Grant an IAM role by using the Google Cloud console

Learn how to use the Google Cloud console to grant IAM roles to principals at the project level.





Before you begin

Create a Google Cloud project

For this quickstart, you need a new Google Cloud project.

  1. In the Google Cloud console, go to the project selector page.

    Go to project selector

  2. Click Create project.

  3. Name your project. Make a note of your generated project ID.

  4. Edit the other fields as needed.

  5. Click Create.

Ensure that you have the required roles

    Make sure that you have the following role or roles on the project: Project IAM Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.

    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Enable the APIs

Enable the IAM and Resource Manager APIs.


Grant an IAM role

Grant a principal the Logs Viewer role on the project.

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. Select your new project.

  3. Click Grant access.

  4. Enter an identifier for the principal. For example, my-user@example.com.

  5. From the Select a role drop-down menu, search for Logs Viewer, then click Logs Viewer.

  6. Click Save.

  7. Verify that the principal and the corresponding role are listed in the IAM page.

You have successfully granted an IAM role to a principal.

Observe the effects of IAM roles

Verify that the principal you granted a role to can access the expected Google Cloud console pages by doing the following:

  1. Send the following URL to the principal to whom you granted the role in the preceding step:

    https://console.cloud.google.com/logs?project=PROJECT_ID
    

    This URL takes the principal to the Logs Explorer page for your project.

  2. Verify that the principal is able to access and view the URL.

If the principal tries to access a different Google Cloud console page that they don't have access to, they see an error message.

Grant additional roles to the same principal

Grant the principal the App Engine Viewer role in addition to their Logs Viewer role.

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. Locate the row that contains the principal to whom you want to grant another role, and click Edit principal in that row.

  3. In the Edit permissions pane, click Add another role.

  4. From the Select a role drop-down menu, search for App Engine Viewer, then click App Engine Viewer.

  5. Click Save.

The principal now has a second IAM role.

Revoke IAM roles

Revoke the roles you granted to the principal in the preceding steps by doing the following:

  1. Locate the row that contains the principal that you granted roles to and click Edit principal in that row.

  2. In the Edit permissions pane, click the delete icon next to the Logs Viewer and App Engine Viewer roles.

  3. Click Save.

You have now removed the principal from both of the roles. If they try to view the Logs Explorer page, they see the following error message:

You don't have permissions to view logs.
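
The grant, add-role, and revoke steps above all edit one object: the project's allow policy, a list of bindings that each map a role to its members. The following sketch is an added example, not part of the original page or Google's code; it replays those steps on a constructed policy so the resulting bindings can be checked. The role IDs roles/logging.viewer and roles/appengine.appViewer correspond to the Logs Viewer and App Engine Viewer display names, and the sample policy, etag, and admin account are constructed.

```python
import copy

# Role IDs behind the display names used on this page.
LOGS_VIEWER = "roles/logging.viewer"
APP_ENGINE_VIEWER = "roles/appengine.appViewer"

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json` output.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",  # placeholder value, not a real etag
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

def grant(policy, member, role):
    """Return a copy with member added to the unconditional binding for role."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:  # granting twice changes nothing
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def revoke(policy, member, role):
    """Return a copy with member removed from role; emptied bindings are dropped."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            b["members"] = [m for m in b["members"] if m != member]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new

def roles_of(policy, member):
    """Roles bound directly to member (group and inherited grants are not resolved)."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])

def walkthrough(member="user:my-user@example.com"):
    """Replay the page's steps; return the member's roles after each, plus the final policy."""
    p1 = grant(SAMPLE_POLICY, member, LOGS_VIEWER)        # Grant an IAM role
    p2 = grant(p1, member, APP_ENGINE_VIEWER)             # Grant additional roles
    p3 = revoke(revoke(p2, member, LOGS_VIEWER), member, APP_ENGINE_VIEWER)  # Revoke
    return [roles_of(p, member) for p in (p1, p2, p3)], p3

if __name__ == "__main__":
    print(walkthrough())
```

Comparing the final bindings with the starting ones is a quick way to confirm that a temporary grant left nothing behind.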

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

Clean up by deleting the project that you created for this quickstart.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.
