This page describes the API access control options available to you in Cloud Endpoints.
Overview
Endpoints uses Identity and Access Management (IAM) to control access to your API. You can grant access to your API at the project level and at the individual Endpoints service level. For example, you can:
- Grant access to principals on a per-service basis.
- Grant permission to a user or service account to deploy an updated Endpoints configuration.
- Grant access to your API users so they can enable your API in their own Google Cloud project.
Roles that control access to services
You can grant the following roles for a specific service on the Endpoints > Services page in the Google Cloud console, by using the API, or by using the Google Cloud CLI.
| IAM role name | Role title | Description |
|---|---|---|
roles/servicemanagement.serviceConsumer |
Service Consumer | Permissions for a principal to view and enable the API in their own project. You can grant the Service Consumer role only to Google Accounts, Google Groups, or service accounts. |
roles/servicemanagement.serviceController |
Service Controller | Permissions to make calls to the check and
report methods in the
Service Infrastructure
API during runtime. This role is usually granted to service accounts. See
the Service Management API access control
topic for information about this role. |
roles/servicemanagement.configEditor |
Service Config Editor | Permission to deploy Endpoints configurations. This role is more restrictive than the Project Editor role granted on a service. |
roles/servicemanagement.admin |
Service Management Administrator | All Service Config Editor permissions and permissions to manage access to the API. Comparable to the Project Owner role granted on a service. |