Quickstart

This page shows you how to grant Cloud IAM roles to project members using the Google Cloud Platform Console.

Before you begin

    Sign in to your Google account.

    If you don't already have one, sign up for a new account.

  1. In the Cloud Platform Console, go to the Manage resources page.

  2. Select a project, or click Create Project to create a new Cloud Platform project.
  3. In the dialog, name your project. Make a note of your generated project ID.
  4. Click Create to create a new project.

Add a project member and grant them an IAM role

  1. Open the IAM page in the Google Cloud Platform Console.

  2. Click Select a project.
  3. Select a project and click Open.
  4. Click Add.
  5. Enter the email address of a new member to whom you have not granted any IAM role previously.

  6. Select one of the following roles from the drop-down menu, depending on the Google Cloud Platform service you use:
    • If you are a Google Cloud Logging user, select Logging and then Logs Viewer.
    • If you are a Google Compute Engine user, select Compute Engine and then Compute Instance Admin.
    • If you are an App Engine user, select App Engine and then App Engine Admin.
    • If you are a Google Cloud Storage user, select Storage and then Storage Admin.
  7. Click Add.
  8. Verify that the member and the corresponding role are listed on the IAM page.

That's it - you've just granted a Cloud IAM role to your project member!

Observe the effects of IAM roles

  1. Send one of the following URLs to the member to whom you granted the role above:
    • If you granted the Logs Viewer role, send https://console.developers.google.com/logs?project=[your project ID].
    • If you granted the Compute Instance Admin role, send https://console.developers.google.com/compute/instances?project=[your project ID].
    • If you granted the App Engine Admin role, send https://console.developers.google.com/appengine?project=[your project ID].
    • If you granted the Storage Admin role, send https://console.developers.google.com/storage/browser?project=[your project ID].
  2. Verify that the member is able to access and view the URL.

The member cannot access Cloud Console pages for which they have not been granted access. For example, if you granted a member only the Logs Viewer role, they will see the following error message if they try to access the App Engine page:

You don't have permissions to perform the action on the selected resource.

Grant other role(s) to the same member

  1. Open the IAM page in the Google Cloud Platform Console.

  2. Click Select a project.
  3. Select a project and click Open.
  4. Locate the member to whom you want to grant another role.
  5. In the Role(s) drop-down in the member's row, select Project and then Viewer. Click Save.

    The following screenshot shows the example where App Engine Admin and Viewer roles are granted to the member. The screen might look different if you granted any other role.


You've just granted a second role to the same member. In the example above the same member is an admin of the App Engine application and a viewer of the project.

Revoke the roles granted to the member

  1. Open the IAM page in the Google Cloud Platform Console.

  2. Click Select a project.
  3. Select a project and click Open.
  4. Locate the member to whom you granted the roles previously.
  5. In the Role(s) drop-down in the member's row, uncheck both of the roles you granted to the member previously.
  6. Click Save.

You have now removed the member from both of the roles.
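
The grant, second grant and revoke steps above all edit one document: the project's IAM policy, a list of bindings that each map a role to its members. The following is an added example, not code from this page or from Google, that replays those three steps on a constructed policy. The member addresses, the etag value and the role identifiers roles/appengine.appAdmin and roles/viewer (used here for App Engine Admin and Project Viewer) are assumptions that do not appear on this page.

```python
import copy

# Constructed sample policy; the member addresses and etag are made up.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwEXAMPLE=",  # returned unchanged so a concurrent edit can be detected
    "bindings": [{"role": "roles/owner", "members": ["user:owner@example.com"]}],
}

def grant(policy, member, role):
    """Return a copy of policy with member added to the binding for role."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def revoke(policy, member, roles):
    """Return a copy with member removed from each role in roles."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] in roles:
            binding["members"] = [m for m in binding["members"] if m != member]
    # A binding with no members grants nothing, so drop it.
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new

def roles_of(policy, member):
    """List the roles a member holds in this policy."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])

def walkthrough(member="user:new-member@example.com"):
    """Grant one role, add a second, then revoke both; return roles after each step."""
    first = grant(SAMPLE_POLICY, member, "roles/appengine.appAdmin")
    second = grant(first, member, "roles/viewer")
    final = revoke(second, member, {"roles/appengine.appAdmin", "roles/viewer"})
    return roles_of(first, member), roles_of(second, member), roles_of(final, member)

if __name__ == "__main__":
    for step, roles in zip(("grant", "second grant", "revoke"), walkthrough()):
        print(step, roles)
```

Running roles_of against the policy after the revoke step is the programmatic counterpart of checking the member's row on the IAM page: an empty list means no binding still names the member.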
