This page describes the Identity and Access Management (IAM) roles and permissions that you need to purchase and manage commercial solutions on Cloud Marketplace.
With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For commercial apps on Cloud Marketplace, users in your Google Cloud organization require IAM roles to sign up for Cloud Marketplace plans, and to make changes to billing plans.
- Learn about managing billing for Cloud Marketplace products.
- Learn about factors that affect your bill.
- Learn about the basic concepts of IAM.
- Learn about the hierarchy of Google Cloud resources.
Before you begin
- To grant Cloud Marketplace roles and permissions using gcloud, install the Cloud SDK. Otherwise, you can grant roles using the Cloud Console.
IAM roles for purchasing and managing solutions
We recommend that you assign the Billing Administrator (roles/billing.admin) IAM role to users who are purchasing services from Cloud Marketplace.
Users who want to access the services must have the Project Viewer (roles/viewer) role, at a minimum.
If you need more granular control over users' permissions, you can create custom roles with the permissions that you want to grant.
List of IAM roles and permissions
You can grant users one or more of the following IAM roles. Depending on the role you are granting to users, you must also assign the role to a Google Cloud billing account, organization, or project. For details, see the section on Granting IAM roles to users.
Role | Title | Description | Permissions | Lowest resource |
---|---|---|---|---|
roles/consumerprocurement.entitlementManager | Consumer Procurement Entitlement Manager (Beta) | Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project. | | Project |
roles/consumerprocurement.entitlementViewer | Consumer Procurement Entitlement Viewer (Beta) | Allows inspecting entitlements and service states for a consumer project. | | Project |
roles/consumerprocurement.orderAdmin | Consumer Procurement Order Administrator (Beta) | Allows managing purchases. | | Billing account |
roles/consumerprocurement.orderViewer | Consumer Procurement Order Viewer (Beta) | Allows inspecting purchases. | | Billing account |
Granting IAM roles to users
From the roles in the table above, the consumerprocurement.orderAdmin and consumerprocurement.orderViewer roles must be assigned at the billing account or organization level, and the consumerprocurement.entitlementManager and consumerprocurement.entitlementViewer roles must be assigned at the project or organization level.
To grant roles to users using gcloud, run one of the following commands:
Organization
You must have the resourcemanager.organizationAdmin role to assign roles at the organization level.
gcloud organizations add-iam-policy-binding org-name \
--member=member --role=role-id
The placeholder values are:
- org-name: The organization that you are granting the role for.
- member: The user that you are granting access to.
- role-id: The role ID, from the previous table.
Billing account
You must have the billing.admin role to assign roles at the billing account level.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
The placeholder values are:
- account-id: Your billing account ID, which you can get from the Manage billing accounts page.
- policy-file: An IAM policy file, in JSON or YAML format. The policy file must contain the role IDs from the previous table, and the users that you are assigning the roles to.
Project
You must have the resourcemanager.folderAdmin role to assign roles at the project level.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
The placeholder values are:
- project-id: The project that you are granting the role for.
- member: The user that you are granting access to.
- role-id: The role ID, from the previous table.
To grant roles to users using the Cloud Console, see the IAM documentation on Granting, changing, and revoking access for users.
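The billing account command above takes a whole policy file rather than a single binding, and set-iam-policy replaces the existing policy, so the safe pattern is to fetch the current policy, merge the new binding into it, and write the result back with its etag intact. The script below is an added example (not code from the page or from Google Cloud) that does that merge and also refuses to bind a role at a level the page says it cannot be assigned at. The sample policy, the etag, and the member addresses are constructed placeholders; the real policy would come from `gcloud beta billing accounts get-iam-policy ACCOUNT_ID --format=json`.

```python
"""Merge a Cloud Marketplace role binding into an existing IAM policy and
emit the policy file for `gcloud beta billing accounts set-iam-policy`.
Added example; the sample policy below is constructed, not real data."""
import copy
import json

# Resource levels at which each Cloud Marketplace role may be bound (from the page).
ROLE_LEVELS = {
    "roles/consumerprocurement.orderAdmin": {"billingAccount", "organization"},
    "roles/consumerprocurement.orderViewer": {"billingAccount", "organization"},
    "roles/consumerprocurement.entitlementManager": {"project", "organization"},
    "roles/consumerprocurement.entitlementViewer": {"project", "organization"},
}

# Constructed sample of what get-iam-policy might return. PLACEHOLDER_ETAG is
# not a real etag; in practice keep the value the service handed back.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/billing.admin", "members": ["user:owner@example.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 1,
}


def add_binding(policy, role, member, resource_level):
    """Return a copy of `policy` with `member` added to `role`.

    The input must be the *current* policy: set-iam-policy overwrites the whole
    policy, so every existing binding is carried over and the etag is preserved
    so that a concurrent modification is rejected instead of silently clobbered.
    Raises ValueError when the role is not valid at `resource_level`.
    """
    allowed = ROLE_LEVELS.get(role)
    if allowed is not None and resource_level not in allowed:
        raise ValueError(
            f"{role} cannot be granted at {resource_level} level; "
            f"use one of {sorted(allowed)}"
        )
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    for binding in bindings:
        # Only merge into unconditional bindings; a conditional binding is a
        # different grant and must not be widened by accident.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    bindings.append({"role": role, "members": [member]})
    return new_policy


def members_with_role(policy, role):
    """Members holding `role` through unconditional bindings (useful for review)."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding["role"] == role and "condition" not in binding
        for member in binding["members"]
    }


def write_policy_file(policy, path):
    """Write the JSON policy file that set-iam-policy reads as `policy-file`."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(policy, handle, indent=2)


if __name__ == "__main__":
    updated = add_binding(
        CURRENT_POLICY,
        "roles/consumerprocurement.orderAdmin",
        "user:buyer@example.com",
        "billingAccount",
    )
    print(json.dumps(updated, indent=2))
```

Run it, save the printed policy as `policy.json`, and pass that file to `gcloud beta billing accounts set-iam-policy account-id policy.json`. Because the function is idempotent and keeps the etag, re-running it against a stale policy fails at the service rather than removing grants that someone else added in the meantime.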
Using custom roles with Cloud Marketplace
If you want granular control over the permissions you grant users, you can create custom roles with the permissions that you want to grant.
If you're creating a custom role for users who purchase services from Cloud Marketplace, the role must include these permissions:
- billing.subscriptions.create and billing.accounts.get, which are typically granted with the roles/billing.admin role.
- consumerprocurement.orders.place, which is typically granted with the roles/consumerprocurement.orderAdmin role.
- consumerprocurement.accounts.create, which is typically granted with the roles/consumerprocurement.orderAdmin role.
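A custom purchaser role is narrower than roles/billing.admin, which is the point of using one, but a role that omits any of the four permissions above will fail at purchase time. The following added example (not code from the page or from Google Cloud) checks a proposed permission list against that requirement and builds the role definition file for `gcloud iam roles create ROLE_ID --organization=ORG_ID --file=role.yaml`. The role title and description are invented for illustration.

```python
"""Validate a Cloud Marketplace purchaser custom role against the permissions
the page requires and emit a role definition file for `gcloud iam roles create`.
Added example; role title and description below are constructed."""

# Permissions the page says a purchaser's custom role must include.
REQUIRED_PURCHASE_PERMISSIONS = frozenset({
    "billing.subscriptions.create",
    "billing.accounts.get",
    "consumerprocurement.orders.place",
    "consumerprocurement.accounts.create",
})


def missing_purchase_permissions(included_permissions):
    """Return the required permissions absent from the proposed list (empty set means OK)."""
    return set(REQUIRED_PURCHASE_PERMISSIONS) - set(included_permissions)


def role_definition(title, description, included_permissions, stage="GA"):
    """Build the dict that `gcloud iam roles create ... --file=role.yaml` reads.

    Raises ValueError if a required permission is missing, so a role that cannot
    actually complete a purchase is never created and then debugged in production.
    Duplicates are removed and the list is sorted for stable diffs in review.
    """
    missing = missing_purchase_permissions(included_permissions)
    if missing:
        raise ValueError(f"custom role lacks required permissions: {sorted(missing)}")
    return {
        "title": title,
        "description": description,
        "stage": stage,
        "includedPermissions": sorted(set(included_permissions)),
    }


def to_yaml(definition):
    """Minimal YAML writer for the flat role definition (avoids a PyYAML dependency)."""
    lines = []
    for key, value in definition.items():
        if isinstance(value, list):
            lines.append(f"{key}:")
            lines.extend(f"- {item}" for item in value)
        else:
            lines.append(f"{key}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed proposal: the four required permissions plus read access to
    # the billing account's subscriptions so purchasers can see what they bought.
    proposed = sorted(REQUIRED_PURCHASE_PERMISSIONS) + ["billing.subscriptions.get"]
    print(to_yaml(role_definition(
        "Marketplace Purchaser",
        "Can purchase and view Cloud Marketplace plans (constructed example)",
        proposed,
    )))
```

The check is deliberately one-directional: it flags missing permissions but does not reject extras, because what else a purchaser needs depends on the organization. Reviewing the sorted `includedPermissions` list in the generated file is where that least-privilege judgement is made.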