Granting, Changing, and Revoking Access to Project Members

This page describes how to grant, change, and revoke access for project members. You can add team members to the projects you own and give them different levels of access to the project's resources and APIs: a project owner grants access by adding new members and granting them specific IAM roles.

Before you begin

Granting access to team members

Project owners grant team members access to a project's resources and APIs by granting them IAM roles. You can grant a role to a team member using the Cloud Platform Console, the gcloud command-line tool, or the setIamPolicy() method.

The setIamPolicy() method allows you to grant roles to users by attaching a Cloud IAM policy to a resource. The IAM policy is a collection of statements (bindings) that define who has what access.

Read-Modify-Write: A common pattern for updating a resource's metadata, such as the Policy, is to read its current state, update the data locally, and then send the modified data for writing. This pattern could cause a conflict if two or more independent processes attempt the sequence simultaneously. For example, if two owners for a project try to make conflicting policy changes at the same time, some changes could fail. Cloud IAM solves this problem using an etag property in Cloud IAM policies. This property is used to verify if the policy has changed since the last request. When you make a request to Cloud IAM with an etag value, Cloud IAM compares the etag value in the request with the existing etag value associated with the policy. It writes the policy only if the etag values match.

When you update a policy, first get the policy using getIamPolicy(), update the policy, and then write the updated policy using setIamPolicy(). Use the etag value when setting the policy only if the corresponding policy in GetPolicyResponse contains an etag value.
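The read-modify-write cycle and the etag check described above, as an added example that is not code from this page or from Google: FakeIamBackend is a constructed in-memory stand-in for getIamPolicy()/setIamPolicy() that enforces the etag rule, grant_role() is a read-modify-write that retries on a conflict, and two_owners_race() plays out the two-owner scenario once with the etag sent and once without it (all names are this example's own).

```python
import base64
import copy

class EtagConflict(Exception):
    pass

class FakeIamBackend:
    """Constructed stand-in for Cloud IAM's getIamPolicy/setIamPolicy (not a real client)."""
    def __init__(self, bindings):
        self._writes = 0
        self._policy = {"bindings": copy.deepcopy(bindings), "etag": self._new_etag()}
    def _new_etag(self):  # opaque token, new on every write (cf. the BwU... etags gcloud prints)
        self._writes += 1
        return base64.b64encode(f"v{self._writes}".encode()).decode()
    def get_iam_policy(self):
        return copy.deepcopy(self._policy)
    def set_iam_policy(self, policy):
        # With an etag the write happens only if it matches; without one it is a blind overwrite.
        if "etag" in policy and policy["etag"] != self._policy["etag"]:
            raise EtagConflict("policy changed since it was read; re-read and retry")
        self._policy = {"bindings": copy.deepcopy(policy["bindings"]), "etag": self._new_etag()}
        return self.get_iam_policy()

def add_member(policy, role, member):
    for binding in policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return
    policy["bindings"].append({"role": role, "members": [member]})

def grant_role(backend, role, member, max_attempts=3):
    """Read-modify-write with the etag from the read; on a conflict re-read and retry."""
    for _ in range(max_attempts):
        policy = backend.get_iam_policy()
        add_member(policy, role, member)
        try:
            return backend.set_iam_policy(policy)
        except EtagConflict:
            pass
    raise RuntimeError(f"gave up granting {role} to {member} after {max_attempts} conflicts")

def two_owners_race(send_etag):
    """Owner A reads, owner B writes first, then A submits its stale copy. Returns role -> members."""
    backend = FakeIamBackend([{"role": "roles/owner", "members": ["user:email1@gmail.com"]}])
    stale = backend.get_iam_policy()                                  # A reads
    grant_role(backend, "roles/editor", "user:email2@gmail.com")      # B reads and writes
    add_member(stale, "roles/viewer", "user:email3@gmail.com")         # A edits its old copy
    if not send_etag:
        del stale["etag"]                                             # A drops the etag: blind write
    try:
        backend.set_iam_policy(stale)                                 # rejected only if etag was sent
    except EtagConflict:
        grant_role(backend, "roles/viewer", "user:email3@gmail.com")  # A re-reads and retries
    return {b["role"]: sorted(b["members"]) for b in backend.get_iam_policy()["bindings"]}
```

With the etag sent, B's roles/editor grant survives A's conflicting write; without it, A's stale copy silently overwrites B's change.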

Console

To add a team member and grant an IAM role to the member:

  1. Open the IAM page in the Cloud Platform Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Click Add to add new members to the project and set their permissions. In the Select a role drop-down, click on a service name to find the roles that belong to that service.

To grant more than one role to the same project member:

  1. Open the IAM page in the Cloud Platform Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Enter the email address of the member and select all the roles that you want to grant to the member. Click Add.

To grant a role to a member for more than one project:

  1. Open the IAM & Admin Projects page in the Cloud Platform Console.

  2. Select all the projects for which you want to grant permissions.

  3. In the IAM tab on the right pane, add the member and select a role; the role is granted on every selected project.

API

The following code snippet sets the policy for a project:

Request:

POST https://cloudresourcemanager.googleapis.com/v1/projects/our-project-123:setIamPolicy

{
  "policy": {
    "bindings": [
      {
        "role": "roles/owner",
        "members": [
          "user:email1@gmail.com",
          "user:email2@gmail.com",
          "user:email3@gmail.com"
        ]
      },
      {
        "role": "roles/editor",
        "members": [
          "serviceAccount:my-other-app@appspot.gserviceaccount.com"
        ]
      }
    ]
  }
}

Response:

{
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:email1@gmail.com",
        "user:email2@gmail.com",
        "user:email3@gmail.com"
      ]
    },
    {
      "role": "roles/editor",
      "members": [
        "serviceAccount:my-other-app@appspot.gserviceaccount.com"
      ]
    }
  ]
}

Java

The Java code snippet below follows the read-modify-write pattern to add a binding to the project's policy.

import com.google.api.services.cloudresourcemanager.model.Binding;
import com.google.api.services.cloudresourcemanager.model.GetIamPolicyRequest;
import com.google.api.services.cloudresourcemanager.model.Policy;
import com.google.api.services.cloudresourcemanager.model.SetIamPolicyRequest;
import java.util.Arrays;
import java.util.LinkedList;

...

String[] myViewers = new String[] {"user:testviewer1@gmail.com",
    "user:testviewer2@gmail.com"};

// Role names are fully qualified, e.g. "roles/viewer"; a bare "viewers" is not a valid role.
String targetRole = "roles/viewer";

// Read: fetch the current policy. The returned Policy carries the etag that
// setIamPolicy() will check later.
Policy policy =
    client.projects().getIamPolicy(projectId,
    new GetIamPolicyRequest()).execute();

Binding targetBinding = null;

// Make a local copy of the bindings for modifying. A policy with no bindings
// yet has a null list, so start from an empty list in that case.
LinkedList<Binding> bindings = policy.getBindings() == null
    ? new LinkedList<Binding>()
    : new LinkedList<Binding>(policy.getBindings());

// Search for the existing binding having role name of targetRole.
for (Binding binding : bindings) {
    if (binding.getRole().equals(targetRole)) {
        targetBinding = binding;
        break;
    }
}

// If no matching targetBinding is found, construct a new Binding object,
// and add it to the bindings list.
if (targetBinding == null) {
    targetBinding = new Binding();
    targetBinding.setRole(targetRole);
    bindings.add(targetBinding);
}

// Finally, set the list of members as the members of targetBinding.
targetBinding.setMembers(Arrays.asList(myViewers));

// Put the modified list back on the policy: the local copy is not attached
// to it, so without this a newly created binding would never be written.
policy.setBindings(bindings);

// Write the policy back into the project by calling SetIamPolicy. The etag
// from the read is still on the policy, so a concurrent change makes this
// call fail instead of silently overwriting it.
SetIamPolicyRequest setIamPolicyRequest = new SetIamPolicyRequest();
setIamPolicyRequest.setPolicy(policy);
client.projects().setIamPolicy(projectId,
    setIamPolicyRequest).execute();

...

gcloud

You can use either JSON or YAML files with the gcloud commands. This example uses JSON.

To set a project's Cloud IAM policy using the gcloud command:

  1. Get the policy that you want to modify, and write it to a JSON file:

    gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
    
  2. The contents of the JSON file will look similar to the following. Note that the version field is read-only, so you won't need to supply it.

    {
        "bindings": [
            {
                "members": [
                    "user:email1@gmail.com"
                ],
                "role": "roles/owner"
            },
            {
                "members": [
                    "serviceAccount:our-project-123@appspot.gserviceaccount.com",
                    "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
                ],
                "role": "roles/editor"
            }
        ],
        "etag": "BwUjMhCsNvY=",
        "version": 1
    }
    
  3. Using a text editor, add a new object to the bindings array that defines the group members and the role for those members. For example, to grant the role roles/viewer to the user email2@gmail.com, you would change the example shown above as follows:

    {
        "bindings": [
            {
                "members": [
                    "user:email1@gmail.com"
                ],
                "role": "roles/owner"
            },
            {
                "members": [
                    "serviceAccount:our-project-123@appspot.gserviceaccount.com",
                    "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
                ],
                "role": "roles/editor"
            },
            {
                "members": [
                    "user:email2@gmail.com"
                ],
                "role": "roles/viewer"
            }
        ],
        "etag": "BwUjMhCsNvY="
    }
    
  4. Update the project's policy by running the following command:

    gcloud projects set-iam-policy PROJECT_ID iam.json
    
  5. The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUjMhXbSPU=
    version: 1
    

To add a single binding to an existing Cloud IAM policy:

    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member user:email3@gmail.com --role roles/editor

The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      - user:email3@gmail.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUm38GGAQk=
    version: 1

Changing team members' access

Console

  1. Open the IAM page in the Google Cloud Platform Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Locate the member for whom you want to change the access.

  5. In the Role(s) drop-down in the member's row, uncheck the roles granted previously and check the new roles that you want to grant.

  6. Click Save.

API

To modify an existing policy:

  1. Get the existing policy by sending the following request:

    POST https://cloudresourcemanager.googleapis.com/v1beta1/projects/our-project-123:getIamPolicy
    
  2. The response contains the current policy:

    {
        "bindings": [
        {
            "role": "roles/editor",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
        },
        {
            "role": "roles/owner",
            "members": [
                "user:email1@gmail.com",
                "user:email2@gmail.com",
                "user:email3@gmail.com"
            ]
        }
        ]
    }
    
  3. Modify the policy locally. In this example, the service account's role is changed from roles/editor to roles/viewer.

  4. Write the policy using setIamPolicy():

    POST https://cloudresourcemanager.googleapis.com/v1/projects/our-project-123:setIamPolicy

    {
        "policy": {
            "bindings": [
                {
                    "role": "roles/owner",
                    "members": [
                        "user:email1@gmail.com",
                        "user:email2@gmail.com",
                        "user:email3@gmail.com"
                    ]
                },
                {
                    "role": "roles/viewer",
                    "members": [
                        "serviceAccount:my-other-app@appspot.gserviceaccount.com"
                    ]
                }
            ]
        }
    }
    
  5. The setIamPolicy() request returns the policy in the response:

    {
        "bindings": [
        {
            "role": "roles/owner",
            "members": [
                "user:email1@gmail.com",
                "user:email2@gmail.com",
                "user:email3@gmail.com"
            ]
        },
        {
            "role": "roles/viewer",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
        }
        ]
    }
    

gcloud

You can use either JSON or YAML files with the gcloud commands. This example uses JSON.

To modify a project's Cloud IAM policy using the gcloud command:

  1. Get the policy that you want to modify, and write it to a JSON file:

    gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
    
  2. The contents of the JSON file will look similar to the following. Note that the version field is read-only, so you won't need to supply it.

    {
        "bindings": [
            {
                "members": [
                    "user:email1@gmail.com"
                ],
                "role": "roles/owner"
            },
            {
                "members": [
                    "serviceAccount:our-project-123@appspot.gserviceaccount.com",
                    "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
                ],
                "role": "roles/editor"
            }
        ],
        "etag": "BwUjMhCsNvY=",
        "version": 1
    }
    
  3. Using a text editor, add a new object to the bindings array that defines the group members and the role for those members. For example, to grant the role roles/viewer to the user email2@gmail.com, you would change the example shown above as follows:

    {
        "bindings": [
        {
            "members": [
                "user:email1@gmail.com"
            ],
            "role": "roles/owner"
        },
        {
            "members": [
                "serviceAccount:our-project-123@appspot.gserviceaccount.com",
                "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
            ],
            "role": "roles/editor"
        },
        {
            "members": [
                "user:email2@gmail.com"
            ],
            "role": "roles/viewer"
        }
        ],
        "etag": "BwUjMhCsNvY="
    }
    
  4. Update the project's policy by running the following command:

    gcloud projects set-iam-policy PROJECT_ID iam.json
    
  5. The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUjMhXbSPU=
    version: 1
    

Revoking access to team members

Console

  1. Open the IAM page in the Google Cloud Platform Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Locate the member for whom you want to revoke access.

  5. In the Role(s) drop-down in the member's row, uncheck the roles you want to revoke and click Save.

API

To modify an existing policy:

  1. Get the existing policy by sending the following request:

    POST https://cloudresourcemanager.googleapis.com/v1beta1/projects/our-project-123:getIamPolicy
    
  2. The request returns the policy:

    {
        "bindings": [
        {
            "role": "roles/editor",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
        },
        {
            "role": "roles/owner",
            "members": [
                "user:email1@gmail.com",
                "user:email2@gmail.com",
                "user:email3@gmail.com"
            ]
        }
        ]
    }
    
  3. Delete the user from the members of the binding and write the policy using setIamPolicy(). For example, to revoke the owner role from email2@gmail.com, the request looks similar to the following:

    POST https://cloudresourcemanager.googleapis.com/v1/projects/our-project-123:setIamPolicy

    {
        "policy": {
            "bindings": [
                {
                    "role": "roles/owner",
                    "members": [
                        "user:email1@gmail.com",
                        "user:email3@gmail.com"
                    ]
                },
                {
                    "role": "roles/viewer",
                    "members": [
                        "serviceAccount:my-other-app@appspot.gserviceaccount.com"
                    ]
                }
            ]
        }
    }
    
  4. The response will be the updated policy:

    {
        "bindings": [
        {
            "role": "roles/owner",
            "members": [
                "user:email1@gmail.com",
                "user:email3@gmail.com"
            ]
        },
        {
            "role": "roles/viewer",
            "members": [
                "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
        }
        ]
    }
    

gcloud

You can use either JSON or YAML files with the gcloud commands. This example uses JSON.

To revoke a user's access to a project:

  1. Get the policy that you want to modify, and write it to a JSON file:

    gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
    
  2. The contents of the JSON file will look similar to the following:

    {
        "bindings": [
            {
                "members": [
                    "user:email1@gmail.com"
                ],
                "role": "roles/owner"
            },
            {
                "members": [
                    "serviceAccount:our-project-123@appspot.gserviceaccount.com",
                    "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
                ],
                "role": "roles/editor"
            }
        ],
        "etag": "BwUjMhCsNvY=",
        "version": 1
    }
    
  3. Using a text editor, delete the member whose permission you want to revoke. For example, to revoke roles/editor from serviceAccount:our-project-123@appspot.gserviceaccount.com, you would change the example shown above as follows:

    {
        "bindings": [
            {
                "members": [
                    "user:email1@gmail.com"
                ],
                "role": "roles/owner"
            },
            {
                "members": [
                    "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
                ],
                "role": "roles/editor"
            }
        ],
        "etag": "BwUjMhCsNvY="
    }
    
  4. Update the project's policy by running the following command:

    gcloud projects set-iam-policy PROJECT_ID iam.json
    
  5. The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    etag: BwUjMhXbSPU=
    version: 1
    

To remove a binding from a policy:

    gcloud projects remove-iam-policy-binding PROJECT_ID \
        --member user:email3@gmail.com --role roles/editor

The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUf0bMcTwg=
    version: 1
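The hand edits in step 3 of the gcloud granting and revoking procedures above (adding a roles/viewer binding, removing a member from the roles/editor binding) and the file handed to set-iam-policy in step 4, as an added example that is not the page's or gcloud's own code: SAMPLE_IAM_JSON is a constructed copy of the step 2 file, and grant(), revoke() and for_set_iam_policy() are this example's own names.

```python
import json

# Constructed copy of the iam.json that step 1 of the gcloud procedures above writes out.
SAMPLE_IAM_JSON = """{
    "bindings": [
        {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
        {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                     "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
         "role": "roles/editor"}
    ],
    "etag": "BwUjMhCsNvY=",
    "version": 1
}"""

def parse_policy(text):
    return json.loads(text)

def members_of(policy, role):
    """Members bound to role, or [] when the policy has no binding for it."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            return list(binding["members"])
    return []

def grant(policy, role, members):
    """Step 3 of the granting procedure for one or more members: extend the binding for
    role, creating it if there is none; members already bound are left as they are."""
    binding = next((b for b in policy["bindings"] if b["role"] == role), None)
    if binding is None:
        binding = {"members": [], "role": role}
        policy["bindings"].append(binding)
    for member in members:
        if member not in binding["members"]:
            binding["members"].append(member)
    return policy

def revoke(policy, role, member):
    """Step 3 of the revoking procedure: drop member from the binding for role.
    A binding left with no members is removed as well (this script's choice)."""
    kept = []
    for binding in policy["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    policy["bindings"] = kept
    return policy

def for_set_iam_policy(policy):
    """Text to save as iam.json for `gcloud projects set-iam-policy`: keep the etag so
    the write fails if someone changed the policy in between; omit the read-only version."""
    return json.dumps({"bindings": policy["bindings"], "etag": policy["etag"]}, indent=4)
```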

Cloud Identity and Access Management Documentation