This page describes the API access control options available to you in
Cloud Endpoints.
Overview
Endpoints uses
Identity and Access Management (IAM)
to control access to your API. You can grant access to your API at the project
level and at the individual Endpoints service level. For example,
you can:
Grant access to principals on a per-service basis.
Grant permission to a user or service account to deploy an updated
Endpoints configuration.
Grant access to your API users so they can enable your API in their own
Google Cloud project.
Roles that control access to services
You can grant the following roles for a specific service on the Endpoints >
Services page in the Google Cloud console, by using the API, or by
using the Google Cloud CLI.
IAM role name
Role title
Description
roles/servicemanagement.serviceConsumer
Service Consumer
Permissions for a principal to view and enable the API in their own
project. You can grant the Service Consumer role only to Google
Accounts, Google Groups, or service accounts.
roles/servicemanagement.serviceController
Service Controller
Permissions to make calls to the check and
report methods in the
Service Infrastructure
API during runtime. This role is usually granted to service accounts. See
the Service Management API access control
topic for information about this role.
roles/servicemanagement.configEditor
Service Config Editor
Permission to deploy Endpoints configurations. This role is
more restrictive than the Project Editor role granted on a service.
roles/servicemanagement.admin
Service Management Administrator
All Service Config Editor permissions and permissions to manage
access to the API. Comparable to the Project Owner role granted on
a service.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-02 UTC."],[[["Cloud Endpoints utilizes Identity and Access Management (IAM) to manage API access, allowing permissions to be set at both the project and individual service levels."],["The Service Consumer role permits principals to view and enable an API within their own Google Cloud project, and can only be granted to Google Accounts, Google Groups, or service accounts."],["The Service Controller role grants permission to invoke the `check` and `report` methods in the Service Infrastructure API during runtime, and is typically assigned to service accounts."],["The Service Config Editor role enables the deployment of Endpoints configurations, offering more restricted permissions compared to the Project Editor role at the service level."],["The Service Management Administrator role includes all permissions of the Service Config Editor, and grants the ability to manage API access, resembling the Project Owner role at a service level."]]],[]]
