This page shows you how to grant IAM roles to project members using the Google Cloud Console.
Before you begin
Create a Google Cloud project
For this quickstart, you need a new Google Cloud project.
- In the Google Cloud Console, go to the project selector page.
- Click Create to begin creating a Google Cloud project.
- Name your project. Make a note of your generated project ID.
- Edit the other fields as needed.
- Click Create to create a project.
Grant an IAM role
Add a project member, then grant them the Logs Viewer role (roles/logging.viewer).
- In the Cloud Console, go to the IAM page.
- Make sure the name of your new project appears in the project selector at the top of the page. The project selector tells you what project you are currently working in.
If you don't see the name of your new project, click the project selector, then select your new project.
- In the main content area, click Add.
- Enter the email address of a new member.
- From the Select a role drop-down menu, select Logging, then Logs Viewer.
- Click Save.
- Verify that the member and the corresponding role are listed in the IAM page.
That's it—you've just granted an IAM role to your project member!
Observe the effects of IAM roles
Verify that the member you added can access the expected Cloud Console pages by doing the following:
- Send the following URL to the member to whom you granted the role in the preceding step:
https://console.cloud.google.com/logs?project=project-id
- Verify that the member is able to access and view the URL.
The member cannot access Cloud Console pages for which they have not been granted the appropriate role. Instead, they see an error message like the following:
You don't have permissions to view logs.
Grant other roles to the same member
Grant the existing member the Viewer basic role (roles/viewer) in addition to their Logs Viewer role. The Viewer role provides read-only access to all existing resources and data in your project.
- In the Cloud Console, go to the IAM page.
- Locate the member to whom you want to grant another role, and click Edit.
- In the Edit permissions pane, click Add another role.
- From the Select a role drop-down menu, select Project and then Viewer. Click Save.
The member now has a second IAM role.
Revoke the roles granted to the member
Revoke the roles you granted to the member in the preceding steps by doing the following:
- Locate the member whose role you want to revoke, then click Edit.
- In the Edit permissions pane, click the delete icon next to both roles that were previously granted to the member.
- Click Save.
You have now removed the member from both of the roles. If they try to view any of the pages they previously had access to, they will see an error message.
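The grant, second-role and revoke steps above each change the role bindings in the project's IAM policy. The following added example (not part of the original quickstart and not Google's code) replays those steps on a policy in the JSON shape that gcloud projects get-iam-policy --format=json returns, and flags broad basic roles such as roles/viewer. The sample policy and member addresses are constructed, and only direct bindings are checked, not group membership or policies inherited from a folder or organization.

```python
import copy

# Basic roles apply across the whole project; the page grants roles/viewer as one.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def grant(policy, member, role):
    """Return a copy of policy with member added to the binding for role."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        # Reuse an existing unconditional binding for the role if there is one.
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def revoke(policy, member, roles):
    """Return a copy with member removed from roles; empty bindings are dropped."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if b["role"] in roles:
            b["members"] = [m for m in b["members"] if m != member]
        if b["members"]:
            kept.append(b)
    new["bindings"] = kept
    return new

def roles_of(policy, member):
    """Roles bound directly to member in this policy, sorted."""
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b["members"]})

def basic_roles_of(policy, member):
    """The member's roles that are broad basic roles and deserve review."""
    return [r for r in roles_of(policy, member) if r in BASIC_ROLES]

# Constructed sample policy and member, not taken from any real project.
POLICY = {"version": 1, "etag": "BwXconstructed=", "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]}]}
MEMBER = "user:new-member@example.com"

if __name__ == "__main__":
    p = grant(grant(POLICY, MEMBER, "roles/logging.viewer"), MEMBER, "roles/viewer")
    print(roles_of(p, MEMBER), "basic:", basic_roles_of(p, MEMBER))
    p = revoke(p, MEMBER, {"roles/logging.viewer", "roles/viewer"})
    print("after revoke:", roles_of(p, MEMBER))
```

Running roles_of on a saved policy export after the revoke step confirms that no direct binding for the member remains.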
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.
- In the Cloud Console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
What's next
- Read IAM Overview to learn the basics of IAM.
- Read Understanding Roles for a list of all available IAM roles.
- Read Managing Policies to learn how to manage access control.