Controlling API Access of Project Members

A common scenario when producing an API is to collaborate with other team members. By default, an API can only be managed by the project owner. This page shows you how to change this default behavior so other team members can help manage the API.

Granting Access

Cloud Endpoints uses Google Cloud Identity and Access Management (IAM) roles to grant API access to your team members. You can grant access using the Cloud Platform Console or the command line. The roles described here govern management of the service (viewing and deploying its configuration, and controlling who may do so), not calling the API itself; grant each member the least permissive role that covers their tasks.

Console

  1. In the Cloud Platform Console, go to the Endpoints dashboard for your project.

  2. Click the name of the API you want to grant access to.
  3. If the Permissions side panel is not open, click +Permissions.
  4. In the Add members field, enter the email address of the person you want to grant access to, or enter the name of the Google Group that contains the members you want to grant access to.
  5. In the Select a role drop-down, select one of the following roles:
    • Viewer: Grant this role to a team member who only requires view access to the service configuration. Examples of this role are a developer who only needs access to the API definition to perform development tasks, or someone who is an auditor for your team.
    • Editor: Grant this role to a team member who is allowed to deploy the service configuration. This role has all Viewer permissions as well. Examples of this role are the lead developer or a team member responsible for devops.
    • Owner: Grant this role to a team member who is allowed to manage access control to the API. This role has all Editor permissions as well. Because an Owner can grant any role, including Owner, to other members, limit this role to the few people accountable for the API. Examples of this role are the lead developer or a manager.
  6. Repeat adding members and selecting the role, as needed.
  7. Click Add to add the member(s) to the specified IAM role.
  8. If the people who you have just added are not members of the Cloud project, you must give them the IAM role Project > Viewer or higher. See Granting, Changing, and Revoking Access to Project Members for details.

Command Line

  1. Open Cloud Shell, or if you have the Cloud SDK installed, open a terminal window.
    • If you are granting access to an individual user, invoke the following:
      gcloud service-management add-iam-policy-binding [SERVICE-NAME] \
            --member='user:[EMAIL-ADDRESS]' \
            --role='[ROLE]'
      

      For the role, specify one of the following IAM roles:

      • roles/viewer: Grant this role to a team member who only requires view access to the service configuration. Examples of this role are a developer who only needs access to the API definition to perform their development tasks, or someone who is an auditor for your team.
      • roles/editor: Grant this role to a team member who is allowed to deploy the service configuration. This role has all roles/viewer permissions as well. Examples of this role are the lead developer or a team member responsible for devops.
      • roles/owner: Grant this role to a team member who is allowed to manage access control to the API. This role has all roles/editor permissions as well. Examples of this role are the lead developer or a manager.

      For example:

      gcloud service-management add-iam-policy-binding example-service-name \
            --member='user:example-user@gmail.com' \
            --role='roles/editor'
      
    • If you are granting access to a Google Group, invoke the following:
      gcloud service-management add-iam-policy-binding [SERVICE-NAME] \
            --member='group:[GROUP-NAME]@googlegroups.com' \
            --role='[ROLE]'
      

      For example:

      gcloud service-management add-iam-policy-binding example-service-name \
            --member='group:example-group@googlegroups.com' \
            --role='roles/viewer'
      
    • If the people who you have just added are not members of the Cloud project, you must give them the IAM role Project > Viewer or higher. See Granting, Changing, and Revoking Access to Project Members for details.

Revoking Access

You revoke access to your API by removing the IAM role from a user or group that previously had the role. You can revoke access using the console or the command line.

Console

  1. In the Cloud Platform Console, go to the Endpoints dashboard for your project.

  2. Click the name of the API that you want to remove access to.
  3. If the Permissions side panel is not open, click +Permissions.
  4. Click the Role card that the member belongs to. Alternatively, search for the member by using the Search members field.
  5. Hover over the member and click the trash can to remove the member from the role.

Command Line

  1. Open Cloud Shell, or if you have the Cloud SDK installed, open a terminal window.
    • If you are revoking access for an individual user, invoke the following:
      gcloud service-management remove-iam-policy-binding [SERVICE-NAME] \
            --member='user:[EMAIL-ADDRESS]' \
            --role='[ROLE-NAME]'
      

      For example:

      gcloud service-management remove-iam-policy-binding example-service-name \
            --member='user:example-user@gmail.com' \
            --role='roles/editor'
      
    • If you are revoking access for a Google Group, invoke the following:
      gcloud service-management remove-iam-policy-binding [SERVICE-NAME] \
            --member='group:[GROUP-NAME]@googlegroups.com' \
            --role='[ROLE-NAME]'
      

      For example:

      gcloud service-management remove-iam-policy-binding example-service-name \
            --member='group:example-group@googlegroups.com' \
            --role='roles/viewer'
      
  2. Removing a service-level binding does not remove any project-level roles the member still holds. If the member no longer needs access to your Cloud project, revoke that access as well. See Granting, Changing, and Revoking Access to Project Members for details.
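The granting and revoking procedures above each change one (member, role) binding at a time, so a member who was granted two roles still holds one of them after a single remove-iam-policy-binding call. The following Python script is an added example, not code from the Endpoints documentation or the Cloud SDK: it reads a service IAM policy document, reports owners and personal accounts a reviewer would want to question, and lists the exact remove commands needed to strip every role a member holds. The sample policy is constructed; the `gcloud service-management get-iam-policy ... --format=json` read command that would produce it in practice, and the approved-owner and trusted-domain values, are assumptions for the illustration.

```python
"""Audit a Cloud Endpoints service IAM policy and plan a clean revocation.

Added example, not code from the Endpoints documentation. It works on the
standard IAM policy JSON (a list of bindings, each pairing one role with its
members) and never talks to Google Cloud: the policy below is constructed.
"""
import json
import shlex

# Constructed sample policy. Its shape is the IAM policy document that
# `gcloud service-management get-iam-policy SERVICE --format=json` prints
# (that read command is an assumption; the page only shows add/remove).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:lead-dev@example.com", "user:contractor@gmail.com"]},
    {"role": "roles/editor",
     "members": ["user:lead-dev@example.com", "group:api-devops@googlegroups.com"]},
    {"role": "roles/viewer",
     "members": ["group:api-readers@googlegroups.com", "user:contractor@gmail.com"]}
  ],
  "etag": "BwVuxd9a6Zs="
}
"""

# The three roles the page grants on a service.
ENDPOINTS_ROLES = ("roles/viewer", "roles/editor", "roles/owner")


def load_policy(policy_json):
    """Parse an IAM policy document into {role: set(members)}."""
    policy = json.loads(policy_json)
    return {b["role"]: set(b.get("members", [])) for b in policy.get("bindings", [])}


def members_with_role(policy, role):
    """Members bound to one role, sorted for stable output."""
    return sorted(policy.get(role, ()))


def roles_for_member(policy, member):
    """Every role a member holds on the service (a member may hold several)."""
    return sorted(role for role, members in policy.items() if member in members)


def audit_policy(policy, approved_owners, trusted_domains):
    """Findings to review before signing off on the policy.

    approved_owners: members allowed to hold roles/owner (owners can grant any
        role, including owner, so this set should be short and deliberate).
    trusted_domains: e-mail domains of managed accounts; a 'user:' member from
        any other domain (for example a personal gmail.com account) is flagged.
    Both values are illustrative assumptions, not anything the page defines.
    """
    findings = []
    for role in policy:
        if role not in ENDPOINTS_ROLES:
            findings.append(f"unexpected role on service: {role}")
    for member in members_with_role(policy, "roles/owner"):
        if member not in approved_owners:
            findings.append(f"unapproved owner: {member}")
    all_members = set().union(*policy.values())
    for member in sorted(all_members):
        kind, _, ident = member.partition(":")
        if kind == "user" and ident.rsplit("@", 1)[-1] not in trusted_domains:
            findings.append(f"user account outside trusted domains: {member}")
    return findings


def revoke_commands(service, policy, member):
    """gcloud commands that remove every role a member holds on the service.

    remove-iam-policy-binding removes one (member, role) pair per call, so a
    member with two roles needs two calls; removing only roles/editor would
    leave a roles/owner binding, and with it full control, in place.
    """
    return [
        "gcloud service-management remove-iam-policy-binding "
        f"{shlex.quote(service)} --member={shlex.quote(member)} --role={shlex.quote(role)}"
        for role in roles_for_member(policy, member)
    ]


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for finding in audit_policy(policy, {"user:lead-dev@example.com"}, {"example.com"}):
        print("FINDING:", finding)
    for cmd in revoke_commands("example-service-name", policy, "user:contractor@gmail.com"):
        print(cmd)
```

Run the audit against the real policy by replacing the constructed JSON with the output of the get-iam-policy command, and re-run it after each grant or revoke so the change you intended is the only change that took effect.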
