Manage access to projects, folders, and organizations | IAM Documentation

<!doctype html> <html lang="en" dir="ltr"> <head> <meta name="google-signin-client-id" content="721724668570-nbkv1cfusk7kk4eni4pjvepaus73b13t.apps.googleusercontent.com"> <meta name="google-signin-scope" content="profile email https://www.googleapis.com/auth/developerprofiles https://www.googleapis.com/auth/developerprofiles.award https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/webhistory"> <meta property="og:site_name" content="Google Cloud"> <meta property="og:type" content="website"><meta name="theme-color" content="#039be5"><meta charset="utf-8"> <meta content="IE=Edge" http-equiv="X-UA-Compatible"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="manifest" href="/_pwa/cloud/manifest.json" crossorigin="use-credentials"> <link rel="preconnect" href="//www.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.gstatic.com" crossorigin> <link rel="preconnect" href="//fonts.googleapis.com" crossorigin> <link rel="preconnect" href="//apis.google.com" crossorigin> <link rel="preconnect" href="//www.google-analytics.com" crossorigin><link rel="stylesheet" href="//fonts.googleapis.com/css?family=Google+Sans:400,500,700|Google+Sans+Text:400,400italic,500,500italic,700,700italic|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"> <link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Material+Icons&family=Material+Symbols+Outlined&display=block"><link rel="stylesheet" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/css/app.css"> <link rel="shortcut icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/favicon.ico"> <link rel="apple-touch-icon" href="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png"><link rel="canonical" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access"><link rel="search" type="application/opensearchdescription+xml" title="Google Cloud" href="https://cloud.google.com/s/opensearch.xml"> <link rel="alternate" hreflang="en" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access" /><link rel="alternate" hreflang="x-default" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access" /><link rel="alternate" hreflang="zh-Hans" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=zh-cn" /><link rel="alternate" hreflang="fr" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=fr" /><link rel="alternate" hreflang="de" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=de" /><link rel="alternate" hreflang="id" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=id" /><link rel="alternate" hreflang="it" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=it" /><link rel="alternate" hreflang="ja" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=ja" /><link rel="alternate" hreflang="ko" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=ko" /><link rel="alternate" hreflang="pt-BR" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=pt-br" /><link rel="alternate" hreflang="es-419" href="https://cloud.google.com/iam/docs/granting-changing-revoking-access?hl=es-419" /><title>Manage access to projects, folders, and organizations  |  IAM Documentation  |  Google Cloud</title> <meta property="og:title" content="Manage access to projects, folders, and organizations  |  IAM Documentation  |  Google Cloud"><meta name="description" content="How to grant, change, and revoke access to projects, folders, and organizations."> <meta property="og:description" content="How to grant, change, and revoke access to projects, folders, and organizations."><meta property="og:url" content="https://cloud.google.com/iam/docs/granting-changing-revoking-access"><meta property="og:image" content="https://cloud.google.com/_static/cloud/images/social-icon-google-cloud-1200-630.png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="630"><meta property="og:locale" content="en"><meta name="twitter:card" content="summary_large_image"><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "headline": "Manage access to projects, folders, and organizations" } </script><script type="application/ld+json"> { "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [{ "@type": "ListItem", "position": 1, "name": "IAM", "item": "https://cloud.google.com/iam" },{ "@type": "ListItem", "position": 2, "name": "Documentation", "item": "https://cloud.google.com/iam/docs" },{ "@type": "ListItem", "position": 3, "name": "Manage access to projects, folders, and organizations", "item": "https://cloud.google.com/iam/docs/granting-changing-revoking-access" }] } </script> <link rel="stylesheet" href="/extras.css"></head> <body class="" template="page" theme="cloud-theme" type="article" layout="docs" free-trial display-toc pending> <devsite-progress type="indeterminate" id="app-progress"></devsite-progress> <section class="devsite-wrapper"> <devsite-cookie-notification-bar></devsite-cookie-notification-bar><cloudx-track userCountry="SG"></cloudx-track> <cloudx-utils-init></cloudx-utils-init> <devsite-header keep-tabs-visible> <div class="devsite-header--inner nocontent"> <div class="devsite-top-logo-row-wrapper-wrapper"> <div class="devsite-top-logo-row-wrapper"> <div class="devsite-top-logo-row"> <button type="button" id="devsite-hamburger-menu" class="devsite-header-icon-button button-flat material-icons gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Navigation menu button" visually-hidden aria-label="Open menu"> </button> <div class="devsite-product-name-wrapper"> <a href="/" class="devsite-site-logo-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Site logo" track-type="globalNav" track-name="googleCloud" track-metadata-position="nav" track-metadata-eventDetail="nav"> <picture> <img src="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/cloud-logo.svg" class="devsite-site-logo" alt="Google Cloud"> </picture> </a> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item devsite-has-google-wordmark"> </li> </ul> </div> <div class="devsite-top-logo-row-middle"> <div class="devsite-header-upper-tabs"> <cloudx-tabs-nav class="upper-tabs"> <nav class="devsite-tabs-wrapper" aria-label="Upper tabs"> <tab class="devsite-active"> <a href="https://cloud.google.com/docs" track-metadata-eventdetail="https://cloud.google.com/docs" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - docs-home" track-metadata-module="primary nav" aria-label="Documentation, selected" data-category="Site-Wide Custom Events" data-label="Tab: Documentation" track-name="docs-home" track-link-column-type="single-column" > Documentation </a> </tab> <tab class="devsite-dropdown devsite-clickable "> <a href="https://cloud.google.com/docs/tech-area-overviews" track-metadata-eventdetail="https://cloud.google.com/docs/tech-area-overviews" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - technology-areas" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Technology areas" track-name="technology-areas" track-link-column-type="single-column" > Technology areas </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Technology areas" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/tech-area-overviews" track-metadata-position="nav - technology-areas" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Technology areas" track-name="technology-areas" track-link-column-type="single-column" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <button class="devsite-tabs-close-button material-icons button-flat gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Close dropdown menu" aria-label="Close dropdown menu" track-type="nav" track-name="close" track-metadata-eventdetail="#" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav">close</button> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/ai-ml" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/ai-ml" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> AI and ML </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/application-development" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/application-development" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Application development </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/application-hosting" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/application-hosting" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Application hosting </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/compute-area" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/compute-area" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Compute </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/data" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/data" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Data analytics and pipelines </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/databases" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/databases" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Databases </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/dhm-cloud" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/dhm-cloud" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Distributed, hybrid, and multicloud </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/generative-ai" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/generative-ai" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Generative AI </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/industry" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/industry" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Industry solutions </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/networking" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/networking" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Networking </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/observability" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/observability" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Observability and monitoring </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/security" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/security" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Security </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/storage" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/storage" track-metadata-position="nav - technology-areas" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Storage </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown devsite-clickable "> <a href="https://cloud.google.com/docs/cross-product-overviews" track-metadata-eventdetail="https://cloud.google.com/docs/cross-product-overviews" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - crossproduct" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Cross-product tools" track-name="crossproduct" track-link-column-type="single-column" > Cross-product tools </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Cross-product tools" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/cross-product-overviews" track-metadata-position="nav - crossproduct" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Cross-product tools" track-name="crossproduct" track-link-column-type="single-column" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <button class="devsite-tabs-close-button material-icons button-flat gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Close dropdown menu" aria-label="Close dropdown menu" track-type="nav" track-name="close" track-metadata-eventdetail="#" track-metadata-position="nav - crossproduct" track-metadata-module="tertiary nav">close</button> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/access-resources" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/access-resources" track-metadata-position="nav - crossproduct" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Access and resources management </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/costs-usage" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/costs-usage" track-metadata-position="nav - crossproduct" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Costs and usage management </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/devtools" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/devtools" track-metadata-position="nav - crossproduct" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud SDK, languages, frameworks, and tools </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/iac" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/iac" track-metadata-position="nav - crossproduct" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Infrastructure as code </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/docs/migration" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/docs/migration" track-metadata-position="nav - crossproduct" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Migration </div> </a> </li> </ul> </div> </div> </div> </tab> <tab class="devsite-dropdown devsite-clickable "> <a href="https://cloud.google.com/" track-metadata-eventdetail="https://cloud.google.com/" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - related-sites" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Related sites" track-name="related-sites" track-link-column-type="single-column" > Related sites </a> <a href="#" role="button" aria-haspopup="true" aria-expanded="false" aria-label="Dropdown menu for Related sites" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/" track-metadata-position="nav - related-sites" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Related sites" track-name="related-sites" track-link-column-type="single-column" class="devsite-tabs-dropdown-toggle devsite-icon devsite-icon-arrow-drop-down"></a> <div class="devsite-tabs-dropdown" aria-label="submenu" hidden> <button class="devsite-tabs-close-button material-icons button-flat gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Close dropdown menu" aria-label="Close dropdown menu" track-type="nav" track-name="close" track-metadata-eventdetail="#" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav">close</button> <div class="devsite-tabs-dropdown-content"> <div class="devsite-tabs-dropdown-column "> <ul class="devsite-tabs-dropdown-section "> <li class="devsite-nav-item"> <a href="https://cloud.google.com/" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Home </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/free" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/free" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Free Trial and Free Tier </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/architecture" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/architecture" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Architecture Center </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/blog" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/blog" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Blog </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/contact" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/contact" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Contact Sales </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/developers" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/developers" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Developer Center </div> </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/" track-type="nav" track-metadata-eventdetail="https://developers.google.com/" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Developer Center </div> </a> </li> <li class="devsite-nav-item"> <a href="https://console.cloud.google.com/marketplace" track-type="nav" track-metadata-eventdetail="https://console.cloud.google.com/marketplace" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Marketplace </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/marketplace/docs" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/marketplace/docs" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Marketplace Documentation </div> </a> </li> <li class="devsite-nav-item"> <a href="https://www.cloudskillsboost.google/paths" track-type="nav" track-metadata-eventdetail="https://www.cloudskillsboost.google/paths" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Skills Boost </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/solutions" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/solutions" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Solution Center </div> </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/support-hub" track-type="nav" track-metadata-eventdetail="https://cloud.google.com/support-hub" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Support </div> </a> </li> <li class="devsite-nav-item"> <a href="https://www.youtube.com/@googlecloudtech" track-type="nav" track-metadata-eventdetail="https://www.youtube.com/@googlecloudtech" track-metadata-position="nav - related-sites" track-metadata-module="tertiary nav" tooltip > <div class="devsite-nav-item-title"> Google Cloud Tech Youtube Channel </div> </a> </li> </ul> </div> </div> </div> </tab> </nav> </cloudx-tabs-nav> </div> <devsite-search enable-signin enable-search enable-suggestions project-name="IAM Documentation" tenant-name="Google Cloud" project-scope="/iam/docs" url-scoped="https://cloud.google.com/s/results/iam/docs" > <form class="devsite-search-form" action="https://cloud.google.com/s/results" method="GET"> <div class="devsite-search-container"> <button type="button" search-open class="devsite-search-button devsite-header-icon-button button-flat material-icons" aria-label="Open search"></button> <div class="devsite-searchbox"> <input aria-activedescendant="" aria-autocomplete="list" aria-label="Search" aria-expanded="false" aria-haspopup="listbox" autocomplete="off" class="devsite-search-field devsite-search-query" name="q" placeholder="Search" role="combobox" type="text" value="" > <div class="devsite-search-image material-icons" aria-hidden="true"> </div> <div class="devsite-search-shortcut-icon-container" aria-hidden="true"> <kbd class="devsite-search-shortcut-icon">/</kbd> </div> </div> </div> </form> <button type="button" search-close class="devsite-search-button devsite-header-icon-button button-flat material-icons" aria-label="Close search"></button> </devsite-search> </div> <devsite-language-selector> <ul role="presentation"> <li role="presentation"> <a role="menuitem" lang="en" >English</a> </li> <li role="presentation"> <a role="menuitem" lang="de" >Deutsch</a> </li> <li role="presentation"> <a role="menuitem" lang="es_419" >Español – América Latina</a> </li> <li role="presentation"> <a role="menuitem" lang="fr" >Français</a> </li> <li role="presentation"> <a role="menuitem" lang="id" >Indonesia</a> </li> <li role="presentation"> <a role="menuitem" lang="it" >Italiano</a> </li> <li role="presentation"> <a role="menuitem" lang="pt_br" >Português – Brasil</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_cn" >中文 – 简体</a> </li> <li role="presentation"> <a role="menuitem" lang="ja" >日本語</a> </li> <li role="presentation"> <a role="menuitem" lang="ko" >한국어</a> </li> </ul> </devsite-language-selector> <devsite-user enable-profiles fp-auth id="devsite-user"> Sign in </devsite-user> </div> </div> </div> <div class="devsite-collapsible-section "> <div class="devsite-header-background"> <div class="devsite-product-id-row" hidden> <div class="devsite-product-description-row"> </div> </div> <div class="devsite-doc-set-nav-row"> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item "> <a href="https://cloud.google.com/iam" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Lower Header" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="IAM" > IAM </a> </li> </ul> <cloudx-tabs-nav class="lower-tabs"> <nav class="devsite-tabs-wrapper" aria-label="Lower tabs"> <tab class="devsite-active"> <a href="https://cloud.google.com/iam/docs/overview" track-metadata-eventdetail="https://cloud.google.com/iam/docs/overview" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - guides" track-metadata-module="primary nav" aria-label="Guides, selected" data-category="Site-Wide Custom Events" data-label="Tab: Guides" track-name="guides" > Guides </a> </tab> <tab > <a href="https://cloud.google.com/iam/docs/apis" track-metadata-eventdetail="https://cloud.google.com/iam/docs/apis" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - reference" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Reference" track-name="reference" > Reference </a> </tab> <tab > <a href="https://cloud.google.com/iam/docs/samples" track-metadata-eventdetail="https://cloud.google.com/iam/docs/samples" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - samples" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Samples" track-name="samples" > Samples </a> </tab> <tab > <a href="https://cloud.google.com/iam/docs/resources" track-metadata-eventdetail="https://cloud.google.com/iam/docs/resources" class="devsite-tabs-content gc-analytics-event " track-type="nav" track-metadata-position="nav - resources" track-metadata-module="primary nav" data-category="Site-Wide Custom Events" data-label="Tab: Resources" track-name="resources" > Resources </a> </tab> </nav> </cloudx-tabs-nav> <div class="devsite-product-button-row"> <a href="https://cloud.google.com/contact" class="cta-button-secondary button " track-metadata-position="nav" track-type="contact" data-overflow-wrapper="tab" track-name="sales" data-overflow="devsite-tabs-wrapper" track-metadata-eventDetail="nav" data-overflow-container="left" >Contact Us</a> <a href="//console.cloud.google.com/freetrial" class="cloud-free-trial-button cta-button-primary button-primary button cloud-button cloud-button--primary " data-overflow-container="right" track-metadata-eventDetail="nav" data-overflow-class="devsite-header-link devsite-top-button button cloud-free-trial-button cloud-free-trial-enabled cloud-button cloud-button--primary" track-type="freeTrial" data-overflow="devsite-top-logo-row" referrerpolicy="no-referrer-when-downgrade" track-name="gcpCta" track-metadata-position="nav" >Start free</a> </div> </div> </div> </div> </div> </devsite-header> <devsite-book-nav scrollbars > <div class="devsite-book-nav-filter" > <input type="text" placeholder="Filter" aria-label="Type to filter" role="searchbox"> </div> <nav class="devsite-book-nav devsite-nav nocontent" aria-label="Side menu"> <div class="devsite-mobile-header"> <button type="button" id="devsite-close-nav" class="devsite-header-icon-button button-flat material-icons gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Close navigation" aria-label="Close navigation"> </button> <div class="devsite-product-name-wrapper"> <a href="/" class="devsite-site-logo-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Site logo" track-type="globalNav" track-name="googleCloud" track-metadata-position="nav" track-metadata-eventDetail="nav"> <picture> <img src="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/cloud-logo.svg" class="devsite-site-logo" alt="Google Cloud"> </picture> </a> <ul class="devsite-breadcrumb-list" > <li class="devsite-breadcrumb-item devsite-has-google-wordmark"> </li> </ul> </div> </div> <div class="devsite-book-nav-wrapper"> <div class="devsite-mobile-nav-top"> <ul class="devsite-nav-list"> <li class="devsite-nav-item"> <a href="/docs" class="devsite-nav-title gc-analytics-event devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: Documentation" track-name="docs-home" track-link-column-type="single-column" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Documentation" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Documentation </a> <ul class="devsite-nav-responsive-tabs"> <li class="devsite-nav-item"> <a href="/iam/docs/overview" class="devsite-nav-title gc-analytics-event devsite-nav-has-children devsite-nav-active" data-category="Site-Wide Custom Events" data-label="Tab: Guides" track-name="guides" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Guides" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Guides </a> </li> <li class="devsite-nav-item"> <a href="/iam/docs/apis" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Reference" track-name="reference" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Reference" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Reference </a> </li> <li class="devsite-nav-item"> <a href="/iam/docs/samples" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Samples" track-name="samples" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Samples" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Samples </a> </li> <li class="devsite-nav-item"> <a href="/iam/docs/resources" class="devsite-nav-title gc-analytics-event devsite-nav-has-children " data-category="Site-Wide Custom Events" data-label="Tab: Resources" track-name="resources" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Resources" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Resources </a> </li> </ul> </li> <li class="devsite-nav-item"> <a href="/docs/tech-area-overviews" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Technology areas" track-name="technology-areas" track-link-column-type="single-column" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Technology areas" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Technology areas </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> More </li> </ul> </li> <li class="devsite-nav-item"> <a href="/docs/cross-product-overviews" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Cross-product tools" track-name="crossproduct" track-link-column-type="single-column" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Cross-product tools" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Cross-product tools </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> More </li> </ul> </li> <li class="devsite-nav-item"> <a href="/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Tab: Related sites" track-name="related-sites" track-link-column-type="single-column" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Related sites" track-type="globalNav" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Related sites </a> <ul class="devsite-nav-responsive-tabs devsite-nav-has-menu "> <li class="devsite-nav-item"> More </li> </ul> </li> <li class="devsite-nav-item"> <a href="//console.cloud.google.com/" class="devsite-nav-title gc-analytics-event " track-name="console" track-metadata-position="nav" track-metadata-eventDetail="nav" track-type="globalNav" referrerpolicy="no-referrer-when-downgrade" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Console" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Console </a> </li> <li class="devsite-nav-item"> <a href="/contact" class="cta-button-secondary button" track-metadata-position="nav" track-type="contact" data-overflow-wrapper="tab" track-name="sales" data-overflow="devsite-tabs-wrapper" track-metadata-eventDetail="nav" data-overflow-container="left" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Contact Us" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Contact Us </a> </li> <li class="devsite-nav-item"> <a href="//console.cloud.google.com/freetrial" class="cloud-free-trial-button cta-button-primary button-primary button cloud-button cloud-button--primary" data-overflow-container="right" track-metadata-eventDetail="nav" data-overflow-class="devsite-header-link devsite-top-button button cloud-free-trial-button cloud-free-trial-enabled cloud-button cloud-button--primary" track-type="freeTrial" data-overflow="devsite-top-logo-row" referrerpolicy="no-referrer-when-downgrade" track-name="gcpCta" track-metadata-position="nav" data-category="Site-Wide Custom Events" data-label="Responsive Tab: Start free" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Start free </a> </li> </ul> </div> <div class="devsite-mobile-nav-bottom"> <ul class="devsite-nav-list" menu="_book"> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Discover </div></li> <li class="devsite-nav-item"><a href="/iam/docs/overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/overview" >Product overview</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Get started </div></li> <li class="devsite-nav-item"><a href="/iam/docs/grant-role-console" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/grant-role-console" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/grant-role-console" >Grant roles in the Google Cloud console</a></li> <li class="devsite-nav-item"><a href="/iam/docs/write-policy-client-libraries" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/write-policy-client-libraries" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/write-policy-client-libraries" >Grant roles using client libraries</a></li> <li class="devsite-nav-item"><a href="/iam/docs/iam-security-architecture" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/iam-security-architecture" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/iam-security-architecture" >IAM and your security architecture</a></li> <li class="devsite-nav-item"><a href="/iam/docs/google-identities" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/google-identities" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/google-identities" >Identity management for Google Cloud</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Configure identities for users </div></li> <li class="devsite-nav-item"><a href="/iam/docs/user-identities" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/user-identities" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/user-identities" >Identities for users</a></li> <li class="devsite-nav-item"><a href="/iam/docs/groups-in-cloud-console" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/groups-in-cloud-console" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/groups-in-cloud-console" >Create and manage Google groups in the Google Cloud console</a></li> <li class="devsite-nav-item"><a href="/iam/docs/groups-best-practices" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/groups-best-practices" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/groups-best-practices" >Best practices for using Google groups</a></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Federate identities for users </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/workforce-identity-federation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-identity-federation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-identity-federation" >Workforce identity federation</a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Configure Workforce Identity Federation </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/workforce-sign-in-microsoft-entra-id" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-sign-in-microsoft-entra-id" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-sign-in-microsoft-entra-id" >Microsoft Entra ID</a></li><li class="devsite-nav-item"><a href="/iam/docs/workforce-sign-in-okta" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-sign-in-okta" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-sign-in-okta" >Okta</a></li><li class="devsite-nav-item"><a href="/iam/docs/configuring-workforce-identity-federation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/configuring-workforce-identity-federation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/configuring-workforce-identity-federation" >Other OIDC or SAML 2.0</a></li><li class="devsite-nav-item"><a href="/iam/docs/workforce-sign-in-power-bi" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-sign-in-power-bi" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-sign-in-power-bi" >Access BigQuery data in Power BI with Microsoft Entra</a></li></ul></div></li><li class="devsite-nav-item"><a href="/iam/docs/workforce-obtaining-short-lived-credentials" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-obtaining-short-lived-credentials" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-obtaining-short-lived-credentials" >Obtain short-lived credentials for Workforce Identity Federation</a></li><li class="devsite-nav-item"><a href="/iam/docs/manage-workforce-identity-pools-providers" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/manage-workforce-identity-pools-providers" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/manage-workforce-identity-pools-providers" >Manage workforce identity pools and providers</a></li><li class="devsite-nav-item"><a href="/iam/docs/workforce-delete-user-data" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-delete-user-data" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-delete-user-data" >Delete Workforce Identity Federation users and their data</a></li><li class="devsite-nav-item"><a href="/iam/docs/workforce-console-sso" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-console-sso" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-console-sso" >Set up user access to console (federated)</a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Integrate OAuth applications </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/workforce-oauth-app" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-oauth-app" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-oauth-app" >OAuth application integration overview</a></li><li class="devsite-nav-item"><a href="/iam/docs/workforce-manage-oauth-app" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workforce-manage-oauth-app" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workforce-manage-oauth-app" >Manage OAuth applications</a></li></ul></div></li></ul></div></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Configure identities for workloads </div></li> <li class="devsite-nav-item"><a href="/iam/docs/workload-identities" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identities" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identities" >Identities for workloads</a></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Create and manage service accounts </div><ul class="devsite-nav-section"><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> About service accounts </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/service-account-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-account-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-account-overview" >Service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-account-creds" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-account-creds" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-account-creds" >Service account credentials</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-account-impersonation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-account-impersonation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-account-impersonation" >Service account impersonation</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-account-types" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-account-types" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-account-types" >Service account types</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-account-permissions" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-account-permissions" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-account-permissions" >Roles for service account authentication</a></li></ul></div></li><li class="devsite-nav-item devsite-nav-preview"><a href="/iam/docs/create-service-agents" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/create-service-agents" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/create-service-agents" >Create and grant roles to service agents</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-accounts-create" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-accounts-create" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-accounts-create" >Create service accounts</a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Manage service accounts </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/service-accounts-list-edit" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-accounts-list-edit" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-accounts-list-edit" >List and edit service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-accounts-disable-enable" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-accounts-disable-enable" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-accounts-disable-enable" >Disable and enable service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-accounts-delete-undelete" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-accounts-delete-undelete" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-accounts-delete-undelete" >Delete and undelete service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-accounts-tags" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-accounts-tags" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-accounts-tags" >Manage tags for service accounts</a></li></ul></div></li><li class="devsite-nav-item"><a href="/iam/docs/attach-service-accounts" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/attach-service-accounts" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/attach-service-accounts" >Attach service accounts to resources</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-accounts-custom-constraints" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-accounts-custom-constraints" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-accounts-custom-constraints" >Use custom organization policies for service accounts and keys</a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Service account best practices </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/best-practices-service-accounts" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/best-practices-service-accounts" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/best-practices-service-accounts" >Best practices for using service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/best-practices-for-using-service-accounts-in-deployment-pipelines" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/best-practices-for-using-service-accounts-in-deployment-pipelines" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/best-practices-for-using-service-accounts-in-deployment-pipelines" >Best practices for using service accounts in deployment pipelines</a></li></ul></div></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable devsite-nav-preview"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Create managed workload identities </div><ul class="devsite-nav-section"><li class="devsite-nav-item devsite-nav-preview"><a href="/iam/docs/managed-workload-identity" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/managed-workload-identity" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/managed-workload-identity" >About managed workload identities</a></li><li class="devsite-nav-item devsite-nav-preview"><a href="/iam/docs/create-managed-workload-identities" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/create-managed-workload-identities" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/create-managed-workload-identities" >Create managed workload identities</a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Federate identities for external workloads </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/workload-identity-federation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identity-federation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identity-federation" >Workload Identity Federation</a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Configure Workload Identity Federation </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/workload-identity-federation-with-other-clouds" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identity-federation-with-other-clouds" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identity-federation-with-other-clouds" >AWS or Azure</a></li><li class="devsite-nav-item"><a href="/iam/docs/workload-identity-federation-with-active-directory" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identity-federation-with-active-directory" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identity-federation-with-active-directory" >Active Directory</a></li><li class="devsite-nav-item"><a href="/iam/docs/workload-identity-federation-with-deployment-pipelines" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identity-federation-with-deployment-pipelines" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identity-federation-with-deployment-pipelines" >Deployment pipelines</a></li><li class="devsite-nav-item"><a href="/iam/docs/workload-identity-federation-with-kubernetes" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identity-federation-with-kubernetes" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identity-federation-with-kubernetes" >Kubernetes</a></li><li class="devsite-nav-item devsite-nav-preview"><a href="/iam/docs/workload-identity-federation-with-x509-certificates" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identity-federation-with-x509-certificates" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identity-federation-with-x509-certificates" >Workloads with X.509 certificates</a></li><li class="devsite-nav-item"><a href="/iam/docs/workload-identity-federation-with-other-providers" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-identity-federation-with-other-providers" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-identity-federation-with-other-providers" >Other identity providers</a></li></ul></div></li><li class="devsite-nav-item"><a href="/iam/docs/manage-workload-identity-pools-providers" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/manage-workload-identity-pools-providers" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/manage-workload-identity-pools-providers" >Manage workload identity pools and providers</a></li><li class="devsite-nav-item"><a href="/iam/docs/best-practices-for-using-workload-identity-federation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/best-practices-for-using-workload-identity-federation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/best-practices-for-using-workload-identity-federation" >Best practices for using Workload Identity Federation</a></li><li class="devsite-nav-item"><a href="/iam/docs/use-workload-identity-federation-to-let-customers-access-their-cloud-resources" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/use-workload-identity-federation-to-let-customers-access-their-cloud-resources" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/use-workload-identity-federation-to-let-customers-access-their-cloud-resources" >Let customers access their Google Cloud resources from your product or service</a></li><li class="devsite-nav-item"><a href="/iam/docs/workload-download-cred-and-grant-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/workload-download-cred-and-grant-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/workload-download-cred-and-grant-access" >Download credential configuration and grant access</a></li><li class="devsite-nav-item"><a href="/iam/docs/tutorial-cloud-run-workload-id-federation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/tutorial-cloud-run-workload-id-federation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/tutorial-cloud-run-workload-id-federation" >Integrate Cloud Run and Workload Identity Federation</a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Create and manage service account keys </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/migrate-from-service-account-keys" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/migrate-from-service-account-keys" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/migrate-from-service-account-keys" >Migrate from service account keys</a></li><li class="devsite-nav-item"><a href="/iam/docs/key-rotation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/key-rotation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/key-rotation" >Service account key rotation</a></li><li class="devsite-nav-item"><a href="/iam/docs/keys-create-delete" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/keys-create-delete" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/keys-create-delete" >Create and delete service account keys</a></li><li class="devsite-nav-item"><a href="/iam/docs/keys-list-get" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/keys-list-get" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/keys-list-get" >List and get service account keys</a></li><li class="devsite-nav-item"><a href="/iam/docs/keys-upload" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/keys-upload" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/keys-upload" >Upload a public key</a></li><li class="devsite-nav-item"><a href="/iam/docs/keys-disable-enable" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/keys-disable-enable" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/keys-disable-enable" >Disable and enable service account keys</a></li><li class="devsite-nav-item"><a href="/iam/docs/best-practices-for-managing-service-account-keys" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/best-practices-for-managing-service-account-keys" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/best-practices-for-managing-service-account-keys" >Best practices for managing service account keys</a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Control access to resources </div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> About IAM access controls </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/roles-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/roles-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/roles-overview" >Roles and permissions</a></li><li class="devsite-nav-item"><a href="/iam/docs/policy-types" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/policy-types" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/policy-types" >Policy types</a></li><li class="devsite-nav-item"><a href="/iam/docs/policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/policies" >Allow policies</a></li><li class="devsite-nav-item"><a href="/iam/docs/resource-hierarchy-access-control" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/resource-hierarchy-access-control" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/resource-hierarchy-access-control" >Allow policy inheritance</a></li><li class="devsite-nav-item"><a href="/iam/docs/deny-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/deny-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/deny-overview" >Deny policies</a></li><li class="devsite-nav-item"><a href="/iam/docs/principal-access-boundary-policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/principal-access-boundary-policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/principal-access-boundary-policies" >Principal access boundary policies</a></li><li class="devsite-nav-item"><a href="/iam/docs/access-change-propagation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/access-change-propagation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/access-change-propagation" >Access change propagation</a></li><li class="devsite-nav-item"><a href="/iam/docs/conditions-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/conditions-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/conditions-overview" >IAM conditions</a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Choose roles to grant </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/choose-predefined-roles" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/choose-predefined-roles" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/choose-predefined-roles" >Choose predefined roles</a></li><li class="devsite-nav-item"><a href="/iam/docs/viewing-grantable-roles" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/viewing-grantable-roles" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/viewing-grantable-roles" >View grantable roles</a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Roles for specific job functions </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/job-functions/billing" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/job-functions/billing" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/job-functions/billing" >Billing-related job functions</a></li><li class="devsite-nav-item"><a href="/iam/docs/job-functions/networking" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/job-functions/networking" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/job-functions/networking" >Networking-related job functions</a></li><li class="devsite-nav-item"><a href="/iam/docs/job-functions/auditing" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/job-functions/auditing" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/job-functions/auditing" >Auditing-related job functions</a></li></ul></div></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Create and manage custom roles </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/creating-custom-roles" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/creating-custom-roles" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/creating-custom-roles" >Create and manage custom roles</a></li><li class="devsite-nav-item"><a href="/iam/docs/maintain-custom-roles-deployment-manager" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/maintain-custom-roles-deployment-manager" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/maintain-custom-roles-deployment-manager" >Use Deployment Manager to maintain custom roles</a></li></ul></div></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Grant access </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/granting-changing-revoking-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/granting-changing-revoking-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/granting-changing-revoking-access" >Manage access to projects, folders, and organizations</a></li><li class="devsite-nav-item"><a href="/iam/docs/manage-access-service-accounts" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/manage-access-service-accounts" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/manage-access-service-accounts" >Manage access to service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/manage-access-other-resources" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/manage-access-other-resources" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/manage-access-other-resources" >Manage access to other resources</a></li><li class="devsite-nav-item"><a href="/iam/docs/test-policy-changes" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/test-policy-changes" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/test-policy-changes" >Test allow policy changes</a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Grant access conditionally </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/managing-conditional-role-bindings" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/managing-conditional-role-bindings" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/managing-conditional-role-bindings" >Manage conditional role bindings</a></li><li class="devsite-nav-item"><a href="/iam/docs/configuring-temporary-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/configuring-temporary-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/configuring-temporary-access" >Configure temporary access</a></li><li class="devsite-nav-item"><a href="/iam/docs/configuring-resource-based-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/configuring-resource-based-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/configuring-resource-based-access" >Configure resource-based access</a></li><li class="devsite-nav-item"><a href="/iam/docs/tags-access-control" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/tags-access-control" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/tags-access-control" >Tags and conditional access</a></li><li class="devsite-nav-item"><a href="/iam/docs/setting-limits-on-granting-roles" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/setting-limits-on-granting-roles" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/setting-limits-on-granting-roles" >Set limits on granting roles</a></li><li class="devsite-nav-item devsite-nav-alpha"><a href="/iam/docs/linting-policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/linting-policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/linting-policies" >Lint conditions in allow policies</a></li></ul></div></li> <li class="devsite-nav-item"><a href="/iam/docs/deny-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/deny-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/deny-access" >Deny access</a></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Restrict the resources that a principal can access </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/principal-access-boundary-policies-create" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/principal-access-boundary-policies-create" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/principal-access-boundary-policies-create" >Create and apply principal access boundary policies</a></li><li class="devsite-nav-item"><a href="/iam/docs/principal-access-boundary-policies-view" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/principal-access-boundary-policies-view" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/principal-access-boundary-policies-view" >View principal access boundary policies</a></li><li class="devsite-nav-item"><a href="/iam/docs/principal-access-boundary-policies-edit" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/principal-access-boundary-policies-edit" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/principal-access-boundary-policies-edit" >Edit principal access boundary policies</a></li><li class="devsite-nav-item"><a href="/iam/docs/principal-access-boundary-policies-remove" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/principal-access-boundary-policies-remove" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/principal-access-boundary-policies-remove" >Remove principal access boundary policies</a></li></ul></div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Temporary elevated access </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/temporary-elevated-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/temporary-elevated-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/temporary-elevated-access" >Temporary elevated access overview</a></li><li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Control temporary elevated access with PAM </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/pam-overview" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-overview" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-overview" >PAM overview</a></li><li class="devsite-nav-item"><a href="/iam/docs/pam-permissions-and-setup" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-permissions-and-setup" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-permissions-and-setup" >Permissions and setup</a></li><li class="devsite-nav-item"><a href="/iam/docs/pam-create-entitlements" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-create-entitlements" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-create-entitlements" >Create entitlements</a></li><li class="devsite-nav-item"><a href="/iam/docs/pam-view-update-delete-entitlements" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-view-update-delete-entitlements" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-view-update-delete-entitlements" >View, update, and delete entitlements</a></li><li class="devsite-nav-item"><a href="/iam/docs/pam-view-grants" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-view-grants" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-view-grants" >View grants</a></li><li class="devsite-nav-item"><a href="/iam/docs/pam-revoke-grants" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-revoke-grants" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-revoke-grants" >Revoke grants</a></li><li class="devsite-nav-item"><a href="/iam/docs/pam-audit-entitlement-events" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-audit-entitlement-events" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-audit-entitlement-events" >Audit entitlement and grant events</a></li></ul></div></li><li class="devsite-nav-item"><a href="/iam/docs/pam-request-temporary-elevated-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-request-temporary-elevated-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-request-temporary-elevated-access" >Request temporary elevated access with PAM</a></li><li class="devsite-nav-item"><a href="/iam/docs/pam-approve-deny-grants" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/pam-approve-deny-grants" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/pam-approve-deny-grants" >Approve or deny grants with PAM</a></li><li class="devsite-nav-item"><a href="/iam/docs/create-short-lived-credentials-direct" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/create-short-lived-credentials-direct" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/create-short-lived-credentials-direct" >Create short-lived credentials for a service account</a></li><li class="devsite-nav-item"><a href="/iam/docs/create-short-lived-credentials-delegated" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/create-short-lived-credentials-delegated" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/create-short-lived-credentials-delegated" >Create short-lived credentials for multiple service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/downscoping-short-lived-credentials" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/downscoping-short-lived-credentials" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/downscoping-short-lived-credentials" >Restrict a credential's Cloud Storage permissions</a></li><li class="devsite-nav-item"><a href="/iam/docs/migrating-to-credentials-api" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/migrating-to-credentials-api" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/migrating-to-credentials-api" >Migrate to the Service Account Credentials API</a></li></ul></div></li> <li class="devsite-nav-item"><a href="/iam/docs/testing-permissions" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/testing-permissions" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/testing-permissions" >Test permissions for custom user interfaces</a></li> <li class="devsite-nav-item"><a href="/iam/docs/org-policy-custom-constraints" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/org-policy-custom-constraints" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/org-policy-custom-constraints" >Use custom organization policies for IAM</a></li> <li class="devsite-nav-item"><a href="/solutions/help-secure-the-pipeline-from-your-data-lake-to-your-data-warehouse" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /solutions/help-secure-the-pipeline-from-your-data-lake-to-your-data-warehouse" track-type="bookNav" track-name="click" track-metadata-eventdetail="/solutions/help-secure-the-pipeline-from-your-data-lake-to-your-data-warehouse" >Use IAM to help prevent exfiltration from data pipelines</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Optimize your IAM configuration </div></li> <li class="devsite-nav-item"><a href="/iam/docs/using-iam-securely" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/using-iam-securely" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/using-iam-securely" >Use IAM securely</a></li> <li class="devsite-nav-item"><a href="/iam/docs/policy-intelligence-tools" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/policy-intelligence-tools" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/policy-intelligence-tools" >Optimize IAM policies by using Policy Intelligence tools</a></li> <li class="devsite-nav-item"><a href="/iam/docs/secure-iam-vpc-sc" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/secure-iam-vpc-sc" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/secure-iam-vpc-sc" >Help secure IAM using VPC Service Controls</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Monitor </div></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Audit logging </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/audit-logging" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging" >IAM API audit logging</a></li><li class="devsite-nav-item"><a href="/iam/docs/audit-logging/audit-logging-iamcreds" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging/audit-logging-iamcreds" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging/audit-logging-iamcreds" >Service Account Credentials API audit logging</a></li><li class="devsite-nav-item"><a href="/iam/docs/audit-logging/audit-logging-pam" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging/audit-logging-pam" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging/audit-logging-pam" >Privileged Access Manager audit logging</a></li><li class="devsite-nav-item"><a href="/iam/docs/audit-logging/audit-logging-sts" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging/audit-logging-sts" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging/audit-logging-sts" >Security Token Service API audit logging</a></li><li class="devsite-nav-item"><a href="/iam/docs/audit-logging/examples-service-accounts" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging/examples-service-accounts" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging/examples-service-accounts" >Example logs for service accounts</a></li><li class="devsite-nav-item"><a href="/iam/docs/audit-logging/examples-workforce-identity" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging/examples-workforce-identity" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging/examples-workforce-identity" >Example logs for Workforce Identity Federation</a></li><li class="devsite-nav-item"><a href="/iam/docs/audit-logging/examples-oauth-clients" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging/examples-oauth-clients" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging/examples-oauth-clients" >Example logs for Workforce OAuth application integration</a></li><li class="devsite-nav-item"><a href="/iam/docs/audit-logging/examples-workload-identity" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/audit-logging/examples-workload-identity" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/audit-logging/examples-workload-identity" >Example logs for Workload Identity Federation</a></li></ul></div></li> <li class="devsite-nav-item"><a href="/iam/docs/analyze-access" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/analyze-access" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/analyze-access" >Analyze access to resources</a></li> <li class="devsite-nav-item devsite-nav-expandable"><div class="devsite-expandable-nav"> <a class="devsite-nav-toggle" aria-hidden="true"></a><div class="devsite-nav-title devsite-nav-title-no-path" tabindex="0" role="button"> Monitor service account usage </div><ul class="devsite-nav-section"><li class="devsite-nav-item"><a href="/iam/docs/service-account-usage-tools" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-account-usage-tools" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-account-usage-tools" >Tools to understand service account usage</a></li><li class="devsite-nav-item"><a href="/iam/docs/service-account-monitoring" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/service-account-monitoring" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/service-account-monitoring" >Monitor usage patterns for service accounts and keys</a></li></ul></div></li> <li class="devsite-nav-item"><a href="/iam/docs/review-iam-policy-history" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/review-iam-policy-history" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/review-iam-policy-history" >Review allow policy history</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Troubleshoot </div></li> <li class="devsite-nav-item"><a href="/iam/docs/troubleshoot-policies" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/troubleshoot-policies" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/troubleshoot-policies" >Troubleshoot allow and deny policies</a></li> <li class="devsite-nav-item"><a href="/iam/docs/troubleshooting-withcond" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/troubleshooting-withcond" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/troubleshooting-withcond" >Troubleshoot "withcond" in policies and role bindings</a></li> <li class="devsite-nav-item"><a href="/iam/docs/troubleshooting-workforce-identity-federation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/troubleshooting-workforce-identity-federation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/troubleshooting-workforce-identity-federation" >Troubleshoot Workforce Identity Federation</a></li> <li class="devsite-nav-item"><a href="/iam/docs/troubleshooting-workload-identity-federation" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/troubleshooting-workload-identity-federation" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/troubleshooting-workload-identity-federation" >Troubleshoot Workload Identity Federation</a></li> <li class="devsite-nav-item devsite-nav-heading"><div class="devsite-nav-title devsite-nav-title-no-path"> Samples </div></li> <li class="devsite-nav-item"><a href="/iam/docs/samples" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /iam/docs/samples" track-type="bookNav" track-name="click" track-metadata-eventdetail="/iam/docs/samples" >All Identity and Access Management code samples</a></li> <li class="devsite-nav-item"><a href="/docs/samples" class="devsite-nav-title gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Book nav link, pathname: /docs/samples" track-type="bookNav" track-name="click" track-metadata-eventdetail="/docs/samples" >Code samples for all products</a></li> </ul> <ul class="devsite-nav-list" menu="Technology areas" aria-label="Side menu" hidden> <li class="devsite-nav-item"> <a href="/docs/ai-ml" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: AI and ML" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> AI and ML </a> </li> <li class="devsite-nav-item"> <a href="/docs/application-development" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Application development" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Application development </a> </li> <li class="devsite-nav-item"> <a href="/docs/application-hosting" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Application hosting" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Application hosting </a> </li> <li class="devsite-nav-item"> <a href="/docs/compute-area" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Compute" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Compute </a> </li> <li class="devsite-nav-item"> <a href="/docs/data" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Data analytics and pipelines" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Data analytics and pipelines </a> </li> <li class="devsite-nav-item"> <a href="/docs/databases" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Databases" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Databases </a> </li> <li class="devsite-nav-item"> <a href="/docs/dhm-cloud" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Distributed, hybrid, and multicloud" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Distributed, hybrid, and multicloud </a> </li> <li class="devsite-nav-item"> <a href="/docs/generative-ai" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Generative AI" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Generative AI </a> </li> <li class="devsite-nav-item"> <a href="/docs/industry" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Industry solutions" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Industry solutions </a> </li> <li class="devsite-nav-item"> <a href="/docs/networking" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Networking" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Networking </a> </li> <li class="devsite-nav-item"> <a href="/docs/observability" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Observability and monitoring" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Observability and monitoring </a> </li> <li class="devsite-nav-item"> <a href="/docs/security" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Security" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Security </a> </li> <li class="devsite-nav-item"> <a href="/docs/storage" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Storage" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Storage </a> </li> </ul> <ul class="devsite-nav-list" menu="Cross-product tools" aria-label="Side menu" hidden> <li class="devsite-nav-item"> <a href="/docs/access-resources" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Access and resources management" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Access and resources management </a> </li> <li class="devsite-nav-item"> <a href="/docs/costs-usage" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Costs and usage management" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Costs and usage management </a> </li> <li class="devsite-nav-item"> <a href="/docs/devtools" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud SDK, languages, frameworks, and tools" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud SDK, languages, frameworks, and tools </a> </li> <li class="devsite-nav-item"> <a href="/docs/iac" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Infrastructure as code" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Infrastructure as code </a> </li> <li class="devsite-nav-item"> <a href="/docs/migration" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Migration" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Migration </a> </li> </ul> <ul class="devsite-nav-list" menu="Related sites" aria-label="Side menu" hidden> <li class="devsite-nav-item"> <a href="/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Home" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Home </a> </li> <li class="devsite-nav-item"> <a href="/free" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Free Trial and Free Tier" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Free Trial and Free Tier </a> </li> <li class="devsite-nav-item"> <a href="/architecture" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Architecture Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Architecture Center </a> </li> <li class="devsite-nav-item"> <a href="https://cloud.google.com/blog" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Blog" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Blog </a> </li> <li class="devsite-nav-item"> <a href="/contact" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Contact Sales" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Contact Sales </a> </li> <li class="devsite-nav-item"> <a href="/developers" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Developer Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Developer Center </a> </li> <li class="devsite-nav-item"> <a href="https://developers.google.com/" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Developer Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Developer Center </a> </li> <li class="devsite-nav-item"> <a href="https://console.cloud.google.com/marketplace" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Marketplace" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Marketplace </a> </li> <li class="devsite-nav-item"> <a href="/marketplace/docs" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Marketplace Documentation" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Marketplace Documentation </a> </li> <li class="devsite-nav-item"> <a href="https://www.cloudskillsboost.google/paths" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Skills Boost" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Skills Boost </a> </li> <li class="devsite-nav-item"> <a href="/solutions" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Solution Center" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Solution Center </a> </li> <li class="devsite-nav-item"> <a href="/support-hub" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Support" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Support </a> </li> <li class="devsite-nav-item"> <a href="https://www.youtube.com/@googlecloudtech" class="devsite-nav-title gc-analytics-event " data-category="Site-Wide Custom Events" data-label="Responsive Tab: Google Cloud Tech Youtube Channel" track-type="navMenu" track-metadata-eventDetail="globalMenu" track-metadata-position="nav"> Google Cloud Tech Youtube Channel </a> </li> </ul> </div> </div> </nav> </devsite-book-nav> <section id="gc-wrapper"> <main role="main" class="devsite-main-content" has-book-nav has-sidebar > <div class="devsite-sidebar"> <div class="devsite-sidebar-content"> <devsite-toc class="devsite-nav" role="navigation" aria-label="On this page" depth="2" scrollbars ></devsite-toc> <devsite-recommendations-sidebar class="nocontent devsite-nav"> </devsite-recommendations-sidebar> </div> </div> <devsite-content> <article class="devsite-article"> <div class="devsite-article-meta nocontent" role="navigation"> <ul class="devsite-breadcrumb-list" aria-label="Breadcrumb"> <li class="devsite-breadcrumb-item "> <a href="https://cloud.google.com/" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="1" track-type="globalNav" track-name="breadcrumb" track-metadata-position="1" track-metadata-eventdetail="Google Cloud" > Home </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://cloud.google.com/iam" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="2" track-type="globalNav" track-name="breadcrumb" track-metadata-position="2" track-metadata-eventdetail="IAM" > IAM </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://cloud.google.com/iam/docs" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="3" track-type="globalNav" track-name="breadcrumb" track-metadata-position="3" track-metadata-eventdetail="IAM Documentation" > Documentation </a> </li> <li class="devsite-breadcrumb-item "> <div class="devsite-breadcrumb-guillemet material-icons" aria-hidden="true"></div> <a href="https://cloud.google.com/iam/docs/overview" class="devsite-breadcrumb-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Breadcrumbs" data-value="4" track-type="globalNav" track-name="breadcrumb" track-metadata-position="4" track-metadata-eventdetail="" > Guides </a> </li> </ul> <devsite-thumb-rating position="header"> </devsite-thumb-rating> </div> <devsite-feedback position="header" project-name="IAM Documentation" product-id="717553" bucket="documentation" context="" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="header" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png" > <button> Send feedback </button> </devsite-feedback> <h1 class="devsite-page-title" tabindex="-1"> Manage access to projects, folders, and organizations </h1> <devsite-feature-tooltip ack-key="AckCollectionsBookmarkTooltipDismiss" analytics-category="Site-Wide Custom Events" analytics-action-show="Callout Profile displayed" analytics-action-close="Callout Profile dismissed" analytics-label="Create Collection Callout" class="devsite-page-bookmark-tooltip nocontent" dismiss-button="true" id="devsite-collections-dropdown" dismiss-button-text="Dismiss" close-button-text="Got it"> <devsite-bookmark></devsite-bookmark> Stay organized with collections Save and categorize content based on your preferences. </devsite-feature-tooltip> <div class="devsite-page-title-meta"><devsite-view-release-notes></devsite-view-release-notes></div> <devsite-toc class="devsite-nav" depth="2" devsite-toc-embedded > </devsite-toc> <div class="devsite-article-body clearfix "> This page describes how to grant, change, and revoke access to projects, folders, and organizations. To learn how to manage access to other resources, see the following guides: <ul> <li><a href="/iam/docs/manage-access-service-accounts">Manage access to service accounts</a></li> <li><a href="/iam/docs/manage-access-other-resources">Manage access to other resources</a></li> </ul> In Identity and Access Management (IAM), access is granted through allow policies, also known as IAM policies. An allow policy is attached to a Google Cloud resource. Each allow policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role. These role bindings grant the specified roles to the principals, both on the resource that the allow policy is attached to and on all of that resource's <a href="/resource-manager/docs/cloud-platform-resource-hierarchy">descendants</a>. For more information about allow policies, see <a href="/iam/docs/policies">Understanding allow policies</a>. <aside class="note">Note: If you're getting started with Google Cloud, you can grant the appropriate IAM roles to your organization administrator groups as part of the <a href="/docs/enterprise/setup-checklist">Google Cloud setup process</a>.</aside> You can manage access to projects, folders, and organizations with the Google Cloud console, the Google Cloud CLI, the REST API, or the <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <aside class="note"> Note: You can also use deny policies to prevent principals from using specific IAM permissions. For more information, see <a href="/iam/docs/deny-overview">Deny policies</a>. </aside> <h2 id="before-you-begin" data-text="Before you begin" tabindex="-1">Before you begin</h2> <ul> <li> Enable the Resource Manager API. <a href="https://console.cloud.google.com/flows/enableapi?apiid=cloudresourcemanager.googleapis.com" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="enableAPI" class="button button-primary">Enable the API</a> <style> .henhouse-text { font-size:85%; padding:2px 4px; line-height:1; } </style> </li> <li>Set up authentication. Select the tab for how you plan to use the samples on this page: <div class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="console" data-text="Console" tabindex="-1">Console</h3> When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication. </section> <section> <h3 id="gcloud" data-text="gcloud" tabindex="-1">gcloud</h3> In the Google Cloud console, activate Cloud Shell. <a href="https://console.cloud.google.com/?cloudshell=true" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="launchCloudShell" class="button button-primary">Activate Cloud Shell</a> At the bottom of the Google Cloud console, a <a href="/shell/docs/how-cloud-shell-works">Cloud Shell</a> session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize. </section> <section> <h3 id="c" data-text="C#" tabindex="-1">C#</h3> To use the .NET samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials. <ol> <li> <a href="/sdk/docs/install" track-type="commonIncludes" track-name="sdkLink" target="_blank">Install</a> the Google Cloud CLI. </li> <li> To <a href="/sdk/docs/initializing" track-type="commonIncludes" track-name="sdkLink" target="_blank">initialize</a> the gcloud CLI, run the following command: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud init</pre></devsite-code> </li> <li> If you're using a local shell, then create local authentication credentials for your user account: <pre class="prettyprint lang-sh" translate="no" dir="ltr">gcloud auth application-default login</pre> You don't need to do this if you're using Cloud Shell. </li> </ol> For more information, see <a href="/docs/authentication/provide-credentials-adc#local-dev"> Set up authentication for a local development environment</a> in the Google Cloud authentication documentation. </section> <section> <h3 id="java" data-text="Java" tabindex="-1">Java</h3> To use the Java samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials. <ol> <li> <a href="/sdk/docs/install" track-type="commonIncludes" track-name="sdkLink" target="_blank">Install</a> the Google Cloud CLI. </li> <li> To <a href="/sdk/docs/initializing" track-type="commonIncludes" track-name="sdkLink" target="_blank">initialize</a> the gcloud CLI, run the following command: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud init</pre></devsite-code> </li> <li> If you're using a local shell, then create local authentication credentials for your user account: <pre class="prettyprint lang-sh" translate="no" dir="ltr">gcloud auth application-default login</pre> You don't need to do this if you're using Cloud Shell. </li> </ol> For more information, see <a href="/docs/authentication/provide-credentials-adc#local-dev"> Set up authentication for a local development environment</a> in the Google Cloud authentication documentation. </section> <section> <h3 id="python" data-text="Python" tabindex="-1">Python</h3> To use the Python samples on this page in a local development environment, install and initialize the gcloud CLI, and then set up Application Default Credentials with your user credentials. <ol> <li> <a href="/sdk/docs/install" track-type="commonIncludes" track-name="sdkLink" target="_blank">Install</a> the Google Cloud CLI. </li> <li> To <a href="/sdk/docs/initializing" track-type="commonIncludes" track-name="sdkLink" target="_blank">initialize</a> the gcloud CLI, run the following command: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud init</pre></devsite-code> </li> <li> If you're using a local shell, then create local authentication credentials for your user account: <pre class="prettyprint lang-sh" translate="no" dir="ltr">gcloud auth application-default login</pre> You don't need to do this if you're using Cloud Shell. </li> </ol> For more information, see <a href="/docs/authentication/provide-credentials-adc#local-dev"> Set up authentication for a local development environment</a> in the Google Cloud authentication documentation. </section> <section> <h3 id="rest" data-text="REST" tabindex="-1">REST</h3> To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI. <ol> <a href="/sdk/docs/install" track-type="commonIncludes" track-name="sdkLink" target="_blank">Install</a> the Google Cloud CLI, then <a href="/sdk/docs/initializing" track-type="commonIncludes" track-name="sdkLink" target="_blank">initialize</a> it by running the following command: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud init</pre></devsite-code> </ol> For more information, see <a href="/docs/authentication/rest">Authenticate for using REST</a> in the Google Cloud authentication documentation. </section> </div> </li> </ul> <h3 id="required-permissions" data-text="Required roles" tabindex="-1">Required roles</h3> When you create a project, folder, or organization, you are automatically granted a role that lets you manage access for that resource. For more information, see <a href="/iam/docs/policies#default">Default policies</a>. If you didn't create your project, folder, or organization, ensure that you have the roles that you need to manage access to that resource. To get the permissions that you need to manage access to a project, folder, or organization, ask your administrator to grant you the following IAM roles on the resource that you want to manage access for (project, folder, or organization): <ul> <li> To manage access to a project: <a href="https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.projectIamAdmin">Project IAM Admin </a> (<code translate="no" dir="ltr">roles/resourcemanager.projectIamAdmin</code>) </li> <li> To manage access to a folder: <a href="https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.folderAdmin">Folder Admin </a> (<code translate="no" dir="ltr">roles/resourcemanager.folderAdmin</code>) </li> <li> To manage access to projects, folders, and organizations: <a href="https://cloud.google.com/iam/docs/understanding-roles#resourcemanager.organizationAdmin">Organization Admin </a> (<code translate="no" dir="ltr">roles/resourcemanager.organizationAdmin</code>) </li> <li> To manage access to almost all Google Cloud resources: <a href="https://cloud.google.com/iam/docs/understanding-roles#iam.securityAdmin">Security Admin </a> (<code translate="no" dir="ltr">roles/iam.securityAdmin</code>) </li> </ul> These predefined roles contain the permissions required to manage access to a project, folder, or organization. To see the exact permissions that are required, expand the Required permissions section: <devsite-expandable> <h4 class="showalways" id="required-permissions_1" data-text="Required permissions" tabindex="-1">Required permissions</h4> The following permissions are required to manage access to a project, folder, or organization: <ul> <li> To manage access to projects: <ul> <li> <code translate="no" dir="ltr"> resourcemanager.projects.getIamPolicy </code></li> <li> <code translate="no" dir="ltr"> resourcemanager.projects.setIamPolicy</code></li> </ul> </li> <li> To manage access to folders: <ul> <li> <code translate="no" dir="ltr"> resourcemanager.folders.getIamPolicy </code></li> <li> <code translate="no" dir="ltr"> resourcemanager.folders.setIamPolicy</code></li> </ul> </li> <li> To manage access to organizations: <ul> <li> <code translate="no" dir="ltr"> resourcemanager.organizations.getIamPolicy </code></li> <li> <code translate="no" dir="ltr"> resourcemanager.organizations.setIamPolicy</code></li> </ul> </li> </ul> </devsite-expandable> You might also be able to get these permissions with <a href="/iam/docs/creating-custom-roles">custom roles</a> or other <a href="/iam/docs/understanding-roles">predefined roles</a>. <a name="viewing-console"></a> <h2 id="view-access" data-text="View current access" tabindex="-1">View current access</h2> You can view who has access to your project, folder, or organization using the Google Cloud console, the gcloud CLI, the REST API, or the Resource Manager client libraries. <div id="iam-view-access-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-view-access-console" track-metadata-position="iam-view-access" track-metadata-region-tag="iam-view-access" data-text="Console" tabindex="-1">Console</h3> <aside class="note">Note: The Google Cloud console shows access in a list form, rather than directly showing the resource's allow policy.</aside> <ol> <li>In the Google Cloud console, go to the IAM page. <a class="button button-primary" href="https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="viewIamRoles">Go to IAM</a></li> <li>Select a project, folder, or organization. The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see <a href="/iam/docs/policies#inheritance">Policy inheritance and the resource hierarchy</a>.</li> <li>Optional: To view role grants for <a href="/iam/docs/service-account-types#service-agents">service agents</a>, select the Include Google-provided role grants checkbox. <img src="/static/iam/img/include-google-provided-role-grants.png" alt srcset="https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x.png 2x" data-modal-dialog-id="include-google-provided-role-grants"> <devsite-lightbox id="include-google-provided-role-grants"> <img src="/static/iam/img/include-google-provided-role-grants-2x.png" srcset="https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_36.png 36w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_48.png 48w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_72.png 72w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_96.png 96w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_480.png 480w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_720.png 720w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_856.png 856w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_960.png 960w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_1440.png 1440w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_1920.png 1920w,https://cloud.google.com/static/iam/img/include-google-provided-role-grants-2x_2880.png 2880w" sizes="(max-width: 840px) 100vw, 856px"> </devsite-lightbox> </li> </ol> </section> <section> <h3 id="iam-view-access-gcloud" track-metadata-position="iam-view-access" track-metadata-region-tag="iam-view-access" data-text="gcloud" tabindex="-1">gcloud</h3> <ol> <li> In the Google Cloud console, activate Cloud Shell. <a href="https://console.cloud.google.com/?cloudshell=true" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="launchCloudShell" class="button button-primary">Activate Cloud Shell</a> At the bottom of the Google Cloud console, a <a href="/shell/docs/how-cloud-shell-works">Cloud Shell</a> session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize. </li> <li> To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see <a href="/iam/docs/policies">Understanding allow policies</a>. <aside class="note"> Note: A resource's allow policy does not show any roles gained through <a href="/iam/docs/policies#inheritance">policy inheritance</a>. To view inherited roles, use the Google Cloud console, or follow the instructions on <a href="/asset-inventory/docs/view-effective-iam-policies">Viewing effective IAM policies</a>. </aside> To get the allow policy for the resource, run the <code translate="no" dir="ltr">get-iam-policy</code> command for the resource: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud <var translate="no">RESOURCE_TYPE</var> get-iam-policy <var translate="no">RESOURCE_ID</var> --format=<var translate="no">FORMAT</var> > <var translate="no">PATH</var></pre></devsite-code> Provide the following values: <ul> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to view access to. Use one of these values: <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">resource-manager folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">FORMAT</var></code>: The desired format for the policy. Use <code translate="no" dir="ltr">json</code> or <code translate="no" dir="ltr">yaml</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">PATH</var></code>: The path to a new output file for the policy. </li> </ul> For example, the following command gets the policy for the project <code translate="no" dir="ltr">my-project</code> and saves it to your home directory in JSON format: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud projects get-iam-policy my-project --format=json > ~/policy.json</pre></devsite-code> </li> </ol> </section> <section> <h3 id="iam-view-access-csharp" track-metadata-position="iam-view-access" track-metadata-region-tag="iam-view-access" data-text="C#" tabindex="-1">C#</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see <a href="/iam/docs/policies">Understanding allow policies</a>. The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Manager client library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/GetPolicy.cs/HEAD/iam_get_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/GetPolicy.cs" feedback-context="{"language": "csharp", "region_tag": "iam-view-access", "snippet_file_url": "https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/GetPolicy.cs"}" feedback-product="1634365" feedback-bucket="security" language="csharp" data-github-path="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/GetPolicy.cs" data-git-revision="HEAD" data-region-tag="iam_get_policy" dir="ltr" is-upgraded syntax="C#"><code translate="no" dir="ltr"> using Google.Apis.Auth.OAuth2; using Google.Apis.CloudResourceManager.v1; using Google.Apis.CloudResourceManager.v1.Data; public partial class AccessManager { public static Policy GetPolicy(string projectId) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(CloudResourceManagerService.Scope.CloudPlatform); var service = new CloudResourceManagerService( new CloudResourceManagerService.Initializer { HttpClientInitializer = credential }); var policy = service.Projects.GetIamPolicy(new GetIamPolicyRequest(), projectId).Execute(); return policy; } } </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-view-access-java" track-metadata-position="iam-view-access" track-metadata-region-tag="iam-view-access" data-text="Java" tabindex="-1">Java</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see <a href="/iam/docs/policies">Understanding allow policies</a>. The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Manager client library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/GetProjectPolicy.java/HEAD/iam_get_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/GetProjectPolicy.java" feedback-context="{"language": "java", "region_tag": "iam-view-access", "snippet_file_url": "https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/GetProjectPolicy.java"}" feedback-product="1634365" feedback-bucket="security" language="java" data-github-path="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/GetProjectPolicy.java" data-git-revision="HEAD" data-region-tag="iam_get_policy" dir="ltr" is-upgraded syntax="Java"><code translate="no" dir="ltr">import com.google.cloud.resourcemanager.v3.ProjectsClient; import com.google.iam.admin.v1.ProjectName; import com.google.iam.v1.GetIamPolicyRequest; import com.google.iam.v1.Policy; import java.io.IOException; public class GetProjectPolicy { public static void main(String[] args) throws IOException { // TODO(developer): Replace the variables before running the sample. // TODO: Replace with your project ID. String projectId = "your-project-id"; getProjectPolicy(projectId); } // Gets a project's policy. public static Policy getProjectPolicy(String projectId) throws IOException { // Initialize client that will be used to send requests. // This client only needs to be created once, and can be reused for multiple requests. try (ProjectsClient projectsClient = ProjectsClient.create()) { GetIamPolicyRequest request = GetIamPolicyRequest.newBuilder() .setResource(ProjectName.of(projectId).toString()) .build(); return projectsClient.getIamPolicy(request); } } }</code></pre></devsite-code> </div> </section> <section> <h3 id="iam-view-access-python" track-metadata-position="iam-view-access" track-metadata-region-tag="iam-view-access" data-text="Python" tabindex="-1">Python</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see <a href="/iam/docs/policies">Understanding allow policies</a>. The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Manager client library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/get_policy.py/HEAD/iam_get_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/get_policy.py" feedback-context="{"language": "python", "region_tag": "iam-view-access", "snippet_file_url": "https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/get_policy.py"}" feedback-product="1634365" feedback-bucket="security" language="python" data-github-path="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/get_policy.py" data-git-revision="HEAD" data-region-tag="iam_get_policy" dir="ltr" is-upgraded syntax="Python"><code translate="no" dir="ltr">from google.cloud import resourcemanager_v3 from google.iam.v1 import iam_policy_pb2, policy_pb2 def get_project_policy(project_id: str) -> policy_pb2.Policy: """ Get policy for project. project_id: ID or number of the Google Cloud project you want to use. """ client = resourcemanager_v3.ProjectsClient() request = iam_policy_pb2.GetIamPolicyRequest() request.resource = f"projects/{project_id}" policy = client.get_iam_policy(request) print(f"Policy retrieved: {policy}") return policy </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-view-access-rest" track-metadata-position="iam-view-access" track-metadata-region-tag="iam-view-access" data-text="REST" tabindex="-1">REST</h3> To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see <a href="/iam/docs/policies">Understanding allow policies</a>. <aside class="note"> Note: A resource's allow policy does not show any roles gained through <a href="/iam/docs/policies#inheritance">policy inheritance</a>. To view inherited roles, use the Google Cloud console, or follow the instructions on <a href="/asset-inventory/docs/view-effective-iam-policies">Viewing effective IAM policies</a>. </aside> The Resource Manager API's <code translate="no" dir="ltr"><a href="/resource-manager/reference/rest/v1/projects/getIamPolicy">getIamPolicy</a></code> </code> method gets a project's, folder's, or organization's allow policy. Before using any of the request data, make the following replacements: <ul> <li><code translate="no" dir="ltr"><var translate="no">API_VERSION</var></code>: The API version to use. For projects and organizations, use <code translate="no" dir="ltr">v1</code>. For folders, use <code translate="no" dir="ltr">v2</code>.</li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The resource type whose policy you want to manage. Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>.</li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">POLICY_VERSION</var></code>: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See <a href="/iam/docs/policies#specifying-version-get">Specifying a policy version when getting a policy</a> for details.</li> </ul> HTTP method and URL: <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:getIamPolicy</pre></devsite-code> </section> Request JSON body: <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "options": { "requestedPolicyVersion": <var translate="no">POLICY_VERSION</var> } } </pre></devsite-code> </section> To send your request, expand one of these options: <section class="expandable" > <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note">Note: The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> , or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. </aside> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d @request.json \ "https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:getIamPolicy"</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="powershell-windows" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note">Note: The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. </aside> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -InFile request.json ` -Uri "https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:getIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> Copy the request body and open the <a href="/resource-manager/reference/rest/v1/projects/getIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute. </section> The response contains the resource's allow policy. For example: <section> <div></div><devsite-code><pre class="readonly" data-label="getIamPolicy sample response" translate="no" dir="ltr" is-upgraded> { "version": 1, "etag": "BwWKmjvelug=", "bindings": [ { "role": "roles/owner", "members": [ "user:my-user@example.com" ] } ] } </pre></devsite-code> </section> </section> </div> <a name="using_the"></a> <a name="access_control_via_console"></a> <a name="access-controle-via-console"></a> <a name="updating-gcloud"></a> <a name="using_gcloud_rest_api_or_client_libraries"></a> <a name="modify_access"></a> <a name="modifying-console"></a> <h2 id="single-role" data-text="Grant or revoke a single role" tabindex="-1">Grant or revoke a single role</h2> You can use the Google Cloud console and the gcloud CLI to quickly grant or revoke a single role for a single principal, without editing the resource's allow policy directly. Common types of principals include Google Accounts, service accounts, Google groups, and domains. For a list of all principal types, see <a href="/iam/docs/overview#concepts_related_identity">Concepts related to identity</a>. <aside class="note"> Note: If the <a href="/resource-manager/docs/organization-policy/restricting-domains"><code translate="no" dir="ltr">iam.allowedPolicyMemberDomains</code></a> organization policy constraint is enforced in your organization, then you might not be able to grant roles to newly created groups. If you get a <code translate="no" dir="ltr">failedPrecondition</code> error when trying to grant a role to a newly created group, wait 24 hours, and then try granting the role again. </aside> In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system. If you need help identifying the most appropriate predefined role, see <a href="/iam/docs/choose-predefined-roles">Choose predefined roles</a>. <a name="grant_access"></a> <a name="granting-console"></a> <a name="granting-gcloud-manual"></a> <h3 id="grant-single-role" data-text="Grant a single role" tabindex="-1">Grant a single role</h3> To grant a single role to a principal, do the following: <div id="iam-grant-single-role-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-grant-single-role-console" track-metadata-position="iam-grant-single-role" track-metadata-region-tag="iam-grant-single-role" data-text="Console" tabindex="-1">Console</h3> <ol> <li>In the Google Cloud console, go to the IAM page. <a class="button button-primary" href="https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="grantIamRole">Go to IAM</a></li> <li>Select a project, folder, or organization.</li> <li>Select a principal to grant a role to: <ul> <li>To grant a role to a principal who already has other roles on the resource, find a row containing the principal, click edit Edit principal in that row, and click add Add another role. To grant a role to a <a href="/iam/docs/service-account-types#service-agents">service agent</a>, select the Include Google-provided role grants checkbox to see its email address. <aside class="note">Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted.</aside></li> <li>To grant a role to a principal who doesn't have any existing roles on the resource, click person_add Grant Access, then enter an identifier for the principal—for example, <code translate="no" dir="ltr">my-user@example.com</code>.</li> </ul></li> <li>Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs.</li> <li>Optional: Add a <a href="/iam/docs/conditions-overview">condition</a> to the role.</li> <li>Click Save. The principal is granted the role on the resource.</li> </ol> To grant a role to a principal for more than one project, folder, or organization, do the following: <ol> <li>In the Google Cloud console, go to the Manage resources page. <a class="button button-primary" href="https://console.cloud.google.com/cloud-resource-manager" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="grantIamRole">Go to Manage resources</a></li> <li>Select all the resources for which you want to grant permissions.</li> <li>If the info panel is not visible, click Show info panel. Then, click Permissions.</li> <li>Select a principal to grant a role to: <ul> <li>To grant a role to a principal who already has other roles, find a row containing the principal, click editEdit principal in that row, and click addAdd another role.</li> <li>To grant a role to a principal who does not already have other roles, click person_add Add principal, then enter an identifier for the principal—for example, <code translate="no" dir="ltr">my-user@example.com</code>.</li> </ul></li> <li>Select a role to grant from the drop-down list.</li> <li>Optional: Add a <a href="/iam/docs/conditions-overview">condition</a> to the role.</li> <li>Click Save. The principal is granted the selected role on each of the selected resources.</li> </ol> </section> <section> <h3 id="iam-grant-single-role-gcloud" track-metadata-position="iam-grant-single-role" track-metadata-region-tag="iam-grant-single-role" data-text="gcloud" tabindex="-1">gcloud</h3> <aside class="note">Note: To grant the Owner role (<code translate="no" dir="ltr">roles/owner</code>) on a project to a user outside of your organization, you must use the Google Cloud console, not the gcloud CLI. If your project is not part of an organization, you must use the Google Cloud console to grant the Owner role.</aside> <ol> <li> In the Google Cloud console, activate Cloud Shell. <a href="https://console.cloud.google.com/?cloudshell=true" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="launchCloudShell" class="button button-primary">Activate Cloud Shell</a> At the bottom of the Google Cloud console, a <a href="/shell/docs/how-cloud-shell-works">Cloud Shell</a> session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize. </li> <li> The <code translate="no" dir="ltr"><a href="/sdk/gcloud/reference/projects/add-iam-policy-binding">add-iam-policy-binding</a></code> command lets you quickly grant a role to a principal. Before using any of the command data below, make the following replacements: <ul> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The resource type that you want to manage access to. Use <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">resource-manager folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code>: An identifier for the principal, or member, which usually has the following form: <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_TYPE</var>:<var translate="no">ID</var></code>. For example, <code translate="no" dir="ltr">user:my-user@example.com</code>. For a full list of the values that <code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code> can have, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. For the principal type <code translate="no" dir="ltr">user</code>, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the <a href="/identity/docs/overview">overview of Cloud Identity</a>. </li> <li> <code translate="no" dir="ltr"><var translate="no">ROLE_NAME</var></code>: The name of the role that you want to revoke. Use one of the following formats: <ul> <li>Predefined roles: <code translate="no" dir="ltr">roles/<var translate="no">SERVICE</var>.<var translate="no">IDENTIFIER</var></code></li> <li>Project-level custom roles: <code translate="no" dir="ltr">projects/<var translate="no">PROJECT_ID</var>/roles/<var translate="no">IDENTIFIER</var></code></li> <li>Organization-level custom roles: <code translate="no" dir="ltr">organizations/<var translate="no">ORG_ID</var>/roles/<var translate="no">IDENTIFIER</var></code></li> </ul> For a list of predefined roles, see <a href="/iam/docs/understanding-roles">Understanding roles</a>. </li> <li> <code translate="no" dir="ltr"><var translate="no">CONDITION</var></code>: The condition to add to the role binding. If you don't want to add a condition, use the value <code translate="no" dir="ltr">None</code>. For more information about conditions, see the <a href="/iam/docs/conditions-overview">conditions overview</a>. </li> </ul> Execute the following command: <devsite-expandable expanded> <h4 class="showalways" id="linux,-macos,-or-cloud-shell" data-text="Linux, macOS, or Cloud Shell" tabindex="-1">Linux, macOS, or Cloud Shell</h4> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="Linux command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud <var translate="no">RESOURCE_TYPE</var> add-iam-policy-binding <var translate="no">RESOURCE_ID</var> \ --member=<var translate="no">PRINCIPAL</var> --role=<var translate="no">ROLE_NAME</var> \ --condition=<var translate="no">CONDITION</var></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-powershell" data-text="Windows (PowerShell)" tabindex="-1">Windows (PowerShell)</h4> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="PowerShell command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud <var translate="no">RESOURCE_TYPE</var> add-iam-policy-binding <var translate="no">RESOURCE_ID</var> ` --member=<var translate="no">PRINCIPAL</var> --role=<var translate="no">ROLE_NAME</var> ` --condition=<var translate="no">CONDITION</var></pre></devsite-code> </devsite-expandable> <devsite-expandable> <h4 class="showalways" id="windows-cmd.exe" data-text="Windows (cmd.exe)" tabindex="-1">Windows (cmd.exe)</h4> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="cmd.exe command" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud <var translate="no">RESOURCE_TYPE</var> add-iam-policy-binding <var translate="no">RESOURCE_ID</var> ^ --member=<var translate="no">PRINCIPAL</var> --role=<var translate="no">ROLE_NAME</var> ^ --condition=<var translate="no">CONDITION</var></pre></devsite-code> </devsite-expandable> The response contains the updated IAM policy. </li> </ol> </section> </div> <a name="revoke_access"></a> <a name="revoking-console"></a> <a name="revoking-gcloud-manual"></a> <h3 id="revoke-single-role" data-text="Revoke a single role" tabindex="-1">Revoke a single role</h3> To revoke a single role from a principal, do the following: <div id="iam-revoke-single-role-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-revoke-single-role-console" track-metadata-position="iam-revoke-single-role" track-metadata-region-tag="iam-revoke-single-role" data-text="Console" tabindex="-1">Console</h3> <ol> <li>In the Google Cloud console, go to the IAM page. <a class="button button-primary" href="https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="revokeIamRole"> Go to IAM</a></li> <li>Select a project, folder, or organization.</li> <li>Find the row containing the principal whose access you want to revoke. Then, click edit Edit principal in that row. <aside class="note">Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted.</aside></li> <li>Click the Delete delete button for the role that you want to revoke, and then click Save.</li> </ol> </section> <section> <h3 id="iam-revoke-single-role-gcloud" track-metadata-position="iam-revoke-single-role" track-metadata-region-tag="iam-revoke-single-role" data-text="gcloud" tabindex="-1">gcloud</h3> <ol> <li> In the Google Cloud console, activate Cloud Shell. <a href="https://console.cloud.google.com/?cloudshell=true" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="launchCloudShell" class="button button-primary">Activate Cloud Shell</a> At the bottom of the Google Cloud console, a <a href="/shell/docs/how-cloud-shell-works">Cloud Shell</a> session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize. </li> <li> To quickly revoke a role from a user, run the <code translate="no" dir="ltr">remove-iam-policy-binding</code> command: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud <var translate="no">RESOURCE_TYPE</var> remove-iam-policy-binding <var translate="no">RESOURCE_ID</var> --member=<var translate="no">PRINCIPAL</var> --role=<var translate="no">ROLE_NAME</var></pre></devsite-code> Provide the following values: <ul> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The resource type that you want to manage access to. Use <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">resource-manager folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code>: An identifier for the principal, or member, which usually has the following form: <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_TYPE</var>:<var translate="no">ID</var></code>. For example, user:my-user@example.com. For a full list of the values that <code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code> can have, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. For the principal type <code translate="no" dir="ltr">user</code>, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the <a href="/identity/docs/overview">overview of Cloud Identity</a>. </li> <li> <code translate="no" dir="ltr"><var translate="no">ROLE_NAME</var></code>: The name of the role that you want to revoke. Use one of the following formats: <ul> <li>Predefined roles: <code translate="no" dir="ltr">roles/<var translate="no">SERVICE</var>.<var translate="no">IDENTIFIER</var></code></li> <li>Project-level custom roles: <code translate="no" dir="ltr">projects/<var translate="no">PROJECT_ID</var>/roles/<var translate="no">IDENTIFIER</var></code></li> <li>Organization-level custom roles: <code translate="no" dir="ltr">organizations/<var translate="no">ORG_ID</var>/roles/<var translate="no">IDENTIFIER</var></code></li> </ul> For a list of predefined roles, see <a href="/iam/docs/understanding-roles">Understanding roles</a>. </li> </ul> For example, to revoke the Project Creator role from the service account <code translate="no" dir="ltr">example-service-account@example-project.iam.gserviceaccount.com</code> for the project <code translate="no" dir="ltr">example-project</code>: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud projects remove-iam-policy-binding example-project --member=serviceAccount:example-service-account@example-project.iam.gserviceaccount.com --role=roles/resourcemanager.projectCreator</pre></devsite-code> </li> </ol> </section> </div> To help ensure that you don't revoke any necessary roles, you can enable <a href="/recommender/docs/change-risk-recommendations">change risk recommendations</a>. Change risk recommendations generate warnings when you try to revoke project-level roles that Google Cloud has identified as important. <h2 id="multiple-roles-console" data-text="Grant or revoke multiple roles using the Google Cloud console" tabindex="-1">Grant or revoke multiple roles using the Google Cloud console</h2> You can use the Google Cloud console to grant and revoke multiple roles for a single principal: <ol> <li>In the Google Cloud console, go to the IAM page. <a class="button button-primary" href="https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=project,folder,organizationId" target="console" track-type="task" track-name="consoleLink" track-metadata-position="body" track-metadata-end-goal="grantRevokeMultipleIamRoles"> Go to IAM</a></li> <li>Select a project, folder, or organization.</li> <li>Select the principal whose roles you want to modify: <ul> <li>To modify roles for a principal who already has roles on the resource, find a row containing the principal, click edit Edit principal in that row, and click add Add another role. To modify roles for a <a href="/iam/docs/service-account-types#service-agents">service agent</a>, select the Include Google-provided role grants checkbox to see its email address. <aside class="note">Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted.</aside></li> <li>To grant roles to a principal who doesn't have any roles on the resource, click person_add Grant Access, then enter an identifier for the principal—for example, <code translate="no" dir="ltr">my-user@example.com</code>.</li> </ul></li> <li>Modify the principal's roles: <ul> <li>To grant a role to a principal who doesn't have any existing roles on the resource, click Select a role, then select a role to grant from the drop-down list.</li> <li>To grant an additional role to the principal, click Add another role, then select a role to grant from the drop-down list.</li> <li>To replace one of the principal's roles with a different role, click the existing role, then choose a different role to grant from the drop-down list.</li> <li>To revoke one of the principal's roles, click the Delete delete button for each role that you want to revoke.</li> </ul> You can also <a href="/iam/docs/managing-conditional-role-bindings#add">add a condition</a> to a role, <a href="/iam/docs/managing-conditional-role-bindings#modify">modify a role's condition</a>, or <a href="/iam/docs/managing-conditional-role-bindings#removing">remove a role's condition</a>.</li> <li>Click Save.</li> </ol> <a name="programmatic"></a> <a name="policy-overview"></a> <a name="overview_of_cloud_iam_policy"></a> <a name="multiple-roles"></a> <h2 id="multiple-roles-programmatic" data-text="Grant or revoke multiple roles programmatically" tabindex="-1">Grant or revoke multiple roles programmatically</h2> To make large-scale access changes that involve granting and revoking multiple roles for multiple principals, use the read-modify-write pattern to update the resource's allow policy: <ol> <li>Read the current allow policy by calling <code translate="no" dir="ltr">getIamPolicy()</code>.</li> <li>Edit the allow policy, either by using a text editor or programmatically, to add or remove any principals or role bindings.</li> <li>Write the updated allow policy by calling <code translate="no" dir="ltr">setIamPolicy()</code>.</li> </ol> You can use the gcloud CLI, the REST API, or the Resource Manager client libraries to update the allow policy. <aside class="note"> Note: If the <a href="/resource-manager/docs/organization-policy/restricting-domains"><code translate="no" dir="ltr">iam.allowedPolicyMemberDomains</code></a> organization policy constraint is enforced in your organization, then you might not be able to grant roles to newly created groups. If you get a <code translate="no" dir="ltr">failedPrecondition</code> error when trying to grant a role to a newly created group, wait 24 hours, and then try granting the role again. </aside> In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system. <a name="get_policy"></a> <h3 id="getting-policy" data-text="Get the current allow policy" tabindex="-1">Get the current allow policy</h3> <div id="iam-get-policy-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-get-policy-gcloud" track-metadata-position="iam-get-policy" track-metadata-region-tag="iam-get-policy" data-text="gcloud" tabindex="-1">gcloud</h3> <ol> <li> In the Google Cloud console, activate Cloud Shell. <a href="https://console.cloud.google.com/?cloudshell=true" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="launchCloudShell" class="button button-primary">Activate Cloud Shell</a> At the bottom of the Google Cloud console, a <a href="/shell/docs/how-cloud-shell-works">Cloud Shell</a> session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize. </li> <li> To get the allow policy for the resource, run the <code translate="no" dir="ltr">get-iam-policy</code> command for the resource: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud <var translate="no">RESOURCE_TYPE</var> get-iam-policy <var translate="no">RESOURCE_ID</var> --format=<var translate="no">FORMAT</var> > <var translate="no">PATH</var></pre></devsite-code> Provide the following values: <ul> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to get the allow policy for. Use one of the following values: <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">resource-manager folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">FORMAT</var></code>: The desired format for the allow policy. Use <code translate="no" dir="ltr">json</code> or <code translate="no" dir="ltr">yaml</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">PATH</var></code>: The path to a new output file for the allow policy. </li> </ul> For example, the following command gets the allow policy for the project <code translate="no" dir="ltr">my-project</code> and saves it to your home directory in JSON format: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud projects get-iam-policy my-project --format json > ~/policy.json</pre></devsite-code> </li> </ol> </section> <section> <h3 id="iam-get-policy-csharp" track-metadata-position="iam-get-policy" track-metadata-region-tag="iam-get-policy" data-text="C#" tabindex="-1">C#</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Managerclient library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/GetPolicy.cs/HEAD/iam_get_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/GetPolicy.cs" feedback-context="{"language": "csharp", "region_tag": "iam-get-policy", "snippet_file_url": "https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/GetPolicy.cs"}" feedback-product="1634365" feedback-bucket="security" language="csharp" data-github-path="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/GetPolicy.cs" data-git-revision="HEAD" data-region-tag="iam_get_policy" dir="ltr" is-upgraded syntax="C#"><code translate="no" dir="ltr"> using Google.Apis.Auth.OAuth2; using Google.Apis.CloudResourceManager.v1; using Google.Apis.CloudResourceManager.v1.Data; public partial class AccessManager { public static Policy GetPolicy(string projectId) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(CloudResourceManagerService.Scope.CloudPlatform); var service = new CloudResourceManagerService( new CloudResourceManagerService.Initializer { HttpClientInitializer = credential }); var policy = service.Projects.GetIamPolicy(new GetIamPolicyRequest(), projectId).Execute(); return policy; } } </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-get-policy-java" track-metadata-position="iam-get-policy" track-metadata-region-tag="iam-get-policy" data-text="Java" tabindex="-1">Java</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Managerclient library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/GetProjectPolicy.java/HEAD/iam_get_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/GetProjectPolicy.java" feedback-context="{"language": "java", "region_tag": "iam-get-policy", "snippet_file_url": "https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/GetProjectPolicy.java"}" feedback-product="1634365" feedback-bucket="security" language="java" data-github-path="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/GetProjectPolicy.java" data-git-revision="HEAD" data-region-tag="iam_get_policy" dir="ltr" is-upgraded syntax="Java"><code translate="no" dir="ltr">import com.google.cloud.resourcemanager.v3.ProjectsClient; import com.google.iam.admin.v1.ProjectName; import com.google.iam.v1.GetIamPolicyRequest; import com.google.iam.v1.Policy; import java.io.IOException; public class GetProjectPolicy { public static void main(String[] args) throws IOException { // TODO(developer): Replace the variables before running the sample. // TODO: Replace with your project ID. String projectId = "your-project-id"; getProjectPolicy(projectId); } // Gets a project's policy. public static Policy getProjectPolicy(String projectId) throws IOException { // Initialize client that will be used to send requests. // This client only needs to be created once, and can be reused for multiple requests. try (ProjectsClient projectsClient = ProjectsClient.create()) { GetIamPolicyRequest request = GetIamPolicyRequest.newBuilder() .setResource(ProjectName.of(projectId).toString()) .build(); return projectsClient.getIamPolicy(request); } } }</code></pre></devsite-code> </div> </section> <section> <h3 id="iam-get-policy-python" track-metadata-position="iam-get-policy" track-metadata-region-tag="iam-get-policy" data-text="Python" tabindex="-1">Python</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Managerclient library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/get_policy.py/HEAD/iam_get_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/get_policy.py" feedback-context="{"language": "python", "region_tag": "iam-get-policy", "snippet_file_url": "https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/get_policy.py"}" feedback-product="1634365" feedback-bucket="security" language="python" data-github-path="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/get_policy.py" data-git-revision="HEAD" data-region-tag="iam_get_policy" dir="ltr" is-upgraded syntax="Python"><code translate="no" dir="ltr">from google.cloud import resourcemanager_v3 from google.iam.v1 import iam_policy_pb2, policy_pb2 def get_project_policy(project_id: str) -> policy_pb2.Policy: """ Get policy for project. project_id: ID or number of the Google Cloud project you want to use. """ client = resourcemanager_v3.ProjectsClient() request = iam_policy_pb2.GetIamPolicyRequest() request.resource = f"projects/{project_id}" policy = client.get_iam_policy(request) print(f"Policy retrieved: {policy}") return policy </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-get-policy-rest" track-metadata-position="iam-get-policy" track-metadata-region-tag="iam-get-policy" data-text="REST" tabindex="-1">REST</h3> The Resource Manager API's <code translate="no" dir="ltr"><a href="/resource-manager/reference/rest/v1/projects/getIamPolicy">getIamPolicy</a></code> </code> method gets a project's, folder's, or organization's allow policy. Before using any of the request data, make the following replacements: <ul> <li><code translate="no" dir="ltr"><var translate="no">API_VERSION</var></code>: The API version to use. For projects and organizations, use <code translate="no" dir="ltr">v1</code>. For folders, use <code translate="no" dir="ltr">v2</code>.</li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The resource type whose policy you want to manage. Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>.</li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li><code translate="no" dir="ltr"><var translate="no">POLICY_VERSION</var></code>: The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See <a href="/iam/docs/policies#specifying-version-get">Specifying a policy version when getting a policy</a> for details.</li> </ul> HTTP method and URL: <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:getIamPolicy</pre></devsite-code> </section> Request JSON body: <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "options": { "requestedPolicyVersion": <var translate="no">POLICY_VERSION</var> } } </pre></devsite-code> </section> To send your request, expand one of these options: <section class="expandable" > <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell_1" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note">Note: The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> , or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. </aside> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d @request.json \ "https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:getIamPolicy"</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="powershell-windows_1" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note">Note: The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. </aside> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="getIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -InFile request.json ` -Uri "https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:getIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser_1" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> Copy the request body and open the <a href="/resource-manager/reference/rest/v1/projects/getIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute. </section> The response contains the resource's allow policy. For example: <section> <div></div><devsite-code><pre class="readonly" data-label="getIamPolicy sample response" translate="no" dir="ltr" is-upgraded> { "version": 1, "etag": "BwWKmjvelug=", "bindings": [ { "role": "roles/owner", "members": [ "user:my-user@example.com" ] } ] } </pre></devsite-code> </section> Save the response in a file of the appropriate type (<code translate="no" dir="ltr">json</code> or <code translate="no" dir="ltr">yaml</code>). </section> </div> <a name="modify_policy"></a> <h3 id="modifying-policy" data-text="Modify the allow policy" tabindex="-1">Modify the allow policy</h3> Programmatically or using a text editor, modify the local copy of your resource's allow policy to reflect the roles that you want to grant or revoke. To help prevent you from overwriting other changes, don't edit or remove the allow policy's <code translate="no" dir="ltr">etag</code> field. The <code translate="no" dir="ltr">etag</code> field identifies the current state of the allow policy. When you <a href="#setting-policy">set the updated allow policy</a>, IAM compares the <code translate="no" dir="ltr">etag</code> value in the request with the existing <code translate="no" dir="ltr">etag</code>, and only writes the allow policy if the values match. <aside class="special">Important: None of your changes will take effect until you <a href="#setting-policy">set the updated allow policy</a>.</aside> To edit the roles that an allow policy grants, you need to edit the role bindings in the allow policy. Role bindings have the following format: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JSON">{ "role": "<var translate="no">ROLE_NAME</var>", "members": [ "<var translate="no">PRINCIPAL_1</var>", "<var translate="no">PRINCIPAL_2</var>", ... "<var translate="no">PRINCIPAL_N</var>" ], "conditions:" { <var translate="no">CONDITIONS</var> } }</pre></devsite-code> The placeholders have the following values: <ul> <li><code translate="no" dir="ltr"><var translate="no">ROLE_NAME</var></code>: The name of the role that you want to grant. Use one of the following formats: <ul> <li>Predefined roles: <code translate="no" dir="ltr">roles/<var translate="no">SERVICE</var>.<var translate="no">IDENTIFIER</var></code></li> <li>Project-level custom roles: <code translate="no" dir="ltr">projects/<var translate="no">PROJECT_ID</var>/roles/<var translate="no">IDENTIFIER</var></code></li> <li>Organization-level custom roles: <code translate="no" dir="ltr">organizations/<var translate="no">ORG_ID</var>/roles/<var translate="no">IDENTIFIER</var></code></li> </ul> For a list of predefined roles, see <a href="/iam/docs/understanding-roles">Understanding roles</a>.</li> <li><code translate="no" dir="ltr"><var translate="no">PRINCIPAL_1</var></code>, <code translate="no" dir="ltr"><var translate="no">PRINCIPAL_2</var></code>, <code translate="no" dir="ltr">...<var translate="no">PRINCIPAL_N</var></code>: Identifiers for the principals that you want to grant the role to. Principal identifiers usually have the following form: <code translate="no" dir="ltr"><var translate="no">PRINCIPAL-TYPE</var>:<var translate="no">ID</var></code>. For example, <code translate="no" dir="ltr">user:my-user@example.com</code>. For a full list of the values that <code translate="no" dir="ltr"><var translate="no">PRINCIPAL</var></code> can have, see <a href="/iam/docs/principal-identifiers">Principal identifiers</a>. For the principal type <code translate="no" dir="ltr">user</code>, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the <a href="/identity/docs/overview">overview of Cloud Identity</a>. </li> <li><code translate="no" dir="ltr"><var translate="no">CONDITIONS</var></code>: Optional. Any <a href="/iam/docs/conditions-overview">conditions</a> that specify when access will be granted.</li> </ul> <h4 id="granting-role" data-text="Grant a role" tabindex="-1">Grant a role</h4> To grant roles to your principals, modify the role bindings in the allow policy. To learn what roles you can grant, see <a href="/iam/docs/understanding-roles">Understanding roles</a>, or <a href="/iam/docs/viewing-grantable-roles">view grantable roles</a> for the resource. If you need help to identify the most appropriate predefined roles, see <a href="/iam/docs/choose-predefined-roles">Choose predefined roles</a>. Optionally, you can use <a href="/iam/docs/conditions-overview">conditions</a> to grant roles only when certain requirements are met. To grant a role that is already included in the allow policy, add the principal to an existing role binding: <div id="iam-modify-policy-member-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-modify-policy-member-gcloud" track-metadata-position="iam-modify-policy-member" track-metadata-region-tag="iam-modify-policy-member" data-text="gcloud" tabindex="-1">gcloud</h3> Edit the returned allow policy by adding the principal to an existing role binding. This change won't take effect until you <a href="#setting-policy">set the updated allow policy</a>. For example, imagine the allow policy contains the following role binding, which grants the Security Reviewer role (<code translate="no" dir="ltr">roles/iam.securityReviewer</code>) to Kai: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JSON"><code translate="no" dir="ltr">{ "role": "roles/iam.securityReviewer", "members": [ "user:kai@example.com" ] } </code></pre></devsite-code> To grant that same role to Raha, add Raha's principal identifier to the existing role binding: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JSON">{ "role": "roles/iam.securityReviewer", "members": [ "user:kai@example.com", "user:raha@example.com" ] }</pre></devsite-code> </section> <section> <h3 id="iam-modify-policy-member-csharp" track-metadata-position="iam-modify-policy-member" track-metadata-region-tag="iam-modify-policy-member" data-text="C#" tabindex="-1">C#</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/AddMember.cs/HEAD/iam_modify_policy_add_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/AddMember.cs" feedback-context="{"language": "csharp", "region_tag": "iam-modify-policy-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/AddMember.cs"}" feedback-product="1634365" feedback-bucket="security" language="csharp" data-github-path="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/AddMember.cs" data-git-revision="HEAD" data-region-tag="iam_modify_policy_add_member" dir="ltr" is-upgraded syntax="C#"><code translate="no" dir="ltr"> using System.Linq; using Google.Apis.CloudResourceManager.v1.Data; public partial class AccessManager { public static Policy AddMember(Policy policy, string role, string member) { var binding = policy.Bindings.First(x => x.Role == role); binding.Members.Add(member); return policy; } } </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-member-go" track-metadata-position="iam-modify-policy-member" track-metadata-region-tag="iam-modify-policy-member" data-text="Go" tabindex="-1">Go</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/golang-samples/iam/snippets/member_add.go/HEAD/iam_modify_policy_add_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/golang-samples/blob/HEAD/iam/snippets/member_add.go" feedback-context="{"language": "go", "region_tag": "iam-modify-policy-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/golang-samples/blob/HEAD/iam/snippets/member_add.go"}" feedback-product="1634365" feedback-bucket="security" language="go" data-github-path="GoogleCloudPlatform/golang-samples/iam/snippets/member_add.go" data-git-revision="HEAD" data-region-tag="iam_modify_policy_add_member" dir="ltr" is-upgraded syntax="Go"><code translate="no" dir="ltr">import ( "fmt" "io" "google.golang.org/api/iam/v1" ) // addMember adds a member to a role binding. func addMember(w io.Writer, policy *iam.Policy, role, member string) { for _, binding := range policy.Bindings { if binding.Role != role { continue } for _, m := range binding.Members { if m != member { continue } fmt.Fprintf(w, "Role %q found. Member already exists.\n", role) return } binding.Members = append(binding.Members, member) fmt.Fprintf(w, "Role %q found. Member added.\n", role) return } fmt.Fprintf(w, "Role %q not found. Member not added.\n", role) } </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-member-java" track-metadata-position="iam-modify-policy-member" track-metadata-region-tag="iam-modify-policy-member" data-text="Java" tabindex="-1">Java</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/AddMember.java/HEAD/iam_modify_policy_add_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/AddMember.java" feedback-context="{"language": "java", "region_tag": "iam-modify-policy-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/AddMember.java"}" feedback-product="1634365" feedback-bucket="security" language="java" data-github-path="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/AddMember.java" data-git-revision="HEAD" data-region-tag="iam_modify_policy_add_member" dir="ltr" is-upgraded syntax="Java"><code translate="no" dir="ltr">import com.google.iam.v1.Binding; import com.google.iam.v1.Policy; import java.util.ArrayList; import java.util.List; public class AddMember { public static void main(String[] args) { // TODO(developer): Replace the variables before running the sample. // TODO: Replace with your policy, GetPolicy.getPolicy(projectId, serviceAccount). Policy policy = Policy.newBuilder().build(); // TODO: Replace with your role. String role = "roles/existing-role"; // TODO: Replace with your member. String member = "user:member-to-add@example.com"; addMember(policy, role, member); } // Adds a member to a pre-existing role. public static Policy addMember(Policy policy, String role, String member) { List<Binding> newBindingsList = new ArrayList<>(); for (Binding b : policy.getBindingsList()) { if (b.getRole().equals(role)) { newBindingsList.add(b.toBuilder().addMembers(member).build()); } else { newBindingsList.add(b); } } // Update the policy to add the member. Policy updatedPolicy = policy.toBuilder() .clearBindings() .addAllBindings(newBindingsList) .build(); System.out.println("Added member: " + updatedPolicy.getBindingsList()); return updatedPolicy; } }</code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-member-python" track-metadata-position="iam-modify-policy-member" track-metadata-region-tag="iam-modify-policy-member" data-text="Python" tabindex="-1">Python</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/modify_policy_add_member.py/HEAD/iam_modify_policy_add_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/modify_policy_add_member.py" feedback-context="{"language": "python", "region_tag": "iam-modify-policy-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/modify_policy_add_member.py"}" feedback-product="1634365" feedback-bucket="security" language="python" data-github-path="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/modify_policy_add_member.py" data-git-revision="HEAD" data-region-tag="iam_modify_policy_add_member" dir="ltr" is-upgraded syntax="Python"><code translate="no" dir="ltr">from google.iam.v1 import policy_pb2 from snippets.get_policy import get_project_policy from snippets.set_policy import set_project_policy def modify_policy_add_member( project_id: str, role: str, member: str ) -> policy_pb2.Policy: """ Add a member to certain role in project policy. project_id: ID or number of the Google Cloud project you want to use. role: role to which member need to be added. member: The principals requesting access. Possible format for member: * user:{emailid} * serviceAccount:{emailid} * group:{emailid} * deleted:user:{emailid}?uid={uniqueid} * deleted:serviceAccount:{emailid}?uid={uniqueid} * deleted:group:{emailid}?uid={uniqueid} * domain:{domain} """ policy = get_project_policy(project_id) for bind in policy.bindings: if bind.role == role: bind.members.append(member) break return set_project_policy(project_id, policy) </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-member-rest" track-metadata-position="iam-modify-policy-member" track-metadata-region-tag="iam-modify-policy-member" data-text="REST" tabindex="-1">REST</h3> Edit the returned allow policy by adding the principal to an existing role binding. This change won't take effect until you <a href="#setting-policy">set the updated allow policy</a>. For example, imagine the allow policy contains the following role binding, which grants the Security Reviewer role (<code translate="no" dir="ltr">roles/iam.securityReviewer</code>) to Kai: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JSON"><code translate="no" dir="ltr">{ "role": "roles/iam.securityReviewer", "members": [ "user:kai@example.com" ] } </code></pre></devsite-code> To grant that same role to Raha, add Raha's principal identifier to the existing role binding: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JSON">{ "role": "roles/iam.securityReviewer", "members": [ "user:kai@example.com", "user:raha@example.com" ] }</pre></devsite-code> </section> </div> To grant a role that is not yet included in the allow policy, add a new role binding: <div id="iam-modify-policy-role-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-modify-policy-role-gcloud" track-metadata-position="iam-modify-policy-role" track-metadata-region-tag="iam-modify-policy-role" data-text="gcloud" tabindex="-1">gcloud</h3> Edit the allow policy by adding a new role binding that grants the role to the principal. This change won't take effect until you <a href="#setting-policy">set the updated allow policy</a>. For example, to grant the Compute Storage Admin role (<code translate="no" dir="ltr">roles/compute.storageAdmin</code>) to Raha, add the following role binding to the <code translate="no" dir="ltr">bindings</code> array for the allow policy: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JSON"><code translate="no" dir="ltr">{ "role": "roles/compute.storageAdmin", "members": [ "user:raha@example.com" ] } </code></pre></devsite-code> </section> <section> <h3 id="iam-modify-policy-role-csharp" track-metadata-position="iam-modify-policy-role" track-metadata-region-tag="iam-modify-policy-role" data-text="C#" tabindex="-1">C#</h3> To learn how to install and use the client library for IAM, see <a href="/iam/docs/reference/libraries" track-type="clientLibrariesReference" track-name="csharp" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob//iam/api/Access/AddBinding.cs" track-metadata-position="iam-modify-policy-role">IAM client libraries</a>. For more information, see the <a href="https://developers.google.com/api-client-library/dotnet/apis/iam/v1" class="external" track-type="clientLibrariesUsage" track-name="clientLibrariesLink" track-metadata-lang="csharp" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob//iam/api/Access/AddBinding.cs" track-metadata-region-tag="iam-modify-policy-role">IAM C# API reference documentation</a>. To authenticate to IAM, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/AddBinding.cs/HEAD/iam_modify_policy_add_role" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/AddBinding.cs" feedback-context="{"language": "csharp", "region_tag": "iam-modify-policy-role", "snippet_file_url": "https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/AddBinding.cs"}" feedback-product="1634365" feedback-bucket="security" language="csharp" data-github-path="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/AddBinding.cs" data-git-revision="HEAD" data-region-tag="iam_modify_policy_add_role" dir="ltr" is-upgraded syntax="C#"><code translate="no" dir="ltr"> using System.Collections.Generic; using Google.Apis.CloudResourceManager.v1.Data; public partial class AccessManager { public static Policy AddBinding(Policy policy, string role, string member) { var binding = new Binding { Role = role, Members = new List<string> { member } }; policy.Bindings.Add(binding); return policy; } } </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-role-java" track-metadata-position="iam-modify-policy-role" track-metadata-region-tag="iam-modify-policy-role" data-text="Java" tabindex="-1">Java</h3> To learn how to install and use the client library for IAM, see <a href="/iam/docs/reference/libraries" track-type="clientLibrariesReference" track-name="java" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/java-docs-samples/blob//iam/snippets/src/main/java/AddBinding.java" track-metadata-position="iam-modify-policy-role">IAM client libraries</a>. For more information, see the <a href="https://developers.google.com/api-client-library/java/apis/iam/v1" class="external" track-type="clientLibrariesUsage" track-name="clientLibrariesLink" track-metadata-lang="java" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/java-docs-samples/blob//iam/snippets/src/main/java/AddBinding.java" track-metadata-region-tag="iam-modify-policy-role">IAM Java API reference documentation</a>. To authenticate to IAM, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/AddBinding.java/HEAD/iam_modify_policy_add_role" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/AddBinding.java" feedback-context="{"language": "java", "region_tag": "iam-modify-policy-role", "snippet_file_url": "https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/AddBinding.java"}" feedback-product="1634365" feedback-bucket="security" language="java" data-github-path="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/AddBinding.java" data-git-revision="HEAD" data-region-tag="iam_modify_policy_add_role" dir="ltr" is-upgraded syntax="Java"><code translate="no" dir="ltr"> import com.google.iam.v1.Binding; import com.google.iam.v1.Policy; import java.util.Collections; import java.util.List; public class AddBinding { public static void main(String[] args) { // TODO(developer): Replace the variables before running the sample. // TODO: Replace with your policy: GetPolicy.getPolicy(projectId, serviceAccount). Policy policy = Policy.newBuilder().build(); // TODO: Replace with your role. String role = "roles/role-to-add"; // TODO: Replace with your members. List<String> members = Collections.singletonList("user:member-to-add@example.com"); addBinding(policy, role, members); } // Adds a member to a role. public static Policy addBinding(Policy policy, String role, List<String> members) { Binding binding = Binding.newBuilder() .setRole(role) .addAllMembers(members) .build(); // Update bindings for the policy. Policy updatedPolicy = policy.toBuilder().addBindings(binding).build(); System.out.println("Added binding: " + updatedPolicy.getBindingsList()); return updatedPolicy; } }</code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-role-python" track-metadata-position="iam-modify-policy-role" track-metadata-region-tag="iam-modify-policy-role" data-text="Python" tabindex="-1">Python</h3> To learn how to install and use the client library for IAM, see <a href="/iam/docs/reference/libraries" track-type="clientLibrariesReference" track-name="python" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/python-docs-samples/blob//iam/cloud-client/snippets/iam_modify_policy_add_role.py" track-metadata-position="iam-modify-policy-role">IAM client libraries</a>. For more information, see the <a href="https://developers.google.com/api-client-library/python/apis/iam/v1" class="external" track-type="clientLibrariesUsage" track-name="clientLibrariesLink" track-metadata-lang="python" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/python-docs-samples/blob//iam/cloud-client/snippets/iam_modify_policy_add_role.py" track-metadata-region-tag="iam-modify-policy-role">IAM Python API reference documentation</a>. To authenticate to IAM, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/iam_modify_policy_add_role.py/HEAD/iam_modify_policy_add_role" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/iam_modify_policy_add_role.py" feedback-context="{"language": "python", "region_tag": "iam-modify-policy-role", "snippet_file_url": "https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/iam_modify_policy_add_role.py"}" feedback-product="1634365" feedback-bucket="security" language="python" data-github-path="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/iam_modify_policy_add_role.py" data-git-revision="HEAD" data-region-tag="iam_modify_policy_add_role" dir="ltr" is-upgraded syntax="Python"><code translate="no" dir="ltr">def modify_policy_add_role(policy: dict, role: str, member: str) -> dict: """Adds a new role binding to a policy.""" binding = {"role": role, "members": [member]} policy["bindings"].append(binding) print(policy) return policy </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-role-rest" track-metadata-position="iam-modify-policy-role" track-metadata-region-tag="iam-modify-policy-role" data-text="REST" tabindex="-1">REST</h3> Edit the allow policy by adding a new role binding that grants the role to the principal. This change won't take effect until you <a href="#setting-policy">set the updated allow policy</a>. For example, to grant the Compute Storage Admin role (<code translate="no" dir="ltr">roles/compute.storageAdmin</code>) to Raha, add the following role binding to the <code translate="no" dir="ltr">bindings</code> array for the allow policy: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="JSON"><code translate="no" dir="ltr">{ "role": "roles/compute.storageAdmin", "members": [ "user:raha@example.com" ] } </code></pre></devsite-code> </section> </div> You can only grant roles related to activated API services. If a service, such as Compute Engine, is not active, you cannot grant roles exclusively related to Compute Engine. For more information, see <a href="https://support.google.com/cloud/answer/6158841">Enable and disable APIs</a>. There are some unique constraints when granting permissions on projects, especially when granting the Owner (<code translate="no" dir="ltr">roles/owner</code>) role. See the <a href="/resource-manager/reference/rest/v1/projects/setIamPolicy"><code translate="no" dir="ltr">projects.setIamPolicy()</code>reference documentation</a> for more information. <h4 id="revoking-role" data-text="Revoke a role" tabindex="-1">Revoke a role</h4> To revoke a role, remove the principal from the role binding. If there are no other principals in the role binding, remove the entire role binding. <aside class="note">Note: Role bindings with no principals are not allowed and will result in an error when setting the allow policy.</aside> <div id="iam-modify-policy-remove-member-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-modify-policy-remove-member-gcloud" track-metadata-position="iam-modify-policy-remove-member" track-metadata-region-tag="iam-modify-policy-remove-member" data-text="gcloud" tabindex="-1">gcloud</h3> Revoke a role by editing the JSON or YAML allow policy returned by the <code translate="no" dir="ltr">get-iam-policy</code> command. This change won't take effect until you <a href="#setting-policy">set the updated allow policy</a>. To revoke a role from a principal, delete the principal or binding from the <code translate="no" dir="ltr">bindings</code> array for the allow policy. </section> <section> <h3 id="iam-modify-policy-remove-member-csharp" track-metadata-position="iam-modify-policy-remove-member" track-metadata-region-tag="iam-modify-policy-remove-member" data-text="C#" tabindex="-1">C#</h3> To learn how to install and use the client library for IAM, see <a href="/iam/docs/reference/libraries" track-type="clientLibrariesReference" track-name="csharp" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob//iam/api/Access/RemoveMember.cs" track-metadata-position="iam-modify-policy-remove-member">IAM client libraries</a>. For more information, see the <a href="https://developers.google.com/api-client-library/dotnet/apis/iam/v1" class="external" track-type="clientLibrariesUsage" track-name="clientLibrariesLink" track-metadata-lang="csharp" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob//iam/api/Access/RemoveMember.cs" track-metadata-region-tag="iam-modify-policy-remove-member">IAM C# API reference documentation</a>. To authenticate to IAM, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/RemoveMember.cs/HEAD/iam_modify_policy_remove_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/RemoveMember.cs" feedback-context="{"language": "csharp", "region_tag": "iam-modify-policy-remove-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/RemoveMember.cs"}" feedback-product="1634365" feedback-bucket="security" language="csharp" data-github-path="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/RemoveMember.cs" data-git-revision="HEAD" data-region-tag="iam_modify_policy_remove_member" dir="ltr" is-upgraded syntax="C#"><code translate="no" dir="ltr"> using System.Linq; using Google.Apis.CloudResourceManager.v1.Data; public partial class AccessManager { public static Policy RemoveMember(Policy policy, string role, string member) { try { var binding = policy.Bindings.First(x => x.Role == role); if (binding.Members.Count != 0 && binding.Members.Contains(member)) { binding.Members.Remove(member); } if (binding.Members.Count == 0) { policy.Bindings.Remove(binding); } return policy; } catch (System.InvalidOperationException e) { System.Diagnostics.Debug.WriteLine("Role does not exist in policy: \n" + e.ToString()); return policy; } } }</code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-remove-member-go" track-metadata-position="iam-modify-policy-remove-member" track-metadata-region-tag="iam-modify-policy-remove-member" data-text="Go" tabindex="-1">Go</h3> To learn how to install and use the client library for IAM, see <a href="/iam/docs/reference/libraries" track-type="clientLibrariesReference" track-name="go" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/golang-samples/blob//iam/snippets/member_remove.go" track-metadata-position="iam-modify-policy-remove-member">IAM client libraries</a>. For more information, see the <a href="https://godoc.org/google.golang.org/genproto/googleapis/iam/admin/v1" class="external" track-type="clientLibrariesUsage" track-name="clientLibrariesLink" track-metadata-lang="go" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/golang-samples/blob//iam/snippets/member_remove.go" track-metadata-region-tag="iam-modify-policy-remove-member">IAM Go API reference documentation</a>. To authenticate to IAM, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/golang-samples/iam/snippets/member_remove.go/HEAD/iam_modify_policy_remove_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/golang-samples/blob/HEAD/iam/snippets/member_remove.go" feedback-context="{"language": "go", "region_tag": "iam-modify-policy-remove-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/golang-samples/blob/HEAD/iam/snippets/member_remove.go"}" feedback-product="1634365" feedback-bucket="security" language="go" data-github-path="GoogleCloudPlatform/golang-samples/iam/snippets/member_remove.go" data-git-revision="HEAD" data-region-tag="iam_modify_policy_remove_member" dir="ltr" is-upgraded syntax="Go"><code translate="no" dir="ltr">import ( "fmt" "io" "google.golang.org/api/iam/v1" ) // removeMember removes a member from a role binding. func removeMember(w io.Writer, policy *iam.Policy, role, member string) { bindings := policy.Bindings bindingIndex, memberIndex := -1, -1 for bIdx := range bindings { if bindings[bIdx].Role != role { continue } bindingIndex = bIdx for mIdx := range bindings[bindingIndex].Members { if bindings[bindingIndex].Members[mIdx] != member { continue } memberIndex = mIdx break } } if bindingIndex == -1 { fmt.Fprintf(w, "Role %q not found. Member not removed.\n", role) return } if memberIndex == -1 { fmt.Fprintf(w, "Role %q found. Member not found.\n", role) return } members := removeIdx(bindings[bindingIndex].Members, memberIndex) bindings[bindingIndex].Members = members if len(members) == 0 { bindings = removeIdx(bindings, bindingIndex) policy.Bindings = bindings } fmt.Fprintf(w, "Role %q found. Member removed.\n", role) } // removeIdx removes arr[idx] from arr. func removeIdx[T any](arr []T, idx int) []T { return append(arr[:idx], arr[idx+1:]...) } </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-remove-member-java" track-metadata-position="iam-modify-policy-remove-member" track-metadata-region-tag="iam-modify-policy-remove-member" data-text="Java" tabindex="-1">Java</h3> To learn how to install and use the client library for IAM, see <a href="/iam/docs/reference/libraries" track-type="clientLibrariesReference" track-name="java" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/java-docs-samples/blob//iam/snippets/src/main/java/RemoveMember.java" track-metadata-position="iam-modify-policy-remove-member">IAM client libraries</a>. For more information, see the <a href="https://developers.google.com/api-client-library/java/apis/iam/v1" class="external" track-type="clientLibrariesUsage" track-name="clientLibrariesLink" track-metadata-lang="java" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/java-docs-samples/blob//iam/snippets/src/main/java/RemoveMember.java" track-metadata-region-tag="iam-modify-policy-remove-member">IAM Java API reference documentation</a>. To authenticate to IAM, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/RemoveMember.java/HEAD/iam_modify_policy_remove_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/RemoveMember.java" feedback-context="{"language": "java", "region_tag": "iam-modify-policy-remove-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/RemoveMember.java"}" feedback-product="1634365" feedback-bucket="security" language="java" data-github-path="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/RemoveMember.java" data-git-revision="HEAD" data-region-tag="iam_modify_policy_remove_member" dir="ltr" is-upgraded syntax="Java"><code translate="no" dir="ltr">import com.google.iam.v1.Binding; import com.google.iam.v1.Policy; import java.io.IOException; import java.util.ArrayList; import java.util.List; public class RemoveMember { public static void main(String[] args) throws IOException { // TODO(developer): Replace the variables before running the sample. // TODO: Replace with your policy, GetPolicy.getPolicy(projectId, serviceAccount). Policy policy = Policy.newBuilder().build(); // TODO: Replace with your role. String role = "roles/existing-role"; // TODO: Replace with your member. String member = "user:member-to-add@example.com"; removeMember(policy, role, member); } // Removes member from a role; removes binding if binding contains no members. public static Policy removeMember(Policy policy, String role, String member) { // Creating new builder with all values copied from origin policy Policy.Builder policyBuilder = policy.toBuilder(); // Getting binding with suitable role. Binding binding = null; for (Binding b : policy.getBindingsList()) { if (b.getRole().equals(role)) { binding = b; break; } } if (binding != null && binding.getMembersList().contains(member)) { List<String> newMemberList = new ArrayList<>(binding.getMembersList()); // Removing member from a role newMemberList.remove(member); System.out.println("Member " + member + " removed from " + role); // Adding all remaining members to create new binding Binding newBinding = binding.toBuilder() .clearMembers() .addAllMembers(newMemberList) .build(); List<Binding> newBindingList = new ArrayList<>(policyBuilder.getBindingsList()); // Removing old binding to replace with new one newBindingList.remove(binding); // If binding has no more members, binding will not be added if (!newBinding.getMembersList().isEmpty()) { newBindingList.add(newBinding); } // Update the policy to remove the member. policyBuilder.clearBindings() .addAllBindings(newBindingList); } Policy updatedPolicy = policyBuilder.build(); System.out.println("Exising members: " + updatedPolicy.getBindingsList()); return updatedPolicy; } }</code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-remove-member-python" track-metadata-position="iam-modify-policy-remove-member" track-metadata-region-tag="iam-modify-policy-remove-member" data-text="Python" tabindex="-1">Python</h3> To learn how to install and use the client library for IAM, see <a href="/iam/docs/reference/libraries" track-type="clientLibrariesReference" track-name="python" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/python-docs-samples/blob//iam/cloud-client/snippets/modify_policy_remove_member.py" track-metadata-position="iam-modify-policy-remove-member">IAM client libraries</a>. For more information, see the <a href="https://developers.google.com/api-client-library/python/apis/iam/v1" class="external" track-type="clientLibrariesUsage" track-name="clientLibrariesLink" track-metadata-lang="python" track-metadata-snippet-file-url="https://github.com/GoogleCloudPlatform/python-docs-samples/blob//iam/cloud-client/snippets/modify_policy_remove_member.py" track-metadata-region-tag="iam-modify-policy-remove-member">IAM Python API reference documentation</a>. To authenticate to IAM, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/modify_policy_remove_member.py/HEAD/iam_modify_policy_remove_member" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/modify_policy_remove_member.py" feedback-context="{"language": "python", "region_tag": "iam-modify-policy-remove-member", "snippet_file_url": "https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/modify_policy_remove_member.py"}" feedback-product="1634365" feedback-bucket="security" language="python" data-github-path="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/modify_policy_remove_member.py" data-git-revision="HEAD" data-region-tag="iam_modify_policy_remove_member" dir="ltr" is-upgraded syntax="Python"><code translate="no" dir="ltr">from google.iam.v1 import policy_pb2 from snippets.get_policy import get_project_policy from snippets.set_policy import set_project_policy def modify_policy_remove_member( project_id: str, role: str, member: str ) -> policy_pb2.Policy: """ Remove a member from certain role in project policy. project_id: ID or number of the Google Cloud project you want to use. role: role to which member need to be added. member: The principals requesting access. Possible format for member: * user:{emailid} * serviceAccount:{emailid} * group:{emailid} * deleted:user:{emailid}?uid={uniqueid} * deleted:serviceAccount:{emailid}?uid={uniqueid} * deleted:group:{emailid}?uid={uniqueid} * domain:{domain} """ policy = get_project_policy(project_id) for bind in policy.bindings: if bind.role == role: if member in bind.members: bind.members.remove(member) break return set_project_policy(project_id, policy, False) </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-modify-policy-remove-member-rest" track-metadata-position="iam-modify-policy-remove-member" track-metadata-region-tag="iam-modify-policy-remove-member" data-text="REST" tabindex="-1">REST</h3> Revoke a role by editing the JSON or YAML allow policy returned by the <code translate="no" dir="ltr">get-iam-policy</code> command. This change won't take effect until you <a href="#setting-policy">set the updated allow policy</a>. To revoke a role from a principal, delete the principal or binding from the <code translate="no" dir="ltr">bindings</code> array for the allow policy. </section> </div> <a name="set_policy"></a> <h3 id="setting-policy" data-text="Set the allow policy" tabindex="-1">Set the allow policy</h3> After you modify the allow policy to grant and revoke roles, call <code translate="no" dir="ltr">setIamPolicy()</code> to update the policy. <aside class="warning">Warning: Setting a new allow policy permanently overwrites the existing allow policy on the resource. To avoid removing role bindings unintentionally, always follow the read-modify-write pattern when updating an allow policy: read the existing allow policy, modify it as needed, and then write the updated version of the allow policy.</aside> <div id="iam-set-policy-code-sample" class="ds-selector-tabs" data-ds-scope="code-sample"> <section> <h3 id="iam-set-policy-gcloud" track-metadata-position="iam-set-policy" track-metadata-region-tag="iam-set-policy" data-text="gcloud" tabindex="-1">gcloud</h3> <ol> <li> In the Google Cloud console, activate Cloud Shell. <a href="https://console.cloud.google.com/?cloudshell=true" target="console" track-type="commonIncludes" track-name="consoleLink" track-metadata-end-goal="launchCloudShell" class="button button-primary">Activate Cloud Shell</a> At the bottom of the Google Cloud console, a <a href="/shell/docs/how-cloud-shell-works">Cloud Shell</a> session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize. </li> <li> To set the allow policy for the resource, run the <code translate="no" dir="ltr">set-iam-policy</code> command for the resource: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud <var translate="no">RESOURCE_TYPE</var> set-iam-policy <var translate="no">RESOURCE_ID</var> <var translate="no">PATH</var></pre></devsite-code> Provide the following values: <ul> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The type of the resource that you want to set the allow policy for. Use one of the following values: <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">resource-manager folders</code>, or <code translate="no" dir="ltr">organizations</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">PATH</var></code>: The path to a file that contains the new allow policy. </li> </ul> The response contains the updated allow policy. For example, the following command sets the allow policy stored in <code translate="no" dir="ltr">policy.json</code> as the allow policy for the project <code translate="no" dir="ltr">my-project</code>: <div></div><devsite-code><pre class="devsite-click-to-copy" translate="no" dir="ltr" is-upgraded syntax="Bash">gcloud projects set-iam-policy my-project ~/policy.json</pre></devsite-code> </li> </ol> <aside class="note"> Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request. </aside> </section> <section> <h3 id="iam-set-policy-csharp" track-metadata-position="iam-set-policy" track-metadata-region-tag="iam-set-policy" data-text="C#" tabindex="-1">C#</h3> <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/SetPolicy.cs/HEAD/iam_set_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/SetPolicy.cs" feedback-context="{"language": "csharp", "region_tag": "iam-set-policy", "snippet_file_url": "https://github.com/GoogleCloudPlatform/dotnet-docs-samples/blob/HEAD/iam/api/Access/SetPolicy.cs"}" feedback-product="1634365" feedback-bucket="security" language="csharp" data-github-path="GoogleCloudPlatform/dotnet-docs-samples/iam/api/Access/SetPolicy.cs" data-git-revision="HEAD" data-region-tag="iam_set_policy" dir="ltr" is-upgraded syntax="C#"><code translate="no" dir="ltr"> using Google.Apis.Auth.OAuth2; using Google.Apis.CloudResourceManager.v1; using Google.Apis.CloudResourceManager.v1.Data; public partial class AccessManager { public static Policy SetPolicy(string projectId, Policy policy) { var credential = GoogleCredential.GetApplicationDefault() .CreateScoped(CloudResourceManagerService.Scope.CloudPlatform); var service = new CloudResourceManagerService( new CloudResourceManagerService.Initializer { HttpClientInitializer = credential }); return service.Projects.SetIamPolicy(new SetIamPolicyRequest { Policy = policy }, projectId).Execute(); } } </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-set-policy-java" track-metadata-position="iam-set-policy" track-metadata-region-tag="iam-set-policy" data-text="Java" tabindex="-1">Java</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. The following example shows how to set the allow policy for a project. To learn how to set the allow policy of a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Manager client library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/SetProjectPolicy.java/HEAD/iam_set_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/SetProjectPolicy.java" feedback-context="{"language": "java", "region_tag": "iam-set-policy", "snippet_file_url": "https://github.com/GoogleCloudPlatform/java-docs-samples/blob/HEAD/iam/snippets/src/main/java/SetProjectPolicy.java"}" feedback-product="1634365" feedback-bucket="security" language="java" data-github-path="GoogleCloudPlatform/java-docs-samples/iam/snippets/src/main/java/SetProjectPolicy.java" data-git-revision="HEAD" data-region-tag="iam_set_policy" dir="ltr" is-upgraded syntax="Java"><code translate="no" dir="ltr">import com.google.cloud.resourcemanager.v3.ProjectsClient; import com.google.iam.admin.v1.ProjectName; import com.google.iam.v1.Policy; import com.google.iam.v1.SetIamPolicyRequest; import com.google.protobuf.FieldMask; import java.io.IOException; import java.util.Arrays; import java.util.List; public class SetProjectPolicy { public static void main(String[] args) throws IOException { // TODO(developer): Replace the variables before running the sample. // TODO: Replace with your project ID. String projectId = "your-project-id"; // TODO: Replace with your policy, GetPolicy.getPolicy(projectId, serviceAccount). Policy policy = Policy.newBuilder().build(); setProjectPolicy(policy, projectId); } // Sets a project's policy. public static Policy setProjectPolicy(Policy policy, String projectId) throws IOException { // Initialize client that will be used to send requests. // This client only needs to be created once, and can be reused for multiple requests. try (ProjectsClient projectsClient = ProjectsClient.create()) { List<String> paths = Arrays.asList("bindings", "etag"); SetIamPolicyRequest request = SetIamPolicyRequest.newBuilder() .setResource(ProjectName.of(projectId).toString()) .setPolicy(policy) // A FieldMask specifying which fields of the policy to modify. Only // the fields in the mask will be modified. If no mask is provided, the // following default mask is used: // `paths: "bindings, etag"` .setUpdateMask(FieldMask.newBuilder().addAllPaths(paths).build()) .build(); return projectsClient.setIamPolicy(request); } } }</code></pre></devsite-code> </div> </section> <section> <h3 id="iam-set-policy-python" track-metadata-position="iam-set-policy" track-metadata-region-tag="iam-set-policy" data-text="Python" tabindex="-1">Python</h3> To authenticate to Resource Manager, set up Application Default Credentials. For more information, see <a href="#before-you-begin">Before you begin</a>. To learn how to install and use the client library for Resource Manager, see <a href="/resource-manager/docs/libraries">Resource Manager client libraries</a>. The following example shows how to set the allow policy for a project. To learn how to set the allow policy of a folder or organization, review the <a href="/resource-manager/docs/libraries">Resource Manager client library documentation</a> for your programming language. <div class="github-docwidget-gitinclude-code"> <div></div><devsite-code><pre suppresswarning="suppresswarning" translate="no" class="devsite-click-to-copy" track-metadata-position="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/set_policy.py/HEAD/iam_set_policy" data-code-snippet="true" data-github-includecode-link="https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/set_policy.py" feedback-context="{"language": "python", "region_tag": "iam-set-policy", "snippet_file_url": "https://github.com/GoogleCloudPlatform/python-docs-samples/blob/HEAD/iam/cloud-client/snippets/set_policy.py"}" feedback-product="1634365" feedback-bucket="security" language="python" data-github-path="GoogleCloudPlatform/python-docs-samples/iam/cloud-client/snippets/set_policy.py" data-git-revision="HEAD" data-region-tag="iam_set_policy" dir="ltr" is-upgraded syntax="Python"><code translate="no" dir="ltr">from google.cloud import resourcemanager_v3 from google.iam.v1 import iam_policy_pb2, policy_pb2 def set_project_policy( project_id: str, policy: policy_pb2.Policy, merge: bool = True ) -> policy_pb2.Policy: """ Set policy for project. Pay attention that previous state will be completely rewritten. If you want to update only part of the policy follow the approach read->modify->write. For more details about policies check out https://cloud.google.com/iam/docs/policies project_id: ID or number of the Google Cloud project you want to use. policy: Policy which has to be set. merge: The strategy to be used forming the request. CopyFrom is clearing both mutable and immutable fields, when MergeFrom is replacing only immutable fields and extending mutable. https://googleapis.dev/python/protobuf/latest/google/protobuf/message.html#google.protobuf.message.Message.CopyFrom """ client = resourcemanager_v3.ProjectsClient() request = iam_policy_pb2.GetIamPolicyRequest() request.resource = f"projects/{project_id}" current_policy = client.get_iam_policy(request) # Etag should as fresh as possible to lower chance of collisions policy.ClearField("etag") if merge: current_policy.MergeFrom(policy) else: current_policy.CopyFrom(policy) request = iam_policy_pb2.SetIamPolicyRequest() request.resource = f"projects/{project_id}" # request.etag field also will be merged which means you are secured from collision, # but it means that request may fail and you need to leverage exponential retries approach # to be sure policy has been updated. request.policy.CopyFrom(current_policy) policy = client.set_iam_policy(request) return policy </code></pre></devsite-code> </div> </section> <section> <h3 id="iam-set-policy-rest" track-metadata-position="iam-set-policy" track-metadata-region-tag="iam-set-policy" data-text="REST" tabindex="-1">REST</h3> The Resource Manager API's <code translate="no" dir="ltr"><a href="/resource-manager/reference/rest/v1/projects/setIamPolicy">setIamPolicy</a></code> </code> method sets the policy in the request as the new allow policy for the project, folder, or organization. Before using any of the request data, make the following replacements: <ul> <li><code translate="no" dir="ltr"><var translate="no">API_VERSION</var></code>: The API version to use. For projects and organizations, use <code translate="no" dir="ltr">v1</code>. For folders, use <code translate="no" dir="ltr">v2</code>.</li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_TYPE</var></code>: The resource type whose policy you want to manage. Use the value <code translate="no" dir="ltr">projects</code>, <code translate="no" dir="ltr">folders</code>, or <code translate="no" dir="ltr">organizations</code>.</li> <li><code translate="no" dir="ltr"><var translate="no">RESOURCE_ID</var></code>: Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like <code translate="no" dir="ltr">my-project</code>. Folder and organization IDs are numeric, like <code translate="no" dir="ltr">123456789012</code>. </li> <li> <code translate="no" dir="ltr"><var translate="no">POLICY</var></code>: A JSON representation of the policy that you want to set. For more information about the format of a policy, see the <a href="/iam/docs/reference/rest/v1/Policy">Policy reference</a>. </li> </ul> HTTP method and URL: <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="setIamPolicy HTTP method and URL" translate="no" dir="ltr" is-upgraded>POST https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:setIamPolicy</pre></devsite-code> </section> Request JSON body: <section> <div></div><devsite-code><pre class="devsite-click-to-copy" data-label="setIamPolicy request body" translate="no" dir="ltr" is-upgraded> { "policy": <var translate="no">POLICY</var> } </pre></devsite-code> </section> To send your request, expand one of these options: <section class="expandable" > <h4 class="showalways" id="curl-linux,-macos,-or-cloud-shell_2" data-text="curl (Linux, macOS, or Cloud Shell)" tabindex="-1">curl (Linux, macOS, or Cloud Shell)</h4> <aside class="note">Note: The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> , or by using <a href="/shell/docs">Cloud Shell</a>, which automatically logs you into the <code translate="no" dir="ltr">gcloud</code> CLI . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. </aside> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="setIamPolicy CURL command" translate="no" dir="ltr" is-upgraded>curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d @request.json \ "https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:setIamPolicy"</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="powershell-windows_2" data-text="PowerShell (Windows)" tabindex="-1">PowerShell (Windows)</h4> <aside class="note">Note: The following command assumes that you have logged in to the <code translate="no" dir="ltr">gcloud</code> CLI with your user account by running <a href="/sdk/gcloud/reference/init"><code translate="no" dir="ltr">gcloud init</code></a> or <a href="/sdk/gcloud/reference/auth/login"><code translate="no" dir="ltr">gcloud auth login</code></a> . You can check the currently active account by running <a href="/sdk/gcloud/reference/auth/list"><code translate="no" dir="ltr">gcloud auth list</code></a>. </aside> Save the request body in a file named <code translate="no" dir="ltr">request.json</code>, and execute the following command: <section><div></div><devsite-code><pre class="devsite-click-to-copy" data-label="setIamPolicy PowerShell command" translate="no" dir="ltr" is-upgraded>$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -InFile request.json ` -Uri "https://cloudresourcemanager.googleapis.com/<var translate="no">API_VERSION</var>/<var translate="no">RESOURCE_TYPE</var>/<var translate="no">RESOURCE_ID</var>:setIamPolicy" | Select-Object -Expand Content</pre></devsite-code></section> </section> <section class="expandable" > <h4 class="showalways" id="apis-explorer-browser_2" data-text="APIs Explorer (browser)" tabindex="-1">APIs Explorer (browser)</h4> Copy the request body and open the <a href="/resource-manager/reference/rest/v1/projects/setIamPolicy" class="external" target="_blank">method reference page</a>. The APIs Explorer panel opens on the right side of the page. You can interact with this tool to send requests. Paste the request body in this tool, complete any other required fields, and click Execute. </section> The response contains the updated allow policy. <aside class="note"> Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request. </aside> </section> </div> <h2 id="whats_next" data-text="What's next" tabindex="-1">What's next</h2> <ul> <li>Learn how to <a href="/iam/docs/manage-access-service-accounts">manage access to service accounts</a>.</li> <li>Learn the general steps for <a href="/iam/docs/manage-access-other-resources">managing access to other resources</a>.</li> <li>Find out how to <a href="/iam/docs/choose-predefined-roles">choose the most appropriate predefined roles</a>.</li> <li>Use the <a href="/iam/docs/troubleshooting-access">Policy Troubleshooter</a> to understand why a user does or doesn't have access to a resource or have permission to call an API.</li> <li>Discover how to <a href="/iam/docs/viewing-grantable-roles">view the roles that you can grant on a particular resource</a>.</li> <li>Learn how to make a principal's access conditional with <a href="/iam/docs/conditions-overview">conditional role bindings</a>.</li> <li>Explore ways to secure your applications with <a href="/iap/docs/concepts-overview">Identity-Aware Proxy</a>.</li> </ul> <cloudx-free-trial-eligible-content> <slot slot="eligible"> <div> <h2 class="hide-from-toc" id="try-it-for-yourself" data-text=" Try it for yourself " tabindex="-1"> Try it for yourself </h2> If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads. <a href="https://console.cloud.google.com/freetrial" class="cloud-button cloud-button--primary" track-type="button" track-name="Get started for free" track-metadata-eventdetail="https://console.cloud.google.com/freetrial" track-metadata-modifier="primary" track-metadata-anchor_text="Get started for free" track-metadata-href="https://console.cloud.google.com/freetrial" referrerpolicy="no-referrer-when-downgrade" > Get started for free</a> </div> </slot> <slot slot="ineligible"> </slot> </cloudx-free-trial-eligible-content> <devsite-hats-survey class="nocontent" hats-id="Nd7nTix2o0eU5NUYprb0ThtUc5jf" listnr-id="83405"></devsite-hats-survey> </div> <devsite-thumb-rating position="footer"> </devsite-thumb-rating> <devsite-feedback position="footer" project-name="IAM Documentation" product-id="717553" bucket="documentation" context="" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="footer" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png" > <button> Send feedback </button> </devsite-feedback> <div class="devsite-floating-action-buttons"> </div> </article> <devsite-content-footer class="nocontent"> Except as otherwise noted, the content of this page is licensed under the <a href="https://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution 4.0 License</a>, and code samples are licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache 2.0 License</a>. For details, see the <a href="https://developers.google.com/site-policies">Google Developers Site Policies</a>. Java is a registered trademark of Oracle and/or its affiliates. Last updated 2024-11-26 UTC. </devsite-content-footer> <devsite-notification > </devsite-notification> <div class="devsite-content-data"> <template class="devsite-thumb-rating-feedback"> <devsite-feedback position="thumb-rating" project-name="IAM Documentation" product-id="717553" bucket="documentation" context="" version="t-devsite-webserver-20241114-r00-rc02.464922260396498922" data-label="Send Feedback Button" track-type="feedback" track-name="sendFeedbackLink" track-metadata-position="thumb-rating" class="nocontent" project-icon="https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/super_cloud.png" > <button> Need to tell us more? </button> </devsite-feedback> </template> <template class="devsite-content-data-template"> [[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-11-26 UTC."],[],[]] </template> </div> </devsite-content> </main> <devsite-footer-promos class="devsite-footer"> </devsite-footer-promos> <devsite-footer-linkboxes class="devsite-footer"> <nav class="devsite-footer-linkboxes nocontent" aria-label="Footer links"> <ul class="devsite-footer-linkboxes-list"> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Why Google</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/why-google-cloud/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-metadata-child_headline="why google"track-metadata-position="footer"track-metadata-module="footer"track-name="choosing google cloud"track-type="footer link"track-metadata-eventDetail="cloud.google.com/why-google-cloud/"> Choosing Google Cloud </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/trust-center/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-metadata-module="footer"track-type="footer link"track-metadata-eventDetail="cloud.google.com/security/"track-metadata-position="footer"track-name="trust and security"track-metadata-child_headline="why google"> Trust and security </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/modern-infrastructure/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" track-metadata-module="footer"track-name="modern infrastructure cloud"track-metadata-child_headline="why google"track-metadata-position="footer"track-type="footer link"track-metadata-eventDetail="cloud.google.com/solutions/modern-infrastructure/"> Modern Infrastructure Cloud </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/multicloud/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" track-metadata-position="footer"track-metadata-module="footer"track-metadata-eventDetail="cloud.google.com/multicloud/"track-type="footer link"track-name="multicloud"track-metadata-child_headline="why google"> Multicloud </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/infrastructure/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" track-metadata-eventDetail="cloud.google.com/infrastructure/"track-type="footer link"track-metadata-module="footer"track-metadata-position="footer"track-metadata-child_headline="why google"track-name="global infrastructure"> Global infrastructure </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/customers/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" track-metadata-position="footer"track-metadata-child_headline="why google"track-metadata-module="footer"track-name="customers and case studies"track-type="footer link"track-metadata-eventDetail="cloud.google.com/customers/"> Customers and case studies </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/analyst-reports/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" track-type="footer link"track-name="analyst reports"track-metadata-child_headline="why google"track-metadata-position="footer"track-metadata-eventDetail="cloud.google.com/analyst-reports/"track-metadata-module="footer"> Analyst reports </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/whitepapers/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" track-metadata-child_headline="why google"track-metadata-eventDetail="cloud.google.com/whitepapers/"track-type="footer link"track-metadata-module="footer"track-name="whitepapers"track-metadata-position="footer"> Whitepapers </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//cloud.google.com/blog/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 9)" track-metadata-eventDetail="cloud.google.com/blog/"track-metadata-position="footer"track-metadata-module="footer"track-metadata-child_headline="engage"track-type="footer link"track-name="blog"> Blog </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Products and pricing</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/pricing/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-name="google cloud pricing"track-type="footer link"track-metadata-position="footer"track-metadata-module="footer"track-metadata-eventDetail="cloud.google.com/pricing/"track-metadata-child_headline="products and pricing"> Google Cloud pricing </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//workspace.google.com/pricing.html" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-metadata-eventDetail="workspace.google.com/pricing.html"track-type="footer link"track-metadata-child_headline="products and pricing"track-metadata-position="footer"target="_blank"track-metadata-module="footer"track-name="google workspace pricing"> Google Workspace pricing </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/products/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" track-type="footer link"track-metadata-eventDetail="cloud.google.com/products/"track-metadata-module="footer"track-name="see all products"track-metadata-position="footer"track-metadata-child_headline="products and pricing"> See all products </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Solutions</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/solutions/infrastructure-modernization/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-name="infrastructure modernization"track-type="footer link"track-metadata-child_headline="solutions"track-metadata-position="footer"track-metadata-module="footer"track-metadata-eventDetail="cloud.google.com/solutions/infrastructure-modernization/"> Infrastructure modernization </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/databases/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-type="footer link"track-metadata-module="footer"track-name="databases"track-metadata-eventDetail="cloud.google.com/solutions/databases"track-metadata-child_headline="solutions"track-metadata-position="footer"> Databases </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/application-modernization/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" track-metadata-eventDetail="cloud.google.com/solutions/application-modernization/"track-metadata-module="footer"track-type="footer link"track-name="application development"track-metadata-position="footer"track-metadata-child_headline="solutions"> Application modernization </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/smart-analytics/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" track-name="smart analytics"track-metadata-eventDetail="cloud.google.com/solutions/smart-analytics/"track-metadata-module="footer"track-metadata-position="footer"track-metadata-child_headline="solutions"track-type="footer link"> Smart analytics </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/ai/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" track-name="artificial intelligence"track-metadata-eventDetail="cloud.google.com/solutions/ai/"track-metadata-module="footer"track-metadata-child_headline="solutions"track-metadata-position="footer"track-type="footer link"> Artificial Intelligence </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/security/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" track-name="security"track-metadata-child_headline="solutions"track-metadata-eventDetail="cloud.google.com/solutions/security/"track-type="footer link"track-metadata-module="footer"track-metadata-position="footer"> Security </a> </li> <li class="devsite-footer-linkbox-item"> <a href="https://workspace.google.com/enterprise/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" track-metadata-eventDetail="workspace.google.com/enterprise/"track-metadata-position="footer"track-type="footer link"target="_blank"track-metadata-child_headline="solutions"track-name="productivity and work transformation"track-metadata-module="footer"> Productivity & work transformation </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/#industry-solutions" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" track-metadata-child_headline="solutions"track-metadata-eventDetail="cloud.google.com/solutions/#industry-solutions"track-metadata-position="footer"track-type="footer link"track-name="industry solutions"track-metadata-module="footer"> Industry solutions </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/devops/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 9)" track-metadata-eventDetail="cloud.google.com/solutions/devops/"track-metadata-position="footer"track-metadata-module="footer"track-type="footer link"track-name="devops solutions"track-metadata-child_headline="solutions"> DevOps solutions </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/#section-14" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 10)" track-type="footer link"track-metadata-module="footer"track-metadata-child_headline="solutions"track-name="small business solutions"track-metadata-eventDetail="cloud.google.com/solutions/#section-14"track-metadata-position="footer"> Small business solutions </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/solutions/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 11)" track-metadata-position="footer"track-name="see all solutions"track-metadata-eventDetail="cloud.google.com/solutions/"track-metadata-module="footer"track-type="footer link"track-metadata-child_headline="solutions"> See all solutions </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Resources</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/affiliate-program/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-metadata-child_headline="resources"track-type="footer link"track-metadata-position="footer"track-metadata-eventDetail="cloud.google.com/affiliate-program/"track-name="google cloud affiliate program"track-metadata-module="footer"> Google Cloud Affiliate Program </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/docs/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-metadata-position="footer"track-metadata-eventDetail="cloud.google.com/docs/"track-metadata-module="footer"track-name="google cloud documentation"track-type="footer link"track-metadata-child_headline="resources"> Google Cloud documentation </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/docs/get-started/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" track-metadata-eventDetail="cloud.google.com/docs/get-started/"track-metadata-position="footer"track-name="google cloud quickstarts"track-type="footer link"track-metadata-child_headline="resources"track-metadata-module="footer"> Google Cloud quickstarts </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/marketplace/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" track-type="footer link"track-name="google cloud marketplace"track-metadata-module="footer"track-metadata-child_headline="resources"track-metadata-eventDetail="cloud.google.com/marketplace/"track-metadata-position="footer"> Google Cloud Marketplace </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/discover/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" track-metadata-module="footer"track-metadata-position="footer"track-type="footer link"track-metadata-eventDetail="learn/"track-name="learn about cloud computing"track-metadata-child_headline="resources"> Learn about cloud computing </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/support-hub/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" track-metadata-module="footer"track-name="support"track-type="footer link"track-metadata-eventDetail="cloud.google.com/support-hub/"track-metadata-position="footer"track-metadata-child_headline="resources"> Support </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/docs/samples" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" track-metadata-eventDetail="cloud.google.com/docs/samples"track-metadata-module="footer"track-metadata-position="footer"track-name="code samples"track-metadata-child_headline="resources"track-type="footer link"> Code samples </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/architecture/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" track-name="cloud architecture center"track-metadata-eventDetail="cloud.google.com/architecture/"track-metadata-child_headline="resources"track-metadata-position="footer"track-type="footer link"track-metadata-module="footer"> Cloud Architecture Center </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/learn/training/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 9)" track-metadata-module="footer"track-metadata-position="footer"track-name="training"track-metadata-child_headline="resources"track-type="footer link"track-metadata-eventDetail="cloud.google.com/training/"> Training </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/learn/certification/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 10)" track-metadata-position="footer"track-type="footer link"track-metadata-child_headline="resources"track-metadata-module="footer"track-name="certifications"track-metadata-eventDetail="cloud.google.com/certification"> Certifications </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//developers.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 11)" track-metadata-eventDetail="developers.google.com"target="_blank"track-metadata-child_headline="resources"track-metadata-module="footer"track-name="google developers"track-metadata-position="footer"track-type="footer link"> Google for Developers </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/startup/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 12)" track-metadata-child_headline="resources"track-metadata-eventDetail="cloud.google.com/startup/"track-metadata-position="footer"track-metadata-module="footer"track-type="footer link"track-name="google cloud for startups"> Google Cloud for Startups </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//status.cloud.google.com" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 13)" track-metadata-child_headline="resources"track-type="footer link"track-name="system status"track-metadata-module="footer"track-metadata-position="footer"target="_blank"track-metadata-eventDetail="status.cloud.google.com"> System status </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/release-notes" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 14)" track-metadata-position="footer"track-type="footer link"track-metadata-child_headline="resources"track-metadata-module="footer"track-name="release notes"track-metadata-eventDetail="cloud.google.com/release-notes/"> Release Notes </a> </li> </ul> </li> <li class="devsite-footer-linkbox "> <h3 class="devsite-footer-linkbox-heading no-link">Engage</h3> <ul class="devsite-footer-linkbox-list"> <li class="devsite-footer-linkbox-item"> <a href="/contact/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 1)" track-type="footer link"track-metadata-child_headline="engage"track-metadata-module="footer"track-metadata-eventDetail="cloud.google.com/contact/"track-metadata-position="footer"track-name="contact sales"> Contact sales </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//cloud.google.com/find-a-partner" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 2)" track-metadata-eventDetail="cloud.google.com/find-a-partner"track-name="find a partner"track-type="footer link"target="_blank"track-metadata-child_headline="engage"track-metadata-position="footer"track-metadata-module="footer"> Find a Partner </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/partners/become-a-partner/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 3)" track-metadata-module="footer"track-metadata-child_headline="engage"track-type="footer link"track-metadata-eventDetail="cloud.google.com/partners/become-a-partner/"track-metadata-position="footer"track-name="become a partner"> Become a Partner </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/events/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 4)" track-metadata-child_headline="engage"track-metadata-eventDetail="cloud.withgoogle.com/events"track-metadata-module="footer"track-type="footer link"track-metadata-position="footer"track-name="events"> Events </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/podcasts/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 5)" target="_blank"track-metadata-eventDetail="cloud.google.com/podcasts/"track-metadata-position="footer"track-type="footer link"track-name="podcasts"track-metadata-module="footer"rel="noopener"track-metadata-child_headline="engage"> Podcasts </a> </li> <li class="devsite-footer-linkbox-item"> <a href="/developers/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 6)" track-metadata-eventDetail="cloud.google.com/developers/"track-name="developer center"track-metadata-position="footer"track-type="footer link"track-metadata-module="footer"track-metadata-child_headline="engage"> Developer Center </a> </li> <li class="devsite-footer-linkbox-item"> <a href="https://www.googlecloudpresscorner.com/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 7)" track-metadata-child_headline="engage"track-metadata-module="footer"track-type="footer link"track-metadata-eventDetail="www.googlecloudpresscorner.com"target="_blank"track-name="press corner"rel="noopener"track-metadata-position="footer"> Press Corner </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//www.youtube.com/googlecloud" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 8)" track-metadata-module="footer"track-type="footer link"target="_blank"track-metadata-position="footer"track-metadata-eventDetail="www.youtube.com/googlecloud"track-name="google cloud on youtube"track-metadata-child_headline="engage"rel="noopener"> Google Cloud on YouTube </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//www.youtube.com/googlecloudplatform" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 9)" track-metadata-module="footer"target="_blank"track-metadata-eventDetail="www.youtube.com/googlecloudplatform"track-metadata-child_headline="engage"track-type="footer link"rel="noopener"track-metadata-position="footer"track-name="google cloud tech on youtube"> Google Cloud Tech on YouTube </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//x.com/googlecloud" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 10)" track-name="follow on x"track-type="footer link"track-metadata-eventDetail="x.com/googlecloud"track-metadata-child_headline="engage"track-metadata-position="footer"track-metadata-module="footer"target="_blank"rel="noopener"> Follow on X </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//userresearch.google.com/?reserved=1&utm_source=website&Q_Language=en&utm_medium=own_srch&utm_campaign=CloudWebFooter&utm_term=0&utm_content=0&productTag=clou&campaignDate=jul19&pType=devel&referral_code=jk212693" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 11)" target="_blank"track-metadata-position="footer"track-metadata-child_headline="engage"track-type="footer link"track-metadata-module="footer"track-metadata-eventDetail="userresearch.google.com/?reserved=1&utm_source=website&Q_Language=en&utm_medium=own_srch&utm_campaign=CloudWebFooter&utm_term=0&utm_content=0&productTag=clou&campaignDate=jul19&pType=devel&referral_code=jk212693"track-name="join user research"> Join User Research </a> </li> <li class="devsite-footer-linkbox-item"> <a href="//careers.google.com/cloud" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 12)" track-type="footer link"track-metadata-eventDetail="careers.google.com/cloud"track-name="we are hiring join google cloud"track-metadata-child_headline="engage"target="_blank"track-metadata-module="footer"track-metadata-position="footer"> We're hiring. Join Google Cloud! </a> </li> <li class="devsite-footer-linkbox-item"> <a href="https://www.googlecloudcommunity.com/" class="devsite-footer-linkbox-link gc-analytics-event" data-category="Site-Wide Custom Events" data-label="Footer Link (index 13)" track-metadata-position="footer"track-metadata-module="footer"track-name="google cloud community"track-metadata-eventDetail="www.googlecloudcommunity.com"track-metadata-child_headline="engage"rel="noopener"target="_blank"track-type="footer link"> Google Cloud Community </a> </li> </ul> </li> </ul> </nav> </devsite-footer-linkboxes> <devsite-footer-utility class="devsite-footer"> <div class="devsite-footer-utility nocontent"> <nav class="devsite-footer-utility-links" aria-label="Utility links"> <ul class="devsite-footer-utility-list"> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="//about.google/" data-category="Site-Wide Custom Events" data-label="Footer About Google link" track-metadata-position="footer" track-name="about google" track-metadata-module="utility footer" target="_blank" track-type="footer link" track-metadata-eventDetail="//about.google/" > About Google </a> </li> <li class="devsite-footer-utility-item devsite-footer-privacy-link"> <a class="devsite-footer-utility-link gc-analytics-event" href="//policies.google.com/privacy" data-category="Site-Wide Custom Events" data-label="Footer Privacy link" track-metadata-eventDetail="//policies.google.com/privacy" track-metadata-module="utility footer" track-type="footer link" track-name="privacy" target="_blank" track-metadata-position="footer" > Privacy </a> </li> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="//www.google.com/intl/en/policies/terms/regional.html" data-category="Site-Wide Custom Events" data-label="Footer Site terms link" track-type="footer link" track-metadata-eventDetail="//www.google.com/intl/en/policies/terms/regional.html" track-metadata-module="utility footer" track-metadata-position="footer" track-name="site terms" target="_blank" > Site terms </a> </li> <li class="devsite-footer-utility-item "> <a class="devsite-footer-utility-link gc-analytics-event" href="/product-terms/" data-category="Site-Wide Custom Events" data-label="Footer Google Cloud terms link" track-metadata-module="utility footer" track-metadata-position="footer" track-type="footer link" track-name="google cloud terms" track-metadata-eventDetail="/product-terms/" > Google Cloud terms </a> </li> <li class="devsite-footer-utility-item glue-cookie-notification-bar-control"> <a class="devsite-footer-utility-link gc-analytics-event" href="#" data-category="Site-Wide Custom Events" data-label="Footer Manage cookies link" track-type="footer link" track-metadata-position="footer" track-metadata-module="utility footer" track-name="Manage cookies" track-metadata-eventDetail="#" aria-hidden="true" > Manage cookies </a> </li> <li class="devsite-footer-utility-item devsite-footer-carbon-button"> <a class="devsite-footer-utility-link gc-analytics-event" href="/sustainability" data-category="Site-Wide Custom Events" data-label="Footer Our third decade of climate action: join us link" track-type="footer link" track-metadata-position="footer" track-metadata-module="utility footer" track-metadata-eventDetail="/sustainability/" track-name="Our third decade of climate action: join us" > Our third decade of climate action: join us </a> </li> <li class="devsite-footer-utility-item devsite-footer-utility-button"> Sign up for the Google Cloud newsletter <a class="devsite-footer-utility-link gc-analytics-event" href="/newsletter/" data-category="Site-Wide Custom Events" data-label="Footer Subscribe link" track-metadata-position="footer" track-metadata-module="utility footer" track-metadata-eventDetail="/newsletter/" track-type="footer link" track-name="subscribe" > Subscribe </a> </li> </ul> <devsite-language-selector> <ul role="presentation"> <li role="presentation"> <a role="menuitem" lang="en" >English</a> </li> <li role="presentation"> <a role="menuitem" lang="de" >Deutsch</a> </li> <li role="presentation"> <a role="menuitem" lang="es_419" >Español – América Latina</a> </li> <li role="presentation"> <a role="menuitem" lang="fr" >Français</a> </li> <li role="presentation"> <a role="menuitem" lang="id" >Indonesia</a> </li> <li role="presentation"> <a role="menuitem" lang="it" >Italiano</a> </li> <li role="presentation"> <a role="menuitem" lang="pt_br" >Português – Brasil</a> </li> <li role="presentation"> <a role="menuitem" lang="zh_cn" >中文 – 简体</a> </li> <li role="presentation"> <a role="menuitem" lang="ja" >日本語</a> </li> <li role="presentation"> <a role="menuitem" lang="ko" >한국어</a> </li> </ul> </devsite-language-selector> </nav> </div> </devsite-footer-utility> <devsite-panel></devsite-panel> </section></section> <devsite-sitemask></devsite-sitemask> <devsite-snackbar></devsite-snackbar> <devsite-tooltip ></devsite-tooltip> <devsite-heading-link></devsite-heading-link> <devsite-analytics> <script type="application/json" analytics>[]</script> <script type="application/json" tag-management>{"at": "True", "ga4": [], "ga4p": [], "gtm": [{"id": "GTM-5CVQBG", "purpose": 1}], "parameters": {"internalUser": "False", "language": {"machineTranslated": "False", "requested": "en", "served": "en"}, "pageType": "article", "projectName": "IAM Documentation", "signedIn": "False", "tenant": "cloud", "recommendations": {"sourcePage": "", "sourceType": 0, "sourceRank": 0, "sourceIdenticalDescriptions": 0, "sourceTitleWords": 0, "sourceDescriptionWords": 0, "experiment": ""}, "experiment": {"ids": ""}}}</script> </devsite-analytics> <devsite-badger></devsite-badger> <cloudx-user></cloudx-user> <cloudx-free-trial-eligible-store freeTrialEligible='true'></cloudx-free-trial-eligible-store> <cloudx-pricing-socket></cloudx-pricing-socket> <cloudx-experiments type="TestAACodivertedExperiment" path="/virtual/TestAACodivertedExperiment/configureExperiment" location="SG" variant="variant2" ></cloudx-experiments> <cloudx-experiment-ids userCountry="SG" devsiteExperimentIdList="[39300012, 39300020, 39300118, 39300195, 39300241, 39300319, 39300322, 39300324, 39300345, 39300354, 39300363, 39300373, 39300412, 39300421, 39300436, 39300469, 39300471, 39300488, 39300496, 39300498]"> </cloudx-experiment-ids> <script nonce="H/FW/7wFtmWuAjNWVTyGPrsk+J3U5H"> (function(d,e,v,s,i,t,E){d['GoogleDevelopersObject']=i; t=e.createElement(v);t.async=1;t.src=s;E=e.getElementsByTagName(v)[0]; E.parentNode.insertBefore(t,E);})(window, document, 'script', 'https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/js/app_loader.js', '[2,"en",null,"/js/devsite_app_module.js","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud","https://cloud-dot-devsite-v2-prod.appspot.com",null,null,["/_pwa/cloud/manifest.json","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/images/video-placeholder.svg","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/favicons/onecloud/favicon.ico","https://www.gstatic.com/devrel-devsite/prod/v870e399c64f7c43c99a3043db4b3a74327bb93d0914e84a0c3dba90bbfd67625/cloud/images/cloud-logo.svg","https://fonts.googleapis.com/css?family=Google+Sans:400,500,700|Google+Sans+Text:400,400italic,500,500italic,700,700italic|Roboto:400,400italic,500,500italic,700,700italic|Roboto+Mono:400,500,700&display=swap"],1,null,[1,6,8,12,14,17,21,25,50,52,63,70,75,76,80,87,91,92,93,97,98,100,101,102,103,104,105,107,108,109,110,112,113,116,117,118,120,122,124,125,126,127,129,130,131,132,133,134,135,136,138,140,141,147,148,149,151,152,156,157,158,159,161,163,164,168,169,170,179,180,182,183,186,191,193,196],"AIzaSyAP-jjEJBzmIyKR4F-3XITp8yM9T1gEEI8","AIzaSyB6xiKGDR5O3Ak2okS4rLkauxGUG7XP0hg","cloud.google.com","AIzaSyAQk0fBONSGUqCNznf6Krs82Ap1-NV6J4o","AIzaSyCCxcqdrZ_7QMeLCRY20bh_SXdAYqy70KY",null,null,null,["CloudShell__cloud_shell_button","MiscFeatureFlags__enable_view_transitions","Profiles__enable_public_developer_profiles","Profiles__enable_developer_profiles_callout","Cloud__enable_legacy_calculator_redirect","Analytics__enable_clearcut_logging","MiscFeatureFlags__enable_explain_this_code","TpcFeatures__enable_required_headers","Profiles__enable_awarding_url","BookNav__enable_tenant_cache_key","Cloud__enable_free_trial_server_call","Cloud__enable_cloudx_ping","Profiles__enable_recognition_badges","Search__enable_ai_search_summaries_restricted","EngEduTelemetry__enable_engedu_telemetry","MiscFeatureFlags__developers_footer_dark_image","TpcFeatures__enable_mirror_tenant_redirects","DevPro__enable_developer_subscriptions","Concierge__enable_pushui","Cloud__enable_cloud_dlp_service","Profiles__enable_complete_playlist_endpoint","Profiles__require_profile_eligibility_for_signin","DevPro__enable_cloud_innovators_plus","Cloud__enable_llm_concierge_chat","MiscFeatureFlags__emergency_css","Profiles__enable_release_notes_notifications","Search__enable_page_map","Search__enable_ai_eligibility_checks","Cloud__enable_cloudx_experiment_ids","Profiles__enable_page_saving","Cloud__enable_cloud_shell_fte_user_flow","Experiments__reqs_query_experiments","MiscFeatureFlags__enable_firebase_utm","Search__scope_to_project_tenant","MiscFeatureFlags__enable_variable_operator","Search__enable_ai_search_summaries","MiscFeatureFlags__enable_project_variables","Search__enable_dynamic_content_confidential_banner","Search__enable_suggestions_from_borg","MiscFeatureFlags__developers_footer_image","Cloud__enable_cloud_facet_chat","Profiles__enable_dashboard_curated_recommendations","CloudShell__cloud_code_overflow_menu","Profiles__enable_profile_collections","Concierge__enable_concierge_restricted","Profiles__enable_completecodelab_endpoint","Cloud__enable_cloud_shell"],null,null,"AIzaSyBLEMok-5suZ67qRPzx0qUtbnLmyT_kCVE","https://developerscontentserving-pa.clients6.google.com","AIzaSyCM4QpTRSqP5qI4Dvjt4OAScIN8sOUlO-k","https://developerscontentsearch-pa.clients6.google.com",1,4,1,"https://developerprofiles-pa.clients6.google.com",[2,"cloud","Google Cloud","cloud.google.com",null,"cloud-dot-devsite-v2-prod.appspot.com",null,null,[1,1,null,null,null,null,null,null,null,null,null,[1],null,null,null,null,null,1,[1],[null,null,null,[1,20],"/terms/recommendations"],[1],null,[1],[1,null,1],[1,1,null,null,1,null,["/vertex-ai/"]]],null,[22,null,null,null,null,null,"/images/cloud-logo.svg","/images/favicons/onecloud/apple-icon.png",null,null,null,null,1,1,1,[6,5],[],null,null,[[],[],[],[],[],[],[],[]],null,1,null,null,null,null,[]],[],null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,[6,1,14,15,22,23,29,37],null,[[null,null,null,null,null,null,[1,[["docType","Choose a content type",[["ApiReference",null,null,null,null,null,null,null,null,"API reference"],["Sample",null,null,null,null,null,null,null,null,"Code sample"],["ReferenceArchitecture",null,null,null,null,null,null,null,null,"Reference architecture"],["Tutorial",null,null,null,null,null,null,null,null,"Tutorial"]]],["category","Choose a topic",[["AiAndMachineLearning",null,null,null,null,null,null,null,null,"Artificial intelligence and machine learning (AI/ML)"],["ApplicationDevelopment",null,null,null,null,null,null,null,null,"Application development"],["BigDataAndAnalytics",null,null,null,null,null,null,null,null,"Big data and analytics"],["Compute",null,null,null,null,null,null,null,null,"Compute"],["Containers",null,null,null,null,null,null,null,null,"Containers"],["Databases",null,null,null,null,null,null,null,null,"Databases"],["HybridCloud",null,null,null,null,null,null,null,null,"Hybrid and multicloud"],["LoggingAndMonitoring",null,null,null,null,null,null,null,null,"Logging and monitoring"],["Migrations",null,null,null,null,null,null,null,null,"Migrations"],["Networking",null,null,null,null,null,null,null,null,"Networking"],["SecurityAndCompliance",null,null,null,null,null,null,null,null,"Security and compliance"],["Serverless",null,null,null,null,null,null,null,null,"Serverless"],["Storage",null,null,null,null,null,null,null,null,"Storage"]]]]]],[1],null,1],[[null,null,null,null,null,["GTM-5CVQBG"],null,null,null,null,null,[["GTM-5CVQBG",2]],1],null,null,null,null,null,1],"mwETRvWii0eU5NUYprb0Y9z5GVbc",4,null,null,null,null,null,null,null,null,null,null,null,null,null,"cloud.devsite.google"],null,"pk_live_5170syrHvgGVmSx9sBrnWtA5luvk9BwnVcvIi7HizpwauFG96WedXsuXh790rtij9AmGllqPtMLfhe2RSwD6Pn38V00uBCydV4m"]') </script> <devsite-a11y-announce></devsite-a11y-announce> </body> </html>

CINXE.COM

Manage access to projects, folders, and organizations | IAM Documentation | Google Cloud