Quickstart

This page shows you how to grant Cloud IAM roles to project members using the Google Cloud Platform Console.

Before you begin

Create a GCP project

For this quickstart, you need a new GCP project.

  1. In the GCP Console, go to the project selector page.

  2. Click Create to begin creating a GCP project.

  3. Name your project. Make a note of your generated project ID.

  4. Edit the other fields as needed.

  5. Click Create to create a project.

Grant an IAM role

Add a project member, then grant them the Logs Viewer role (roles/logging.viewer).

  1. Open the IAM page in the GCP Console.

  2. Make sure the name of your new project appears in the project selector at the top of the page:

    The project selector tells you what project you are currently working in.

    If you don't see the name of your new project, click the project selector, then select your new project.

  3. In the main content area, click Add.
  4. Enter the email address of a new member.
  5. From the Select a role drop-down menu, select Logging, then Logs Viewer.

    Select logging from the categories list, then select the Logs Viewer role from the role sub-menu.
  6. Click Save.
  7. Verify that the member and the corresponding role are listed in the Cloud IAM page.

That's it—you've just granted a Cloud IAM role to your project member!

Observe the effects of IAM roles

Verify that the member you added can access the expected GCP Console pages by doing the following:

  1. Send the following URL to the member to whom you granted the role in the preceding step: https://console.cloud.google.com/logs?project=[your project ID].
  2. Verify that the member is able to access and view the URL.

The member cannot access GCP Console pages for which they have not been granted the appropriate role. Instead, they see an error message like the following:

You don't have permissions to view logs.

Grant other roles to the same member

Grant the existing member the primitive Viewer role (roles/viewer) in addition to their Logs Viewer role. The Viewer role grants read-only access to all existing resources and data in your project.

  1. Open the IAM page in the GCP Console.

  2. Locate the member to whom you want to grant another role, and click Edit.
  3. In the Edit permissions pane, click Add another role.
  4. From the Select a role drop-down menu, select Project and then Viewer. Click Save.
    Select project from the categories list, then select the Viewer role from the role sub-menu.

The member now has a second Cloud IAM role.

Revoke the roles granted to the member

Revoke the roles you granted to the member in the preceding steps by doing the following:

  1. Locate the member whose role you want to revoke, then click Edit.
  2. In the Edit permissions pane, click the delete icon next to both roles that were previously granted to the member.
  3. Click Save.

You have now removed the member from both of the roles. If they try to view any of the pages they previously had access to, they will see an error message.

Clean up

To avoid incurring charges to your GCP account for the resources used in this quickstart, follow these steps.

  1. In the GCP Console, go to the Manage resources page.

  2. In the project list, select the project you want to delete and click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.
