Overview of API Access

This page describes the API access control options available to you in Google Cloud Endpoints.


Cloud Endpoints uses Google Cloud Identity and Access Management (IAM) for API access control.

In Cloud Endpoints, API access control can be configured at the project level and at the individual API level. For example, you can:

  • Grant access on a per-API basis, rather than for the whole Cloud project.
  • Grant access to your API users so they can enable the API in their own Cloud project.
  • Grant access to all Cloud Endpoints APIs within a project to a group of developers.

For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management Documentation.


The following roles can be granted for an API.

IAM Role Name Role Title Description
roles/servicemanagement.serviceConsumer Service Consumer Permissions for a non-project member to view and enable the API in API Manager in the Cloud Platform Console in their own project.
roles/servicemanagement.serviceController Service Controller Permissions to make check and report calls to Service Control during runtime. This is usually given to Service Accounts.
roles/viewer Viewer Permissions for a project member to view the service configuration.
roles/editor Editor All viewer permissions and permissions for a project member to deploy the service configuration.
roles/owner Owner All editor permissions and permissions for a project member to manage access.

Note the following:

  • The Service Consumer role is restricted to only Google account emails, Google Groups, and service accounts.

  • When you grant someone the Owner, Editor, or Viewer role for an API, you must also grant them the Project Viewer role (or a Project role with a higher-level of access) on your Cloud project.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Endpoints Frameworks for App Engine