Controlling who can enable your API

API keys are associated with the Google Cloud project in which they have been created. If your API requires an API key, you either have to give your API users a key from the project that you created the Cloud Endpoints service in, or you can let users enable your API in their own Google Cloud project and create an API key. This page shows you how to grant the permission that users need to enable your API.

Granting access

Endpoints uses the Identity and Access Management (IAM) Service Consumer role to allow someone who isn't a member of your Google Cloud project to enable your API in their own Google Cloud project. This section shows you how to grant access using the Google Cloud console or the Google Cloud CLI.

Google Cloud console

  1. In the Google Cloud console, go to the Endpoints > Services page for your project.

  2. If you have more than one API, click the name of the API that you want to grant access to.
  3. If the Permissions side panel isn't open, click Show Permissions Panel.
  4. In the Add Principal field, enter the email address of the person or Google Group that you want to grant access to.
  5. In the Select a role drop-down menu, select Service Management > Service Consumer.
  6. Click Save.
  7. Repeat adding members and selecting the role, as needed.
  8. Contact the users or groups that you added and let them know they can enable the API in their Google Cloud projects. See Enable an API in your Google Cloud project for information on how to enable a service in APIs & services.

gcloud

  1. Open Cloud Shell, or if you have the Google Cloud CLI installed, open a terminal window.
    • If you are granting access to an individual user:
      gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
            --member='user:EMAIL-NAME@gmail.com' \
            --role='roles/servicemanagement.serviceConsumer'
      
    • If you are granting access to a Google Group:
      gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
            --member='group:GROUP-NAME@googlegroups.com' \
            --role='roles/servicemanagement.serviceConsumer'
      
  2. Contact the users or groups that you added and let them know they can enable the API in their Google Cloud projects. See Enable an API in your Google Cloud project for information on how to enable a service in APIs & services.

Revoking access

You revoke access to your API by removing the Service Consumer role from a user or group that previously had the role. After you revoke someone's access, they won't be able to enable your API.

This section shows you how to revoke access using the Google Cloud console or the Google Cloud CLI.

Google Cloud console

  1. In the Google Cloud console, go to the Endpoints > Services page for your Google Cloud project.

  2. If you have more than one API, click the name of the API that you want to revoke access to.
  3. If the Permissions side panel isn't open, click Permissions.
  4. Click the Role card that the member belongs to.
  5. Click Delete.

gcloud

  • If you are revoking access for an individual user:
    gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
          --member='user:EMAIL-NAME@gmail.com' \
          --role='roles/servicemanagement.serviceConsumer'
    
  • If you are revoking access for a Google Group:
    gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
          --member='group:GROUP-NAME@googlegroups.com' \
          --role='roles/servicemanagement.serviceConsumer'
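
To decide which bindings to revoke, it helps to review who currently holds the Service Consumer role. The following is an added example, not part of the original page: it assumes the policy JSON comes from `gcloud endpoints services get-iam-policy [SERVICE-NAME] --format=json`, and the sample policy, member addresses, and function names are constructed for illustration.

```python
import json
import shlex

CONSUMER_ROLE = "roles/servicemanagement.serviceConsumer"
# IAM special principals that match anyone rather than a named identity.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample, trimmed to the fields the audit reads.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/servicemanagement.serviceConsumer",
   "members": ["user:alice@example.com", "group:partners@example.com",
               "user:former-contractor@example.com"]},
  {"role": "roles/servicemanagement.admin",
   "members": ["user:owner@example.com"]}
]}
""")

def consumer_members(policy):
    """Return the sorted members bound to the Service Consumer role."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == CONSUMER_ROLE:
            members.update(binding.get("members", []))
    return sorted(members)

def audit(policy, approved, service):
    """Compare current consumers with an approved list (hypothetical input).

    Returns (unexpected, missing, commands): members to revoke, approved
    members without a binding, and one revoke command per unexpected member.
    Public principals are always reported, even if listed as approved.
    """
    current = consumer_members(policy)
    approved = set(approved)
    unexpected = [m for m in current
                  if m not in approved or m in PUBLIC_MEMBERS]
    missing = sorted(approved - set(current))
    commands = [
        "gcloud endpoints services remove-iam-policy-binding "
        f"{shlex.quote(service)} --member={shlex.quote(m)} "
        f"--role={shlex.quote(CONSUMER_ROLE)}"
        for m in unexpected
    ]
    return unexpected, missing, commands

if __name__ == "__main__":
    approved = ["user:alice@example.com", "group:partners@example.com"]
    for cmd in audit(SAMPLE_POLICY, approved, "[SERVICE-NAME]")[2]:
        print(cmd)  # review each command before running it
```

The generated commands are printed for review rather than executed, so the approved list stays the single place where access decisions are recorded.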
    
