Write an allow policy by using client libraries
Learn how to get started with the IAM methods from the Resource Manager API in your favorite programming language.
Before you begin
Create a Google Cloud project
For this quickstart, you need a new Google Cloud project.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, click Create project to begin creating a new Google Cloud project.
- Enable the Resource Manager API.
- Create a service account:
  - In the Cloud console, go to the Create service account page.
  - Select your project.
  - In the Service account name field, enter a name. The Cloud console fills in the Service account ID field based on this name. In the Service account description field, enter a description. For example, Service account for quickstart.
  - Click Create and continue.
  - To provide access to your project, grant the following role(s) to your service account: Project IAM Admin. In the Select a role list, select a role. For additional roles, click Add another role and add each additional role.
  - Click Continue.
  - Click Done to finish creating the service account. Do not close your browser window. You will use it in the next step.
- Create a service account key:
  - In the Cloud console, click the email address for the service account that you created.
  - Click Keys.
  - Click Add key, and then click Create new key.
  - Click Create. A JSON key file is downloaded to your computer.
  - Click Close.
- Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON file that contains your service account key. This variable only applies to your current shell session, so if you open a new session, set the variable again.
Install the client library
C#
For more on setting up your C# development environment, refer to the C# Development Environment Setup Guide.
install-package Google.Apis.Iam.v1
install-package Google.Apis.CloudResourceManager.v1
Go
go get golang.org/x/oauth2/google
go get google.golang.org/api/cloudresourcemanager/v1
Java
For more on setting up your Java development environment, refer to the Java Development Environment Setup Guide.
If you are using Maven, add this to your pom.xml file.
Python
For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.
pip install --upgrade google-api-python-client google-auth google-auth-httplib2
Read, modify, and write an allow policy
The code snippet in this quickstart does the following:
- Initializes the Resource Manager service, which manages Google Cloud projects.
- Reads the allow policy for your project.
- Modifies the allow policy by granting the Log Writer role (roles/logging.logWriter) to your Google Account.
- Writes the updated allow policy.
- Prints all the principals that have the Log Writer role (roles/logging.logWriter) at the project level.
- Revokes the Log Writer role.
Replace the following values before running the code snippet:
- your-project: The ID of your project.
- your-member: The email address for your Google Account, with the prefix user:. For example, user:tanya@example.com.
C#
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager C# API reference documentation.
Go
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager Go API reference documentation.
Java
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager Java API reference documentation.
Python
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager Python API reference documentation.
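The read, modify, write cycle listed above, as an added Python example; it is not Google's sample code for this quickstart. The helper names (grant, revoke, members_of, run_against_project) and the SAMPLE policy are constructed for illustration. The helpers pass the policy's etag through unchanged so that setIamPolicy can reject a write based on a stale read, and they only touch the unconditional binding for a role.

```python
import copy

ROLE = "roles/logging.logWriter"  # role granted and revoked in this quickstart

def _binding(policy, role):
    """Return the unconditional binding for `role`, or None."""
    for b in policy.get("bindings", []):
        if b.get("role") == role and "condition" not in b:
            return b
    return None

def grant(policy, role, member):
    """Copy of `policy` with `member` in `role`; version and etag untouched."""
    new = copy.deepcopy(policy)
    b = _binding(new, role)
    if b is None:
        b = {"role": role, "members": []}
        new.setdefault("bindings", []).append(b)
    if member not in b["members"]:
        b["members"].append(member)
    return new

def members_of(policy, role):
    """Principals in the unconditional binding for `role`."""
    b = _binding(policy, role)
    return list(b["members"]) if b else []

def revoke(policy, role, member):
    """Copy of `policy` without `member` in `role`; empty bindings dropped."""
    new = copy.deepcopy(policy)
    b = _binding(new, role)
    if b and member in b["members"]:
        b["members"].remove(member)
        if not b["members"]:
            new["bindings"].remove(b)
    return new

def run_against_project(project_id, member):
    """Live read-modify-write; credentials come from GOOGLE_APPLICATION_CREDENTIALS."""
    import google.auth
    from googleapiclient import discovery
    creds, _ = google.auth.default(scopes=["https://www.googleapis.com/auth/cloud-platform"])
    projects = discovery.build("cloudresourcemanager", "v1", credentials=creds).projects()
    policy = projects.getIamPolicy(resource=project_id, body={"options": {"requestedPolicyVersion": 3}}).execute()
    # setIamPolicy returns the stored policy with a fresh etag; reuse it for the revoke.
    policy = projects.setIamPolicy(resource=project_id, body={"policy": grant(policy, ROLE, member)}).execute()
    print(members_of(policy, ROLE))
    projects.setIamPolicy(resource=project_id, body={"policy": revoke(policy, ROLE, member)}).execute()

# Constructed sample, shaped like a getIamPolicy response.
SAMPLE = {"version": 1, "etag": "BwXconstructed=", "bindings": [{"role": "roles/owner", "members": ["user:owner@example.com"]}]}
```

To run it against a real project, call run_against_project with your-project and your-member replaced as described above.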
Congratulations! You used the IAM methods in the Resource Manager API to modify access for a project.
Clean up
- Use the Cloud console to delete your project if you do not need it.
What's next
- Read about how IAM works.
- Learn more about granting, changing, and revoking access.
- Troubleshoot access issues with the Policy Troubleshooter.