Grant an IAM role by using the Google Cloud console
Learn how to use the Google Cloud console to grant IAM roles to principals at the project level.
See the following video for a quick walkthrough:
To follow step-by-step guidance for this task directly in the Google Cloud console, click Guide me:
Before you begin
Create a Google Cloud project
For this quickstart, you need a new Google Cloud project.
-
In the Google Cloud console, go to the project selector page.
-
Click Create project.
-
Name your project. Make a note of your generated project ID.
-
Edit the other fields as needed.
-
Click Create.
Ensure that you have the required roles
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
-
In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role colunn to see whether the list of roles includes the required roles.
-
In the Google Cloud console, go to the IAM page.
Go to IAM - Select the project.
- Click Grant access.
-
In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Make sure that you have the following role or roles on the project: Project IAM Admin
Check for the roles
Grant the roles
Enable the APIs
Enable the IAM and Resource Manager APIs.
Grant an IAM role
Grant a principal the Logs Viewer role on the project.
In the Google Cloud console, go to the IAM page.
Select your new project.
Click
Grant access.Enter an identifier for the principal. For example,
[email protected]
.From the Select a role drop-down menu, search for Logs Viewer, then click Logs Viewer.
Click Save.
Verify that the principal and the corresponding role are listed in the IAM page.
You have successfully granted an IAM role to a principal.
Observe the effects of IAM roles
Verify that the principal you granted a role to can access the expected Google Cloud console pages by doing the following:
Send the following URL to the principal to whom you granted the role in the preceding step:
https://console.cloud.google.com/logs?project=PROJECT_ID
This URL takes the principal to the Logs Explorer page for your project.
Verify that the principal is able to access and view the URL.
If the principal tries to access a different Google Cloud console page that they don't have access to, they see an error message.
Grant additional roles to the same principal
Grant the principal the App Engine Viewer role in addition to their Logs Viewer role.
In the Google Cloud console, go to the IAM page.
Locate the row that contains the principal to whom you want to grant another role, and click Edit principal
in that row.In the Edit permissions pane, click Add another role.
From the Select a role drop-down menu, search for App Engine Viewer, then click App Engine Viewer. Click Save.
Click Save.
The principal now has a second IAM role.
Revoke IAM roles
Revoke the roles you granted to the principal in the preceding steps by doing the following:
Locate the row that contains the principal that you granted roles to and click Edit principal
in that row.In the Edit permissions pane, click the delete icon next to the Logs Viewer and App Engine Viewer roles.
Click Save.
You have now removed the principal from both of the roles. If they try to view the Logs Explorer page, they see the following error message:
You don't have permissions to view logs.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Clean up by deleting the project that you created for this quickstart.
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.
What's next
- Learn the basics of IAM.
- Review the list of all IAM roles.
- Find out how to manage access with IAM.