This page describes the API access control options available to you in Cloud Endpoints.
Overview
Cloud Endpoints uses Cloud Identity and Access Management (Cloud IAM) for API access control.
In Cloud Endpoints, API access control can be configured at the project level and at the individual service level. For example, you can:
- Grant access to project members on a per-service basis.
- Grant access to your API users so they can enable your API in their own Cloud project.
Roles that control access to services
The following roles can be granted for a specific service on the Endpoints >
Services page in the Google Cloud Platform (GCP) Console, by using the
API, or by using the gcloud command-line tool.
| Cloud IAM Role Name | Role Title | Description |
| roles/servicemanagement.serviceConsumer | Service Consumer | Permissions for a non-project member to view and enable the API in API Manager in their own project. Additionally, if you have created a portal for your API, this role allows your API users to access the portal. See the Service Management Access Control topic for information about this role. |
| roles/servicemanagement.serviceController | Service Controller | Permissions to make check and report calls to Service Control during runtime. This role is usually granted to service accounts. See the Service Management Access Control topic for information about this role. |
| roles/servicemanagement.configEditor | Service Config Editor | Permission to deploy service configurations. This role is much more restrictive than the Editor role granted on a service. |
| roles/servicemanagement.admin | Service Management Administrator | All Service Config Editor permissions and permissions to manage access to the API. Comparable to the Owner role granted on a service. |
| roles/viewer | Viewer | Includes permissions for a project member to view the service configuration. |
| roles/editor | Editor | All viewer permissions plus permissions to deploy the service configuration. |
| roles/owner | Owner | All editor permissions plus permissions to manage access to the service. |
Notes:
-
The Service Consumer role can only be granted to Google accounts, Google Groups, or service accounts.
-
If you have granted someone the Viewer, Editor, or Owner role on an Endpoints service, and they are not members of the GCP project, you must grant them the Project Viewer role or a higher role on the project. The Project Viewer role allows members read access to the GCP Console. See Granting, Changing, and Revoking Access to Project Members for more information.
Cloud Endpoints Portal permissions
The Endpoints Portal Admin role, which is a project-level role, contains all of the following permissions.
| Permission | Description |
| endpoints.portals.listCustomDomains | Permission to access the Endpoints > Developer Portal page in the GCP Console. Project members granted the Project Viewer role also have this permission. |
| endpoints.portals.attachCustomDomain | Permission to add a custom domain on the Endpoints > Developer Portal page in the GCP Console. Project members granted the Project Editor role also have this permission. |
| endpoints.portals.detachCustomDomain | Permission to delete a custom domain on the Endpoints > Developer Portal page in the GCP Console. Project members granted the Project Editor role also have this permission. |
| endpoints.portals.update | On the portal created for an API, permission to access the Site Wide tab on the Settings page to change things such as the color and logo used on the portal. To access the API tab on the Settings page, a project member must be granted the Editor role on the API. See Controlling API Access of Project Members for information on how to assign these roles. |
