Quickstart

This page shows you how to grant Cloud IAM roles to project members using the Google Cloud Platform Console.

Before you begin

    Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  1. In the GCP Console, go to the Manage resources page.


  2. Select a project, or click Create Project to create a new GCP project.

  3. In the dialog, name your project. Make a note of your generated project ID.

  4. Click Create to create a new project.

Add a project member and grant them an IAM role

  1. Open the IAM page in the GCP Console.


  2. Click Select a project.
  3. Select a project and click Open.
  4. Click Add.
  5. Enter the email address of a new member to whom you have not granted any Cloud IAM role previously.

  6. Select one of the following roles from the drop-down menu, depending on the GCP service you use:
    • If you are a Stackdriver Logging user, select Logging and then Logs Viewer.
    • If you are a Compute Engine user, select Compute Engine and then Compute Instance Admin.
    • If you are an App Engine user, select App Engine and then App Engine Admin.
    • If you are a Cloud Storage user, select Storage and then Storage Admin.
  7. Click Save.
  8. Verify that the member and the corresponding role are listed in the Cloud IAM page.

That's it - you've just granted a Cloud IAM role to your project member!

Observe the effects of IAM roles

  1. Send one of the following URLs to the member to whom you granted the role above:
    • If you granted the Logs Viewer role, send https://console.developers.google.com/logs?project=[your project ID].
    • If you granted the Compute Instance Admin role, send https://console.developers.google.com/compute/instances?project=[your project ID].
    • If you granted the App Engine Admin role, send https://console.developers.google.com/appengine?project=[your project ID].
    • If you granted the Storage Admin role, send https://console.developers.google.com/storage/browser?project=[your project ID].
  2. Verify that the member is able to access and view the URL.

The member cannot access a GCP Console page for which they have not been granted a role; they will see the following error message if they try to access the App Engine page:

You don't have permissions to perform the action on the selected resource.

Grant other role(s) to the same member

  1. Open the IAM page in the GCP Console.


  2. Click Select a project.
  3. Select a project and click Open.
  4. Locate the member to whom you want to grant another role, and click the edit icon on the right.
  5. In the Edit permissions pane, click Add another role.
  6. From the Select a role drop-down menu, select Project and then Viewer. Click Save.

You've just granted a second role to the same member. In the example above the same member is an admin of the App Engine application and a viewer of the project.

Revoke the roles granted to the member

  1. Open the IAM page in the GCP Console.


  2. Click Select a project.
  3. Select a project and click Open.
  4. Locate the member from whom you want to revoke a role, and click the edit icon on the right.
  5. In the Edit permissions pane, click the delete icon next to both roles that were previously granted to the member.
  6. Click Save.

You have now removed the member from both of the roles.
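The grant, second-grant and revoke procedures above, replayed as edits to a project's IAM policy document so you can check which roles a member holds after each step. This is an added example, not code from the original page. The member and owner addresses, the etag value and the sample policy are constructed, and the role IDs `roles/appengine.appAdmin` and `roles/viewer` are the IDs assumed here for the Console's App Engine Admin and Project Viewer entries.

```python
import copy

# Constructed sample in the JSON shape of a project IAM policy (version 1,
# no conditional bindings). A real write sends the etag back unchanged so
# that a concurrent edit by another admin is detected instead of overwritten.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "PLACEHOLDER_ETAG",  # constructed value
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
    ],
}

def grant(policy, member, role):
    """Return a copy of the policy with `member` bound to `role` (idempotent)."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def revoke(policy, member, role):
    """Return a copy with `member` removed from `role`; drop emptied bindings."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new

def roles_of(policy, member):
    """List every role the member holds; use this to verify a grant or revoke."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])

def walkthrough(member="user:alice@example.com"):
    """Replay the page's steps: grant one role, add a second, revoke both."""
    policy = grant(SAMPLE_POLICY, member, "roles/appengine.appAdmin")
    after_grant = roles_of(policy, member)
    policy = grant(policy, member, "roles/viewer")
    after_second = roles_of(policy, member)
    for role in after_second:
        policy = revoke(policy, member, role)
    return after_grant, after_second, roles_of(policy, member), policy

if __name__ == "__main__":
    for step in walkthrough()[:3]:
        print(step)
```

An empty result from `roles_of` after the revoke step is the check that matters: a member who still appears under any binding keeps that role's access.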
