Quickstart using the Cloud Console

This page shows you how to grant IAM roles to project members using the Google Cloud Console.

See the following video for a quick walkthrough:

A video showing how to grant IAM roles to project members using the Cloud Console.

Before you begin

Create a Google Cloud project

For this quickstart, you need a new Google Cloud project.

  1. In the Google Cloud Console, go to the project selector page.

    Go to the project selector page

  2. Click Create to begin creating a Google Cloud project.

  3. Name your project. Make a note of your generated project ID.

  4. Edit the other fields as needed.

  5. Click Create to create a project.

Grant an IAM role

Add a project member, then grant them the Logs Viewer role (roles/logging.viewer) role.

  1. In the Cloud Console, go to the IAM page.

    Go to the IAM page

  2. Make sure the name of your new project appears in the project selector at the top of the page. The project selector tells you what project you are currently working in.

    If you don't see the name of your new project, click the project selector, then select your new project.

  3. In the main content area, click Add.
  4. Enter the email address of a new member.

  5. From the Select a role drop-down menu, select Logging, then Logs Viewer.

  6. Click Save.
  7. Verify that the member and the corresponding role are listed in the IAM page.

That's it—you've just granted an IAM role to your project member!

Observe the effects of IAM roles

Verify that the member you added can access the expected Cloud Console pages by doing the following:

  1. Send the following URL to the member to whom you granted the role in the preceding step: https://console.cloud.google.com/logs?project=project-id.
  2. Verify that the member is able to access and view the URL.

The member cannot access the Cloud Console page for which they have not been granted the appropriate role. Instead, they see an error message like the following:

You don't have permissions to view logs.

Grant other roles to the same member

Grant the existing member the Viewer basic role (roles/viewer) in addition to their Logs Viewer role. The Viewer role provides read-only access to all existing resources and data in your project.

  1. In the Cloud Console, go to the IAM page.

    Go to the IAM page

  2. Locate the member to whom you want to grant another role, and click Edit .
  3. In the Edit permissions pane, click Add another role.
  4. From the Select a role drop-down menu, select Project and then Viewer. Click Save.

The member now has a second IAM role.

Revoke the roles granted to the member

Revoke the roles you granted to the member in the preceding steps by doing the following:

  1. Locate the member whose role you want to revoke, then click Edit .
  2. In the Edit permissions pane, click the delete icon next to both roles that were previously granted to the member.
  3. Click Save.

You have now removed the member from both of the roles. If they try to view any of the pages they previously had access to, they will see an error message.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.

  1. In the Cloud Console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next