If an API requires an API key
or any sort of authentication, then users of your API must enable it in their
own Cloud projects before they can call it. This page shows you how to control
who can enable your API.
By default, a Google Cloud Endpoints service is private to the project that it
was created in. Only the Cloud project members can see it in the APIs list on
the Endpoints dashboard. Additionally, only keys from that same project can be
used for those API methods that require a key. When you grant someone who is not
a project member access to your API, they can enable your service in
their own project and generate an API key, if one is needed.
Granting Access
Cloud Endpoints uses the Google Cloud Identity and Access Management (IAM)
Service Consumer role to allow someone who is not a member of
your Cloud project to enable your API in their own Cloud project. (In previous
versions of Cloud Endpoints, the "Share an API" feature did not use
IAM.) You can grant access using the GCP Console or the command
line.
Console
- In the GCP Console, go to the Endpoints dashboard for
your project.
Endpoints Dashboard
- Click the name of the API you want to grant access to.
- If the Permissions side panel is not open, click +Permissions.
- In the Add members field, enter the email address of the person you want
to grant access to, or enter the name of the
Google Group that contain the members
you want to grant access to.
- In the Select a role drop-down, select Service Consumer, which maps
to the IAM role roles/servicemanagement.serviceConsumer.
- Repeat adding members and selecting the role, as needed.
- Click Add to add the member(s) to the IAM role.
- Contact the users or groups that you added and let them know they can
enable the API in their projects. See
Enable an API in Your Cloud Project
for information on how to enable a service in APIs & services.
Command Line
- Open Cloud Shell, or if you have the Cloud SDK installed, open a terminal window.
- If you are granting access to an individual user, invoke the following:
gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
--member='user:[EMAIL-ADDRESS]' \
--role='roles/servicemanagement.serviceConsumer'
|
For example:
gcloud endpoints services add-iam-policy-binding example-service-name \
--member='user:example-user@gmail.com' \
--role='roles/servicemanagement.serviceConsumer'
|
- If you are granting access to a Google Group, invoke the following:
gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
--member='group:[GROUP-NAME]@googlegroups.com' \
--role='roles/servicemanagement.serviceConsumer'
|
For example:
gcloud endpoints services add-iam-policy-binding example-service-name \
--member='group:example-group@googlegroups.com' \
--role='roles/servicemanagement.serviceConsumer'
|
- Contact the users or groups that you added and let them know they can enable
the API in their projects. See
Enable an API in Your Cloud Project
for information on how to enable a service in APIs & services.
Revoking Access
You revoke access to your API by removing the IAM Service Consumer role from a
user or group that previously had the role. After you revoke someone's access,
they will no longer be able to find and enable your API.
Important: If someone has already activated your API, revoking access will
not prevent them from calling your API. Although there is no easy way to to
prevent these calls post-activation, you could
restrict access by API key
and then add logic that disallows calls from that consumer's API key.
You can revoke access using the console or the command line.
Console
- In the GCP Console, go to the Endpoints dashboard for
your project.
Endpoints Dashboard
- Click the name of the API you want to revoke access to.
- If the Permissions side panel is not open, click +Permissions.
- Click on the Role card that the member belongs to. Alternatively, you can
search for the member by using Search members field
- Hover over the member and click the trash can to remove the member from the
role.
Command Line
- If you are revoking access for an individual user, invoke the following:
gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
--member='user:[EMAIL-ADDRESS]' --role='[ROLE-NAME]'
|
For example:
gcloud endpoints services remove-iam-policy-binding example-service-name \
--member='user:example-user@gmail.com' \
--role='roles/servicemanagement.serviceConsumer'
|
- If you are revoking access for a Google Group, invoke the following:
gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
--member='group:[GROUP-NAME]@googlegroups.com' \
--role='[ROLE-NAME]'
|
For example:
gcloud endpoints services remove-iam-policy-binding example-service-name \
--member='group:example-group@googlegroups.com' \
--role='roles/servicemanagement.serviceConsumer'
|
