Testing permissions

Most Google Cloud Platform resources expose the testIamPermissions() method, which allows you to check whether the currently authenticated caller has been granted one or more specific Cloud IAM permissions on the resource. The testIamPermissions() method takes a resource identifier and a set of permissions as input parameters, and returns the subset of those permissions that the caller holds.

For example, to determine if the currently authenticated user has the permission to delete a project, call the projects.testIamPermissions() method by providing the project ID (such as foo-project) and the resourcemanager.projects.delete permission as input parameters. If the caller has been granted the resourcemanager.projects.delete permission, it will be listed in the response body. If the caller does not have this permission, the response body will list no permissions.

The testIamPermissions() method is intended for third-party graphical user interfaces (GUIs) that need to display GCP resources based on what the authenticated user has permissions to see. For example, the GCP Console internally uses the testIamPermissions() method to determine what resources and functionality are visible to you after authenticating. Different users are typically granted different permissions, and the GCP Console hides or exposes items accordingly.

How to test permissions

To test permissions for a Resource Manager project, where the caller has permissions to get a project but not to list projects:

API

See the projects.testIamPermissions() method for more information.

Request:

POST https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_ID]:testIamPermissions

{
    "permissions": [
        "resourcemanager.projects.get",
        "resourcemanager.projects.delete"
    ]
}

(Substitute your GCP project ID for [PROJECT_ID].)

Response:

{
    "permissions": [
        "resourcemanager.projects.get"
    ]
}

Java

import com.google.api.services.cloudresourcemanager.CloudResourceManager;
import com.google.api.services.cloudresourcemanager.model.TestIamPermissionsRequest;
import com.google.api.services.cloudresourcemanager.model.TestIamPermissionsResponse;
import java.util.Arrays;
import java.util.List;

...

// `client` is an authenticated CloudResourceManager instance and
// `projectId` is the ID of the project to check (for example "foo-project").
TestIamPermissionsRequest testIamPermissionsRequest =
    new TestIamPermissionsRequest().setPermissions(
        Arrays.asList("resourcemanager.projects.get", "resourcemanager.projects.delete"));

TestIamPermissionsResponse testIamPermissionsResponse =
    client.projects().testIamPermissions(
        projectId, testIamPermissionsRequest).execute();
// Only the permissions the caller actually holds are returned; any requested
// permission missing from this list was not granted.
List<String> testResults = testIamPermissionsResponse.getPermissions();
...
