Stay organized with collectionsSave and categorize content based on your preferences.
Controlling who has access to an API is an integral part of development. For
example, as you test your API, you might want to automate redeploying updated
Cloud Endpoints configurations by using a service account that has the
permission to do so. By default, only the project owner can manage access to an
API. This page shows you how to grant and revoke access to your API by using the
Google Cloud console or the Google Cloud CLI.
Endpoints usesIdentity and Access Managementroles to grant and revoke access at the API level. You can grant and revoke
access to a user, service account, or to aGoogle Group.
Google Groups are a convenient way to grant or revoke access to a collection of
users. You can grant or revoke access for a whole group at once, instead of
granting or revoking access one at a time for individual users or service
accounts. You can also easily add members to and remove members from a
Google Group instead of granting or revoking the IAM role for
each member.
Granting access
Google Cloud console
In the Google Cloud console, go to theEndpoints > Servicespage
for your project.
If you have more than one API, click the name of the API.
If thePermissionsside panel isn't open, clickaddPermissions.
In theAdd membersbox, enter the email address of a user, service
account, or Google Group.
In theSelect a roledrop-down, clickService Management, and
select one of the following roles:
Service Consumer:This role contains the
permissions for a non-project member to view and enable the API in their
own project. If you have created aportalfor your
API, this role lets your API users access the portal.
Service Controller:This role contains the
permissions to make calls to thecheckandreportmethods in theService InfrastructureAPI during runtime.
Service Config Editor:This role contains the minimum permissions
that Service Management requires to deploy an Endpoints
configuration to an existing service.
Service Management Administrator:This role contains the
permissions in the Service Config Editor, Service Consumer, and Service
Controller roles, plus the permissions required to grant access to
this API by usinggcloudor the programmatic methods
described inGranting, changing, and revoking access to resources.
See theService Management API access controltopic for information about this role. Although the Google Cloud console allows you to select other roles,
those roles aren't useful for managing your API.
To add the member to the specified IAM role, clickAdd.
Repeat adding members and selecting the role, as needed.
The Service Management roles don't allow users to access theEndpoints>Servicespage in the Google Cloud console. If you want users to be
able access theEndpoints>Servicespage, you must grant them theProject Viewerrole or a higher role on the project. SeeGranting, changing,
and revoking access to resourcesfor details.
gcloud
Open Cloud Shell, or if you have the Google Cloud CLI installed, open a
terminal window.
Enter the applicablegcloudcommand:
If you are granting access to a user, run the following:
For the role, specify one of the following IAM roles:
roles/servicemanagement.configEditor: This role contains
the minimum permissions that Service Management requires to
deploy an Endpoints configuration to an existing
service.
roles/servicemanagement.admin: This role contains the
permissions inroles/servicemanagement.configEditor,roles/servicemanagement.serviceConsumer, androles/servicemanagement.serviceController, plus the
permissions required to grant access to this API by usinggcloudor the programmatic methods described inGranting,
changing, and revoking access to resources.
The Service Management roles don't allow users to access theEndpoints>Servicespage in the Google Cloud console. If you
want users to be able access theEndpoints>Servicespage, you
must grant them theProject Viewerrole or a higher role on the project. SeeGranting, changing,
and revoking access to resourcesfor details.
Revoking access
To revoke access to your API, remove the IAM role from the member
who previously had the role.
Google Cloud console
In the Google Cloud console, go to theEndpoints>Servicespage
for your project.
If you have more than one API, click the name of the API.
If thePermissionsside panel isn't open, clickaddPermissions.
Locate the member for whom you want to revoke access. You can either click
the applicableRolecard to see a list of members, or you can enter
a name or role in theSearch membersbox.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eAPI access can be managed by granting or revoking Identity and Access Management (IAM) roles to users, service accounts, or Google Groups, controlling who can interact with the API.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Groups provide a streamlined way to manage access for multiple users simultaneously, simplifying the process of adding or removing permissions for a collection of individuals.\u003c/p\u003e\n"],["\u003cp\u003eAccess can be granted or revoked via the Google Cloud console by navigating to the Endpoints Services page, or by using the \u003ccode\u003egcloud\u003c/code\u003e command-line tool with specific commands for users, service accounts, and groups.\u003c/p\u003e\n"],["\u003cp\u003eService Management roles control different levels of access, such as Service Consumer, Service Controller, Service Config Editor, and Service Management Administrator, each providing a unique level of control.\u003c/p\u003e\n"],["\u003cp\u003eGranting Service Management roles does not give users access to the \u003cstrong\u003eEndpoints > Services\u003c/strong\u003e page in the Google Cloud Console, to access the page users must be granted the \u003cstrong\u003eProject Viewer\u003c/strong\u003e role or a higher role.\u003c/p\u003e\n"]]],[],null,["# Granting and revoking access to the API\n\n\u003cbr /\u003e\n\nControlling who has access to an API is an integral part of development. For\nexample, as you test your API, you might want to automate redeploying updated\nCloud Endpoints configurations by using a service account that has the\npermission to do so. By default, only the project owner can manage access to an\nAPI. This page shows you how to grant and revoke access to your API by using the\nGoogle Cloud console or the Google Cloud CLI.\n\nEndpoints uses\n[Identity and Access Management](/iam/docs/overview)\nroles to grant and revoke access at the API level. You can grant and revoke\naccess to a user, service account, or to a\n[Google Group](https://support.google.com/groups/answer/2464926).\n\nGoogle Groups are a convenient way to grant or revoke access to a collection of\nusers. You can grant or revoke access for a whole group at once, instead of\ngranting or revoking access one at a time for individual users or service\naccounts. You can also easily add members to and remove members from a\nGoogle Group instead of granting or revoking the IAM role for\neach member.\n\nGranting access\n---------------\n\n### Google Cloud console\n\n1. In the Google Cloud console, go to the **Endpoints \\\u003e Services** page for your project.\n\n [Go to the Endpoints Services page](https://console.cloud.google.com/endpoints)\n2. If you have more than one API, click the name of the API.\n3. If the **Permissions** side panel isn't open, click **addPermissions**.\n4. In the **Add members** box, enter the email address of a user, service account, or Google Group.\n5. In the **Select a role** drop-down, click **Service Management** , and select one of the following roles:\n - **Service Consumer:** This role contains the permissions for a non-project member to view and enable the API in their own project. If you have created a [portal](/endpoints/docs/openapi/dev-portal-overview) for your API, this role lets your API users access the portal.\n - **Service Controller:** This role contains the permissions to make calls to the `check` and `\n report` methods in the [Service Infrastructure](/service-infrastructure/docs/checking-status) API during runtime.\n - **Service Config Editor:** This role contains the minimum permissions that Service Management requires to deploy an Endpoints configuration to an existing service.\n - **Service Management Administrator:** This role contains the permissions in the Service Config Editor, Service Consumer, and Service Controller roles, plus the permissions required to grant access to this API by using `gcloud` or the programmatic methods described in [Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access).\n\n\n See the [Service Management API access control](/service-infrastructure/docs/service-management/access-control#roles)\n topic for information about this role. Although the Google Cloud console allows you to select other roles,\n those roles aren't useful for managing your API.\n6. To add the member to the specified IAM role, click **Add**.\n7. Repeat adding members and selecting the role, as needed.\n8. The Service Management roles don't allow users to access the **Endpoints** \\\u003e **Services** page in the Google Cloud console. If you want users to be able access the **Endpoints** \\\u003e **Services** page, you must grant them the **Project Viewer** role or a higher role on the project. See [Granting, changing,\n and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.\n\n### gcloud\n\n1. Open Cloud Shell, or if you have the Google Cloud CLI installed, open a terminal window.\n2. Enter the applicable `gcloud` command:\n - If you are granting access to a user, run the following: \n\n ```transact-sql\n gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \\\n --member='user:[EMAIL-ADDRESS]' \\\n --role='[ROLE]'\n ```\n\n For the role, specify one of the following IAM roles:\n - `roles/servicemanagement.configEditor`: This role contains the minimum permissions that Service Management requires to deploy an Endpoints configuration to an existing service.\n - `roles/servicemanagement.admin`: This role contains the permissions in `roles/servicemanagement.configEditor`, `roles/servicemanagement.serviceConsumer`, and `roles/servicemanagement.serviceController`, plus the permissions required to grant access to this API by using `gcloud` or the programmatic methods described in [Granting,\n changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access).\n\n \u003cbr /\u003e\n\n For example: \n\n ```transact-sql\n gcloud endpoints services add-iam-policy-binding example-service-name \\\n --member='user:example-user@gmail.com' \\\n --role='roles/servicemanagement.admin'\n ```\n\n \u003cbr /\u003e\n\n - If you are granting access to a service account, run the following: \n\n ```transact-sql\n gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \\\n --member='serviceAccount:[EMAIL-ADDRESS]' \\\n --role='[ROLE]'\n ```\n\n For example: \n\n ```transact-sql\n gcloud endpoints services add-iam-policy-binding example-service-name \\\n --member='serviceAccount:example-service-account@example-project.iam.gserviceaccount.com' \\\n --role='roles/servicemanagement.configEditor'\n ```\n\n \u003cbr /\u003e\n\n - If you are granting access to a Google Group, run the following: \n\n ```transact-sql\n gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \\\n --member='group:[GROUP-NAME]@googlegroups.com' \\\n --role='[ROLE]'\n ```\n\n For example: \n\n ```transact-sql\n gcloud endpoints services add-iam-policy-binding example-service-name \\\n --member='group:example-group@googlegroups.com' \\\n --role='roles/servicemanagement.configEditor'\n ```\n\n \u003cbr /\u003e\n\n3. The Service Management roles don't allow users to access the **Endpoints** \\\u003e **Services** page in the Google Cloud console. If you want users to be able access the **Endpoints** \\\u003e **Services** page, you must grant them the **Project Viewer** role or a higher role on the project. See [Granting, changing,\n and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.\n\nRevoking access\n---------------\n\nTo revoke access to your API, remove the IAM role from the member\nwho previously had the role. \n\n### Google Cloud console\n\n1. In the Google Cloud console, go to the **Endpoints** \\\u003e **Services** page for your project.\n\n [Go to the Endpoints Services page](https://console.cloud.google.com/endpoints)\n2. If you have more than one API, click the name of the API.\n3. If the **Permissions** side panel isn't open, click **addPermissions**.\n4. Locate the member for whom you want to revoke access. You can either click the applicable **Role** card to see a list of members, or you can enter a name or role in the **Search members** box.\n5. Click **Delete** delete.\n6. If you also want to revoke a user's access to your Google Cloud project, see [Granting,\n changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.\n\n### gcloud\n\n1. Open Cloud Shell, or, if you have the gcloud CLI installed, open a terminal window.\n2. Enter the applicable `gcloud` command:\n - If you are revoking access for a user, run the following: \n\n ```text\n gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \\\n --member='user:[EMAIL-ADDRESS]' \\\n --role='[ROLE-NAME]'\n ```\n\n For example: \n\n ```transact-sql\n gcloud endpoints services remove-iam-policy-binding example-service-name \\\n --member='user:example-user@gmail.com' \\\n --role='roles/editor'\n ```\n - If you are revoking access for a service account, run the following: \n\n ```text\n gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \\\n --member='serviceAccount:[EMAIL-ADDRESS]' \\\n --role='[ROLE-NAME]'\n ```\n\n For example: \n\n ```transact-sql\n gcloud endpoints services remove-iam-policy-binding example-service-name \\\n --member='serviceAccount:example-service-account@example-project.iam.gserviceaccount.com' \\\n --role='roles/servicemanagement.configEditor'\n ```\n - If you are revoking access for a Google Group, run the following: \n\n ```transact-sql\n gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \\\n --member='group:[GROUP-NAME]@googlegroups.com' \\\n --role='[ROLE-NAME]'\n ```\n\n For example: \n\n ```transact-sql\n gcloud endpoints services remove-iam-policy-binding example-service-name \\\n --member='group:example-group@googlegroups.com' \\\n --role='roles/viewer'\n ```\n3. If you also want to revoke a user's access to your Google Cloud project, see [Granting,\n changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.\n\nWhat's next\n-----------\n\nLearn about:\n\n- [Creating a service account](/iam/docs/creating-managing-service-accounts#creating_a_service_account)\n- [`gcloud` commands](/sdk/gcloud/reference) referenced on this page."]]
