Using Cloud IAM permissions

This page describes how to control access to buckets and objects using Cloud Identity and Access Management (Cloud IAM) permissions. Cloud IAM allows you to control who has access to your buckets and objects. To learn more about Cloud IAM for Cloud Storage, see the Overview of Cloud IAM.

To learn about other ways to control access to buckets and objects, read Overview of Access Control. To learn about controlling access to individual objects in your buckets, see Access Control Lists.

Using Cloud IAM with buckets

The following sections show how to complete basic Cloud IAM tasks on buckets.

Adding a member to a bucket-level policy

For a list of roles associated with Cloud Storage, see Cloud IAM Roles. For information on entities to which you grant Cloud IAM roles, see Member Types.

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.
    Open the Cloud Storage browser

  2. Click the drop-down menu associated with the bucket to which you want to grant a member a role.

    The drop-down menu appears as three vertical dots to the far right of the bucket's row.

  3. Choose Edit bucket permissions.

  4. In the Add members field, enter one or more identities that need access to your bucket.

    Add member dialog.

  5. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.

  6. Click Add.

gsutil

Use the gsutil iam ch command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil iam ch [MEMBER_TYPE]:[MEMBER_NAME]:[ROLE] gs://[BUCKET_NAME]

For a list of acceptable values for [MEMBER_TYPE], see the gsutil iam reference page.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation . 

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string role,
   std::string member) {
  StatusOr<google::cloud::IamPolicy> policy =
      client.GetBucketIamPolicy(bucket_name);

  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  policy->bindings.AddMember(role, member);

  StatusOr<google::cloud::IamPolicy> updated_policy =
      client.SetBucketIamPolicy(bucket_name, *policy);

  if (!updated_policy) {
    throw std::runtime_error(updated_policy.status().message());
  }

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated_policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation . 

private void AddBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    Policy.BindingsData bindingToAdd = new Policy.BindingsData();
    bindingToAdd.Role = role;
    string[] members = { member };
    bindingToAdd.Members = members;
    policy.Bindings.Add(bindingToAdd);
    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Added {member} with role {role} "
        + $"to {bucketName}");
}

Go

For more information, see the Cloud Storage Go API reference documentation . 

bucket := c.Bucket(bucketName)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
	return err
}
// Other valid prefixes are "serviceAccount:", "user:"
// See the documentation for more values.
// https://cloud.google.com/storage/docs/access-control/iam
policy.Add("group:cloud-logs@google.com", "roles/storage.objectViewer")
if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
	return err
}
// NOTE: It may be necessary to retry this operation if IAM policies are
// being modified concurrently. SetPolicy will return an error if the policy
// was modified since it was retrieved.

Java

For more information, see the Cloud Storage Java API reference documentation . 

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Add identity to Bucket-level IAM role
Policy updatedPolicy =
    storage.setIamPolicy(bucketName, policy.toBuilder().addIdentity(role, identity).build());

if (updatedPolicy.getBindings().get(role).contains(identity)) {
  System.out.printf("Added %s with role %s to %s\n", identity, role, bucketName);
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation . 

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to grant
//   'group:admins@example.com', // the new role to
// ];

// Creates a client
const storage = new Storage();

// Get a reference to a Google Cloud Storage bucket
const bucket = storage.bucket(bucketName);

// Gets and updates the bucket's IAM policy
const [policy] = await bucket.iam.getPolicy();

// Adds the new roles to the bucket's IAM policy
policy.bindings.push({
  role: roleName,
  members: members,
});

// Updates the bucket's IAM policy
await bucket.iam.setPolicy(policy);

console.log(
  `Added the following member(s) with role ${roleName} to ${bucketName}:`
);

members.forEach(member => {
  console.log(`  ${member}`);
});

PHP

For more information, see the Cloud Storage PHP API reference documentation . 

use Google\Cloud\Storage\StorageClient;

/**
 * Adds a new member / role IAM pair to a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to add a given member to.
 * @param string $member the member you want to give the new role for the Cloud
 * Storage bucket.
 *
 * @return void
 */
function add_bucket_iam_member($bucketName, $role, $member)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy();

    $policy['bindings'][] = [
        'role' => $role,
        'members' => [$member]
    ];

    $bucket->iam()->setPolicy($policy);

    printf('User %s added to role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
}

Python

For more information, see the Cloud Storage Python API reference documentation . 

def add_bucket_iam_member(bucket_name, role, member):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    policy[role].add(member)

    bucket.set_iam_policy(policy)

    print('Added {} with role {} to {}.'.format(
         member, role, bucket_name))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation . 

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

bucket.policy do |policy|
  policy.add role, member
end

puts "Added #{member} with role #{role} to #{bucket_name}"

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    {
"bindings":[
{
  "role": "[IAM_ROLE]",
  "members":[
    "[MEMBER_NAME]"
  ]
}
]
}

  3. Use cURL to call the JSON API with a PUT setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X PUT --data-binary @[JSON_FILE_NAME].json 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
-H "Content-Type: application/json" 
    
"https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

Viewing the Cloud IAM policy for a bucket

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.
    Open the Cloud Storage browser

  2. Click the drop-down menu associated with the bucket to which you want to view role members.

    The drop-down menu appears as three vertical dots to the far right of the bucket name.

  3. Choose Edit bucket permissions.

  4. Expand the desired role to view the members who have been assigned to it.

  5. (Optional) Use the search bar to filter your results by role or member.

    If you search by member, your results display each role that the member is assigned to.

gsutil

Use the gsutil iam get command, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil iam get gs://[BUCKET_NAME]

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation . 

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name) {
  StatusOr<google::cloud::IamPolicy> policy =
      client.GetBucketIamPolicy(bucket_name);

  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  std::cout << "The IAM policy for bucket " << bucket_name << " is "
            << *policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation . 

private void ViewBucketIamMembers(string bucketName)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    foreach (var binding in policy.Bindings)
    {
        Console.WriteLine($"  Role: {binding.Role}");
        Console.WriteLine("  Members:");
        foreach (var member in binding.Members)
        {
            Console.WriteLine($"    {member}");
        }
    }
}

Go

For more information, see the Cloud Storage Go API reference documentation . 

policy, err := c.Bucket(bucketName).IAM().Policy(ctx)
if err != nil {
	return nil, err
}
for _, role := range policy.Roles() {
	log.Printf("%q: %q", role, policy.Members(role))
}

Java

For more information, see the Cloud Storage Java API reference documentation . 

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Print Roles and its identities
Map<Role, Set<Identity>> policyBindings = policy.getBindings();
for (Map.Entry<Role, Set<Identity>> entry : policyBindings.entrySet()) {
  System.out.printf("Role: %s Identities: %s\n", entry.getKey(), entry.getValue());
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation . 

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

// Creates a client
const storage = new Storage();

/**
 * TODO(developer): Uncomment the following line before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';

// Gets and displays the bucket's IAM policy
const results = await storage.bucket(bucketName).iam.getPolicy();

const policy = results[0].bindings;

// Displays the roles in the bucket's IAM policy
console.log(`Roles for bucket ${bucketName}:`);
policy.forEach(role => {
  console.log(`  Role: ${role.role}`);
  console.log(`  Members:`);

  const members = role.members;
  members.forEach(member => {
    console.log(`    ${member}`);
  });
});

PHP

For more information, see the Cloud Storage PHP API reference documentation . 

use Google\Cloud\Storage\StorageClient;

/**
 * View Bucket IAM members for a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 *
 * @return void
 */
function view_bucket_iam_members($bucketName)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);

    $policy = $bucket->iam()->policy();

    printf('Printing Bucket IAM members for Bucket: %s' . PHP_EOL, $bucketName);
    printf(PHP_EOL);

    foreach ($policy['bindings'] as $binding) {
        printf('Role: %s' . PHP_EOL, $binding['role']);
        printf('Members:' . PHP_EOL);
        foreach ($binding['members'] as $member) {
            printf('  %s' . PHP_EOL, $member);
        }
        printf(PHP_EOL);
    }
}

Python

For more information, see the Cloud Storage Python API reference documentation . 

def view_bucket_iam_members(bucket_name):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    for role in policy:
        members = policy[role]
        print('Role: {}, Members: {}'.format(role, members))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation . 

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

policy = bucket.policy

policy.roles.each do |role, members|
  puts "Role: #{role} Members: #{members}"
end

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the JSON API with a GET getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X GET 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
"https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

Removing a member from a bucket-level policy

Console

  1. Open the Cloud Storage browser in the Google Cloud Platform Console.
    Open the Cloud Storage browser

  2. Click the drop-down menu associated with the bucket from which you want to remove a member's role.

    The drop-down menu appears as three vertical dots to the far right of the bucket name.

  3. Choose Edit bucket permissions.

  4. Expand the role that contains the member you are removing.

  5. Hover over the member and click on the trash icon that appears.

    Removing a member from a project.

  6. In the overlay window that appears, click Remove.

gsutil

Use the gsutil iam ch command with a -d flag, replacing [VALUES_IN_BRACKETS] with the appropriate values:

gsutil iam ch -d [MEMBER_TYPE]:[MEMBER_NAME] gs://[BUCKET_NAME]

For a list of acceptable values for [MEMBER_TYPE], see the gsutil iam reference page.

Code samples

C++

For more information, see the Cloud Storage C++ API reference documentation . 

namespace gcs = google::cloud::storage;
using ::google::cloud::StatusOr;
[](gcs::Client client, std::string bucket_name, std::string role,
   std::string member) {
  StatusOr<google::cloud::IamPolicy> policy =
      client.GetBucketIamPolicy(bucket_name);
  if (!policy) {
    throw std::runtime_error(policy.status().message());
  }

  policy->bindings.RemoveMember(role, member);

  StatusOr<google::cloud::IamPolicy> updated_policy =
      client.SetBucketIamPolicy(bucket_name, *policy);

  if (!updated_policy) {
    throw std::runtime_error(updated_policy.status().message());
  }

  std::cout << "Updated IAM policy bucket " << bucket_name
            << ". The new policy is " << *updated_policy << "\n";
}

C#

For more information, see the Cloud Storage C# API reference documentation . 

private void RemoveBucketIamMember(string bucketName,
    string role, string member)
{
    var storage = StorageClient.Create();
    var policy = storage.GetBucketIamPolicy(bucketName);
    policy.Bindings.ToList().ForEach(response =>
    {
        if (response.Role == role)
        {
            // Remove the role/member combo from the IAM policy.
            response.Members = response.Members
                .Where(m => m != member).ToList();
            // Remove role if it contains no members.
            if (response.Members.Count == 0)
            {
                policy.Bindings.Remove(response);
            }
        }
    });
    // Set the modified IAM policy to be the current IAM policy.
    storage.SetBucketIamPolicy(bucketName, policy);
    Console.WriteLine($"Removed {member} with role {role} "
        + $"to {bucketName}");
}

Go

For more information, see the Cloud Storage Go API reference documentation . 

bucket := c.Bucket(bucketName)
policy, err := bucket.IAM().Policy(ctx)
if err != nil {
	return err
}
// Other valid prefixes are "serviceAccount:", "user:"
// See the documentation for more values.
// https://cloud.google.com/storage/docs/access-control/iam
policy.Remove("group:cloud-logs@google.com", "roles/storage.objectViewer")
if err := bucket.IAM().SetPolicy(ctx, policy); err != nil {
	return err
}
// NOTE: It may be necessary to retry this operation if IAM policies are
// being modified concurrently. SetPolicy will return an error if the policy
// was modified since it was retrieved.

Java

For more information, see the Cloud Storage Java API reference documentation . 

// Initialize a Cloud Storage client
Storage storage = StorageOptions.getDefaultInstance().getService();

// Get IAM Policy for a bucket
Policy policy = storage.getIamPolicy(bucketName);

// Remove an identity from a Bucket-level IAM role
Policy updatedPolicy =
    storage.setIamPolicy(bucketName, policy.toBuilder().removeIdentity(role, identity).build());

if (updatedPolicy.getBindings().get(role) == null
    || !updatedPolicy.getBindings().get(role).contains(identity)) {
  System.out.printf("Removed %s with role %s from %s\n", identity, role, bucketName);
}

Node.js

For more information, see the Cloud Storage Node.js API reference documentation . 

// Imports the Google Cloud client library
const {Storage} = require('@google-cloud/storage');

/**
 * TODO(developer): Uncomment the following lines before running the sample.
 */
// const bucketName = 'Name of a bucket, e.g. my-bucket';
// const roleName = 'Role to grant, e.g. roles/storage.objectViewer';
// const members = [
//   'user:jdoe@example.com',    // Example members to grant
//   'group:admins@example.com', // the new role to
// ];

// Creates a client
const storage = new Storage();

// Get a reference to a Google Cloud Storage bucket
const bucket = storage.bucket(bucketName);

// Gets and updates the bucket's IAM policy
const [policy] = await bucket.iam.getPolicy();

// Finds and updates the appropriate role-member group
const index = policy.bindings.findIndex(role => role.role === roleName);
const role = policy.bindings[index];
if (role) {
  role.members = role.members.filter(
    member => members.indexOf(member) === -1
  );

  // Updates the policy object with the new (or empty) role-member group
  if (role.members.length === 0) {
    policy.bindings.splice(index, 1);
  } else {
    policy.bindings.index = role;
  }

  // Updates the bucket's IAM policy
  await bucket.iam.setPolicy(policy);
} else {
  // No matching role-member group(s) were found
  throw new Error('No matching role-member group(s) found.');
}

console.log(
  `Removed the following member(s) with role ${roleName} from ${bucketName}:`
);
members.forEach(member => {
  console.log(`  ${member}`);
});

PHP

For more information, see the Cloud Storage PHP API reference documentation . 

use Google\Cloud\Core\Iam\PolicyBuilder;
use Google\Cloud\Storage\StorageClient;

/**
 * Removes a member / role IAM pair from a given Cloud Storage bucket.
 *
 * @param string $bucketName the name of your Cloud Storage bucket.
 * @param string $role the role you want to remove a given member from.
 * @param string $member the member you want to remove from the given role.
 *
 * @return void
 */
function remove_bucket_iam_member($bucketName, $role, $member)
{
    $storage = new StorageClient();
    $bucket = $storage->bucket($bucketName);
    $policy = $bucket->iam()->policy();
    $policyBuilder = new PolicyBuilder($policy);
    $policyBuilder->removeBinding($role, [$member]);

    $bucket->iam()->setPolicy($policyBuilder->result());
    printf('User %s removed from role %s for bucket %s' . PHP_EOL, $member, $role, $bucketName);
}

Python

For more information, see the Cloud Storage Python API reference documentation . 

def remove_bucket_iam_member(bucket_name, role, member):
    storage_client = storage.Client()
    bucket = storage_client.bucket(bucket_name)

    policy = bucket.get_iam_policy()

    policy[role].discard(member)

    bucket.set_iam_policy(policy)

    print('Removed {} with role {} from {}.'.format(
        member, role, bucket_name))

Ruby

For more information, see the Cloud Storage Ruby API reference documentation . 

# project_id  = "Your Google Cloud project ID"
# bucket_name = "Your Google Cloud Storage bucket name"
# role        = "Bucket-level IAM role"
# member      = "Bucket-level IAM member"

require "google/cloud/storage"

storage = Google::Cloud::Storage.new project_id: project_id
bucket = storage.bucket bucket_name

bucket.policy do |policy|
  policy.remove role, member
end

puts "Removed #{member} with role #{role} from #{bucket_name}"

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Get the existing policy applied to your project. To do so, use cURL to call the JSON API with a GET getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X GET 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
"https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

  3. Create a .json file that contains the policy you retrieved in the previous step.

  4. Edit the .json file to remove the member from the policy.

  5. Use cURL to call the JSON API with a PUT setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X PUT --data-binary @[JSON_FILE_NAME].json 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
-H "Content-Type: application/json" 
    
"https://www.googleapis.com/storage/v1/b/[BUCKET_NAME]/iam"

Using Cloud IAM with projects

The following sections show how to complete basic Cloud IAM tasks on projects. Note that these tasks use a separate command line command, gcloud, and a separate endpoint, cloudresourcemanager.googleapis.com, compared to most Cloud Storage tasks.

Adding a member to a project-level policy

For a list of roles associated with Cloud Storage, see Cloud IAM Roles. For information on entities to which you grant Cloud IAM roles, see Member Types.

Console

  1. Open the IAM & Admin browser in the Google Cloud Platform Console.
    Open the IAM & Admin browser

  2. Select the project to which you want to add a member.

    Adding a member to a project.

  3. In the Add members dialog, specify the name of the entity you are granting access.

    Add member dialog.

  4. In the Select a role drop down, set the appropriate permissions for the team member.

    Roles that affect Cloud Storage buckets and objects are found in the Project and Storage submenus.

  5. Click Add.

gsutil

Project-level Cloud IAM policies are managed through the gcloud command, which is part of the Google Cloud SDK. To add a project-level policy, use gcloud beta projects add-iam-policy-binding.

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Create a .json file that contains the following information, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    {
"policy": {
"version": "0",
"bindings": {
  "role": "[IAM_ROLE]",
  "members": "[MEMBER_NAME]"
},
}
}

  3. Use cURL to call the Resource Manager API with a POST setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X POST --data-binary @[JSON_FILE_NAME].json 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
-H "Content-Type: application/json" 
    
"https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"

Viewing the Cloud IAM policy for a project

Console

  1. Open the IAM & Admin browser in the Google Cloud Platform Console.
    Open the IAM & Admin browser

  2. Select the project whose policy you want to view.

  3. Use the drop-down associated with individual roles to see which members have the role, or use the Search members dialog to filter your results.

gsutil

Project-level Cloud IAM policies are managed through the gcloud command, which is part of the Google Cloud SDK. To view the Cloud IAM policy of a project, use gcloud beta projects get-iam-policy command.

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Use cURL to call the Resource Manager API with a POST getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X POST 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
-H "Content-Length: 0" 
    
"https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

Removing a member from a project-level policy

Console

  1. Open the IAM & Admin browser in the Google Cloud Platform Console.
    Open the IAM & Admin browser

  2. Select the project from which you want to remove a member.

    Adding a member to a project.

  3. In the Search members dialog, specify the name of the member whose access you are removing.

  4. In the results below the search, hover over the member you are removing and click on the trash icon that appears.

    Removing a member from a project.

  5. In the overlay window that appears, click Remove.

gsutil

Project-level Cloud IAM policies are managed through the gcloud command, which is part of the Google Cloud SDK. To remove a project-level policy, use gcloud beta projects remove-iam-policy-binding.

JSON

  1. Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.

  2. Get the existing policy applied to your project. To do so, use cURL to call the Resource Manager API with a POST getIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X POST 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
-H "Content-Length: 0" 
    
"https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:getIamPolicy"

  3. Create a .json file that contains the policy you retrieved in the previous step.

  4. Edit the .json file to remove the member from the policy.

  5. Use cURL to call the Resource Manager API with a POST setIamPolicy request, replacing [VALUES_IN_BRACKETS] with the appropriate values: 

    curl -X POST --data-binary @[JSON_FILE_NAME].json 
    
-H "Authorization: Bearer [OAUTH2_TOKEN]" 
    
-H "Content-Type: application/json" 
    
"https://cloudresourcemanager.googleapis.com/v1/projects/[PROJECT_NAME]:setIamPolicy"

What's next

¿Te sirvió esta página? Envíanos tu opinión:

Enviar comentarios sobre…

Esta página
Comentarios sobre la documentación
Cloud Storage
Comentarios sobre el producto
¿Necesitas ayuda? Visita nuestra página de asistencia.