Set IAM policies

Stay organized with collections Save and categorize content based on your preferences.

Demonstrates how to set IAM policies on a source

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample


import (

	securitycenter ""
	iam ""

// setSourceIamPolicy grants user roles/securitycenter.findingsEditor permision
// for a source. sourceName is the full resource name of the source to be
// updated. user is an email address that IAM can grant permissions to.
func setSourceIamPolicy(w io.Writer, sourceName string, user string) error {
	// sourceName := "organizations/111122222444/sources/1234"
	// user := "
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %v", err)
	defer client.Close() // Closing the client safely cleans up background resources.

	// Retrieve the existing policy so we can update only a specific
	// field.
	existing, err := client.GetIamPolicy(ctx, &iam.GetIamPolicyRequest{
		Resource: sourceName,
	if err != nil {
		return fmt.Errorf("GetIamPolicy(%s): %v", sourceName, err)

	req := &iam.SetIamPolicyRequest{
		Resource: sourceName,
		Policy: &iam.Policy{
			// Enables partial update of existing policy
			Etag: existing.Etag,
			Bindings: []*iam.Binding{{
				Role: "roles/securitycenter.findingsEditor",
				// New IAM Binding for the user.
				Members: []string{fmt.Sprintf("user:%s", user)},
	policy, err := client.SetIamPolicy(ctx, req)
	if err != nil {
		return fmt.Errorf("SetIamPolicy(%s, %v): %v", sourceName, req.Policy, err)

	fmt.Fprint(w, "Bindings:\n")
	for _, binding := range policy.Bindings {
		for _, member := range binding.Members {
			fmt.Fprintf(w, "Principal: %s Role: %s\n", member, binding.Role)
	return nil


static Policy setIamPolicySource(SourceName sourceName, String userEmail) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // userEmail = ""
    // Set up IAM Policy for the user userMail to use the role findingsEditor.
    // The user must be a valid google account.
    Policy oldPolicy = client.getIamPolicy(sourceName.toString());
    Binding bindings =
            .addMembers("user:" + userEmail)
    Policy policy = oldPolicy.toBuilder().addBindings(bindings).build();

    // Start setting up a request to set IAM policy for a source.
    // SourceName sourceName = SourceName.of("123234324", "423432321");
    SetIamPolicyRequest.Builder request =

    // Call the API.
    Policy response = client.setIamPolicy(;

    System.out.println("Policy: " + response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);


// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function setSourceIamPolicy() {
  // sourceName is the full resource name of the source to be
  // updated.
  // user is an email address that IAM can grant permissions to.
   * TODO(developer): Uncomment the following lines
  // const sourceName = "organizations/111122222444/sources/1234";
  // const user = "";
  const [existingPolicy] = await client.getIamPolicy({
    resource: sourceName,

  const [updatedPolicy] = await client.setIamPolicy({
    resource: sourceName,
    policy: {
      // Enables partial update of existing policy
      etag: existingPolicy.etag,
      bindings: [
          role: 'roles/securitycenter.findingsEditor',
          // New IAM Binding for the user.
          members: [`user:${user}`],
  console.log('Updated policy: %j', updatedPolicy);


from import securitycenter
from google.iam.v1 import policy_pb2

client = securitycenter.SecurityCenterClient()

# source_name is the resource path for a source that has been
# created previously (you can use list_sources to find a specific one).
# Its format is:
# source_name = "organizations/{organization_id}/sources/{source_id}"
# e.g.:
# source_name = "organizations/111122222444/sources/1234"
# Get the old policy so we can do an incremental update.
old_policy = client.get_iam_policy(request={"resource": source_name})
print("Old Policy: {}".format(old_policy))

# Setup a new IAM binding.
binding = policy_pb2.Binding()
binding.role = "roles/securitycenter.findingsEditor"
# user_email is an e-mail address known to Cloud IAM (e.g. a gmail address).
# user_mail =

# Setting the e-tag avoids over-write existing policy
updated = client.set_iam_policy(
        "resource": source_name,
        "policy": {"etag": old_policy.etag, "bindings": [binding]},

print("Updated Policy: {}".format(updated))

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.