This page describes how to grant, change, and revoke access to projects, folders, and organizations. When you grant access to projects, folders, and organizations, you also grant access to the resources inside them.
To learn how to manage access to other resources, see the following guides:
In Identity and Access Management (IAM), access is granted through allow policies, also known as IAM policies. An allow policy is attached to a Google Cloud resource. Each allow policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role. These role bindings grant the specified roles to the principals, both on the resource that the allow policy is attached to and on all of that resource's descendants. For more information about allow policies, see Understanding allow policies.
Note: If you're getting started with Google Cloud, you can grant the appropriate IAM roles to your organization administrator groups as part of the Google Cloud setup process.
You can manage access to projects, folders, and organizations with the Google Cloud console, the Google Cloud CLI, the REST API, or the Resource Manager client libraries.
Note: You can also use deny policies to prevent principals from using specific IAM permissions. For more information, see Deny policies.
Before you begin
Enable the Resource Manager API.
Set up authentication.
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
C#
To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
gcloud init
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Java
To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
gcloud init
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
Python
To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
gcloud init
If you're using a local shell, then create local authentication credentials for your user account:
gcloud auth application-default login
You don't need to do this if you're using Cloud Shell.
If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.
For more information, see Set up ADC for a local development environment in the Google Cloud authentication documentation.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
After installing the Google Cloud CLI, initialize it by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
When you create a project, folder, or organization, you are automatically granted a role that lets you manage access for that resource. For more information, see Default policies.
If you didn't create your project, folder, or organization, ensure that you have the roles that you need to manage access to that resource.
To get the permissions that you need to manage access to a project, folder, or organization, ask your administrator to grant you the following IAM roles on the resource that you want to manage access for (project, folder, or organization):
roles/resourcemanager.projectIamAdmin
roles/resourcemanager.folderAdmin
roles/resourcemanager.organizationAdmin
roles/iam.securityAdmin
These predefined roles contain the permissions required to manage access to a project, folder, or organization. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to manage access to a project, folder, or organization:
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
resourcemanager.folders.getIamPolicy
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
You might also be able to get these permissions with custom roles or other predefined roles.
View current access
You can view who has access to your project, folder, or organization using the Google Cloud console, the gcloud CLI, the REST API, or the Resource Manager client libraries.
Console
Note: The Google Cloud console shows access in a list form, rather than directly showing the resource's allow policy.
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see Policy inheritance and the resource hierarchy.
Optional: To view role grants for service agents, select the Include Google-provided role grants checkbox.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
Note: A resource's allow policy does not show any roles gained through policy inheritance. To view inherited roles, use the Google Cloud console, or follow the instructions on Viewing effective IAM policies.
To get the allow policy for the resource, run the get-iam-policy command for the resource:
gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH
Provide the following values:
RESOURCE_TYPE: The type of the resource that you want to view access to. Use one of these values: projects, resource-manager folders, or organizations.
RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
FORMAT: The desired format for the policy. Use json or yaml.
PATH: The path to a new output file for the policy.
For example, the following command gets the policy for the project my-project and saves it to your home directory in JSON format:
gcloud projects get-iam-policy my-project --format=json > ~/policy.json
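The JSON that the command above writes is the raw allow policy, and reading it by hand gets slow once a resource has more than a handful of bindings. The following script, an added example rather than code from the Google Cloud documentation, inverts the bindings into a per-principal view and flags what an access reviewer usually wants to see first: public principals (allUsers, allAuthenticatedUsers), basic roles (owner, editor, viewer), and conditional bindings. The policy embedded below is constructed for the example; the function names (load_policy, roles_by_principal, review_findings) are this example's own. Remember that, as the note above says, the policy only contains grants made directly on the resource, never inherited ones.

```python
"""Summarise an allow policy saved by `gcloud ... get-iam-policy --format=json`."""
import json
from collections import defaultdict

# Constructed sample: the kind of content ~/policy.json holds after the
# gcloud command above (not a real project's policy; the etag is made up).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:my-user@example.com"]},
    {"role": "roles/viewer", "members": ["allUsers"]},
    {
      "role": "roles/iam.securityReviewer",
      "members": ["user:kai@example.com", "group:sec-team@example.com"],
      "condition": {
        "title": "expires_end_of_2025",
        "expression": "request.time < timestamp('2026-01-01T00:00:00Z')"
      }
    }
  ],
  "etag": "BwWKmjvelug=",
  "version": 3
}
"""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def load_policy(text):
    """Parse the JSON gcloud wrote; the top-level keys are the documented ones."""
    return json.loads(text)


def roles_by_principal(policy):
    """Invert the bindings into principal -> set of roles granted directly on
    this resource. Inherited roles are not in the policy, so this shows only
    what the resource itself grants."""
    result = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result[member].add(binding["role"])
    return dict(result)


def review_findings(policy):
    """Return the items a reviewer wants to see first: public principals,
    basic (owner/editor/viewer) roles, and conditional bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"{role} granted to {member} (public access)")
            if role in BASIC_ROLES:
                findings.append(f"basic role {role} granted to {member}")
        if "condition" in binding:
            title = binding["condition"].get("title", "<untitled>")
            findings.append(f"{role} is conditional: {title}")
    return findings


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for principal, roles in sorted(roles_by_principal(policy).items()):
        print(f"{principal}: {', '.join(sorted(roles))}")
    for line in review_findings(policy):
        print("finding:", line)
```

To run it against a real export, replace SAMPLE_POLICY_JSON with the contents of ~/policy.json. The findings are deliberately simple string lines so they can be diffed between two exports of the same resource.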
C#
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the Resource Manager client library documentation for your programming language.
Java
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the Resource Manager client library documentation for your programming language.
Python
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the Resource Manager client library documentation for your programming language.
REST
To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.
Note: A resource's allow policy does not show any roles gained through policy inheritance. To view inherited roles, use the Google Cloud console, or follow the instructions on Viewing effective IAM policies.
The Resource Manager API's getIamPolicy method gets a project's, folder's, or organization's allow policy.
Before using any of the request data, make the following replacements:
API_VERSION: The API version to use. For projects and organizations, use v1. For folders, use v2.
RESOURCE_TYPE: The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
RESOURCE_ID: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the resource's allow policy. For example:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
Grant or revoke a single IAM role
You can use the Google Cloud console and the gcloud CLI to quickly grant or revoke a single role for a single principal, without editing the resource's allow policy directly. Common types of principals include Google Accounts, service accounts, Google groups, and domains. For a list of all principal types, see Principal types.
Note: If the iam.allowedPolicyMemberDomains organization policy constraint is enforced in your organization, then you might not be able to grant roles to newly created groups. If you get a failedPrecondition error when trying to grant a role to a newly created group, wait 24 hours, and then try granting the role again.
In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.
If you need help identifying the most appropriate predefined role, see Find the right predefined roles.
Grant a single IAM role
To grant a single role to a principal, do the following:
Console
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
Select a principal to grant a role to:
To grant a role to a principal who already has other roles on the resource, find a row containing the principal, click edit Edit principal in that row, and click add Add another role.
To grant a role to a service agent, select the Include Google-provided role grants checkbox to see its email address.
Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted.
To grant a role to a principal who doesn't have any existing roles on the resource, click person_add Grant Access, then enter a principal identifier, for example, my-user@example.com or //iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com.
Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs.
Optional: Add a condition to the role.
Click Save. The principal is granted the role on the resource.
To grant a role to a principal for more than one project, folder, or organization, do the following:
In the Google Cloud console, go to the Manage resources page.
Select all the resources for which you want to grant permissions.
If the info panel is not visible, click Show info panel. Then, click Permissions.
Select a principal to grant a role to, for example, my-user@example.com or //iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com.
Select a role to grant from the drop-down list.
Optional: Add a condition to the role.
Click Save. The principal is granted the selected role on each of the selected resources.
gcloud
Note: To grant the Owner role (roles/owner) on a project to a user outside of your organization, you must use the Google Cloud console, not the gcloud CLI. If your project is not part of an organization, you must use the Google Cloud console to grant the Owner role.
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
The add-iam-policy-binding command lets you quickly grant a role to a principal.
Before using any of the command data below, make the following replacements:
RESOURCE_TYPE: The resource type that you want to manage access to. Use projects, resource-manager folders, or organizations.
RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
PRINCIPAL: An identifier for the principal, or member, which usually has the following form: PRINCIPAL_TYPE:ID. For example, user:my-user@example.com or principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com. For a full list of the values that PRINCIPAL can have, see Principal identifiers.
For the principal type user, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.
ROLE_NAME: The name of the role that you want to grant. Use one of the following formats:
roles/SERVICE.IDENTIFIER
projects/PROJECT_ID/roles/IDENTIFIER
organizations/ORG_ID/roles/IDENTIFIER
For a list of predefined roles, see Understanding roles.
CONDITION: The condition to add to the role binding. If you don't want to add a condition, use the value None. For more information about conditions, see the conditions overview.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID \
    --member=PRINCIPAL --role=ROLE_NAME \
    --condition=CONDITION
Windows (PowerShell)
gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID `
    --member=PRINCIPAL --role=ROLE_NAME `
    --condition=CONDITION
Windows (cmd.exe)
gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID ^
    --member=PRINCIPAL --role=ROLE_NAME ^
    --condition=CONDITION
The response contains the updated IAM policy.
Revoke a single IAM role
To revoke a single role from a principal, do the following:
Console
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
Find the row containing the principal whose access you want to revoke. Then, click edit Edit principal in that row.
Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted.
Click the Delete delete button for the role that you want to revoke, and then click Save.
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To quickly revoke a role from a user, run the remove-iam-policy-binding command:
gcloud RESOURCE_TYPE remove-iam-policy-binding RESOURCE_ID \
    --member=PRINCIPAL --role=ROLE_NAME
Provide the following values:
RESOURCE_TYPE: The resource type that you want to manage access to. Use projects, resource-manager folders, or organizations.
RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
PRINCIPAL: An identifier for the principal, or member, which usually has the following form: PRINCIPAL_TYPE:ID. For example, user:my-user@example.com or principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com.
For the principal type user, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.
ROLE_NAME: The name of the role that you want to revoke. Use one of the following formats:
roles/SERVICE.IDENTIFIER
projects/PROJECT_ID/roles/IDENTIFIER
organizations/ORG_ID/roles/IDENTIFIER
For a list of predefined roles, see Understanding roles.
For example, to revoke the Project Creator role from the service account example-service-account@example-project.iam.gserviceaccount.com for the project example-project:
gcloud projects remove-iam-policy-binding example-project \
    --member=serviceAccount:example-service-account@example-project.iam.gserviceaccount.com \
    --role=roles/resourcemanager.projectCreator
To help ensure that you don't revoke any necessary roles, you can enable change risk recommendations. Change risk recommendations generate warnings when you try to revoke project-level roles that Google Cloud has identified as important.
Grant or revoke multiple IAM roles using the Google Cloud console
You can use the Google Cloud console to grant and revoke multiple roles for a single principal:
In the Google Cloud console, go to the IAM page.
Select a project, folder, or organization.
Select the principal whose roles you want to modify:
To modify roles for a principal who already has roles on the resource, find a row containing the principal, click edit Edit principal in that row, and click add Add another role.
To modify roles for a service agent, select the Include Google-provided role grants checkbox to see its email address.
Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted.
To grant roles to a principal who doesn't have any roles on the resource, click person_add Grant Access, then enter a principal identifier, for example, my-user@example.com or //iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com.
Modify the principal's roles:
You can also add a condition to a role, modify a role's condition, or remove a role's condition.
Click Save.
To make large-scale access changes that involve granting and revoking multiple roles for multiple principals, use the read-modify-write pattern to update the resource's allow policy:
Read the current allow policy by calling getIamPolicy().
Modify the returned allow policy locally to grant or revoke the roles you want.
Write the updated allow policy by calling setIamPolicy().
You can use the gcloud CLI, the REST API, or the Resource Manager client libraries to update the allow policy.
Note: If the iam.allowedPolicyMemberDomains organization policy constraint is enforced in your organization, then you might not be able to grant roles to newly created groups. If you get a failedPrecondition error when trying to grant a role to a newly created group, wait 24 hours, and then try granting the role again.
In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.
Get the current allow policy
gcloud
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
To get the allow policy for the resource, run the get-iam-policy command for the resource:
gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH
Provide the following values:
RESOURCE_TYPE: The type of the resource that you want to get the allow policy for. Use one of the following values: projects, resource-manager folders, or organizations.
RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
FORMAT: The desired format for the allow policy. Use json or yaml.
PATH: The path to a new output file for the allow policy.
For example, the following command gets the allow policy for the project my-project and saves it to your home directory in JSON format:
gcloud projects get-iam-policy my-project --format json > ~/policy.json
C#
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the Resource Manager client library documentation for your programming language.
Java
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the Resource Manager client library documentation for your programming language.
Python
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the Resource Manager client library documentation for your programming language.
REST
The Resource Manager API's getIamPolicy method gets a project's, folder's, or organization's allow policy.
Before using any of the request data, make the following replacements:
API_VERSION: The API version to use. For projects and organizations, use v1. For folders, use v2.
RESOURCE_TYPE: The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
RESOURCE_ID: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
POLICY_VERSION: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy
Request JSON body:
{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the resource's allow policy. For example:
{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:my-user@example.com"
      ]
    }
  ]
}
Save the response in a file of the appropriate type (json or yaml).
Programmatically or using a text editor, modify the local copy of your resource's allow policy to reflect the roles that you want to grant or revoke.
To help prevent you from overwriting other changes, don't edit or remove the allow policy's etag field. The etag field identifies the current state of the allow policy. When you set the updated allow policy, IAM compares the etag value in the request with the existing etag, and only writes the allow policy if the values match.
To edit the roles that an allow policy grants, you need to edit the role bindings in the allow policy. Role bindings have the following format:
{
  "role": "ROLE_NAME",
  "members": [
    "PRINCIPAL_1",
    "PRINCIPAL_2",
    ...
    "PRINCIPAL_N"
  ],
  "condition": {
    CONDITIONS
  }
}
The placeholders have the following values:
ROLE_NAME: The name of the role that you want to grant. Use one of the following formats:
roles/SERVICE.IDENTIFIER
projects/PROJECT_ID/roles/IDENTIFIER
organizations/ORG_ID/roles/IDENTIFIER
For a list of predefined roles, see Understanding roles.
PRINCIPAL_1, PRINCIPAL_2, ...PRINCIPAL_N: Identifiers for the principals that you want to grant the role to.
Principal identifiers usually have the following form: PRINCIPAL_TYPE:ID. For example, user:my-user@example.com or principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com. For a full list of the values that PRINCIPAL can have, see Principal identifiers.
For the principal type user, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.
CONDITIONS: Optional. Any conditions that specify when access will be granted.
To grant roles to your principals, modify the role bindings in the allow policy. To learn what roles you can grant, see Understanding roles, or view grantable roles for the resource. If you need help to identify the most appropriate predefined roles, see Find the right predefined roles.
Optionally, you can use conditions to grant roles only when certain requirements are met.
To grant a role that is already included in the allow policy, add the principal to an existing role binding:
gcloud
Edit the returned allow policy by adding the principal to an existing role binding. This change won't take effect until you set the updated allow policy.
For example, imagine the allow policy contains the following role binding, which grants the Security Reviewer role (roles/iam.securityReviewer) to Kai:
{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com"
  ]
}
To grant that same role to Raha, add Raha's principal identifier to the existing role binding:
{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com",
    "user:raha@example.com"
  ]
}
C#
C#, Go, Java, Python
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
REST
Edit the returned allow policy by adding the principal to an existing role binding. This change won't take effect until you set the updated allow policy.
For example, imagine the allow policy contains the following role binding, which grants the Security Reviewer role (roles/iam.securityReviewer) to Kai:
{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com"
  ]
}
To grant that same role to Raha, add Raha's principal identifier to the existing role binding:
{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com",
    "user:raha@example.com"
  ]
}
To grant a role that is not yet included in the allow policy, add a new role binding:
gcloud
Edit the allow policy by adding a new role binding that grants the role to the principal. This change won't take effect until you set the updated allow policy.
For example, to grant the Compute Storage Admin role (roles/compute.storageAdmin) to Raha, add the following role binding to the bindings array for the allow policy:
{
"role": "roles/compute.storageAdmin",
"members": [
"user:raha@example.com"
]
}
C#, Java, Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM API reference documentation for your language.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
REST
Edit the allow policy by adding a new role binding that grants the role to the principal. This change won't take effect until you set the updated allow policy.
For example, to grant the Compute Storage Admin role (roles/compute.storageAdmin) to Raha, add the following role binding to the bindings array for the allow policy:
{
"role": "roles/compute.storageAdmin",
"members": [
"user:raha@example.com"
]
}
You can only grant roles related to activated API services. If a service, such as Compute Engine, is not active, you cannot grant roles exclusively related to Compute Engine. For more information, see Enable and disable APIs.
There are some unique constraints when granting permissions on projects, especially when granting the Owner (roles/owner) role. See the projects.setIamPolicy() reference documentation for more information.
To revoke a role, remove the principal from the role binding. If there are no other principals in the role binding, remove the entire role binding.
Note: Role bindings with no principals are not allowed and will result in an error when setting the allow policy.
gcloud
Revoke a role by editing the JSON or YAML allow policy returned by the get-iam-policy command. This change won't take effect until you set the updated allow policy.
To revoke a role from a principal, delete the principal or binding from the bindings array for the allow policy.
C#, Go, Java, Python
To learn how to install and use the client library for IAM, see IAM client libraries. For more information, see the IAM API reference documentation for your language.
To authenticate to IAM, set up Application Default Credentials. For more information, see Before you begin.
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
REST
Revoke a role by editing the JSON allow policy returned by the getIamPolicy method. This change won't take effect until you set the updated allow policy.
To revoke a role from a principal, delete the principal or binding from the bindings array for the allow policy.
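The three edits described above (adding a principal to an existing binding, adding a new binding, and revoking with removal of empty bindings) as one set of Python helpers. This is an added example, not code from this page or from Google: SAMPLE_POLICY is a constructed dict shaped like the JSON that get-iam-policy returns, the etag value is made up, and PRINCIPAL_RE is an illustrative check of the PRINCIPAL-TYPE:ID shape rather than an exhaustive validator. The helpers only rewrite the dict; setting the policy is still a separate step.

```python
"""Edit role bindings in an IAM allow policy, offline (added example)."""
import copy
import json
import re

# Loose check for the PRINCIPAL-TYPE:ID shapes this page describes. Illustrative
# assumption, not a complete validator; it catches a bare e-mail pasted
# without the "user:" prefix, a common slip when editing policy JSON by hand.
PRINCIPAL_RE = re.compile(
    r"^(allUsers|allAuthenticatedUsers|"
    r"(deleted:)?(user|group|serviceAccount|domain|principal|principalSet):.+)$"
)

# Constructed sample: one binding, as in the Security Reviewer example above.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwWWja0YfJA=",  # constructed; real etags are opaque server values
    "bindings": [
        {"role": "roles/iam.securityReviewer", "members": ["user:kai@example.com"]},
    ],
}


def find_binding(policy, role, condition=None):
    """Return the binding for `role` with exactly this condition, or None.

    A conditional and an unconditional binding for the same role are distinct
    bindings, so the condition is part of the lookup key.
    """
    for binding in policy.get("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            return binding
    return None


def grant_role(policy, role, member, condition=None):
    """Add `member` to the binding for `role`, creating the binding if needed.

    Returns a modified deep copy so the policy read from the API is untouched.
    """
    if not PRINCIPAL_RE.match(member):
        raise ValueError(f"unrecognised principal identifier: {member!r}")
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    binding = find_binding(updated, role, condition)
    if binding is None:
        binding = {"role": role, "members": []}
        if condition is not None:
            binding["condition"] = condition
        bindings.append(binding)
    if member not in binding["members"]:
        binding["members"].append(member)
    if condition is not None:
        updated["version"] = 3  # conditional bindings need policy version 3
    return updated


def revoke_role(policy, role, member, condition=None):
    """Remove `member` from the binding; drop the binding if it becomes empty."""
    updated = copy.deepcopy(policy)
    binding = find_binding(updated, role, condition)
    if binding is None or member not in binding["members"]:
        return updated  # nothing to revoke; revocation is idempotent
    binding["members"].remove(member)
    if not binding["members"]:
        updated["bindings"].remove(binding)  # empty bindings are rejected
    return updated


def validate_policy(policy):
    """Raise ValueError for the mistakes setIamPolicy would reject."""
    if not policy.get("etag"):
        raise ValueError("policy has no etag; re-read it before writing")
    for binding in policy.get("bindings", []):
        if not binding.get("members"):
            raise ValueError(f"binding for {binding['role']} has no members")
        if "condition" in binding and policy.get("version", 1) < 3:
            raise ValueError("conditional bindings require policy version 3")
    return True


def worked_example():
    """Grant to Raha, add a new binding, revoke Kai, then validate."""
    policy = grant_role(SAMPLE_POLICY, "roles/iam.securityReviewer", "user:raha@example.com")
    policy = grant_role(policy, "roles/compute.storageAdmin", "user:raha@example.com")
    policy = revoke_role(policy, "roles/iam.securityReviewer", "user:kai@example.com")
    validate_policy(policy)
    return policy


if __name__ == "__main__":
    print(json.dumps(worked_example(), indent=2))
```

The helpers return copies rather than mutating the policy that was read, so the original can be diffed against the result before it is written back; validate_policy front-loads the two errors setIamPolicy would otherwise return after the round trip (a binding left with no members, and a condition in a policy whose version is below 3).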
After you modify the allow policy to grant and revoke roles, call setIamPolicy() to update the policy.
gcloud
To set the allow policy for the resource, run the set-iam-policy command for the resource:
gcloud RESOURCE_TYPE set-iam-policy RESOURCE_ID PATH
Provide the following values:
RESOURCE_TYPE: The type of the resource that you want to set the allow policy for. Use one of the following values: projects, resource-manager folders, or organizations.
RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
PATH: The path to a file that contains the new allow policy.
The response contains the updated allow policy.
For example, the following command sets the allow policy stored in policy.json as the allow policy for the project my-project:
gcloud projects set-iam-policy my-project ~/policy.json
Client libraries
To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Before you begin.
To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.
The following example shows how to set the allow policy for a project. To learn how to set the allow policy of a folder or organization, review the Resource Manager client library documentation for your programming language.
REST
The Resource Manager API's setIamPolicy method sets the policy in the request as the new allow policy for the project, folder, or organization.
Before using any of the request data, make the following replacements:
API_VERSION: The API version to use. For projects and organizations, use v1. For folders, use v2.
RESOURCE_TYPE: The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
RESOURCE_ID: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
POLICY: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.
HTTP method and URL:
POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy
Request JSON body:
{
  "policy": POLICY
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -d @request.json \
  "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy"
PowerShell (Windows)
Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy" | Select-Object -Expand Content
APIs Explorer (browser)
Copy the request body and open the method reference page. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute.
The response contains the updated allow policy.
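The setIamPolicy request described above, plus the etag check that makes the read-modify-write pattern safe, as an added Python example that is not code from this page or from Google. build_set_iam_policy_request produces the URL and body documented here (v1 for projects and organizations, v2 for folders). FakeResourceManager is an assumed stand-in for the API whose etags are constructed digests rather than real server values; it exists only so the stale-etag rejection and the retry can be run offline. Because the real API compares the etag in the request with the stored one and refuses the write on mismatch, a client that loses the race must re-read, re-apply its edit, and write again, and should keep the policy the API returns (which carries the new etag) rather than the one it sent.

```python
"""Build the setIamPolicy request and rehearse the etag check offline (added example)."""
import base64
import hashlib
import json

BASE_URL = "https://cloudresourcemanager.googleapis.com"
# Projects and organizations are served by v1; folders by v2.
API_VERSION = {"projects": "v1", "organizations": "v1", "folders": "v2"}


def build_set_iam_policy_request(resource_type, resource_id, policy):
    """Return (url, json_body) for POST .../RESOURCE_TYPE/RESOURCE_ID:setIamPolicy."""
    if resource_type not in API_VERSION:
        raise ValueError(f"unsupported resource type: {resource_type!r}")
    url = f"{BASE_URL}/{API_VERSION[resource_type]}/{resource_type}/{resource_id}:setIamPolicy"
    return url, {"policy": policy}


def compute_etag(policy):
    """Constructed etag: a short digest of the bindings. Real etags are opaque."""
    canonical = json.dumps(policy.get("bindings", []), sort_keys=True).encode()
    return base64.b64encode(hashlib.sha256(canonical).digest()[:8]).decode()


class EtagMismatch(Exception):
    """The policy changed between getIamPolicy and setIamPolicy."""


class FakeResourceManager:
    """Assumed stand-in for the Resource Manager IAM methods (not the real API)."""

    def __init__(self, bindings):
        self._policy = {"version": 1, "bindings": bindings}
        self._policy["etag"] = compute_etag(self._policy)

    def get_iam_policy(self):
        return json.loads(json.dumps(self._policy))  # fresh copy, like a response

    def set_iam_policy(self, body):
        policy = body["policy"]
        # Compare-and-swap on the etag: only write if nobody wrote in between.
        if policy.get("etag") != self._policy["etag"]:
            raise EtagMismatch("stale etag: re-read the policy and retry")
        for binding in policy.get("bindings", []):
            if not binding.get("members"):
                raise ValueError(f"binding for {binding['role']} has no members")
        stored = {"version": policy.get("version", 1),
                  "bindings": policy.get("bindings", [])}
        stored["etag"] = compute_etag(stored)
        self._policy = stored
        return self.get_iam_policy()


def update_policy_with_retry(api, mutate, max_attempts=3, resource_id="my-project"):
    """Read-modify-write: `mutate(policy)` edits the bindings in place.

    On an etag mismatch the whole cycle restarts from a fresh read, so the edit
    lands on top of the other writer's change instead of silently undoing it.
    """
    for _ in range(max_attempts):
        policy = api.get_iam_policy()
        mutate(policy)
        _url, body = build_set_iam_policy_request("projects", resource_id, policy)
        try:
            return api.set_iam_policy(body)  # keep what the API returns (new etag)
        except EtagMismatch:
            continue
    raise RuntimeError(f"gave up after {max_attempts} concurrent modifications")
```

Against the real endpoint the body returned by build_set_iam_policy_request is what goes in request.json, and the EtagMismatch branch corresponds to the API rejecting the write because the etag no longer matches.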
Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-05-08 UTC.