Access Control

To invoke the Google Service Control API for a managed service, the caller must have the following Google Cloud IAM permissions on the service:

The IAM roles roles/servicemanagement.serviceController, roles/owner, and roles/editor all include these permissions, so any of them can be used to grant them. We recommend using roles/servicemanagement.serviceController to run your services: roles/owner and roles/editor also grant these permissions, but the narrower role grants little beyond what the Service Control API needs, which is better for security.

Resource hierarchy

The Service Control API uses the following resource hierarchy:

  • Producer project: A producer project may own zero or more managed services; the producer project is the parent of services in this hierarchy.
  • Service: A service may have zero or more service consumers.
  • Service consumer: A service consumer is a Google project that has enabled the service.

The IAM access control is applied to the resource hierarchy. If a role is granted at the producer project level, it affects all services owned by the producer project. If a role is granted at the service level, it affects all consumers of the service.

It is highly recommended that you create only one service per producer project, for security and isolation reasons. Otherwise, if the producer project runs out of quota for sending requests to the Service Control API, for example, multiple services will be impacted.

If you have a multi-tenant service, you should grant the role roles/servicemanagement.serviceController at the service level. If you have a single-tenant service (a service where each consumer gets its own instance of your service), you should grant the role at the service consumer level. For background data processing that affects all consumers, you should grant the role at the service level.

Grant roles

To call the Service Control API, you must grant the necessary roles to the callers. You can grant the roles via one of the following three approaches. You need to be an owner of the service producer project so that you can grant the necessary roles.

Grant a role at the service producer project level

You can grant the necessary roles on the project that a service belongs to, either by following the instructions in IAM Managing Policies or by using the Google Cloud SDK add-iam-policy-binding command.

For example, you can grant the roles to a service account (e.g. foo@developer.gserviceaccount.com):

gcloud projects add-iam-policy-binding PRODUCER_PROJECT_ID --member serviceAccount:SERVICE_ACCOUNT --role roles/servicemanagement.serviceController

Similarly, you can grant the roles to a user account (e.g. bar@gmail.com):

gcloud projects add-iam-policy-binding PRODUCER_PROJECT_ID --member user:USER_ACCOUNT --role roles/servicemanagement.serviceController

Grant a role at the service level

You can grant the role roles/servicemanagement.serviceController at the service level. For example:

gcurl -d '{
  "policy": {
    "bindings": [ {
      "role": "roles/servicemanagement.serviceController",
      "members": [ "serviceAccount:SERVICE_ACCOUNT" ]
    } ]
  }
}' https://servicemanagement.googleapis.com/v1/services/YOUR_SERVICE_NAME:setIamPolicy

Grant a role at the service consumer level

You can grant the role roles/servicemanagement.serviceController at the service consumer level. Service consumer level permissions require that each request to the Service Control API contains at least one valid consumer id. For example, you can grant the roles as follows:

gcurl -d '{
  "policy": {
    "bindings": [ {
      "role": "roles/servicemanagement.serviceController",
      "members": [ "serviceAccount:SERVICE_ACCOUNT" ]
    } ]
  }
}' https://servicemanagement.googleapis.com/v1/services/YOUR_SERVICE_NAME/consumers/CONSUMER_PROJECT_NUMBER:setIamPolicy
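As an added example that is not part of this page or of Google's tooling, the following Python builds the setIamPolicy request for the service and consumer levels shown above and audits a getIamPolicy-style document for service accounts that hold the Service Control permissions through roles/owner or roles/editor instead of the recommended serviceController role. The policy document and the account names in it are constructed samples; `set_iam_policy_request` and `find_broad_service_accounts` are hypothetical helper names.

```python
# Narrow role the page recommends for running services, and the broad roles
# that also carry the Service Control permissions.
SERVICE_CONTROLLER = "roles/servicemanagement.serviceController"
BROAD_ROLES = {"roles/owner", "roles/editor"}
SM_BASE = "https://servicemanagement.googleapis.com/v1/services"


def set_iam_policy_request(level, service, member, consumer=None):
    """Build (url, body) for a setIamPolicy call at the service or consumer
    level, matching the gcurl examples above. Note that "members" is a list."""
    if level == "service":
        url = f"{SM_BASE}/{service}:setIamPolicy"
    elif level == "consumer":
        if not consumer:
            raise ValueError("consumer level requires a consumer project number")
        url = f"{SM_BASE}/{service}/consumers/{consumer}:setIamPolicy"
    else:
        raise ValueError(f"unknown level: {level!r}")
    body = {"policy": {"bindings": [{"role": SERVICE_CONTROLLER,
                                      "members": [member]}]}}
    return url, body


def find_broad_service_accounts(policy):
    """Return {member: [roles]} for service accounts granted roles/owner or
    roles/editor; such callers should be moved to the serviceController role."""
    flagged = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                flagged.setdefault(member, []).append(binding["role"])
    return {m: sorted(r) for m, r in flagged.items()}


# Constructed sample shaped like a getIamPolicy response (not real accounts).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": [
        "user:admin@example.com",
        "serviceAccount:svc-a@example.iam.gserviceaccount.com"]},
    {"role": "roles/editor", "members": [
        "serviceAccount:svc-a@example.iam.gserviceaccount.com"]},
    {"role": SERVICE_CONTROLLER, "members": [
        "serviceAccount:svc-b@example.iam.gserviceaccount.com"]},
]}
```

setIamPolicy replaces the whole policy on the resource, so in practice fetch the current bindings with getIamPolicy first and merge the new binding into them before sending.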

See Cloud Auth Guide for more information.
