Access Control for Managed Services

Google Service Management uses Google Cloud IAM to control access to services and their child resources. This page explains the IAM roles and permissions used with Service Management, and how to use them to control access.

Resource model

Cloud IAM applies IAM policies on resources to control who can perform what actions on the resources. Service Management uses the following resources to provide its functionality to both service producers and service consumers:

  • Producer Projects
    • Managed Services
      • Service Configurations
      • Service Rollouts

Service producers typically need all permissions on managed services and their child resources, so they can create services, configurations, and rollouts.

Service consumers need only the servicemanagement.services.bind permission, which lets them see the service and enable it for their projects so they can use it.

IAM permissions

Calls to the Google Service Management API require the caller to have proper IAM permissions on the resources that the call is accessing.

The following table lists the permissions that apply to services.

Permission                                 Description
servicemanagement.services.delete          Delete services.
servicemanagement.services.get             Read services.
servicemanagement.services.create          Create new services in projects.
servicemanagement.services.list            List services in projects.
servicemanagement.services.update          Update services.
servicemanagement.services.bind            Enable or disable services on consumer projects.
servicemanagement.services.setIamPolicy    Set the IAM access policy for services.
servicemanagement.services.getIamPolicy    Read the IAM access policy for services.
servicemanagement.services.check           Check service consumer status. See services.check.
servicemanagement.services.quota           Allocate quota for a service consumer. See services.allocateQuota.
servicemanagement.services.report          Report service usage. See services.report.

servicemanagement.services.bind is currently unsupported in IAM custom roles. To work around this, grant the predefined roles/servicemanagement.serviceConsumer role instead.

The following table shows the required permissions for each Service Management API method, where applicable. This information is also documented in the API Reference.

Method Required Permission(s)
services.delete servicemanagement.services.delete on the specified service_name.
services.disable servicemanagement.services.bind on the specified service_name.
services.enable servicemanagement.services.bind on the specified service_name.
services.get servicemanagement.services.get on the specified service_name.
services.getConfig servicemanagement.services.get on the specified service_name.
services.undelete servicemanagement.services.delete on the specified service_name.
services.configs.create servicemanagement.services.update on the specified service_name.
services.configs.get servicemanagement.services.get on the specified service_name.
services.configs.list servicemanagement.services.get on the specified service_name.
services.configs.submit servicemanagement.services.update on the specified service_name.
services.rollouts.create servicemanagement.services.update on the specified service_name.
services.rollouts.get servicemanagement.services.get on the specified service_name.
services.rollouts.list servicemanagement.services.get on the specified service_name.

IAM roles

With Cloud IAM, permissions are granted by binding members (such as users and groups) to roles. See Understanding Roles for details.

The following table lists the roles that apply to services.

roles/viewer
  • servicemanagement.services.get
  • servicemanagement.services.list

roles/editor
  All permissions of roles/viewer, plus:
  • servicemanagement.services.delete
  • servicemanagement.services.create
  • servicemanagement.services.update
  • servicemanagement.services.bind
  • servicemanagement.services.check
  • servicemanagement.services.quota
  • servicemanagement.services.report

roles/owner
  All permissions of roles/editor, plus:
  • servicemanagement.services.setIamPolicy
  • servicemanagement.services.getIamPolicy

roles/servicemanagement.serviceConsumer
  • servicemanagement.services.bind

roles/servicemanagement.serviceController
  • servicemanagement.services.get
  • servicemanagement.services.check
  • servicemanagement.services.quota
  • servicemanagement.services.report

Only roles/owner carries servicemanagement.services.setIamPolicy, and a member who holds it on a service can grant any other role on that service. For consumers and for the service's runtime control plane, prefer the narrower predefined roles/servicemanagement.serviceConsumer and roles/servicemanagement.serviceController over the basic roles.

Managing policies

Cloud IAM evaluates policies hierarchically: a child resource always inherits the policy of its parent. For Service Management, each managed service is a child resource of its producer project, so roles granted on the producer project apply to every managed service in that project. Inheritance is additive: a service-level policy can grant additional access, but it cannot take away access already granted at the project level, so a project-level Editor keeps servicemanagement.services.update and servicemanagement.services.bind on every service regardless of the service's own policy. See Managing Policies for instructions on granting roles at the project level.
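The following Python script is an added example, not Google's code. It transcribes the permission, method, and role tables above and applies the inheritance rule just described: the effective permission set of a member on a service is the union of what the producer project policy and the service policy grant. Use it to answer "can this principal call this method?" and "who can enable this service or rewrite its policy?" before changing a binding. The member names and both policies are constructed sample data; custom roles are not modeled.

```python
"""Simulate the Service Management authorization check (added example)."""

# Role -> permissions, transcribed from the roles table on this page.
ROLE_PERMISSIONS = {
    "roles/viewer": {
        "servicemanagement.services.get",
        "servicemanagement.services.list",
    },
    "roles/servicemanagement.serviceConsumer": {
        "servicemanagement.services.bind",
    },
    "roles/servicemanagement.serviceController": {
        "servicemanagement.services.get",
        "servicemanagement.services.check",
        "servicemanagement.services.quota",
        "servicemanagement.services.report",
    },
}
ROLE_PERMISSIONS["roles/editor"] = ROLE_PERMISSIONS["roles/viewer"] | {
    "servicemanagement.services.delete",
    "servicemanagement.services.create",
    "servicemanagement.services.update",
    "servicemanagement.services.bind",
    "servicemanagement.services.check",
    "servicemanagement.services.quota",
    "servicemanagement.services.report",
}
ROLE_PERMISSIONS["roles/owner"] = ROLE_PERMISSIONS["roles/editor"] | {
    "servicemanagement.services.setIamPolicy",
    "servicemanagement.services.getIamPolicy",
}

# API method -> required permission, transcribed from the method table.
METHOD_PERMISSION = {
    "services.delete": "servicemanagement.services.delete",
    "services.disable": "servicemanagement.services.bind",
    "services.enable": "servicemanagement.services.bind",
    "services.get": "servicemanagement.services.get",
    "services.getConfig": "servicemanagement.services.get",
    "services.undelete": "servicemanagement.services.delete",
    "services.configs.create": "servicemanagement.services.update",
    "services.configs.get": "servicemanagement.services.get",
    "services.configs.list": "servicemanagement.services.get",
    "services.configs.submit": "servicemanagement.services.update",
    "services.rollouts.create": "servicemanagement.services.update",
    "services.rollouts.get": "servicemanagement.services.get",
    "services.rollouts.list": "servicemanagement.services.get",
}


def effective_permissions(member, *policies):
    """Union of permissions the member holds across all given policies.

    Pass the producer project policy and the service policy together: IAM is
    additive, so a project-level grant reaches every service in the project and
    a narrower service policy cannot remove it. Unknown (e.g. custom) roles
    contribute nothing here.
    """
    perms = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if member in binding.get("members", []):
                perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def can_call(member, method, *policies):
    """True if the member holds the permission the API method requires."""
    if method not in METHOD_PERMISSION:
        raise ValueError(f"unknown Service Management method: {method}")
    return METHOD_PERMISSION[method] in effective_permissions(member, *policies)


def members_with(permission, *policies):
    """Every member that holds `permission` through any binding (audit helper)."""
    holders = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            if permission in ROLE_PERMISSIONS.get(binding["role"], set()):
                holders.update(binding.get("members", []))
    return holders


# Constructed sample policies (hypothetical principals, not real accounts).
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:producer@example.com"]},
]}
SERVICE_POLICY = {"bindings": [
    {"role": "roles/servicemanagement.serviceConsumer",
     "members": ["group:api-users@example.com"]},
]}

if __name__ == "__main__":
    for member in ("user:producer@example.com", "group:api-users@example.com"):
        for method in ("services.enable", "services.configs.submit", "services.get"):
            print(member, method, can_call(member, method, PROJECT_POLICY, SERVICE_POLICY))
    print("can rewrite policy:", members_with("servicemanagement.services.setIamPolicy",
                                              PROJECT_POLICY, SERVICE_POLICY))
```

The producer is never mentioned in the service policy, yet can submit configurations because the project-level Editor grant is inherited; the consumer group can enable the service but cannot read its configuration, which is the least-privilege outcome the serviceConsumer role is meant to give.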

You can also manage the IAM policy for an individual service. The following sections describe how to manage service-level roles using Google Cloud Console, Service Management API, and Google Cloud SDK.

Managing access using Cloud Console

  1. Open the Endpoints page in the Cloud Console.
  2. Click the service that you want to manage access for.
  3. Click the "PERMISSIONS" link at the top of the page. This toggles the info panel on and off.
  4. From the info panel, you can view the list of current members, add new members, and remove members, for any service-level role.

Managing access using IAM Policy API

The Google Service Management API includes the IAM Policy API methods (getIamPolicy and setIamPolicy) for managing service-level policies. You can experiment with them using the gcurl alias set up in Getting Started, which wraps curl with your OAuth access token and a JSON content type.

For example:

# View the current IAM policy on service "endpointsapis.appspot.com".
# getIamPolicy is a POST method, so an empty JSON body is sent.
gcurl -d '{}' https://servicemanagement.googleapis.com/v1/services/endpointsapis.appspot.com:getIamPolicy
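When you change a service policy through the API rather than with gcloud, you do the read-modify-write yourself: read the policy with getIamPolicy, edit its bindings, and send the whole policy back to setIamPolicy. The Python script below is an added example, not Google's code. It works on the policy JSON shape returned by getIamPolicy (a "bindings" list plus an "etag"), produces the request body for setIamPolicy, keeps the etag so a concurrent edit is rejected instead of silently overwritten, and flags bindings a reviewer would want to see before the write. The policy, etag value and principals are constructed samples; the HTTP calls themselves are left to gcurl as shown above.

```python
"""Read-modify-write of a service-level IAM policy (added example)."""
import copy
import json

# Constructed sample of what services.getIamPolicy might return.
SAMPLE_POLICY = {
    "etag": "BwWd0example=",
    "bindings": [
        {
            "role": "roles/servicemanagement.serviceConsumer",
            "members": ["user:email1@gmail.com", "group:group1@googlegroups.com"],
        },
    ],
}

# Principals that make a grant world-readable; flag them on any role.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def add_binding(policy, role, member):
    """Return a copy of `policy` with `member` added to `role` (idempotent)."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            members = binding.setdefault("members", [])
            if member not in members:
                members.append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, role, member):
    """Return a copy with `member` removed from `role`; drop bindings left empty."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding.get("members", []) if m != member]
        if binding.get("members"):
            kept.append(binding)
    new["bindings"] = kept
    return new


def set_iam_policy_request(policy):
    """Body for POST .../v1/services/{service_name}:setIamPolicy.

    The etag returned by getIamPolicy is sent back unchanged so the server can
    refuse the write if the policy was modified after it was read.
    """
    if not policy.get("etag"):
        raise ValueError("policy has no etag; re-read it with getIamPolicy first")
    return {"policy": policy}


def risky_bindings(policy):
    """Findings to review before writing: public principals, and roles/owner,
    the only role in the table above that carries setIamPolicy."""
    findings = []
    for binding in policy.get("bindings", []):
        public = PUBLIC_MEMBERS.intersection(binding.get("members", []))
        if public:
            findings.append(f"{binding['role']} granted to public principal(s) {sorted(public)}")
        if binding["role"] == "roles/owner":
            findings.append("roles/owner granted at service level (includes setIamPolicy)")
    return findings


if __name__ == "__main__":
    # Hypothetical service account for the runtime control plane.
    updated = add_binding(SAMPLE_POLICY, "roles/servicemanagement.serviceController",
                          "serviceAccount:ctrl@example-project.iam.gserviceaccount.com")
    for finding in risky_bindings(updated):
        print("REVIEW:", finding)
    # Save this as body.json, then:
    #   gcurl -d @body.json https://servicemanagement.googleapis.com/v1/services/SERVICE_NAME:setIamPolicy
    print(json.dumps(set_iam_policy_request(updated), indent=2))
```

Because the functions return copies, the policy you read stays intact for comparison; diffing it against the updated one before the setIamPolicy call is the simplest way to confirm you are only adding the binding you intended.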

Managing access using Cloud SDK

Cloud SDK includes the following commands to manage IAM policies for managed services:

  • endpoints services get-iam-policy
    • Show the IAM policy of the service.
  • endpoints services add-iam-policy-binding
    • Add a member to a role.
  • endpoints services remove-iam-policy-binding
    • Remove a member from a role.

For example:

# Show the IAM policy of service "endpointsapis.appspot.com".
gcloud endpoints services get-iam-policy endpointsapis.appspot.com

# The above command may produce an output similar to this:
bindings:
- members:
  - user:email1@gmail.com
  - group:group1@googlegroups.com
  role: roles/servicemanagement.serviceConsumer

# Add a user to "roles/servicemanagement.serviceConsumer" role.
gcloud endpoints services add-iam-policy-binding endpointsapis.appspot.com --member "user:email1@gmail.com" --role "roles/servicemanagement.serviceConsumer"

# Add a group to "roles/servicemanagement.serviceConsumer" role.
gcloud endpoints services add-iam-policy-binding endpointsapis.appspot.com --member "group:group1@googlegroups.com" --role "roles/servicemanagement.serviceConsumer"

# Remove a user from "roles/servicemanagement.serviceConsumer" role.
gcloud endpoints services remove-iam-policy-binding endpointsapis.appspot.com --member "user:email1@gmail.com" --role "roles/servicemanagement.serviceConsumer"

# Remove a group from "roles/servicemanagement.serviceConsumer" role.
gcloud endpoints services remove-iam-policy-binding endpointsapis.appspot.com --member "group:group1@googlegroups.com" --role "roles/servicemanagement.serviceConsumer"