Access Control

Service Usage uses Cloud Identity and Access Management to control access to services. This page explains the Cloud IAM roles and permissions related to Service Usage and how to use them to control access.

Resource model

For Service Usage, there are three relevant resources:

  1. The service you are using.

  2. The project from which you are using the service.

  3. The operation or long-running operation returned by certain methods.

Each Service Usage method requires a permission on one or more of these resources.

Cloud IAM permissions

The following table shows the required permissions for each Service Usage API method. You can also find this information in the API Reference.

Method Required Permission(s)
services.batchEnable On the project: serviceusage.services.enable
On the services: servicemanagement.services.bind
services.enable On the project: serviceusage.services.enable
On the service: servicemanagement.services.bind
services.disable On the project: serviceusage.services.disable
services.get On the project: serviceusage.services.get
services.list On the project: serviceusage.services.list
To use a project for quota and billing purposes. For more information, see System Parameters. On the project: serviceusage.services.use

Cloud IAM roles

With Cloud IAM, permissions are granted by binding users to roles. See Understanding Roles for details.

The following table lists the predefined roles that apply to Service Usage.

Role Permissions
roles/viewer serviceusage.services.get
serviceusage.services.list
roles/editor and
roles/owner		 serviceusage.services.get
serviceusage.services.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.use
roles/serviceusage.serviceUsageViewer serviceusage.services.get
serviceusage.services.list
roles/serviceusage.serviceUsageConsumer serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
roles/serviceusage.serviceUsageAdmin serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
serviceusage.services.enable
serviceusage.services.disable
roles/servicemanagement.serviceConsumer servicemanagement.services.bind