Access Control with IAM

Service Usage uses Identity and Access Management (IAM) to control access to services. This page explains the IAM roles and permissions related to Service Usage and how to use them to control access.

Resource model

For Service Usage, there are three relevant resources:

  1. The service you are using.

  2. The project from which you are using the service.

  3. The operation or long-running operation returned by certain methods.

Each Service Usage method requires a permission on one or more of these resources.

IAM permissions

The following table shows the required permissions for each Service Usage API method. You can also find this information in the API reference.

Method Required permissions
services.batchEnable On the project: serviceusage.services.enable
On the services: servicemanagement.services.bind
services.enable On the project: serviceusage.services.enable
On the service: servicemanagement.services.bind
services.disable On the project: serviceusage.services.disable
services.get On the project: serviceusage.services.get
services.list On the project: serviceusage.services.list
services.consumerQuotaMetrics.list
services.consumerQuotaMetrics.get
services.consumerQuotaMetrics.limits.get
services.consumerQuotaMetrics.limits.consumerOverrides.list
services.consumerQuotaMetrics.limits.adminOverrides.list
services.consumerQuotaMetrics.limits.producerOverrides.list
On the project: serviceusage.quota.get
On the service: servicemanagement.services.bind
services.consumerQuotaMetrics.consumerOverrides.create
services.consumerQuotaMetrics.consumerOverrides.patch
services.consumerQuotaMetrics.consumerOverrides.delete
services.adminQuotaMetrics.adminOverrides.create
services.adminQuotaMetrics.adminOverrides.patch
services.adminQuotaMetrics.adminOverrides.delete
On the project: serviceusage.quota.update
On the service: servicemanagement.services.bind
To use a project for quota and billing purposes. For more information, see System parameters. On the project: serviceusage.services.use

IAM roles

With IAM, you give users permission by granting them a role. The following tables list IAM basic and predefined roles, and the permissions related to Service Usage that those roles include.

For more information about roles, see Understanding roles.

Basic roles

Name Title Permissions
roles/viewer Viewer serviceusage.services.get
serviceusage.services.list
serviceusage.quotas.get

roles/editor

roles/owner

Editor

Owner

serviceusage.services.get
serviceusage.services.list
serviceusage.services.disable
serviceusage.services.enable
serviceusage.services.use
serviceusage.quotas.get
serviceusage.quotas.update

Predefined roles

Role Permissions

(roles/serviceusage.apiKeysAdmin)

Ability to create, delete, update, get and list API keys for a project.

apikeys.*

  • apikeys.keys.create
  • apikeys.keys.delete
  • apikeys.keys.get
  • apikeys.keys.getKeyString
  • apikeys.keys.list
  • apikeys.keys.lookup
  • apikeys.keys.undelete
  • apikeys.keys.update

orgpolicy.policy.get

serviceusage.apiKeys.*

  • serviceusage.apiKeys.regenerate
  • serviceusage.apiKeys.revert

(roles/serviceusage.apiKeysViewer)

Ability to get and list API keys for a project.

apikeys.keys.get

apikeys.keys.getKeyString

apikeys.keys.list

apikeys.keys.lookup

(roles/serviceusage.serviceUsageAdmin)

Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list

serviceusage.quotas.*

  • serviceusage.quotas.get
  • serviceusage.quotas.update

serviceusage.services.*

  • serviceusage.services.disable
  • serviceusage.services.enable
  • serviceusage.services.get
  • serviceusage.services.list
  • serviceusage.services.use

(roles/serviceusage.serviceUsageConsumer)

Ability to inspect service states and operations, and consume quota and billing for a consumer project.

monitoring.timeSeries.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list

serviceusage.services.use

(roles/serviceusage.serviceUsageViewer)

Ability to inspect service states and operations for a consumer project.

monitoring.timeSeries.list

serviceusage.quotas.get

serviceusage.services.get

serviceusage.services.list