Viewing the grantable roles on resources

Before you grant an Identity and Access Management (IAM) role to a user for a resource, you might want to know what roles are available to grant on a particular resource.

Understanding what roles are grantable

A role is grantable on or above a resource if it contains any permissions for that resource type. For example, the storage.admin role grants permissions to the storage.buckets.get and storage.objects.get APIs, so it is grantable on the Storage Buckets and Storage Objects resource types.

Roles can also be granted "above" the resource types that their permissions are defined for. In other words, roles for lower-level resources can be granted on a resource that is higher in the Google Cloud resource hierarchy. For example, the storage.admin role can also be granted at the project or organization levels, in addition to Storage Buckets.

Permissions granted by a role only affect resources at the specified level or below; they do not affect higher-level or peer resources. Additionally, when a role is granted on a resource, only permissions applicable to the given resource are granted, regardless of the role's name, description, or other permissions it contains. For example, assigning the role resourcemanager.organizationAdmin (which grants the permission resourcemanager.projects.list) to a user on the project level only grants them permissions for that specific project. It will not allow them to list or administer all projects in the organization. Similarly, assigning the compute.admin role on a specific Compute Engine instance only grants permissions for that instance, not others in the project.

Listing grantable roles

Before you list grantable roles, ensure that the service has been enabled in the project. If a service hasn't been enabled, its roles will not be returned.

Console

In the Cloud Console, go to the IAM page.

Go to the IAM page
Click the "Select a project" drop-down menu at the top of the page.
Select the project or organization for which you want to view roles.
Click Add.
Enter the member email or domain in Members.

The Select a role drop-down menu displays all the roles (including any custom roles) that you can grant to the member on this resource.

gcloud

Use the gcloud iam list-grantable-roles command to return a list of all roles that can be applied to a given resource.

gcloud iam list-grantable-roles full-resource-name

Depending on the desired resource, a large number of roles may be returned. To limit the results, you can specify a filter expression.

The output will look something like:

description: Full control of all Compute Engine resources.
name: roles/compute.admin
title: Compute Admin
---
description: Full control of Compute Engine instance resources.
name: roles/compute.instanceAdmin
title: Compute Instance Admin

# Additional results here...

REST

The roles.queryGrantableRoles method returns a list of all roles grantable on a resource.

Before using any of the request data, make the following replacements:

full-resource-name: A URI consisting of the service name and the path to the resource. For examples, see Full resource names.

HTTP method and URL:

POST https://iam.googleapis.com/v1/roles:queryGrantableRoles

Request JSON body:

{
  "fullResourceName": "full-resource-name"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth application-default print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://iam.googleapis.com/v1/roles:queryGrantableRoles"

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth application-default print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://iam.googleapis.com/v1/roles:queryGrantableRoles" | Select-Object -Expand Content

API Explorer (browser)

Copy the request body and open the method reference page. The API Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.

You should receive a JSON response similar to the following:

{
  "roles": [
    {
      "name": "roles/compute.admin",
      "title": "Compute Admin",
      "description": "Full control of all Compute Engine resources."
    },
    {
      "name": "roles/compute.instanceAdmin",
      "title": "Compute Instance Admin (beta)",
      "description": "Full control of Compute Engine instance resources."
    }
  ]
}

C++

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C++ API reference documentation.

View on GitHub Feedback

namespace iam = ::google::cloud::iam;
[](std::string const& resource) {
  iam::IAMClient client(iam::MakeIAMConnection());
  int count = 0;
  for (auto const& role : client.QueryGrantableRoles(resource)) {
    if (!role) throw std::runtime_error(role.status().message());
    std::cout << "Role successfully retrieved: " << role->name() << "\n";
    ++count;
  }
  if (count == 0) {
    std::cout << "No grantable roles found in resource: " << resource << "\n";
  }
}

C#

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM C# API reference documentation.

View on GitHub Feedback


using System;
using System.Collections.Generic;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Iam.v1;
using Google.Apis.Iam.v1.Data;

public partial class CustomRoles
{
    public static IList<Role> ViewGrantableRoles(string fullResourceName)
    {
        var credential = GoogleCredential.GetApplicationDefault()
            .CreateScoped(IamService.Scope.CloudPlatform);
        var service = new IamService(new IamService.Initializer
        {
            HttpClientInitializer = credential
        });

        var request = new QueryGrantableRolesRequest
        {
            FullResourceName = fullResourceName
        };
        var response = service.Roles.QueryGrantableRoles(request).Execute();
        foreach (var role in response.Roles)
        {
            Console.WriteLine("Title: " + role.Title);
            Console.WriteLine("Name: " + role.Name);
            Console.WriteLine("Description: " + role.Description);
            Console.WriteLine();
        }
        return response.Roles;
    }
}

Go

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Go API reference documentation.

View on GitHub Feedback

import (
	"context"
	"fmt"
	"io"

	iam "google.golang.org/api/iam/v1"
)

// viewGrantableRoles lists roles grantable on a resource.
func viewGrantableRoles(w io.Writer, fullResourceName string) ([]*iam.Role, error) {
	ctx := context.Background()
	service, err := iam.NewService(ctx)
	if err != nil {
		return nil, fmt.Errorf("iam.NewService: %v", err)
	}

	request := &iam.QueryGrantableRolesRequest{
		FullResourceName: fullResourceName,
	}
	response, err := service.Roles.QueryGrantableRoles(request).Do()
	if err != nil {
		return nil, fmt.Errorf("Roles.QueryGrantableRoles: %v", err)
	}
	for _, role := range response.Roles {
		fmt.Fprintf(w, "Found grantable role: %v\n", role.Name)
	}
	return response.Roles, err
}

Java

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Java API reference documentation.

View on GitHub Feedback

QueryGrantableRolesRequest request = new QueryGrantableRolesRequest();
request.setFullResourceName(fullResourceName);

QueryGrantableRolesResponse response = service.roles().queryGrantableRoles(request).execute();

for (Role role : response.getRoles()) {
  System.out.println("Title: " + role.getTitle());
  System.out.println("Name: " + role.getName());
  System.out.println("Description: " + role.getDescription());
  System.out.println();
}

Python

To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM Python API reference documentation.

View on GitHub Feedback

def view_grantable_roles(full_resource_name):
    roles = service.roles().queryGrantableRoles(body={
        'fullResourceName': full_resource_name
    }).execute()

    for role in roles['roles']:
        if 'title' in role:
            print('Title: ' + role['title'])
        print('Name: ' + role['name'])
        if 'description' in role:
            print('Description: ' + role['description'])
        print(' ')

In the examples above, the full resource name is a scheme-less URI consisting of a DNS-compatible API service name and a resource path.

For example, to return all roles grantable on a project, use:

//cloudresourcemanager.googleapis.com/projects/project-id

Lower-level resources have a more detailed fully qualified name. For example, use the following to return all roles grantable on a Compute Engine instance:

//compute.googleapis.com/projects/project-id/zones/zone-name/instances/instance-id

What's next

Read about the available IAM roles.
Learn how to grant, change, and revoke a member's access.
See examples of resource names for different types of resources.