud CLI.
IAM role name
Role title
Description
roles/servicemanagement.serviceConsumer
Service Consumer
Permissions for a principal to view and enable the API in their own
project. You can grant the Service Consumer role only to Google
Accounts, Google Groups, or service accounts.
roles/servicemanagement.serviceController
Service Controller
Permissions to make calls to the check and
report methods in the
Service Infrastructure
API during runtime. This role is usually granted to service accounts. See
the Service Management API access control
topic for information about this role.
roles/servicemanagement.configEditor
Service Config Editor
Permission to deploy Endpoints configurations. This role is
more restrictive than the Project Editor role granted on a service.
roles/servicemanagement.admin
Service Management Administrator
All Service Config Editor permissions and permissions to manage
access to the API. Comparable to the Project Owner role granted on
a service.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[[["This page outlines how Cloud Endpoints uses Identity and Access Management (IAM) to control access to APIs at both the project and individual service levels."],["You can grant specific roles such as Service Consumer, Service Controller, Service Config Editor, and Service Management Administrator to manage different aspects of API access and configuration."],["The Service Consumer role allows principals to view and enable the API, while the Service Controller role provides permissions for runtime calls to the Service Infrastructure API."],["The Service Config Editor role enables the deployment of Endpoints configurations, and the Service Management Administrator role provides full control over API access and configuration."],["The recommended practice is to primarily use the provided list of roles to manage your API access, though others are available at the service level."]]],[]]
