Quickstart: Using Client Libraries

This page shows you how to get started with the Cloud Identity and Access Management API in your favorite programming language using the Google Cloud Client Libraries.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Google Cloud Platform project. Learn how to enable billing.

  4. Enable the Cloud Identity and Access Management API.

    Enable the API

  5. Set up authentication:
    1. In the GCP Console, go to the Create service account key page.

      Go to the Create Service Account Key page
    2. From the Service account list, select New service account.
    3. In the Service account name field, enter a name.
    4. From the Role list, select Project > Owner.

      Note: The Role field authorizes your service account to access resources. You can view and change this field later by using the GCP Console. If you are developing a production app, specify more granular permissions than Project > Owner. For more information, see granting roles to service accounts.
    5. Click Create. A JSON file that contains your key downloads to your computer.
  6. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the file path of the JSON file that contains your service account key. This variable only applies to your current shell session, so if you open a new session, set the variable again.

Install the client library


For more on setting up your C# development environment, refer to the C# Development Environment Setup Guide.
install-package Google.Apis.Iam.v1


go get -u golang.org/x/oauth2/google
go get -u google.golang.org/api/iam/v1


For more on setting up your Java development environment, refer to the Java Development Environment Setup Guide. If you are using Maven, add this to your pom.xml file.



For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.
pip install --upgrade google-api-python-client google-auth google-auth-httplib2

Call the Cloud IAM Roles API

Obtain a credential, then call the Cloud IAM Roles API to display a list of available roles using the code below:


For more information, see the Cloud IAM C# API reference documentation .

using System;
using System.Collections.Generic;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public class QuickStart
    public static void Main(string[] args)
        // Get credentials
        var credential = GoogleCredential.GetApplicationDefault()

        // Create the Cloud IAM service object
        IamService service = new IamService(new IamService.Initializer
            HttpClientInitializer = credential

        // Call the Cloud IAM Roles API
        ListRolesResponse response = service.Roles.List().Execute();
        IList<Role> roles = response.Roles;

        // Process the response
        foreach (Role role in roles)
            Console.WriteLine("Title: " + role.Title);
            Console.WriteLine("Name: " + role.Name);
            Console.WriteLine("Description: " + role.Description);


For more information, see the Cloud IAM Go API reference documentation .

// The quickstart command is an example of using the Cloud IAM Roles API.
package main

import (


func main() {
	// Get credentials.
	client, err := google.DefaultClient(context.Background(), iam.CloudPlatformScope)
	if err != nil {
		log.Fatalf("google.DefaultClient: %v", err)

	// Create the Cloud IAM service object.
	service, err := iam.New(client)
	if err != nil {
		log.Fatalf("iam.New: %v", err)

	// Call the Cloud IAM Roles API.
	resp, err := service.Roles.List().Do()
	if err != nil {
		log.Fatalf("Roles.List: %v", err)

	// Process the response.
	for _, role := range resp.Roles {
		log.Println("Tile: " + role.Title)
		log.Println("Name: " + role.Name)
		log.Println("Description: " + role.Description)


For more information, see the Cloud IAM Java API reference documentation .

package com.google.iam.snippets;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.iam.v1.Iam;
import com.google.api.services.iam.v1.IamScopes;
import com.google.api.services.iam.v1.model.ListRolesResponse;
import com.google.api.services.iam.v1.model.Role;
import java.util.Collections;
import java.util.List;

public class Quickstart {

  public static void main(String[] args) throws Exception {
    // Get credentials
    GoogleCredential credential =

    // Create the Cloud IAM service object
    Iam service =
        new Iam.Builder(

    // Call the Cloud IAM Roles API
    ListRolesResponse response = service.roles().list().execute();
    List<Role> roles = response.getRoles();

    // Process the response
    for (Role role : roles) {
      System.out.println("Title: " + role.getTitle());
      System.out.println("Name: " + role.getName());
      System.out.println("Description: " + role.getDescription());


For more information, see the Cloud IAM Python API reference documentation .

import os

from google.oauth2 import service_account
import googleapiclient.discovery

# Get credentials
credentials = service_account.Credentials.from_service_account_file(

# Create the Cloud IAM service object
service = googleapiclient.discovery.build(
    'iam', 'v1', credentials=credentials)

# Call the Cloud IAM Roles API
# If using pylint, disable weak-typing warnings
# pylint: disable=no-member
response = service.roles().list().execute()
roles = response['roles']

# Process the response
for role in roles:
    print('Title: ' + role['title'])
    print('Name: ' + role['name'])
    if 'description' in role:
        print('Description: ' + role['description'])

The output should be a list of information about roles, like this:

Title: App Engine Admin
Name: roles/appengine.appAdmin
Description: Full management of App Engine apps (but not storage).

Title: App Engine Viewer
Name: roles/appengine.appViewer
Description: Ability to view App Engine app status.

Congratulations! You've sent your first request to Cloud IAM.

How did it go?

What's next

You can find code snippets using the client libraries throughout the Cloud IAM documentation.

The APIs available in the client libraries mirror those available in the REST API. See the REST API Reference for more information.

Var denne siden nyttig? Si fra hva du synes:

Send tilbakemelding om ...