Granting Access to the API

Controlling who has access to an API is an integral part of development. For example, as you test your API, you might need to allow other team members to deploy new service configurations. By default, only the project owner can manage the access to an API. This page shows you how to change this default behavior to grant other team members access to help manage the API.

Granting access to team members or groups

Cloud Endpoints uses the Google Cloud Identity and Access Management (IAM) roles to grant API access to your team members. You can grant access using the GCP Console or the command line.

Console

  1. In the GCP Console, go to the Endpoints > Services page for your project.

    Endpoints Services

  2. To change the access to an API, click the name of the API.
  3. If the Permissions side panel is not open, click +Permissions.
  4. To grant access to a user, enter the email address of the user in the Add members field. To grant access to a group, enter the name of the Google Group in the Add members field.
  5. In the Select a role drop-down, click Project, and select one of the following roles:
    • Viewer: Grant this role to a team member who only requires view access to the service configuration. Examples of this role are a developer who only needs access to the API definition to perform development tasks, or someone who is an auditor for your team.
    • Editor: Grant this role to a team member who is allowed to deploy the service configuration. This role has all Viewer permissions as well. Examples of this role are the lead developer or a team member responsible for devops.
    • Owner: Grant this role to a team member who is allowed to manage access control to the API. This role has all Editor permissions as well. Examples of this role are the lead developer or a manager.
  6. Repeat adding members and selecting the role, as needed.
  7. Click Add to add the member or members to the specified IAM role.
  8. If the people you just added are not members of the GCP project, you must also grant them the Project Viewer role or a higher role on the project. The Project Viewer role grants members read access to the GCP Console. See Granting, Changing, and Revoking Access to Project Members for details.

Command Line

  1. Open Cloud Shell, or if you have the Cloud SDK installed, open a terminal window.
    • If you are granting access to a team member, invoke the following:
      gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
            --member='user:[EMAIL-ADDRESS]' \
            --role='[ROLE]'
      

      For the role, specify one of the following IAM roles:

      • roles/viewer: Grant this role to a team member who only requires view access to the service configuration. Examples of this role are a developer who only needs access to the API definition to perform their development tasks, or someone who is an auditor for your team.
      • roles/editor: Grant this role to a team member who is allowed to deploy the service configuration. This role has all roles/viewer permissions as well. Examples of this role are the lead developer or a team member responsible for devops.
      • roles/owner: Grant this role to a team member who is allowed to manage access control to the API. This role has all roles/editor permissions as well. Examples of this role are the lead developer or a manager.

      For example:

      gcloud endpoints services add-iam-policy-binding example-service-name \
            --member='user:example-user@gmail.com' \
            --role='roles/editor'
      
    • If you are granting access to a Google Group, invoke the following:
      gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
            --member='group:[GROUP-NAME]@googlegroups.com' \
            --role='[ROLE]'
      

      For example:

      gcloud endpoints services add-iam-policy-binding example-service-name \
            --member='group:example-group@googlegroups.com' \
            --role='roles/viewer'
      
    • If the people you just added are not members of the GCP project, you must also grant them the Project Viewer role or a higher role on the project. The Project Viewer role grants members read access to the GCP Console. See Granting, Changing, and Revoking Access to Project Members for details.

Revoking access to team members or groups

To revoke access to your API, remove the IAM role from a team member or group that previously had the role. You can revoke access using the console or the command line.

Console

  1. In the GCP Console, go to the Endpoints > Services page for your project.

    Endpoints Services

  2. To remove the access from an API, click the name of the API.
  3. If the Permissions side panel is not open, click +Permissions.
  4. Click the Role card that the member belongs to. Alternatively, you can search for the member by using the Search members field.
  5. Hover over the member and click the trash can to remove the member from the role.

Command Line

  1. Open the Cloud Shell, or, if you have the Cloud SDK installed, open a terminal window.
    • If you are revoking access for a team member, invoke the following:
      gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
            --member='user:[EMAIL-ADDRESS]' --role='[ROLE-NAME]'
      

      For example:

      gcloud endpoints services remove-iam-policy-binding example-service-name \
            --member='user:example-user@gmail.com' \
            --role='roles/editor'
      
    • If you are revoking access for a Google Group, invoke the following:
      gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
            --member='group:[GROUP-NAME]@googlegroups.com' \
            --role='[ROLE-NAME]'
      

      For example:

      gcloud endpoints services remove-iam-policy-binding example-service-name \
            --member='group:example-group@googlegroups.com' \
            --role='roles/viewer'
      
  2. If you also want to revoke access to your GCP project, see Granting, Changing, and Revoking Access to Project Members for details.
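
The grant and revoke commands above can be derived from an access review rather than typed one at a time. The following is an added example, not part of the original page or of Google's tooling: it compares a service's current IAM policy with a desired member-to-role mapping and returns the add-iam-policy-binding and remove-iam-policy-binding commands needed to close the gap. The policy is a constructed sample in the shape printed by `gcloud endpoints services get-iam-policy example-service-name --format=json`; the members, the DESIRED mapping and the function names are assumptions made for illustration.

```python
import json
import shlex

# Constructed sample policy (not real data), in the JSON shape of
# `gcloud endpoints services get-iam-policy example-service-name --format=json`.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner", "members": ["user:lead@example.com"]},
  {"role": "roles/editor", "members": ["user:example-user@gmail.com",
                                       "user:former-dev@example.com"]},
  {"role": "roles/viewer", "members": ["group:example-group@googlegroups.com"]}
], "etag": "constructed", "version": 1}""")

# Desired state (constructed): each member mapped to the one role it should hold.
DESIRED = {
    "user:lead@example.com": "roles/owner",
    "user:example-user@gmail.com": "roles/viewer",       # downgrade from editor
    "group:example-group@googlegroups.com": "roles/viewer",
    "group:deployers@googlegroups.com": "roles/editor",  # new grant
}
MANAGED_ROLES = ("roles/viewer", "roles/editor", "roles/owner")


def current_bindings(policy):
    """Return (member, role) pairs for the three roles this page describes."""
    return {(member, binding["role"])
            for binding in policy.get("bindings", [])
            if binding["role"] in MANAGED_ROLES
            for member in binding.get("members", [])}


def reconcile(service, policy, desired):
    """Return gcloud commands (grants first, then revocations) to reach `desired`."""
    have = current_bindings(policy)
    want = set(desired.items())
    for member, role in want:
        if role not in MANAGED_ROLES or not member.startswith(("user:", "group:")):
            raise ValueError(f"unsupported binding: {member} {role}")

    def cmd(verb, member, role):
        return (f"gcloud endpoints services {verb}-iam-policy-binding "
                f"{shlex.quote(service)} --member={shlex.quote(member)} "
                f"--role={shlex.quote(role)}")

    grants = [cmd("add", m, r) for m, r in sorted(want - have)]
    revokes = [cmd("remove", m, r) for m, r in sorted(have - want)]
    return grants + revokes


if __name__ == "__main__":
    print("\n".join(reconcile("example-service-name", SAMPLE_POLICY, DESIRED)))
```

Any member present in the policy but absent from the desired mapping, such as the constructed former-dev account, appears in the output as a revocation.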