Overview of API access

This page describes the API access control options available to you in Cloud Endpoints.

Overview

Endpoints uses Cloud Identity and Access Management (Cloud IAM) to control access to your API. You can grant access to your API at the project level and at the individual Endpoints service level. For example, you can:

Grant access to project members on a per-service basis.
Grant permission to a user or service account to deploy an updated Endpoints configuration.
Grant access to your API users so they can enable your API in their own Google Cloud project.

Roles that control access to services

You can grant the following roles for a specific service on the Endpoints > Services page in the Google Cloud Console, by using the API, or by using the gcloud command-line tool.

Cloud IAM role name	Role title	Description
`roles/servicemanagement.serviceConsumer`	Service Consumer	Permissions for a non-project member to view and enable the API in their own project. You can grant the Service Consumer role only to Google Accounts, Google Groups, or service accounts. If you have created a portal for your API, this role lets your API users access the portal. See the Service Management API access control topic for information about this role.
`roles/servicemanagement.serviceController`	Service Controller	Permissions to make calls to the `check` and `report` methods in the Service Infrastructure API during runtime. This role is usually granted to service accounts. See the Service Management API access control topic for information about this role.
`roles/servicemanagement.configEditor`	Service Config Editor	Permission to deploy Endpoints configurations. This role is more restrictive than the Project Editor role granted on a service.
`roles/servicemanagement.admin`	Service Management Administrator	All Service Config Editor permissions and permissions to manage access to the API. Comparable to the Project Owner role granted on a service.

Endpoints portal permissions

The Endpoints Portal Admin role, which is a project-level role, contains the following permissions.

Permission	Description
`endpoints.portals.listCustomDomains`	Permission to access the Endpoints portal page in the Cloud Console. Project members granted the Project Viewer role also have this permission.
`endpoints.portals.attachCustomDomain`	Permission to add a custom domain on the Endpoints portal page in the Cloud Console. Project members granted the Project Editor role also have this permission.
`endpoints.portals.detachCustomDomain`	Permission to delete a custom domain on the Endpoints portal page in the Cloud Console. Project members granted the Project Editor role also have this permission.
`endpoints.portals.update`	On the portal created for an API, permission to access the Site Wide tab on the Settings page to change settings such as the color and logo used on the portal.

What's next

Was this page helpful? Let us know how we did:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated December 5, 2019.