Granting, Changing, and Revoking Access to Project Members

This page describes how to grant, change, and revoke access to project members. You can add team members to the projects you own, and grant the members different levels of access to the project's resources and APIs. To grant access to a project, a project owner adds new users and grants them specific Cloud IAM roles.

If you want to use Cloud IAM with Cloud Identity-Aware Proxy (Cloud IAP) to secure access to your applications, see the Cloud Identity-Aware Proxy documentation.

Before you begin

Granting access to team members

To allow team members to access a project's resources and APIs, project owners can grant IAM roles to users. You can grant a role to a user using the GCP Console, the gcloud command-line tool, or the setIamPolicy() method. When you set a policy or add a binding to grant a role to a user, they won't receive an invite email. Instead, the user's access is updated directly.

The setIamPolicy() method allows you to grant roles to users by attaching a Cloud IAM policy to a resource. The IAM policy is a collection of statements that define who has what access. The roles that can be granted are related to the API services that are activated. If a service, such as Compute Engine, is not active for this project, then roles that grant access to Compute Engine APIs will not be visible in the console or grantable by any method. For more information, see Enable and disable APIs.

Read-Modify-Write: A common pattern for updating a resource's metadata, such as the policy, is to read its current state, update the data locally, and then send the modified data for writing. This pattern could cause a conflict if two or more independent processes attempt the sequence simultaneously. For example, if two owners for a project try to make conflicting policy changes at the same time, some changes could fail. Cloud IAM solves this problem using an etag property in Cloud IAM policies. This property is used to verify if the policy has changed since the last request. When you make a request to Cloud IAM with an etag value, Cloud IAM compares the etag value in the request with the existing etag value associated with the policy. It writes the policy only if the etag values match.

When you update a policy, first get the policy using getIamPolicy(), update the policy, and then write the updated policy using setIamPolicy(). Use the etag value when setting the policy only if the corresponding policy in GetPolicyResponse contains an etag value.

In the examples below, PROJECT-ID is the ID of your GCP project. See Identifying projects for more information about the difference between project IDs, names, and numbers.

gcloud

You can use either JSON or YAML files when executing gcloud commands to get or set a resource's policy. The examples in this section use JSON.

To set a project's Cloud IAM policy using the gcloud command:

  1. Get the policy that you want to modify by executing the gcloud projects get-iam-policy command:

    gcloud projects get-iam-policy PROJECT-ID --format json > iam.json
    

  2. The contents of the JSON file will look similar to the following. Note that the version field is read-only, so you won't need to supply it.

    {
      "bindings":[
        {
          "members":[
            "user:email1@gmail.com"
          ],
          "role":"roles/owner"
        },
        {
          "members":[
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role":"roles/editor"
        }
      ],
      "etag":"BwUjMhCsNvY=",
      "version":1
    }
    
  3. Using a text editor, add a new object to the bindings array that defines the members and the role granted to them. For example, to grant the role roles/viewer to the user email2@gmail.com, you would change the example shown above as follows:

    {
      "bindings":[
        {
          "members":[
            "user:email1@gmail.com"
          ],
          "role":"roles/owner"
        },
        {
          "members":[
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role":"roles/editor"
        },
        {
          "members":[
            "user:email2@gmail.com"
          ],
          "role":"roles/viewer"
        }
      ],
      "etag":"BwUjMhCsNvY="
    }
    
  4. Update the project's policy by executing the gcloud projects set-iam-policy command and providing the path to the JSON file containing the new policy:

    gcloud projects set-iam-policy PROJECT-ID iam.json
    

  5. The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUjMhXbSPU=
    version: 1
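The read-modify-write cycle described above (read the policy with its etag, edit the bindings locally, write it back) as an added example that is not part of this page or of Google's client libraries. `PolicyStore` is a hypothetical in-memory stand-in for a project's getIamPolicy()/setIamPolicy(), its etag digest is constructed (only the behaviour, a new value on every change, is modelled), and the starting policy is a constructed copy of the iam.json above; `conflicting_grants` reproduces the two-owners conflict the etag exists to catch.

```python
import copy, hashlib, json
# Constructed starting policy, shaped like the iam.json read in step 1 above.
INITIAL_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:email1@gmail.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com"]},
]}

class EtagConflict(Exception):
    """The etag sent with setIamPolicy no longer matches the stored policy."""

class PolicyStore:
    """Hypothetical stand-in for one project's getIamPolicy/setIamPolicy."""
    def __init__(self, policy):
        self._policy = {"bindings": copy.deepcopy(policy["bindings"])}
        # Constructed etag: a digest of the bindings, so any change to them
        # yields a new value. Not Google's algorithm, only its behaviour.
        blob = json.dumps(self._policy["bindings"], sort_keys=True).encode()
        self._policy["etag"] = hashlib.sha256(blob).hexdigest()[:12]

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy):
        # Etags are compared only when the caller supplied one (the page's rule).
        if "etag" in policy and policy["etag"] != self._policy["etag"]:
            raise EtagConflict("policy changed since it was read")
        self.__init__(policy)          # store the bindings, mint a fresh etag
        return self.get_iam_policy()

def add_member(policy, role, member):
    """Modify step: add member to the role's binding, creating it if absent."""
    for b in policy["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy

def grant(store, role, member):
    """Full read-modify-write cycle; returns the policy the service stored."""
    policy = store.get_iam_policy()    # read: the copy carries the current etag
    return store.set_iam_policy(add_member(policy, role, member))

def conflicting_grants(store):
    """Two owners read the same policy; the later, stale write must be rejected."""
    stale = store.get_iam_policy()
    grant(store, "roles/viewer", "user:email2@gmail.com")      # first write wins
    add_member(stale, "roles/editor", "user:email3@gmail.com") # edit on stale read
    try:
        store.set_iam_policy(stale)
        return "overwritten"           # would silently drop email2's viewer grant
    except EtagConflict:
        return "rejected"              # caller must re-read the policy and retry
```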
    

To add a single binding to a project's existing Cloud IAM policy:

Execute the gcloud projects add-iam-policy-binding command by specifying the ID of the GCP project and the new member and role:

    gcloud projects add-iam-policy-binding PROJECT-ID \
        --member user:email3@gmail.com --role roles/editor

The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      - user:email3@gmail.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUm38GGAQk=
    version: 1

Console

To add a team member and grant a Cloud IAM role to the member:

  1. Open the IAM page in the GCP Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Click Add to add new members to the project and set their permissions. In the Select a role drop-down, click on a service name to find the roles that belong to that service.

To grant more than one role to the same project member:

  1. Open the IAM page in the GCP Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Enter the email address of the member and select all the roles that you want to grant to the member. Click Add.

To grant a role to a member for more than one project:

  1. Open the IAM & Admin Projects page in the GCP Console.

  2. Select all the projects for which you want to grant permissions.

  3. In the IAM tab on the right pane, add the new member and select a role to grant the role for all selected projects.

API

To set a new GCP policy:

Set the policy by calling setIamPolicy() and including the policy in the request body:

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT-ID:setIamPolicy

    {
      "policy":{
        "bindings":[
          {
            "role":"roles/owner",
            "members":[
              "user:email1@gmail.com",
              "user:email2@gmail.com",
              "user:email3@gmail.com"
            ]
          },
          {
            "role":"roles/editor",
            "members":[
              "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
          }
        ]
      }
    }

Response:

    {
      "bindings":[
        {
          "role":"roles/owner",
          "members":[
            "user:email1@gmail.com",
            "user:email2@gmail.com",
            "user:email3@gmail.com"
          ]
        },
        {
          "role":"roles/editor",
          "members":[
            "serviceAccount:my-other-app@appspot.gserviceaccount.com"
          ]
        }
      ]
    }

Java

The Java code snippet below follows the read-modify-write pattern to update the policy, granting roles/viewer to a list of users.

import com.google.api.services.cloudresourcemanager.model.Binding;
import com.google.api.services.cloudresourcemanager.model.GetIamPolicyRequest;
import com.google.api.services.cloudresourcemanager.model.Policy;
import com.google.api.services.cloudresourcemanager.model.SetIamPolicyRequest;
import java.util.Arrays;
import java.util.LinkedList;

...

String[] myViewers = new String[] {"user:testviewer1@gmail.com",
    "user:testviewer2@gmail.com"};

// The name of the role, using the format `roles/<role-name>`.
String targetRole = "roles/viewer";

// Read: fetch the current policy. The returned Policy carries the etag,
// which is sent back unchanged in the write below so that a concurrent
// modification is rejected instead of being silently overwritten.
Policy policy =
    client.projects().getIamPolicy(projectId,
        new GetIamPolicyRequest()).execute();

Binding targetBinding = null;

// Make a local copy of the bindings for modification. getBindings() may
// return null for a policy with no bindings, so guard against it.
LinkedList<Binding> bindings = policy.getBindings() == null
    ? new LinkedList<Binding>()
    : new LinkedList<Binding>(policy.getBindings());

// Search for the existing binding having role name of targetRole.
for (Binding binding : bindings) {
    if (binding.getRole().equals(targetRole)) {
        targetBinding = binding;
        break;
    }
}

// If no matching targetBinding is found, construct a new Binding object
// and add it to the bindings list.
if (targetBinding == null) {
    targetBinding = new Binding();
    targetBinding.setRole(targetRole);
    bindings.add(targetBinding);
}

// Finally, set the list of members as the members of targetBinding.
// Note that this replaces any members the binding already had.
targetBinding.setMembers(Arrays.asList(myViewers));

// Put the (possibly extended) binding list back on the policy; without
// this, a newly created binding would never be written.
policy.setBindings(bindings);

// Write the policy back into the project by calling SetIamPolicy.
SetIamPolicyRequest setIamPolicyRequest = new SetIamPolicyRequest();
setIamPolicyRequest.setPolicy(policy);
client.projects().setIamPolicy(projectId,
    setIamPolicyRequest).execute();

...

Changing team members' access

gcloud

To modify a project's Cloud IAM policy using the gcloud command:

  1. Get the policy that you want to modify by executing the gcloud projects get-iam-policy command and writing the output to a JSON file:

    gcloud projects get-iam-policy PROJECT-ID --format json > iam.json
    

  2. The contents of the JSON file will look similar to the following. Note that the version field is read-only, so you won't need to supply it.

    {
      "bindings":[
        {
          "members":[
            "user:email1@gmail.com"
          ],
          "role":"roles/owner"
        },
        {
          "members":[
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role":"roles/editor"
        }
      ],
      "etag":"BwUjMhCsNvY=",
      "version":1
    }
    
  3. Using a text editor, add a new object to the bindings array that defines the members and the role granted to them. For example, to grant the role roles/viewer to the user email2@gmail.com, you would change the example shown above as follows:

    {
      "bindings":[
        {
          "members":[
            "user:email1@gmail.com"
          ],
          "role":"roles/owner"
        },
        {
          "members":[
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role":"roles/editor"
        },
        {
          "members":[
            "user:email2@gmail.com"
          ],
          "role":"roles/viewer"
        }
      ],
      "etag":"BwUjMhCsNvY="
    }
    
  4. Update the project's policy by executing the gcloud projects set-iam-policy command and providing the path to the JSON file containing the updated policy:

    gcloud projects set-iam-policy PROJECT-ID iam.json
    

  5. The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUjMhXbSPU=
    version: 1
    

Console

  1. Open the IAM page in the Google Cloud Platform Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Locate the member for whom you want to change the access.

  5. In the Role(s) drop-down in the member's row, uncheck the roles granted previously and check the new roles that you want to grant.

  6. Click Save.

API

To modify an existing policy:

  1. Get the existing policy by calling getIamPolicy():

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT-ID:getIamPolicy
    

  2. The request returns the policy in the response:

    {
      "bindings":[
        {
          "role":"roles/editor",
          "members":[
            "serviceAccount:my-other-app@appspot.gserviceaccount.com"
          ]
        },
        {
          "role":"roles/owner",
          "members":[
            "user:email1@gmail.com",
            "user:email2@gmail.com",
            "user:email3@gmail.com"
          ]
        }
      ]
    }
    
  3. Make any desired changes to the policy.

  4. Set the updated policy by calling setIamPolicy() and including the updated policy in the request body:

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT-ID:setIamPolicy

    {
      "policy":{
        "bindings":[
          {
            "role":"roles/owner",
            "members":[
              "user:email1@gmail.com",
              "user:email2@gmail.com",
              "user:email3@gmail.com"
            ]
          },
          {
            "role":"roles/viewer",
            "members":[
              "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
          }
        ]
      }
    }

  5. The setIamPolicy() request returns the policy in the response:

    {
      "bindings":[
        {
          "role":"roles/owner",
          "members":[
            "user:email1@gmail.com",
            "user:email2@gmail.com",
            "user:email3@gmail.com"
          ]
        },
        {
          "role":"roles/viewer",
          "members":[
            "serviceAccount:my-other-app@appspot.gserviceaccount.com"
          ]
        }
      ]
    }
    

Revoking access to team members

gcloud

To revoke a user's access to a project:

  1. Get the policy that you want to modify by executing the gcloud projects get-iam-policy command and writing the output to a JSON file:

    gcloud projects get-iam-policy PROJECT-ID --format json > iam.json
    

  2. The contents of the JSON file will look similar to the following. Note that the version field is read-only, so you won't need to supply it.

    {
      "bindings":[
        {
          "members":[
            "user:email1@gmail.com"
          ],
          "role":"roles/owner"
        },
        {
          "members":[
            "serviceAccount:our-project-123@appspot.gserviceaccount.com",
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role":"roles/editor"
        }
      ],
      "etag":"BwUjMhCsNvY=",
      "version":1
    }
    
  3. Using a text editor, delete the member whose access you want to revoke. For example, to revoke the role roles/editor from the member serviceAccount:our-project-123@appspot.gserviceaccount.com, you would change the example shown above as follows:

    {
      "bindings":[
        {
          "members":[
            "user:email1@gmail.com"
          ],
          "role":"roles/owner"
        },
        {
          "members":[
            "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
          ],
          "role":"roles/editor"
        }
      ],
      "etag":"BwUjMhCsNvY="
    }
    
  4. Update the project's policy by executing the gcloud projects set-iam-policy command and providing the path to the JSON file containing the updated policy:

    gcloud projects set-iam-policy PROJECT-ID iam.json
    

  5. The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    etag: BwUjMhXbSPU=
    version: 1
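Steps 1 to 3 above done in code rather than in a text editor, as an added example that is not part of this page: `CURRENT` is a constructed copy of the iam.json shown, `revoke` produces the edited policy (binding dropped when its last member goes, read-only version omitted, etag kept), and `review` is the pre-write check a practitioner wants, listing exactly which grants the set-iam-policy call would add or remove. All three helpers are hypothetical names written here.

```python
import json

# Constructed: the iam.json that step 1 above writes out (values as on the page).
CURRENT = json.loads("""{
  "bindings": [
    {"members": ["user:email1@gmail.com"], "role": "roles/owner"},
    {"members": ["serviceAccount:our-project-123@appspot.gserviceaccount.com",
                 "serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
     "role": "roles/editor"}
  ],
  "etag": "BwUjMhCsNvY=",
  "version": 1
}""")

def grants(policy):
    """Flatten a policy into the set of (role, member) pairs it grants."""
    return {(b["role"], m) for b in policy["bindings"] for m in b.get("members", [])}

def revoke(policy, role, member):
    """Step 3 in code: remove member from the role's binding and drop the
    binding if it becomes empty (a binding with no members grants nothing).
    The result omits the read-only version field and keeps the etag so that
    set-iam-policy rejects the write if the policy changed since step 1."""
    updated = {"bindings": [], "etag": policy["etag"]}
    found = False
    for b in policy["bindings"]:
        members = list(b.get("members", []))
        if b["role"] == role and member in members:
            members.remove(member)
            found = True
        if members:
            updated["bindings"].append({"role": b["role"], "members": members})
    if not found:
        # Revoking a grant that does not exist usually means a mistyped
        # member or role; fail loudly instead of writing an unchanged policy.
        raise KeyError(f"{member} does not hold {role}")
    return updated

def review(before, after):
    """Pre-write check: list exactly which grants the new policy adds or
    removes, so an edit meant to revoke one member cannot quietly do more."""
    old, new = grants(before), grants(after)
    return {"revoked": sorted(old - new), "granted": sorted(new - old)}
```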
    

To remove a binding from a policy:

Execute the gcloud projects remove-iam-policy-binding command by specifying the ID of the GCP project and the member and role to remove:

    gcloud projects remove-iam-policy-binding PROJECT-ID \
        --member user:email3@gmail.com --role roles/editor

The command outputs the updated policy:

    bindings:
    - members:
      - user:email1@gmail.com
      role: roles/owner
    - members:
      - serviceAccount:our-project-123@appspot.gserviceaccount.com
      - serviceAccount:123456789012-compute@developer.gserviceaccount.com
      role: roles/editor
    - members:
      - user:email2@gmail.com
      role: roles/viewer
    etag: BwUf0bMcTwg=
    version: 1

Console

  1. Open the IAM page in the Google Cloud Platform Console.

  2. Click Select a project.

  3. Select a project and click Open.

  4. Locate the member for whom you want to revoke access.

  5. In the Role(s) drop-down in the member's row, uncheck the roles you want to revoke and click Save.

API

To modify an existing policy:

  1. Get the existing policy by calling getIamPolicy():

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT-ID:getIamPolicy
    

  2. The request returns the policy:

    {
      "bindings":[
        {
          "role":"roles/editor",
          "members":[
            "serviceAccount:my-other-app@appspot.gserviceaccount.com"
          ]
        },
        {
          "role":"roles/owner",
          "members":[
            "user:email1@gmail.com",
            "user:email2@gmail.com",
            "user:email3@gmail.com"
          ]
        }
      ]
    }
    
  3. Delete the user from the member binding and set the updated policy by calling setIamPolicy(). For example, if you want to revoke the owner role from email2@gmail.com, the request will look similar to the following:

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT-ID:setIamPolicy

    {
      "policy":{
        "bindings":[
          {
            "role":"roles/owner",
            "members":[
              "user:email1@gmail.com",
              "user:email3@gmail.com"
            ]
          },
          {
            "role":"roles/viewer",
            "members":[
              "serviceAccount:my-other-app@appspot.gserviceaccount.com"
            ]
          }
        ]
      }
    }

  4. The response will include the updated policy:

    {
      "bindings":[
        {
          "role":"roles/owner",
          "members":[
            "user:email1@gmail.com",
            "user:email3@gmail.com"
          ]
        },
        {
          "role":"roles/viewer",
          "members":[
            "serviceAccount:my-other-app@appspot.gserviceaccount.com"
          ]
        }
      ]
    }
    

What's next
