Controlling who can enable your API

API keys are associated with the Google Cloud Platform (GCP) in which they have been created. If your API requires an API key, you either have to give your API users a key from the project that you created the Cloud Endpoints service in, or you can let users enable your API in their own GCP project and create an API key. This page shows you how to grant the permission that users need to enable your API.

Granting access

Endpoints uses the Cloud Identity and Access Management (Cloud IAM) Service Consumer role to allow someone who isn't a member of your GCP project to enable your API in their own GCP project. This section shows you how to grant access using the GCP Console or the gcloud command-line tool.

GCP Console

  1. In the GCP Console, go to the Endpoints > Services page for your project.

    Endpoints Services

  2. If you have more than one API, click the name of the API that you want to grant access to.
  3. If the Permissions side panel isn't open, click +Permissions.
  4. In the Add members field, enter the email address of the person or Google Group that you want to grant access to.
  5. In the Select a role drop-down, select Service Management > Service Consumer.
  6. Click Add to add the member to the role.
  7. Repeat adding members and selecting the role, as needed.
  8. Contact the users or groups that you added and let them know they can enable the API in their GCP projects. See Enable an API in your GCP project for information on how to enable a service in APIs & services.

gcloud

  1. Open Cloud Shell, or if you have the Cloud SDK installed, open a terminal window.
    • If you are granting access to an individual user:
      gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
            --member='user:EMAIL-NAME@gmail.com' \
            --role='roles/servicemanagement.serviceConsumer'
      
    • If you are granting access to a Google Group:
      gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
            --member='group:GROUP-NAME@googlegroups.com' \
            --role='roles/servicemanagement.serviceConsumer'
      
  2. Contact the users or groups that you added and let them know they can enable the API in their GCP projects. See Enable an API in your GCP project for information on how to enable a service in APIs & services.

Revoking access

You revoke access to your API by removing the Service Consumer role from a user or group that previously had the role. After you revoke someone's access, they won't be able to enable your API.

This section shows you how to revoke access using the GCP Console or the gcloud command-line tool.

GCP Console

  1. In the GCP Console, go to the Endpoints > Services page for your GCP project.

    Endpoints Services

  2. If you have more than one API, click the name of the API that you want to revoke access to.
  3. If the Permissions side panel isn't open, click +Permissions.
  4. Click the Role card that the member belongs to.
  5. Click Delete delete.

gcloud

  • If you are revoking access for an individual user:
    gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
          --member='user:'EMAIL-NAME@gmail.com' --role='roles/servicemanagement.serviceConsumer'
    
  • If you are revoking access for a Google Group:
    gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
          --member='group:GROUP-NAME@googlegroups.com' \
          --role='roles/servicemanagement.serviceConsumer'
    

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Endpoints with gRPC
Need help? Visit our support page.