Quickstart: Write an allow policy by using client libraries

Grant roles using client libraries

Learn how to get started with the IAM methods from the Resource Manager API in your favorite programming language.



Before you begin

Create a Google Cloud project

For this quickstart, you need a new Google Cloud project.

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command:
    gcloud init

  5. Create or select a Google Cloud project.
    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    • Create a Google Cloud project:
      gcloud projects create PROJECT_ID
      Replace PROJECT_ID with a name for the Google Cloud project you are creating.
    • Select the Google Cloud project that you created:
      gcloud config set project PROJECT_ID
      Replace PROJECT_ID with your Google Cloud project name.
  6. Enable the Resource Manager API:
    Roles required to enable APIs
    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
    gcloud services enable cloudresourcemanager.googleapis.com

  7. Create local authentication credentials for your user account:
    gcloud auth application-default login
    If an authentication error is returned, and you are using an external identity provider (IdP), confirm that you have signed in to the gcloud CLI with your federated identity.

  8. Grant roles to your user account. Run the following command once for each of the following IAM roles: roles/resourcemanager.projectIamAdmin
    gcloud projects add-iam-policy-binding PROJECT_ID --member="user:USER_IDENTIFIER" --role=ROLE
    Replace the following:

    • PROJECT_ID: Your project ID.
    • USER_IDENTIFIER: The identifier for your user account. For example, myemail@example.com.
    • ROLE: The IAM role that you grant to your user account.

Install the client library

C#

For more on setting up your C# development environment, refer to the C# Development Environment Setup Guide.

install-package Google.Apis.Iam.v1
install-package Google.Apis.CloudResourceManager.v1

Go

go get golang.org/x/oauth2/google
go get google.golang.org/api/cloudresourcemanager/v1

Java

For more on setting up your Java development environment, refer to the Java Development Environment Setup Guide.

If you are using Maven, add this to your pom.xml file.

Python

For more on setting up your Python development environment, refer to the Python Development Environment Setup Guide.

pip install --upgrade google-api-python-client google-auth google-auth-httplib2

Read, modify, and write an allow policy

The code snippet in this quickstart does the following:

Replace the following values before running the code snippet:

C#

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager C# API reference documentation.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

Go

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager Go API reference documentation.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

Java

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager Java API reference documentation.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

Python

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries. For more information, see the Resource Manager Python API reference documentation.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
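
The read, modify, and write sequence for an allow policy, sketched in Python with the libraries installed above. This is an added example, not Google's sample code and not part of the original page. The helper names, the role roles/logging.logWriter, and the sample policy are assumptions chosen for illustration.

```python
import copy

def add_member(policy, role, member):
    """Return a copy of `policy` with `member` granted `role` unconditionally."""
    updated = copy.deepcopy(policy)  # keeps "etag" and "version" intact
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Skip conditional bindings: reusing one would grant under its condition.
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": role, "members": [member]})
    return updated

def remove_member(policy, role, member):
    """Return a copy of `policy` without the unconditional grant of `role` to `member`."""
    updated = copy.deepcopy(policy)
    kept = []
    for binding in updated.get("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:  # drop bindings left with no members
            kept.append(binding)
    updated["bindings"] = kept
    return updated

def grant_role(project_id, role, member):
    """Read the project's allow policy, add the grant, and write it back."""
    import google.auth                     # imported here so the helpers
    from googleapiclient import discovery  # above work without the SDK
    credentials, _ = google.auth.default(
        scopes=["https://www.googleapis.com/auth/cloud-platform"])
    projects = discovery.build(
        "cloudresourcemanager", "v1", credentials=credentials).projects()
    # Version 3 is needed to see (and not silently drop) conditional bindings.
    policy = projects.getIamPolicy(
        resource=project_id,
        body={"options": {"requestedPolicyVersion": 3}}).execute()
    # The etag read above is sent back, so a concurrent change fails the write.
    return projects.setIamPolicy(
        resource=project_id,
        body={"policy": add_member(policy, role, member)}).execute()

if __name__ == "__main__":
    # Constructed sample policy; use grant_role("PROJECT_ID", ...) on a real project.
    sample = {"version": 1, "etag": "BwX-constructed=", "bindings": []}
    print(add_member(sample, "roles/logging.logWriter", "user:myemail@example.com"))
```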

Congratulations! You used the IAM methods in the Resource Manager API to modify access for a project.


Clean up

  1. Optional: Revoke the authentication credentials that you created, and delete the local credential file.
    gcloud auth application-default revoke
  2. Optional: Revoke credentials from the gcloud CLI.
    gcloud auth revoke

What's next