Quickstart using the Cloud Console

This page shows you how to use the Google Cloud Console to grant IAM roles to principals at the project level.


Before you begin

Enable the APIs

Enable the IAM and Resource Manager APIs.

Create a Google Cloud project

For this quickstart, you need a new Google Cloud project.

  1. In the Google Cloud Console, go to the project selector page.

  2. To begin creating a Google Cloud project, click Create project.

  3. Name your project. Make a note of your generated project ID.

  4. Edit the other fields as needed.

  5. To create the project, click Create.

Grant an IAM role

Grant a principal the Logs Viewer role (roles/logging.viewer) on the project.

  1. In the Cloud Console, go to the IAM page.

  2. Make sure the name of your new project appears in the project selector at the top of the page. The project selector tells you what project you are currently working in.

    If you don't see the name of your new project, click the project selector, then select your new project.

  3. In the main content area, click Add.
  4. Enter the email address of a principal.
  5. From the Select a role drop-down menu, select Logging, then Logs Viewer.

  6. Click Save.
  7. Verify that the principal and the corresponding role are listed in the IAM page.

That's it—you've just granted an IAM role to a principal!

Observe the effects of IAM roles

Verify that the principal you granted a role to can access the expected Cloud Console pages by doing the following:

  1. Send the following URL to the principal to whom you granted the role in the preceding step, replacing project-id with your project ID: https://console.cloud.google.com/logs?project=project-id.
  2. Verify that the principal is able to access and view the URL.

A principal cannot access a Cloud Console page unless they have been granted the appropriate role. Instead, they see an error message like the following:

You don't have permissions to view logs.

Grant other roles to the same principal

Grant the principal the Viewer basic role (roles/viewer) in addition to their Logs Viewer role. The Viewer role provides read-only access to all existing resources and data in your project.

  1. In the Cloud Console, go to the IAM page.

  2. Locate the principal to whom you want to grant another role, and click Edit.
  3. In the Edit permissions pane, click Add another role.
  4. From the Select a role drop-down menu, select Project and then Viewer. Click Save.

The principal now has a second IAM role.

Revoke the roles granted to the principal

Revoke the roles you granted to the principal in the preceding steps by doing the following:

  1. Locate the principal whose role you want to revoke, then click Edit.
  2. In the Edit permissions pane, click the delete icon next to both roles that were previously granted to the principal.
  3. Click Save.

You have now removed the principal from both of the roles. If they try to view any of the pages they previously had access to, they will see an error message.
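
The grant, widen, and revoke sequence above changes the project's IAM policy, which is a list of role-to-members bindings. The following added example (not part of the original page) replays that sequence on a policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and checks which roles the principal holds after each step, including whether any is a basic role. The principal, the starting policy, and all function names are constructed for illustration.

```python
import copy
# Basic roles apply across every service in the project, so flag them on review.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def grant(policy, member, role):
    """Return a copy of policy with member in the unconditional binding for role."""
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        # A conditional binding is a separate grant; never merge into it.
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": role, "members": [member]})
    return new

def revoke(policy, member, roles):
    """Return a copy with member removed from the given roles, dropping emptied bindings."""
    new = copy.deepcopy(policy)
    for b in new.get("bindings", []):
        if b["role"] in roles:
            b["members"] = [m for m in b["members"] if m != member]
    new["bindings"] = [b for b in new.get("bindings", []) if b["members"]]
    return new

def roles_of(policy, member):
    """Roles bound directly to member on this project (no group or folder inheritance)."""
    return sorted({b["role"] for b in policy.get("bindings", []) if member in b["members"]})

def basic_roles_of(policy, member):
    return [r for r in roles_of(policy, member) if r in BASIC_ROLES]

# Constructed sample data: principal and starting policy are placeholders.
MEMBER = "user:alice@example.com"
START = {"version": 1, "etag": "PLACEHOLDER", "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]}]}

def walkthrough():
    granted = grant(START, MEMBER, "roles/logging.viewer")  # Grant an IAM role
    widened = grant(granted, MEMBER, "roles/viewer")        # Grant other roles
    revoked = revoke(widened, MEMBER, {"roles/logging.viewer", "roles/viewer"})
    return granted, widened, revoked

if __name__ == "__main__":
    for name, p in zip(("granted", "widened", "revoked"), walkthrough()):
        print(name, roles_of(p, MEMBER), "basic:", basic_roles_of(p, MEMBER))
```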

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Cloud Console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.
