This page describes how to grant, change, and revoke access to projects, folders, and organizations. To learn how to manage access to other resources, see the following guides:
In Identity and Access Management (IAM), access is granted through allow policies, also known as IAM policies. An allow policy is attached to a Google Cloud resource. Each allow policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role. These role bindings grant the specified roles to the principals, both on the resource that the allow policy is attached to and on all of that resource's descendants. For more information about allow policies, see Understanding allow policies.
You can manage access to projects, folders, and organizations with the Google Cloud console, the Google Cloud CLI, the REST API, or the Resource Manager client libraries.
Before you begin
Enable the Resource Manager API.
Set up authentication.
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
C#
To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Required roles
When you create a project, folder, or organization, you are automatically granted a role that lets you manage access for that resource. For more information, see Default policies.
If you didn't create your project, folder, or organization, ensure that you have the roles that you need to manage access to that resource.
To get the permissions that you need to manage access to a project, folder, or organization, ask your administrator to grant you the following IAM roles on the resource that you want to manage access for (project, folder, or organization):
-
To manage access to a project:
Project IAM Admin (
roles/resourcemanager.projectIamAdmin
) -
To manage access to a folder:
Folder Admin (
roles/resourcemanager.folderAdmin
) -
To manage access to projects, folders, and organizations:
Organization Admin (
roles/resourcemanager.organizationAdmin
) -
To manage access to almost all Google Cloud resources:
Security Admin (
roles/iam.securityAdmin
)
These predefined roles contain the permissions required to manage access to a project, folder, or organization. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage access to a project, folder, or organization:
-
To manage access to projects:
-
resourcemanager.projects.getIamPolicy
-
resourcemanager.projects.setIamPolicy
-
-
To manage access to folders:
-
resourcemanager.folders.getIamPolicy
-
resourcemanager.folders.setIamPolicy
-
-
To manage access to organizations:
-
resourcemanager.organizations.getIamPolicy
-
resourcemanager.organizations.setIamPolicy
-
You might also be able to get these permissions with custom roles or other predefined roles.
View current access
You can view who has access to your project, folder, or organization using the Google Cloud console, the gcloud CLI, the REST API, or the Resource Manager client libraries.
Console
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see Policy inheritance and the resource hierarchy.
Optional: To view role grants for service agents, select the Include Google-provided role grants checkbox.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
To get the allow policy for the resource, run the
get-iam-policy
command for the resource:gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH
Provide the following values:
-
RESOURCE_TYPE
: The type of the resource that you want to view access to. Use one of these values:projects
,resource-manager folders
, ororganizations
. -
RESOURCE_ID
: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
FORMAT
: The desired format for the policy. Usejson
oryaml
. -
PATH
: The path to a new output file for the policy.
For example, the following command gets the policy for the project
my-project
and saves it to your home directory in JSON format:gcloud projects get-iam-policy my-project --format=json > ~/policy.json
-
C#
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the Resource Manager client library documentation for your programming language.
Java
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the Resource Manager client library documentation for your programming language.
Python
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the Resource Manager client library documentation for your programming language.
REST
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
The Resource Manager API's
getIamPolicy
method gets a project's, folder's, or organization's allow policy.
Before using any of the request data, make the following replacements:
API_VERSION
: The API version to use. For projects and organizations, usev1
. For folders, usev2
.RESOURCE_TYPE
: The resource type whose policy you want to manage. Use the valueprojects
,folders
, ororganizations
.RESOURCE_ID
: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.POLICY_VERSION
: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy
Request JSON body:
{ "options": { "requestedPolicyVersion": POLICY_VERSION } }
To send your request, expand one of these options:
The response contains the resource's allow policy. For example:
{ "version": 1, "etag": "BwWKmjvelug=", "bindings": [ { "role": "roles/owner", "members": [ "user:my-user@example.com" ] } ] }
Grant or revoke a single role
You can use the Google Cloud console and the gcloud CLI to quickly grant or revoke a single role for a single principal, without editing the resource's allow policy directly. Common types of principals include Google Accounts, service accounts, Google groups, and domains. For a list of all principal types, see Concepts related to identity.
In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.
If you need help identifying the most appropriate predefined role, see Choose predefined roles.
Grant a single role
To grant a single role to a principal, do the following:
Console
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
Select a principal to grant a role to:
To grant a role to a principal who already has other roles on the resource, find a row containing the principal, click
Edit principal in that row, and click Add another role.To grant a role to a service agent, select the Include Google-provided role grants checkbox to see its email address.
To grant a role to a principal who doesn't have any existing roles on the resource, click
Grant Access, then enter an identifier for the principal—for example,my-user@example.com
.
Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs.
Optional: Add a condition to the role.
Click Save. The principal is granted the role on the resource.
To grant a role to a principal for more than one project, folder, or organization, do the following:
In the Google Cloud console, go to the Manage resources page.
Select all the resources for which you want to grant permissions.
If the info panel is not visible, click Show info panel. Then, click Permissions.
Select a principal to grant a role to:
To grant a role to a principal who already has other roles, find a row containing the principal, click
Edit principal in that row, and click Add another role.To grant a role to a principal who does not already have other roles, click
Add principal, then enter an identifier for the principal—for example,my-user@example.com
.
Select a role to grant from the drop-down list.
Optional: Add a condition to the role.
Click Save. The principal is granted the selected role on each of the selected resources.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
The
add-iam-policy-binding
command lets you quickly grant a role to a principal.Before using any of the command data below, make the following replacements:
-
RESOURCE_TYPE
: The resource type that you want to manage access to. Useprojects
,resource-manager folders
, ororganizations
. -
RESOURCE_ID
: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
PRINCIPAL
: An identifier for the principal, or member, which usually has the following form:PRINCIPAL_TYPE:ID
. For example,user:my-user@example.com
. For a full list of the values thatPRINCIPAL
can have, see Principal identifiers.For the principal type
user
, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity. -
ROLE_NAME
: The name of the role that you want to revoke. Use one of the following formats:- Predefined roles:
roles/SERVICE.IDENTIFIER
- Project-level custom roles:
projects/PROJECT_ID/roles/IDENTIFIER
- Organization-level custom roles:
organizations/ORG_ID/roles/IDENTIFIER
For a list of predefined roles, see Understanding roles.
- Predefined roles:
-
CONDITION
: The condition to add to the role binding. If you don't want to add a condition, use the valueNone
. For more information about conditions, see the conditions overview.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID \ --member=PRINCIPAL --role=ROLE_NAME \ --condition=CONDITION
Windows (PowerShell)
gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID ` --member=PRINCIPAL --role=ROLE_NAME ` --condition=CONDITION
Windows (cmd.exe)
gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID ^ --member=PRINCIPAL --role=ROLE_NAME ^ --condition=CONDITION
The response contains the updated IAM policy.
-
Revoke a single role
To revoke a single role from a principal, do the following:
Console
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
Find the row containing the principal whose access you want to revoke. Then, click
Edit principal in that row.Click the Delete
button for the role that you want to revoke, and then click Save.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
To quickly revoke a role from a user, run the
remove-iam-policy-binding
command:gcloud RESOURCE_TYPE remove-iam-policy-binding RESOURCE_ID
--member=PRINCIPAL --role=ROLE_NAMEProvide the following values:
-
RESOURCE_TYPE
: The resource type that you want to manage access to. Useprojects
,resource-manager folders
, ororganizations
. -
RESOURCE_ID
: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
PRINCIPAL
: An identifier for the principal, or member, which usually has the following form:PRINCIPAL_TYPE:ID
. For example, user:my-user@example.com. For a full list of the values thatPRINCIPAL
can have, see Principal identifiers.For the principal type
user
, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity. -
ROLE_NAME
: The name of the role that you want to revoke. Use one of the following formats:- Predefined roles:
roles/SERVICE.IDENTIFIER
- Project-level custom roles:
projects/PROJECT_ID/roles/IDENTIFIER
- Organization-level custom roles:
organizations/ORG_ID/roles/IDENTIFIER
For a list of predefined roles, see Understanding roles.
- Predefined roles:
For example, to revoke the Project Creator role from the service account
example-service-account@example-project.iam.gserviceaccount.com
for the projectexample-project
:gcloud projects remove-iam-policy-binding example-project
--member=serviceAccount:example-service-account@example-project.iam.gserviceaccount.com
--role=roles/resourcemanager.projectCreator -
To help ensure that you don't revoke any necessary roles, you can enable change risk recommendations. Change risk recommendations generate warnings when you try to revoke project-level roles that Google Cloud has identified as important.
Grant or revoke multiple roles using the Google Cloud console
You can use the Google Cloud console to grant and revoke multiple roles for a single principal:
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
Select the principal whose roles you want to modify:
To modify roles for a principal who already has roles on the resource, find a row containing the principal, click
Edit principal in that row, and click Add another role.To modify roles for a service agent, select the Include Google-provided role grants checkbox to see its email address.
To grant roles to a principal who doesn't have any roles on the resource, click
Grant Access, then enter an identifier for the principal—for example,my-user@example.com
.
Modify the principal's roles:
- To grant a role to a principal who doesn't have any existing roles on the resource, click Select a role, then select a role to grant from the drop-down list.
- To grant an additional role to the principal, click Add another role, then select a role to grant from the drop-down list.
- To replace one of the principal's roles with a different role, click the existing role, then choose a different role to grant from the drop-down list.
- To revoke one of the principal's roles, click the Delete button for each role that you want to revoke.
You can also add a condition to a role, modify a role's condition, or remove a role's condition.
Click Save.
Grant or revoke multiple roles programmatically
To make large-scale access changes that involve granting and revoking multiple roles for multiple principals, use the read-modify-write pattern to update the resource's allow policy:
- Read the current allow policy by calling
getIamPolicy()
. - Edit the allow policy, either by using a text editor or programmatically, to add or remove any principals or role bindings.
- Write the updated allow policy by calling
setIamPolicy()
.
You can use the gcloud CLI, the REST API, or the Resource Manager client libraries to update the allow policy.
In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.
Get the current allow policy
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
To get the allow policy for the resource, run the
get-iam-policy
command for the resource:gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH
Provide the following values:
-
RESOURCE_TYPE
: The type of the resource that you want to get the allow policy for. Use one of the following values:projects
,resource-manager folders
, ororganizations
. -
RESOURCE_ID
: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
FORMAT
: The desired format for the allow policy. Usejson
oryaml
. -
PATH
: The path to a new output file for the allow policy.
For example, the following command gets the allow policy for the project
my-project
and saves it to your home directory in JSON format:gcloud projects get-iam-policy my-project --format json > ~/policy.json
-
C#
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the Resource Managerclient library documentation for your programming language.
Java
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the Resource Managerclient library documentation for your programming language.
Python
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the Resource Managerclient library documentation for your programming language.
REST
The Resource Manager API's
getIamPolicy
method gets a project's, folder's, or organization's allow policy.
Before using any of the request data, make the following replacements:
API_VERSION
: The API version to use. For projects and organizations, usev1
. For folders, usev2
.RESOURCE_TYPE
: The resource type whose policy you want to manage. Use the valueprojects
,folders
, ororganizations
.RESOURCE_ID
: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.POLICY_VERSION
: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy
Request JSON body:
{ "options": { "requestedPolicyVersion": POLICY_VERSION } }
To send your request, expand one of these options:
The response contains the resource's allow policy. For example:
{ "version": 1, "etag": "BwWKmjvelug=", "bindings": [ { "role": "roles/owner", "members": [ "user:my-user@example.com" ] } ] }
Save the response in a file of the appropriate type (json
or yaml
).
Modify the allow policy
Programmatically or using a text editor, modify the local copy of your resource's allow policy to reflect the roles that you want to grant or revoke.
To help prevent you from overwriting other changes, don't edit or remove the
allow policy's etag
field. The etag
field identifies the current state of
the allow policy. When you set the updated allow policy,
IAM compares the etag
value in the request with the
existing etag
, and only writes the allow policy if the values match.
To edit the roles that an allow policy grants, you need to edit the role bindings in the allow policy. Role bindings have the following format:
{ "role": "ROLE_NAME", "members": [ "PRINCIPAL_1", "PRINCIPAL_2", ... "PRINCIPAL_N" ], "conditions:" { CONDITIONS } }
The placeholders have the following values:
ROLE_NAME
: The name of the role that you want to grant. Use one of the following formats:- Predefined roles:
roles/SERVICE.IDENTIFIER
- Project-level custom roles:
projects/PROJECT_ID/roles/IDENTIFIER
- Organization-level custom roles:
organizations/ORG_ID/roles/IDENTIFIER
For a list of predefined roles, see Understanding roles.
- Predefined roles:
PRINCIPAL_1
,PRINCIPAL_2
,...PRINCIPAL_N
: Identifiers for the principals that you want to grant the role to.Principal identifiers usually have the following form:
PRINCIPAL-TYPE:ID
. For example,user:my-user@example.com
. For a full list of the values thatPRINCIPAL
can have, see Principal identifiers.For the principal type
user
, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.CONDITIONS
: Optional. Any conditions that specify when access will be granted.
Grant a role
To grant roles to your principals, modify the role bindings in the allow policy. To learn what roles you can grant, see Understanding roles, or view grantable roles for the resource. If you need help to identify the most appropriate predefined roles, see Choose predefined roles.
Optionally, you can use conditions to grant roles only when certain requirements are met.
To grant a role that is already included in the allow policy, add the principal to an existing role binding:
gcloud
Edit the returned allow policy by adding the principal to an existing role binding. This change won't take effect until you set the updated allow policy.
For example, imagine the allow policy contains the following role binding, which
grants the Security Reviewer role (roles/iam.securityReviewer
) to
Kai:
{
"role": "roles/iam.securityReviewer",
"members": [
"user:kai@example.com"
]
}
To grant that same role to Raha, add Raha's principal identifier to the existing role binding:
{ "role": "roles/iam.securityReviewer", "members": [ "user:kai@example.com", "user:raha@example.com" ] }
C#
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Go
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Java
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Python
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
REST
Edit the returned allow policy by adding the principal to an existing role binding. This change won't take effect until you set the updated allow policy.
For example, imagine the allow policy contains the following role binding, which
grants the Security Reviewer role (roles/iam.securityReviewer
) to
Kai:
{
"role": "roles/iam.securityReviewer",
"members": [
"user:kai@example.com"
]
}
To grant that same role to Raha, add Raha's principal identifier to the existing role binding:
{ "role": "roles/iam.securityReviewer", "members": [ "user:kai@example.com", "user:raha@example.com" ] }
To grant a role that is not yet included in the allow policy, add a new role binding:
gcloud
Edit the allow policy by adding a new role binding that grants the role to the principal. This change won't take effect until you set the updated allow policy.
For example, to grant the Compute Storage Admin role
(roles/compute.storageAdmin
) to Raha, add the following role binding to the
bindings
array for the allow policy:
{
"role": "roles/compute.storageAdmin",
"members": [
"user:raha@example.com"
]
}
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
REST
Edit the allow policy by adding a new role binding that grants the role to the principal. This change won't take effect until you set the updated allow policy.
For example, to grant the Compute Storage Admin role
(roles/compute.storageAdmin
) to Raha, add the following role binding to the
bindings
array for the allow policy:
{
"role": "roles/compute.storageAdmin",
"members": [
"user:raha@example.com"
]
}
You can only grant roles related to activated API services. If a service, such as Compute Engine, is not active, you cannot grant roles exclusively related to Compute Engine. For more information, see Enable and disable APIs.
There are some unique constraints when granting permissions on projects,
especially when granting the Owner (roles/owner
) role. See the
projects.setIamPolicy()
reference documentation
for more information.
Revoke a role
To revoke a role, remove the principal from the role binding. If there are no other principals in the role binding, remove the entire role binding.
gcloud
Revoke a role by editing the JSON or YAML allow policy returned by the
get-iam-policy
command. This change won't take effect until you
set the updated allow policy.
To revoke a role from a principal, delete the principal or binding from the
bindings
array for the allow policy.
C#
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Go
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Java
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
REST
Revoke a role by editing the JSON or YAML allow policy returned by the
get-iam-policy
command. This change won't take effect until you
set the updated allow policy.
To revoke a role from a principal, delete the principal or binding from the
bindings
array for the allow policy.
Set the allow policy
After you modify the allow policy to grant and revoke roles, call
setIamPolicy()
to update the policy.
gcloud
-
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
-
To set the allow policy for the resource, run the
set-iam-policy
command for the resource:gcloud RESOURCE_TYPE set-iam-policy RESOURCE_ID PATH
Provide the following values:
-
RESOURCE_TYPE
: The type of the resource that you want to set the allow policy for. Use one of the following values:projects
,resource-manager folders
, ororganizations
. -
RESOURCE_ID
: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project
. Folder and organization IDs are numeric, like123456789012
. -
PATH
: The path to a file that contains the new allow policy.
The response contains the updated allow policy.
For example, the following command sets the allow policy stored in
policy.json
as the allow policy for the projectmy-project
:gcloud projects set-iam-policy my-project ~/policy.json
-
C#
Java
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to set the allow policy for a project. To learn how to set the allow policy of a folder or organization, review the Resource Manager client library documentation for your programming language.
Python
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to set the allow policy for a project. To learn how to set the allow policy of a folder or organization, review the Resource Manager client library documentation for your programming language.
REST
The Resource Manager API's
setIamPolicy
method sets the policy in the request as the new allow policy for the project, folder, or organization.
Before using any of the request data, make the following replacements:
API_VERSION
: The API version to use. For projects and organizations, usev1
. For folders, usev2
.RESOURCE_TYPE
: The resource type whose policy you want to manage. Use the valueprojects
,folders
, ororganizations
.RESOURCE_ID
: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project
. Folder and organization IDs are numeric, like123456789012
.-
POLICY
: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy
Request JSON body:
{ "policy": POLICY }
To send your request, expand one of these options:
The response contains the updated allow policy.
What's next
- Learn how to manage access to service accounts.
- Learn the general steps for managing access to other resources.
- Find out how to choose the most appropriate predefined roles.
- Use the Policy Troubleshooter to understand why a user does or doesn't have access to a resource or have permission to call an API.
- Discover how to view the roles that you can grant on a particular resource.
- Learn how to make a principal's access conditional with conditional role bindings.
- Explore ways to secure your applications with Identity-Aware Proxy.
Try it for yourself
If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Get started for free