This page describes how to control access to Cloud Healthcare API datasets and data stores using Identity and Access Management (IAM) permissions. IAM lets you control who has access to your datasets and data stores. To learn more about IAM for the Cloud Healthcare API, see Access control.
Overview of IAM policies
Access to a resource is managed through an IAM policy. A policy contains an array, called bindings. This array contains a collection of bindings, which are associations between principals, such as a user account or service account, and a role. Policies are represented using JSON or YAML.
The following sample policy shows user-1@example.com, who has been granted the roles/healthcare.datasetAdmin role, and user-2@example.com and service-account-13@appspot.gserviceaccount.com, who have been granted the roles/healthcare.datasetViewer role:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.datasetAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.datasetViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
To update a policy for a resource, use the read-modify-write pattern. There are no separate methods for creating, modifying, and revoking user access; every update replaces the whole policy.
To update a policy, complete the following steps:
- Read the current policy by calling the resource's getIamPolicy() method. For example, to read a dataset's current policy, call projects.locations.datasets.getIamPolicy.
- Edit the returned policy, either by using a text editor or programmatically, to add or remove any applicable principals and their role grants. Keep the etag field exactly as it was returned.
- Write the updated policy by calling the resource's setIamPolicy() method. For example, to write a dataset's updated policy, call projects.locations.datasets.setIamPolicy. Because the etag you send must match the policy currently stored, a change made by someone else between your read and your write causes the request to fail instead of being silently overwritten; in that case, read the policy again and repeat the steps.
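The three steps above, as an added worked example in Python. This is not code from the Cloud Healthcare API documentation or from the Google client libraries. grant_role, revoke_role and members_of are pure functions that run offline against a constructed copy of the page's sample dataset policy (its etag value is made up); update_dataset_policy shows how to wire them to the real getIamPolicy and setIamPolicy calls through google-api-python-client, which it imports only when called. The refusal to grant a role to allUsers or allAuthenticatedUsers is this example's own guard, not an API rule.

```python
"""Read-modify-write helpers for Cloud Healthcare API IAM policies.

Added example; not code from the Cloud Healthcare API documentation or the
Google client libraries. grant_role / revoke_role / members_of are pure and
run offline; update_dataset_policy is the only network path and imports
google-api-python-client lazily so the rest works without it.
"""
import copy

# Real IAM principal identifiers that would expose the data to everyone.
# Refusing them is this example's own guard, not an API restriction.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def grant_role(policy, role, member):
    """Return a copy of policy with member added to the binding for role.

    Creates the binding if the role has none yet, ignores a duplicate grant,
    and leaves the etag untouched so it can be sent back to setIamPolicy.
    """
    if member in PUBLIC_PRINCIPALS:
        raise ValueError(f"refusing to grant {role} to {member}")
    if ":" not in member:
        raise ValueError("member needs a type prefix, e.g. user:alice@example.com")
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def revoke_role(policy, role, member):
    """Return a copy of policy with member removed from the binding for role.

    When the last member of a binding is removed the whole binding is dropped
    rather than left behind with an empty members array.
    """
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    new["bindings"] = kept
    return new


def members_of(policy, role):
    """Principals currently bound to role (empty list if none)."""
    for binding in policy.get("bindings", []):
        if binding["role"] == role:
            return list(binding["members"])
    return []


def update_dataset_policy(project, location, dataset, mutate):
    """Read-modify-write one dataset policy through the v1 REST API.

    mutate maps the current policy to the desired one (for example
    lambda p: grant_role(p, ROLE, MEMBER)). The etag from getIamPolicy is
    sent back so a concurrent change makes setIamPolicy fail instead of being
    overwritten. Needs google-api-python-client and Application Default
    Credentials; project/location/dataset are the caller's own values.
    """
    from googleapiclient import discovery  # network-only path, imported lazily

    resource = f"projects/{project}/locations/{location}/datasets/{dataset}"
    datasets = discovery.build("healthcare", "v1").projects().locations().datasets()
    current = datasets.getIamPolicy(resource=resource).execute()
    updated = mutate(current)
    updated["etag"] = current["etag"]
    return datasets.setIamPolicy(resource=resource, body={"policy": updated}).execute()


# Constructed copy of the page's sample dataset policy; the etag is made up.
SAMPLE_POLICY = {
    "etag": "BwXsampleEtag=",
    "bindings": [
        {"role": "roles/healthcare.datasetAdmin",
         "members": ["user:user-1@example.com"]},
        {"role": "roles/healthcare.datasetViewer",
         "members": ["serviceAccount:service-account-13@appspot.gserviceaccount.com",
                     "user:user-2@example.com"]},
    ],
}

if __name__ == "__main__":
    viewer = "roles/healthcare.datasetViewer"
    p = grant_role(SAMPLE_POLICY, viewer, "user:new-user@example.com")
    print(members_of(p, viewer))
    p = revoke_role(p, "roles/healthcare.datasetAdmin", "user:user-1@example.com")
    print([b["role"] for b in p["bindings"]])
```

The helpers return copies instead of editing in place so that the policy read from the API survives unchanged until the write succeeds; if setIamPolicy rejects the etag, the caller can simply read again and reapply the same mutate function.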
Using IAM with consent stores
The following sections show how to get, modify, and set a policy for a consent store. These sections use the following sample policy as a starting point:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.consentStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.consentReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Getting a policy
The following samples show how to read a consent store-level IAM policy. For more information, see projects.locations.datasets.consentStores.getIamPolicy.
Console
To view the IAM policy for a consent store:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the consent store and then select the consent store that you want to get a policy for.
- Click Show info panel.
- To view the principals assigned to a role, expand the role.
gcloud
To view the IAM policy for a consent store, run the gcloud healthcare consent-stores get-iam-policy command. Specify the consent store name, the dataset name, and the location.
gcloud healthcare consent-stores get-iam-policy CONSENT_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION
If the request is successful, the bindings are displayed.
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.consentStoreAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  role: roles/healthcare.consentReader
etag: bytes
version: VERSION_NUMBER
curl
To read the IAM policy for a consent store, make a GET request and specify the name of the dataset, the name of the consent store, and an access token.
The following sample shows a GET request using curl:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID:getIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.consentStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.consentReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
PowerShell
To read the IAM policy for a consent store, make a GET request and specify the name of the dataset, the name of the consent store, and an access token.
The following sample shows a GET request using Windows PowerShell:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Get `
  -Headers $headers `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID:getIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.consentStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.consentReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Modifying a policy
The following samples grant a new user the roles/healthcare.consentReader role. For more information, see projects.locations.datasets.consentStores.setIamPolicy.
Setting a policy
Console
To set a consent store-level IAM policy, complete the following steps:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the consent store and then select the consent store that you want to set a policy for.
- Click Show info panel.
- Click Add principal.
- In the New principals field, enter one or more identities that need access to the consent store.
- In the Select a role list, under Cloud Healthcare, select the role that you want to grant. For example, Healthcare Consent Store Viewer.
- Click Save.
gcloud
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so keep the current value in the policy file: gcloud sends it with the request, and a stale etag makes the update fail instead of overwriting a change made since you read the policy.
To grant a new user the role, append their email address to the members array under the roles/healthcare.consentReader binding:
{
  "role": "roles/healthcare.consentReader",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, run the appropriate set-iam-policy command to make the changes. To set a consent store-level policy, run the gcloud healthcare consent-stores set-iam-policy command. Specify the consent store name, the dataset name, the location, and the path to the policy file that you created.
gcloud healthcare consent-stores set-iam-policy CONSENT_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION \
  POLICY_FILE_NAME
If the request is successful, the consent store name and the bindings are displayed.
Updated IAM policy for consentStore [CONSENT_STORE_ID].
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.consentStoreAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  - user:NEW_USER_EMAIL_ADDRESS
  role: roles/healthcare.consentReader
etag: bytes
version: VERSION_NUMBER
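The etag rule stated above is easy to get wrong, because the REST samples on this page send a policy without its etag. The following added Python example (not code from the Cloud Healthcare API documentation) makes the consequence concrete offline. FakeIamResource stands in for a consent store and behaves as the real setIamPolicy is documented to: a write without an etag overwrites the stored policy blindly, and a write with a stale etag is rejected (the real API reports this as ABORTED; the exception class here is the example's own). concurrent_update runs two clients whose edits interleave, once carrying the etag through a retry loop and once without it; the principals user-a and user-b and the sample policy copy are constructed.

```python
"""Why the etag matters: lost updates versus optimistic concurrency.

Added example, not from the Cloud Healthcare API documentation. The fake
resource below mimics the documented setIamPolicy behaviour: an omitted
etag overwrites blindly, a stale etag is rejected (ABORTED on the real API).
"""
import copy
import hashlib
import json


class EtagMismatch(Exception):
    """Raised by the fake in place of the ABORTED error the real API returns."""


class FakeIamResource:
    """In-memory stand-in for a consent store's getIamPolicy/setIamPolicy."""

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = self._etag_for(self._policy)

    @staticmethod
    def _etag_for(policy):
        # Any value that changes whenever the bindings change will do here;
        # the real etag is opaque and must be passed back verbatim.
        body = {k: v for k, v in policy.items() if k != "etag"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode())
        return digest.hexdigest()[:16]

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy):
        if "etag" in policy and policy["etag"] != self._policy["etag"]:
            raise EtagMismatch("policy changed since it was read")
        # No etag sent: overwrite blindly, exactly as the real API does.
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = self._etag_for(self._policy)
        return copy.deepcopy(self._policy)


def add_member(policy, role, member):
    """Append member to the binding for role, in place, and return the policy."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy


def read_modify_write(resource, mutate, attempts=3):
    """Read, edit, write; on an etag conflict re-read and try again."""
    for _ in range(attempts):
        current = resource.get_iam_policy()
        updated = mutate(copy.deepcopy(current))
        updated["etag"] = current["etag"]  # send back exactly what was read
        try:
            return resource.set_iam_policy(updated)
        except EtagMismatch:
            continue  # someone else wrote in between: start over from fresh data
    raise RuntimeError(f"gave up after {attempts} etag conflicts")


# Constructed copy of the page's consent store sample policy.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/healthcare.consentStoreAdmin",
         "members": ["user:user-1@example.com"]},
        {"role": "roles/healthcare.consentReader",
         "members": ["serviceAccount:service-account-13@appspot.gserviceaccount.com",
                     "user:user-2@example.com"]},
    ],
}
READER = "roles/healthcare.consentReader"


def concurrent_update(use_etag):
    """Client A and client B both grant consentReader; B's write lands while A
    is still editing its copy. Returns the final sorted members of the role."""
    resource = FakeIamResource(SAMPLE_POLICY)
    state = {"b_has_written": False}

    def client_a_edit(policy):
        if not state["b_has_written"]:
            # Client B reads and writes while A holds its (now stale) copy.
            state["b_has_written"] = True
            resource.set_iam_policy(
                add_member(resource.get_iam_policy(), READER, "user:user-b@example.com"))
        return add_member(policy, READER, "user:user-a@example.com")

    if use_etag:
        final = read_modify_write(resource, client_a_edit)
    else:
        stale = client_a_edit(resource.get_iam_policy())
        stale.pop("etag")  # what sending the policy without its etag amounts to
        final = resource.set_iam_policy(stale)
    return sorted(m for b in final["bindings"] if b["role"] == READER
                  for m in b["members"])


if __name__ == "__main__":
    print("without etag:", concurrent_update(use_etag=False))  # user-b's grant is lost
    print("with etag:   ", concurrent_update(use_etag=True))   # both grants survive
```

Without the etag, client A's write silently removes the grant client B just made, and nothing in the response reveals it; with the etag, A's first write is rejected, A re-reads a policy that already contains B's change, and the retry writes both. The same loop wraps the real getIamPolicy and setIamPolicy calls unchanged, with the client library's error for a stale etag taking the place of EtagMismatch.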
curl
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so copy the etag from the getIamPolicy response into the policy that you send. The sample request below omits it for brevity; without an etag, setIamPolicy overwrites the stored policy blindly, including any change made since you read it, whereas a stale etag makes the request fail so that you can read the policy again and retry.
To grant a new user the role, append their email address to the members array under the roles/healthcare.consentReader binding:
{
  "role": "roles/healthcare.consentReader",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.consentStores.setIamPolicy to make the updates.
To set a consent store-level IAM policy, make a POST request and specify the name of the dataset, the name of the consent store, the policy, and an access token.
The following sample shows a POST request using curl to grant a new user the existing roles/healthcare.consentReader role:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.consentStoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.consentReader',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID:setIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.consentStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.consentReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
PowerShell
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so copy the etag from the getIamPolicy response into the policy that you send. The sample request below omits it for brevity; without an etag, setIamPolicy overwrites the stored policy blindly, including any change made since you read it, whereas a stale etag makes the request fail so that you can read the policy again and retry.
To grant a new user the role, append their email address to the members array under the roles/healthcare.consentReader binding:
{
  "role": "roles/healthcare.consentReader",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.consentStores.setIamPolicy to make the updates.
To set a consent store-level IAM policy, make a POST request and specify the name of the dataset, the name of the consent store, the policy, and an access token.
The following sample shows a POST request using Windows PowerShell to grant a new user the existing roles/healthcare.consentReader role:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -Body "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.consentStoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.consentReader',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/consentStores/CONSENT_STORE_ID:setIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.consentStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.consentReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
Using IAM with datasets
The following sections show how to get, modify, and set a policy for a dataset. These sections use the following sample policy as a starting point:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.datasetAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.datasetViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Getting a policy
The following samples show how to read a dataset-level IAM policy. For more information, see projects.locations.datasets.getIamPolicy.
curl
To read the IAM policy for a dataset, make a GET request and specify the name of the dataset and an access token.
The following sample shows a GET request using curl:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID:getIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.datasetAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.datasetViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
PowerShell
To view the IAM policy for a dataset, make a GET request and specify the name of the dataset and an access token.
The following sample shows a GET request using Windows PowerShell:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Get `
  -Headers $headers `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID:getIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.datasetAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.datasetViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Console
To view the IAM policy for a dataset:
- In the Google Cloud console, go to the Datasets page.
- Select a dataset and then click Show info panel.
- To view the principals assigned to a role, expand the role.
gcloud
To view the IAM policy for a dataset, run the gcloud healthcare datasets get-iam-policy command. Specify the dataset name and the location.
gcloud healthcare datasets get-iam-policy DATASET_ID \
  --location=LOCATION
If the request is successful, the bindings are displayed.
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.datasetAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  role: roles/healthcare.datasetViewer
etag: bytes
version: VERSION_NUMBER
Modifying a policy
The following samples grant a new user the roles/healthcare.datasetViewer role. For more information, see projects.locations.datasets.setIamPolicy.
Setting a policy
Console
To set a dataset-level IAM policy, complete the following steps:
- In the Google Cloud console, go to the Datasets page.
- Select the dataset that you want to set a policy for and then click Show info panel.
- Click Add principal.
- In the New principals field, enter one or more identities that need access to the dataset.
- In the Select a role list, under Cloud Healthcare, select the role that you want to grant. For example, Healthcare Dataset Viewer.
- Click Save.
gcloud
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so keep the current value in the policy file: gcloud sends it with the request, and a stale etag makes the update fail instead of overwriting a change made since you read the policy.
To grant a new user the role, append their email address to the members array under the roles/healthcare.datasetViewer binding:
{
  "role": "roles/healthcare.datasetViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, run the appropriate set-iam-policy command to make the changes. To set a dataset-level policy, run the gcloud healthcare datasets set-iam-policy command. Specify the dataset name, the location, and the path to the policy file that you created.
gcloud healthcare datasets set-iam-policy DATASET_ID \
  --location=LOCATION \
  POLICY_FILE_NAME
If the request is successful, the dataset name and the bindings are displayed.
Updated IAM policy for dataset [DATASET_ID].
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.datasetAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  - user:NEW_USER_EMAIL_ADDRESS
  role: roles/healthcare.datasetViewer
etag: bytes
version: VERSION_NUMBER
curl
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so copy the etag from the getIamPolicy response into the policy that you send. The sample request below omits it for brevity; without an etag, setIamPolicy overwrites the stored policy blindly, including any change made since you read it, whereas a stale etag makes the request fail so that you can read the policy again and retry.
To grant a new user the role, append their email address to the members array under the roles/healthcare.datasetViewer binding:
{
  "role": "roles/healthcare.datasetViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.setIamPolicy to make the updates.
To set a dataset-level IAM policy, make a POST request and specify the name of the dataset, the policy, and an access token.
The following sample shows a POST request using curl to grant a new user the existing roles/healthcare.datasetViewer role:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.datasetAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.datasetViewer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID:setIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.datasetAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.datasetViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
PowerShell
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so copy the etag from the getIamPolicy response into the policy that you send. The sample request below omits it for brevity; without an etag, setIamPolicy overwrites the stored policy blindly, including any change made since you read it, whereas a stale etag makes the request fail so that you can read the policy again and retry.
To grant a new user the role, append their email address to the members array under the roles/healthcare.datasetViewer binding:
{
  "role": "roles/healthcare.datasetViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.setIamPolicy to make the updates.
To set a dataset-level IAM policy, make a POST request and specify the name of the dataset, the policy, and an access token.
The following sample shows a POST request using Windows PowerShell to grant a new user the existing roles/healthcare.datasetViewer role:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -Body "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.datasetAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.datasetViewer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID:setIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.datasetAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.datasetViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
Using IAM with DICOM stores
The following sections show how to get, modify, and set a policy for a DICOM store. These sections use the following sample policy as a starting point:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.dicomStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.dicomViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Getting a policy
The following samples show how to read a DICOM store-level IAM policy. For more information, see projects.locations.datasets.dicomStores.getIamPolicy.
Console
To view the IAM policy for a DICOM store:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the DICOM store and then select the DICOM store that you want to get a policy for.
- Click Show info panel.
- To view the principals assigned to a role, expand the role.
gcloud
To view the IAM policy for a DICOM store, run the gcloud healthcare dicom-stores get-iam-policy command. Specify the DICOM store name, the dataset name, and the location.
gcloud healthcare dicom-stores get-iam-policy DICOM_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION
If the request is successful, the bindings are displayed.
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.dicomStoreAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  role: roles/healthcare.dicomViewer
etag: bytes
version: VERSION_NUMBER
curl
To read the IAM policy for a DICOM store, make a GET request and specify the name of the dataset, the name of the DICOM store, and an access token.
The following sample shows a GET request using curl:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/dicomStores/DICOM_STORE_ID:getIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.dicomStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.dicomViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
PowerShell
To read the IAM policy for a DICOM store, make a GET request and specify the name of the dataset, the name of the DICOM store, and an access token.
The following sample shows a GET request using Windows PowerShell:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Get `
  -Headers $headers `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/dicomStores/DICOM_STORE_ID:getIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.dicomStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.dicomViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Modifying a policy
The following samples grant a new user the roles/healthcare.dicomViewer role. For more information, see projects.locations.datasets.dicomStores.setIamPolicy.
Setting a policy
Console
To set a DICOM store-level IAM policy, complete the following steps:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the DICOM store and then select the DICOM store that you want to set a policy for.
- Click Show info panel.
- Click Add principal.
- In the New principals field, enter one or more identities that need access to the DICOM store.
- In the Select a role list, under Cloud Healthcare, select the role that you want to grant. For example, Healthcare DICOM Store Viewer.
- Click Save.
gcloud
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so keep the current value in the policy file: gcloud sends it with the request, and a stale etag makes the update fail instead of overwriting a change made since you read the policy.
To grant a new user the role, append their email address to the members array under the roles/healthcare.dicomViewer binding:
{
  "role": "roles/healthcare.dicomViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, run the appropriate set-iam-policy command to make the changes. To set a DICOM store-level policy, run the gcloud healthcare dicom-stores set-iam-policy command. Specify the DICOM store name, the dataset name, the location, and the path to the policy file that you created.
gcloud healthcare dicom-stores set-iam-policy DICOM_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION \
  POLICY_FILE_NAME
If the request is successful, the DICOM store name and the bindings are displayed.
Updated IAM policy for dicomStore [DICOM_STORE_ID].
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.dicomStoreAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  - user:NEW_USER_EMAIL_ADDRESS
  role: roles/healthcare.dicomViewer
etag: bytes
version: VERSION_NUMBER
curl
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so copy the etag from the getIamPolicy response into the policy that you send. The sample request below omits it for brevity; without an etag, setIamPolicy overwrites the stored policy blindly, including any change made since you read it, whereas a stale etag makes the request fail so that you can read the policy again and retry.
To grant a new user the role, append their email address to the members array under the roles/healthcare.dicomViewer binding:
{
  "role": "roles/healthcare.dicomViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.dicomStores.setIamPolicy to make the updates.
To set a DICOM store-level IAM policy, make a POST request and specify the name of the dataset, the name of the DICOM store, the policy, and an access token.
The following sample shows a POST request using curl to grant a new user the existing roles/healthcare.dicomViewer role:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.dicomStoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.dicomViewer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/dicomStores/DICOM_STORE_ID:setIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.dicomStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.dicomViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
PowerShell
Grant or revoke roles by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes every time the policy changes, so copy the etag from the getIamPolicy response into the policy that you send. The sample request below omits it for brevity; without an etag, setIamPolicy overwrites the stored policy blindly, including any change made since you read it, whereas a stale etag makes the request fail so that you can read the policy again and retry.
To grant a new user the role, append their email address to the members array under the roles/healthcare.dicomViewer binding:
{
  "role": "roles/healthcare.dicomViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete that role's entire binding from the bindings array rather than leaving a binding with an empty members array.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.dicomStores.setIamPolicy to make the updates.
To set a DICOM store-level IAM policy, make a POST request and specify the name of the dataset, the name of the DICOM store, the policy, and an access token.
The following sample shows a POST request using Windows PowerShell to grant a new user the existing roles/healthcare.dicomViewer role:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }

Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -Body "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.dicomStoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.dicomViewer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/dicomStores/DICOM_STORE_ID:setIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.dicomStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.dicomViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
Using IAM with FHIR stores
The following sections show how to get, modify, and set a policy for a FHIR store. These sections use the following sample policy as a starting point:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.fhirStoreAdmin",
      "members": [
        "user:user-1@example.com"
      ]
    },
    {
      "role": "roles/healthcare.fhirResourceReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Getting a policy
The following samples show how to read a FHIR store-level IAM policy. For more information, see projects.locations.datasets.fhirStores.getIamPolicy.
Console
To view the IAM policy for a FHIR store:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the FHIR store and then select the FHIR store that you want to get a policy for.
- Click Show info panel.
- To view the principals assigned to a role, expand the role.
gcloud
To view the IAM policy for a FHIR store, run the gcloud healthcare fhir-stores get-iam-policy command. Specify the FHIR store name, the dataset name, and the location.
gcloud healthcare fhir-stores get-iam-policy FHIR_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION
If the request is successful, the bindings are displayed.
bindings: - members: - user:user-1@example.com role: roles/healthcare.fhirStoreAdmin - serviceAccount:service-account-13@appspot.gserviceaccount.com - user:user-2@example.com role: roles/healthcare.fhirResourceReader etag: bytes version: VERSION_NUMBER
curl
To read the IAM policy for a FHIR store, make a GET request and specify the name of the dataset, the name of the FHIR store, and an access token.
The following sample shows a GET request using curl:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/fhirStores/FHIR_STORE_ID:getIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.fhirStoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.fhirResourceReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
PowerShell
To read the IAM policy for a FHIR store, make a GET request and specify the name of the dataset, the name of the FHIR store, and an access token.
The following sample shows a GET request using Windows PowerShell:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }
Invoke-WebRequest `
  -Method Get `
  -Headers $headers `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/fhirStores/FHIR_STORE_ID:getIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.fhirStoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.fhirResourceReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Modifying a policy
The following samples grant a new user the roles/healthcare.fhirResourceReader role. For more information, see projects.locations.datasets.fhirStores.setIamPolicy.
Setting a policy
Console
To set a FHIR store-level IAM policy, complete the following steps:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the FHIR store and then select the FHIR store that you want to set a policy for.
- Click Show info panel.
- Click Add principal.
- In the New principals field, enter one or more identities that need access to the FHIR store.
- In the Select a role list, under Cloud Healthcare, select the permission that you want to grant. For example, Healthcare FHIR Resource Reader.
- Click Save.
gcloud
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new user the role, append their email address to the members array under the roles/healthcare.fhirResourceReader binding:
{
  "role": "roles/healthcare.fhirResourceReader",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, run the appropriate set-iam-policy command to make the changes.
To set a FHIR store-level policy, run the gcloud healthcare fhir-stores set-iam-policy command. Specify the FHIR store name, the dataset name, the location, and the path to the policy file that you created.
gcloud healthcare fhir-stores set-iam-policy FHIR_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION \
  POLICY_FILE_NAME
If the request is successful, the FHIR store name and the bindings are displayed.
Updated IAM policy for fhirStore [FHIR_STORE_ID].
bindings:
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  - user:NEW_USER_EMAIL_ADDRESS
  role: roles/healthcare.fhirResourceReader
etag: bytes
version: VERSION_NUMBER
curl
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new user the role, append their email address to the members array under the roles/healthcare.fhirResourceReader binding:
{
  "role": "roles/healthcare.fhirResourceReader",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.fhirStores.setIamPolicy to make the updates.
To set a FHIR store-level IAM policy, make a POST request and specify the name of the dataset, the name of the FHIR store, the policy, and an access token.
The following sample shows a POST request using curl to grant a new user the existing roles/healthcare.fhirResourceReader role:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data "{
    'policy': {
      'bindings': [
        {
          'role':'roles/healthcare.fhirStoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role':'roles/healthcare.fhirResourceReader',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/fhirStores/FHIR_STORE_ID:setIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.fhirStoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.fhirResourceReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
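The read-modify-write steps above (the same ones the gcloud and PowerShell tabs describe) as an added Python example, not code from the Google documentation: it applies grant and revoke to the policy document, drops a binding whose last member is removed, carries the etag from getIamPolicy into setIamPolicy, and starts over from a fresh read when the write is rejected. The transport is injected so the flow runs offline; FakeStore, its etag-N values and 409 response, and the get_method switch for project-level policies are constructed assumptions, with the etag check being the only service behaviour the example relies on.

```python
"""Read-modify-write for a Cloud Healthcare API store IAM policy.
Added example (not from the Google docs): grant()/revoke() implement the
"Modifying a policy" step; read_modify_write() carries the etag from
getIamPolicy to setIamPolicy through an injected transport (FakeStore offline)."""
import copy
import json
from typing import Callable, Dict, List, Tuple

Policy = Dict[str, object]
Transport = Callable[[str, str, str], Tuple[int, str]]  # (method, url, body) -> (status, text)

# Constructed copy of the page's FHIR store sample policy, before any etag.
SAMPLE_POLICY: Policy = {"bindings": [
    {"role": "roles/healthcare.fhirStoreAdmin", "members": ["user:user-1@example.com"]},
    {"role": "roles/healthcare.fhirResourceReader", "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"]}]}

def grant(policy: Policy, role: str, member: str) -> Policy:
    """Copy of policy with member in the binding for role (created if absent)."""
    new = copy.deepcopy(policy)
    bindings: List[dict] = new.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new

def revoke(policy: Policy, role: str, member: str) -> Policy:
    """Copy of policy without member in role. A binding whose last member was
    removed is dropped whole rather than left behind with no members."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        members = [m for m in b["members"] if not (b["role"] == role and m == member)]
        if members:
            kept.append({"role": b["role"], "members": members})
    new["bindings"] = kept
    return new

def set_iam_policy_body(policy: Policy) -> str:
    """Body for :setIamPolicy. Echoing the etag from the read makes the service
    reject the write if the policy changed in between."""
    if not policy.get("etag"):
        raise ValueError("policy has no etag; read it with getIamPolicy first")
    return json.dumps({"policy": policy})

def read_modify_write(resource: str, modify: Callable[[Policy], Policy],
                      transport: Transport, attempts: int = 3,
                      get_method: str = "GET") -> Policy:
    """getIamPolicy -> modify -> setIamPolicy, re-reading after a rejected write.
    Healthcare API stores read with GET; Resource Manager projects use POST."""
    for _ in range(attempts):
        status, text = transport(get_method, resource + ":getIamPolicy", "")
        if status != 200:
            raise RuntimeError(f"getIamPolicy failed: HTTP {status} {text}")
        desired = modify(json.loads(text))
        status, text = transport("POST", resource + ":setIamPolicy",
                                 set_iam_policy_body(desired))
        if status == 200:
            return json.loads(text)
    raise RuntimeError(f"setIamPolicy still rejected after {attempts} attempts")

class FakeStore:
    """Constructed stand-in for a store's IAM endpoints that enforces the etag
    like the real service; race_once simulates a concurrent writer."""
    def __init__(self, policy: Policy, race_once: bool = False):
        self.version, self.rejected, self.race_once = 1, 0, race_once
        self.policy = {"etag": "etag-1", **copy.deepcopy(policy)}

    def __call__(self, method: str, url: str, body: str) -> Tuple[int, str]:
        if method == "GET" and url.endswith(":getIamPolicy"):
            snapshot = json.dumps(self.policy)
            if self.race_once:  # another writer lands right after our read
                self.race_once, self.version = False, self.version + 1
                self.policy["etag"] = f"etag-{self.version}"
            return 200, snapshot
        if method == "POST" and url.endswith(":setIamPolicy"):
            incoming = json.loads(body)["policy"]
            if incoming.get("etag") != self.policy["etag"]:
                self.rejected += 1
                return 409, '{"error": {"status": "ABORTED"}}'
            self.version += 1
            self.policy = {"etag": f"etag-{self.version}", "bindings": incoming["bindings"]}
            return 200, json.dumps(self.policy)
        return 404, "{}"
```

A real transport is any callable that sends the request with the Authorization: Bearer header from gcloud auth application-default print-access-token and returns the HTTP status and body text.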
PowerShell
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new user the role, append their email address to the members array under the roles/healthcare.fhirResourceReader binding:
{
  "role": "roles/healthcare.fhirResourceReader",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.fhirStores.setIamPolicy to make the updates.
To set a FHIR store-level IAM policy, make a POST request and specify the name of the dataset, the name of the FHIR store, the policy, and an access token.
The following sample shows a POST request using Windows PowerShell to grant a new user the existing roles/healthcare.fhirResourceReader role:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }
Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType "application/json; charset=utf-8" `
  -Body "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.fhirStoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.fhirResourceReader',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/fhirStores/FHIR_STORE_ID:setIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.fhirStoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.fhirResourceReader",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
Using IAM with HL7v2 stores
The following sections show how to get, modify, and set a policy for an HL7v2 store. These sections use the following sample policy as a starting point:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.hl7V2StoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.hl7V2Consumer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Getting a policy
The following samples show how to read an HL7v2 store-level IAM policy. For more information, see projects.locations.datasets.hl7V2Stores.getIamPolicy.
Console
To view the IAM policy for an HL7v2 store:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the HL7v2 store and then select the HL7v2 store that you want to get a policy for.
- Click Show info panel.
- To view the principals assigned to a role, expand the role.
gcloud
To view the IAM policy for an HL7v2 store, run the gcloud healthcare hl7v2-stores get-iam-policy command. Specify the HL7v2 store name, the dataset name, and the location.
gcloud healthcare hl7v2-stores get-iam-policy HL7V2_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION
If the request is successful, the bindings are displayed.
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.hl7V2StoreAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  role: roles/healthcare.hl7V2Consumer
etag: bytes
version: VERSION_NUMBER
curl
To read the IAM policy for an HL7v2 store, make a GET request and specify the name of the dataset, the name of the HL7v2 store, and an access token.
The following sample shows a GET request using curl:
curl -X GET \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores/HL7V2_STORE_ID:getIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.hl7V2StoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.hl7V2Consumer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
PowerShell
To read the IAM policy for an HL7v2 store, make a GET request and specify the name of the dataset, the name of the HL7v2 store, and an access token.
The following sample shows a GET request using Windows PowerShell:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }
Invoke-WebRequest `
  -Method Get `
  -Headers $headers `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores/HL7V2_STORE_ID:getIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.hl7V2StoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.hl7V2Consumer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com"
      ]
    }
  ]
}
Modifying a policy
The following samples grant a new user the roles/healthcare.hl7V2Consumer role. For more information, see projects.locations.datasets.hl7V2Stores.setIamPolicy.
Setting a policy
Console
To set an HL7v2 store-level IAM policy, complete the following steps:
- In the Google Cloud console, go to the Datasets page.
- Click the ID of the dataset that contains the HL7v2 store and then select the HL7v2 store that you want to set a policy for.
- Click Show info panel.
- Click Add principal.
- In the New principals field, enter one or more identities that need access to the HL7v2 store.
- In the Select a role list, under Cloud Healthcare, select the permission that you want to grant. For example, Healthcare HL7v2 Message Consumer.
- Click Save.
gcloud
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new user the role, append their email address to the members array under the roles/healthcare.hl7V2Consumer binding:
{
  "role": "roles/healthcare.hl7V2Consumer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, run the appropriate set-iam-policy command to make the changes.
To set an HL7v2 store-level policy, run the gcloud healthcare hl7v2-stores set-iam-policy command. Specify the HL7v2 store name, the dataset name, the location, and the path to the policy file that you created.
gcloud healthcare hl7v2-stores set-iam-policy HL7V2_STORE_ID \
  --dataset=DATASET_ID \
  --location=LOCATION \
  POLICY_FILE_NAME
If the request is successful, the HL7v2 store name and the bindings are displayed.
Updated IAM policy for hl7v2Store [HL7V2_STORE_ID].
bindings:
- members:
  - user:user-1@example.com
  role: roles/healthcare.hl7V2StoreAdmin
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - user:user-2@example.com
  - user:NEW_USER_EMAIL_ADDRESS
  role: roles/healthcare.hl7V2Consumer
etag: bytes
version: VERSION_NUMBER
curl
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new user the role, append their email address to the members array under the roles/healthcare.hl7V2Consumer binding:
{
  "role": "roles/healthcare.hl7V2Consumer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.hl7V2Stores.setIamPolicy to make the updates.
To set an HL7v2 store-level IAM policy, make a POST request and specify the name of the dataset, the name of the HL7v2 store, the policy, and an access token.
The following sample shows a POST request using curl to grant a new user the existing roles/healthcare.hl7V2Consumer role:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data "{
    'policy': {
      'bindings': [
        {
          'role':'roles/healthcare.hl7V2StoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role':'roles/healthcare.hl7V2Consumer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores/HL7V2_STORE_ID:setIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.hl7V2StoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.hl7V2Consumer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
PowerShell
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new user the role, append their email address to the members array under the roles/healthcare.hl7V2Consumer binding:
{
  "role": "roles/healthcare.hl7V2Consumer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "user:user-2@example.com",
    "user:NEW_USER_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, call projects.locations.datasets.hl7V2Stores.setIamPolicy to make the updates.
To set an HL7v2 store-level IAM policy, make a POST request and specify the name of the dataset, the name of the HL7v2 store, the policy, and an access token.
The following sample shows a POST request using Windows PowerShell to grant a new user the existing roles/healthcare.hl7V2Consumer role:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }
Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType "application/json; charset=utf-8" `
  -Body "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.hl7V2StoreAdmin',
          'members': [
            'user:user-1@example.com'
          ]
        },
        {
          'role': 'roles/healthcare.hl7V2Consumer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'user:user-2@example.com',
            'user:NEW_USER_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" `
  -Uri "https://healthcare.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/datasets/DATASET_ID/hl7V2Stores/HL7V2_STORE_ID:setIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.hl7V2StoreAdmin",
      "members": ["user:user-1@example.com"]
    },
    {
      "role": "roles/healthcare.hl7V2Consumer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "user:user-2@example.com",
        "user:NEW_USER_EMAIL_ADDRESS"
      ]
    }
  ]
}
Using IAM with the Healthcare Natural Language API
The following sections show how to get, modify, and set a policy for the Healthcare Natural Language API. These sections use the following sample policy as a starting point:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.nlpServiceViewer",
      "members": ["serviceAccount:service-account-13@appspot.gserviceaccount.com"]
    }
  ]
}
Getting a policy
The following samples show how to read a project-level IAM policy. For more information, see the projects.getIamPolicy method.
curl
To read the IAM policy for a project, make a POST request and specify the name of the project and an access token.
The following sample shows a POST request using curl:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.nlpServiceViewer",
      "members": ["serviceAccount:service-account-13@appspot.gserviceaccount.com"]
    }
  ]
}
PowerShell
To view the IAM policy for a project, make a POST request and specify the name of the project and an access token.
The following sample shows a POST request using Windows PowerShell:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }
Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -Uri "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.nlpServiceViewer",
      "members": ["serviceAccount:service-account-13@appspot.gserviceaccount.com"]
    }
  ]
}
Console
To view the IAM policy for a project, complete the following steps:
- In the Google Cloud console, go to the IAM page.
- To view the principals assigned to a role, click Roles and then expand the role.
gcloud
To view the IAM policy for a project, run the gcloud projects get-iam-policy command. Specify the project name in the request.
gcloud projects get-iam-policy PROJECT_ID
If the request is successful, the bindings are displayed.
bindings:
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  role: roles/healthcare.nlpServiceViewer
etag: bytes
version: VERSION_NUMBER
Modifying a policy
The following samples grant a service account the roles/healthcare.nlpServiceViewer role. For more information, see projects.setIamPolicy.
Setting a policy
Console
To set a project-level IAM policy, complete the following steps:
- In the Google Cloud console, go to the IAM page.
- Click the Edit button next to the principal or click Add principal and then, in the New principals field, enter one or more identities that need access to the project.
- In the Select a role list, under Cloud Healthcare, select Healthcare Natural Language Service Viewer.
- Click Save.
gcloud
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new service account the role, add the service account's email address to the members array under the roles/healthcare.nlpServiceViewer binding:
{
  "role": "roles/healthcare.nlpServiceViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, run the gcloud projects set-iam-policy command to make the changes. Specify the project and the path to the policy file that you created.
gcloud projects set-iam-policy PROJECT_ID \
  POLICY_FILE_NAME
If the request is successful, the project name and the bindings are displayed.
Updated IAM policy for project [PROJECT_ID].
bindings:
- members:
  - serviceAccount:service-account-13@appspot.gserviceaccount.com
  - serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS
  role: roles/healthcare.nlpServiceViewer
etag: bytes
version: VERSION_NUMBER
curl
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new service account the role, add the service account's email address to the members array under the roles/healthcare.nlpServiceViewer binding:
{
  "role": "roles/healthcare.nlpServiceViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, call projects.setIamPolicy to make the updates.
To set a project-level IAM policy, make a POST request and specify the project name, the policy, and an access token.
The following sample shows a POST request using curl to grant a new service account the existing roles/healthcare.nlpServiceViewer role:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  --data "{
    'policy': {
      'bindings': [
        {
          'role':'roles/healthcare.nlpServiceViewer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy"
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.nlpServiceViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS"
      ]
    }
  ]
}
PowerShell
Grant or revoke roles to users by modifying the policy that you retrieved, programmatically or using a text editor. The etag value changes when the policy changes, so you must specify the current value.
To grant a new service account the role, add the service account's email address to the members array under the roles/healthcare.nlpServiceViewer binding:
{
  "role": "roles/healthcare.nlpServiceViewer",
  "members": [
    "serviceAccount:service-account-13@appspot.gserviceaccount.com",
    "serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS"
  ]
}
To revoke a principal's access, delete their email address from the members array. To revoke access from the last principal that has a role, delete the bindings array for the role. You cannot have an empty bindings array in your policy.
After you have modified the policy to grant the applicable roles, call projects.setIamPolicy to make the updates.
To set a project-level IAM policy, make a POST request and specify the project name, the policy, and an access token.
The following sample shows a POST request using Windows PowerShell to grant a new service account the existing roles/healthcare.nlpServiceViewer role:
$cred = gcloud auth application-default print-access-token
$headers = @{ Authorization = "Bearer $cred" }
Invoke-WebRequest `
  -Method Post `
  -Headers $headers `
  -ContentType "application/json; charset=utf-8" `
  -Body "{
    'policy': {
      'bindings': [
        {
          'role': 'roles/healthcare.nlpServiceViewer',
          'members': [
            'serviceAccount:service-account-13@appspot.gserviceaccount.com',
            'serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS'
          ]
        }
      ]
    }
  }" `
  -Uri "https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy" | Select-Object -Expand Content
The response is the following:
{
  "etag": "bytes",
  "bindings": [
    {
      "role": "roles/healthcare.nlpServiceViewer",
      "members": [
        "serviceAccount:service-account-13@appspot.gserviceaccount.com",
        "serviceAccount:NEW_SERVICE_ACCOUNT_EMAIL_ADDRESS"
      ]
    }
  ]
}
What's next
- Read about the read-modify-write pattern using IAM policies.
- View the available Cloud Healthcare API roles.