This page describes the API access control options available to you in
Cloud Endpoints.
Overview
Endpoints usesIdentity and Access Management (IAM)to control access to your API. You can grant access to your API at the project
level and at the individual Endpoints service level. For example,
you can:
Grant access to principals on a per-service basis.
Grant permission to a user or service account to deploy an updated
Endpoints configuration.
Grant access to your API users so they can enable your API in their own
Google Cloud project.
Roles that control access to services
You can grant the following roles for a specific service on theEndpoints>Servicespage in the Google Cloud console, by using the API, or by
using the Google Cloud CLI.
IAM role name
Role title
Description
roles/servicemanagement.serviceConsumer
Service Consumer
Permissions for a principal to view and enable the API in their own
project. You can grant theService Consumerrole only to Google
Accounts, Google Groups, or service accounts.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[[["\u003cp\u003eCloud Endpoints utilizes Identity and Access Management (IAM) to manage access to APIs at both the project and individual service levels.\u003c/p\u003e\n"],["\u003cp\u003ePermissions can be assigned on a per-service basis, allowing for granular control over who can deploy configurations or access the API.\u003c/p\u003e\n"],["\u003cp\u003eThe Service Consumer role enables principals to view and enable an API in their own Google Cloud project.\u003c/p\u003e\n"],["\u003cp\u003eThe Service Controller role grants permissions to make calls to the \u003ccode\u003echeck\u003c/code\u003e and \u003ccode\u003ereport\u003c/code\u003e methods in the Service Infrastructure API during runtime.\u003c/p\u003e\n"],["\u003cp\u003eThe Service Config Editor and Service Management Administrator roles provide varying levels of permissions for deploying configurations and managing API access, with the latter comparable to the Project Owner role.\u003c/p\u003e\n"]]],[],null,["# Overview of API access\n\nOpenAPI \\| [gRPC](/endpoints/docs/grpc/api-access-overview \"View this page for the Cloud Endpoints gRPC docs\")\n\n\u003cbr /\u003e\n\nThis page describes the API access control options available to you in\nCloud Endpoints.\n\nOverview\n--------\n\nEndpoints uses\n[Identity and Access Management (IAM)](/iam/docs)\nto control access to your API. You can grant access to your API at the project\nlevel and at the individual Endpoints service level. For example,\nyou can:\n\n- Grant access to principals on a per-service basis.\n- Grant permission to a user or service account to deploy an updated Endpoints configuration.\n- Grant access to your API users so they can enable your API in their own Google Cloud project.\n\nRoles that control access to services\n-------------------------------------\n\nYou can grant the following roles for a specific service on the **Endpoints** \\\u003e\n**Services** page in the Google Cloud console, by using the API, or by\nusing the Google Cloud CLI.\n\n| **Note:** Although you can grant other roles at the service level, we recommend that you use the roles listed in the previous table to manage your API.\n\nWhat's next\n-----------\n\n- [Controlling who can enable your API](/endpoints/docs/openapi/control-api-callers).\n- [Granting and revoking access to the API](/endpoints/docs/openapi/control-api-access)."]]
