This page describes the API access control options available to you in Google Cloud Endpoints.
Overview
Cloud Endpoints uses Google Cloud Identity and Access Management (IAM) for API access control.
In Cloud Endpoints, API access control can be configured at the project level and at the individual API level. For example, you can:
- Grant access on a per-API basis, rather than for the whole Cloud project.
- Grant access to your API users so they can enable the API in their own Cloud project.
- Grant access to all Cloud Endpoints APIs within a project to a group of developers.
For a detailed description of IAM and its features, see the Google Cloud Identity and Access Management Documentation.
Roles
The following roles can be granted for an API.
| IAM Role Name | Role Title | Description |
| roles/servicemanagement.serviceConsumer | Service Consumer | Permissions for a non-project member to view and enable the API in API Manager in the Cloud Platform Console in their own project. |
| roles/servicemanagement.serviceController | Service Controller | Permissions to make check and report calls to Service Control during runtime. This is usually given to Service Accounts. |
| roles/viewer | Viewer | Permissions for a project member to view the service configuration. |
| roles/editor | Editor | All viewer permissions and permissions for a project member to deploy the service configuration. |
| roles/owner | Owner | All editor permissions and permissions for a project member to manage access. |
Note the following:
-
The Service Consumer role is restricted to only Google account emails, Google Groups, and service accounts.
-
When you grant someone the Owner, Editor, or Viewer role for an API, you must also grant them the Project Viewer role (or a Project role with a higher-level of access) on your Cloud project.
