Quickstart

This page shows you how to grant Cloud IAM roles to project members using the Google Cloud Platform Console.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up for a new account.

  2. Select or create a GCP project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Google Cloud Platform project. Learn how to enable billing.

  4. Enable the Cloud IAM API.

    Enable the API

Add a project member and grant them an IAM role

  1. Open the IAM page in the GCP Console.

    Open the IAM page

  2. Click Select a project.
  3. Select a project and click Open.
  4. Click Add.
  5. Enter the email address of a new member to whom you have not granted any Cloud IAM role previously.

  6. Select one of the following roles from the drop-down menu, depending on the GCP service you use:
    • If you are a Stackdriver Logging user, select Logging and then Logs Viewer.
    • If you are a Compute Engine user, select Compute Engine and then Compute Instance Admin.
    • If you are an App Engine user, select App Engine and then App Engine Admin.
    • If you are a Cloud Storage user, select Storage and then Storage Admin.
  7. Click Save.
  8. Verify that the member and the corresponding role are listed on the Cloud IAM page.

That's it - you've just granted a Cloud IAM role to your project member!

Observe the effects of IAM roles

  1. Send one of the following URLs to the member to whom you granted the role above:
    • If you granted the Logs Viewer role, send https://console.developers.google.com/logs?project=[your project ID].
    • If you granted the Compute Instance Admin role, send https://console.developers.google.com/compute/instances?project=[your project ID].
    • If you granted the App Engine Admin role, send https://console.developers.google.com/appengine?project=[your project ID].
    • If you granted the Storage Admin role, send https://console.developers.google.com/storage/browser?project=[your project ID].
  2. Verify that the member is able to access and view the URL.

The member cannot access GCP Console pages for which they have not been granted the appropriate role. Instead, they see the error message:

You don't have permissions to perform the action on the selected resource.

Grant other role(s) to the same member

  1. Open the IAM page in the GCP Console.

    Open the IAM page

  2. Click Select a project.
  3. Select a project and click Open.
  4. Locate the member to whom you want to grant another role, and click the edit icon on the right.
  5. In the Edit permissions pane, click Add another role.
  6. From the Select a role drop-down menu, select Project and then Viewer. Click Save.

You've just granted a second role to the same member. In the example above, if you chose the App Engine Admin role, the member is now both an admin of the App Engine application and a viewer of the project.

Revoke the roles granted to the member

  1. Open the IAM page in the GCP Console.

    Open the IAM page

  2. Click Select a project.
  3. Select a project and click Open.
  4. Locate the member from whom you want to revoke a role, and click the edit icon on the right.
  5. In the Edit permissions pane, click the delete icon next to both roles that were previously granted to the member.
  6. Click Save.

You have now removed the member from both of the roles.
