Console

1. In the Google Cloud console, go to theIAM page.

   Go to IAM

2. Select a project, folder, or organization.

   The Google Cloud console lists all the principals who have been grantedroles on your project, folder, or organization. This list includesprincipals who have inherited roles on the resource from parent resources.For more information about policy inheritance, seePolicy inheritance andthe resource hierarchy.

3. Optional: To view role grants forservice agents, selecttheInclude Google-provided role grants checkbox.

   

   

gcloud

1. In the Google Cloud console, activate Cloud Shell.

   Activate Cloud Shell

   At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

2. To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, seeUnderstanding allow policies.

   Note: A resource's allow policy does not show any roles gained throughpolicy inheritance. To view inherited roles, use the Google Cloud console, or follow the instructions onViewing effective IAM policies.

   To get the allow policy for the resource, run theget-iam-policy command for the resource:

   gcloudRESOURCE_TYPEget-iam-policyRESOURCE_ID--format=FORMAT >PATH

   Provide the following values:

   • RESOURCE_TYPE: The type of the resource that you want to view access to. Use one of these values:projects,resource-manager folders, ororganizations.

   • RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project. Folder and organization IDs are numeric, like123456789012.

   • FORMAT: The desired format for the policy. Usejson oryaml.

   • PATH: The path to a new output file for the policy.

   For example, the following command gets the policy for the projectmy-project and saves it to your home directory in JSON format:

   gcloudprojectsget-iam-policymy-project--format=json >~/policy.json

C#

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, seeUnderstanding allow policies.

The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review theResource Manager client library documentation for your programming language.

usingGoogle.Apis.Auth.OAuth2;usingGoogle.Apis.CloudResourceManager.v1;usingGoogle.Apis.CloudResourceManager.v1.Data;publicpartialclassAccessManager{publicstaticPolicyGetPolicy(stringprojectId){varcredential=GoogleCredential.GetApplicationDefault().CreateScoped(CloudResourceManagerService.Scope.CloudPlatform);varservice=newCloudResourceManagerService(newCloudResourceManagerService.Initializer{HttpClientInitializer=credential});varpolicy=service.Projects.GetIamPolicy(newGetIamPolicyRequest(),projectId).Execute();returnpolicy;}}

Java

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, seeUnderstanding allow policies.

The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review theResource Manager client library documentation for your programming language.

importcom.google.cloud.resourcemanager.v3.ProjectsClient;importcom.google.iam.admin.v1.ProjectName;importcom.google.iam.v1.GetIamPolicyRequest;importcom.google.iam.v1.Policy;importjava.io.IOException;publicclassGetProjectPolicy{publicstaticvoidmain(String[]args)throwsIOException{// TODO(developer): Replace the variables before running the sample.// TODO: Replace with your project ID.StringprojectId="your-project-id";getProjectPolicy(projectId);}// Gets a project's policy.publicstaticPolicygetProjectPolicy(StringprojectId)throwsIOException{// Initialize client that will be used to send requests.// This client only needs to be created once, and can be reused for multiple requests.try(ProjectsClientprojectsClient=ProjectsClient.create()){GetIamPolicyRequestrequest=GetIamPolicyRequest.newBuilder().setResource(ProjectName.of(projectId).toString()).build();returnprojectsClient.getIamPolicy(request);}}}

Python

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, seeUnderstanding allow policies.

The following example shows how to get the allow policy for a project. To learn how to get the allow policy for a folder or organization, review theResource Manager client library documentation for your programming language.

fromgoogle.cloudimportresourcemanager_v3fromgoogle.iam.v1importiam_policy_pb2,policy_pb2defget_project_policy(project_id:str)->policy_pb2.Policy:"""Get policy for project.    project_id: ID or number of the Google Cloud project you want to use.    """client=resourcemanager_v3.ProjectsClient()request=iam_policy_pb2.GetIamPolicyRequest()request.resource=f"projects/{project_id}"policy=client.get_iam_policy(request)print(f"Policy retrieved:{policy}")returnpolicy

REST

To see who has access to your project, folder, or organization, get the allowpolicy for the resource. To learn how to interpret allow policies, seeUnderstanding allow policies.

Note: A resource's allow policy does not show any roles gained throughpolicy inheritance. To view inherited roles, use the Google Cloud console, or follow the instructions onViewing effective IAM policies.

The Resource Manager API'sgetIamPolicy method gets a project's, folder's, or organization's allow policy.

Before using any of the request data, make the following replacements:

• API_VERSION: The API version to use. Forprojects and organizations, usev1. For folders, usev2.
• RESOURCE_TYPE: The resource type whosepolicy you want to manage. Use the valueprojects,folders, ororganizations.
• RESOURCE_ID: Your Google Cloudproject, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.
• POLICY_VERSION: The policy version to bereturned. Requests should specify the most recent policy version, which is policy version3. SeeSpecifyinga policy version when getting a policy for details.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy

Request JSON body:

{  "options": {    "requestedPolicyVersion":POLICY_VERSION  }}

To send your request, expand one of these options:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy" | Select-Object -Expand Content

The response contains the resource's allow policy. For example:

{  "version": 1,  "etag": "BwWKmjvelug=",  "bindings": [    {      "role": "roles/owner",      "members": [        "user:my-user@example.com"      ]    }  ]}

Console

1. In the Google Cloud console, go to theIAM page.

   Go to IAM

2. Select a project, folder, or organization.

3. Select a principal to grant a role to:

   • To grant a role to a principal who already has other roles on the resource,find a row containing the principal, clickeditEdit principal in that row,and clickaddAdd another role.

     To grant a role to aservice agent, select theIncludeGoogle-provided role grants checkbox to see its email address.

     Note: You cannot edit inherited roles when managing access to aresource. To edit inherited roles, go to the resource where therole was granted.

   • To grant a role to a principal who doesn't have any existing roles on theresource, clickperson_addGrantAccess, then enter aprincipal identifier—forexample,my-user@example.com or//iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com.

4. Select a role to grant from the drop-down list. For best security practices,choose a role that includes only the permissions that your principal needs.

5. Optional: Add acondition to the role.

6. ClickSave. The principal is granted the role on the resource.

To grant a role to a principal for more than one project, folder, ororganization, do the following:

1. In the Google Cloud console, go to theManage resources page.

   Go toManage resources

2. Select all the resources for which you want to grant permissions.

3. If the info panel is not visible, clickShow info panel. Then, clickPermissions.

4. Select a principal to grant a role to:

   • To grant a role to a principal who already has other roles, find a rowcontaining the principal, clickeditEdit principal in that row,and clickaddAdd another role.
   • To grant a role to a principal who does not already have other roles,clickperson_addAdd principal,then enter aprincipalidentifier—for example,my-user@example.com or//iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com.

5. Select a role to grant from the drop-down list.

6. Optional: Add acondition to the role.

7. ClickSave. The principal is granted the selected role on each of theselected resources.

gcloud

1. In the Google Cloud console, activate Cloud Shell.

   Activate Cloud Shell

   At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

2. Theadd-iam-policy-binding command lets you quickly grant a role to a principal.

   Before using any of the command data below, make the following replacements:

   • RESOURCE_TYPE: The resource type that you want to manage access to. Useprojects,resource-manager folders, ororganizations.

   • RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project. Folder and organization IDs are numeric, like123456789012.

   • PRINCIPAL: An identifier for the principal, or member, which usually has the following form:PRINCIPAL_TYPE:ID. For example,user:my-user@example.com orprincipalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com. For a full list of the values thatPRINCIPAL can have, seePrincipal identifiers.

     For the principal typeuser, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see theoverview of Cloud Identity.

   • ROLE_NAME: The name of the role that you want to revoke. Use one of the following formats:

     • Predefined roles:roles/SERVICE.IDENTIFIER
     • Project-level custom roles:projects/PROJECT_ID/roles/IDENTIFIER
     • Organization-level custom roles:organizations/ORG_ID/roles/IDENTIFIER

     For a list of predefined roles, seeUnderstanding roles.

   • CONDITION: The condition to add to the role binding. If you don't want to add a condition, use the valueNone. For more information about conditions, see theconditions overview.

   Execute the following command:

   Linux, macOS, or Cloud Shell

   gcloudRESOURCE_TYPEadd-iam-policy-bindingRESOURCE_ID\--member=PRINCIPAL--role=ROLE_NAME\--condition=CONDITION

   Windows (PowerShell)

   gcloudRESOURCE_TYPEadd-iam-policy-bindingRESOURCE_ID`--member=PRINCIPAL--role=ROLE_NAME`--condition=CONDITION

   Windows (cmd.exe)

   gcloudRESOURCE_TYPEadd-iam-policy-bindingRESOURCE_ID^--member=PRINCIPAL--role=ROLE_NAME^--condition=CONDITION

   The response contains the updated IAM policy.

Console

1. In the Google Cloud console, go to theIAM page.

   Go to IAM

2. Select a project, folder, or organization.

3. Find the row containing the principal whose access you want to revoke. Then,click editEdit principal in thatrow.

   Note: You cannot edit inherited roles when managing access to aresource. To edit inherited roles, go to the resource where therole was granted.

4. Click theDeletedelete button forthe role that you want to revoke, and then clickSave.

gcloud

1. In the Google Cloud console, activate Cloud Shell.

   Activate Cloud Shell

   At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

2. To quickly revoke a role from a user, run theremove-iam-policy-binding command:

   gcloudRESOURCE_TYPEremove-iam-policy-bindingRESOURCE_ID
   --member=PRINCIPAL--role=ROLE_NAME

   Provide the following values:

   • RESOURCE_TYPE: The resource type that you want to manage access to. Useprojects,resource-manager folders, ororganizations.

   • RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project. Folder and organization IDs are numeric, like123456789012.

   • PRINCIPAL: An identifier for the principal, or member, which usually has the following form:PRINCIPAL_TYPE:ID. For example,user:my-user@example.com orprincipalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com.

     For the principal typeuser, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see theoverview of Cloud Identity.

   • ROLE_NAME: The name of the role that you want to revoke. Use one of the following formats:

     • Predefined roles:roles/SERVICE.IDENTIFIER
     • Project-level custom roles:projects/PROJECT_ID/roles/IDENTIFIER
     • Organization-level custom roles:organizations/ORG_ID/roles/IDENTIFIER

     For a list of predefined roles, seeUnderstanding roles.

   For example, to revoke the Project Creator role from the service accountexample-service-account@example-project.iam.gserviceaccount.com for the projectexample-project:

   gcloudprojectsremove-iam-policy-bindingexample-project
   --member=serviceAccount:example-service-account@example-project.iam.gserviceaccount.com
   --role=roles/resourcemanager.projectCreator

gcloud

1. In the Google Cloud console, activate Cloud Shell.

   Activate Cloud Shell

   At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

2. To get the allow policy for the resource, run theget-iam-policy command for the resource:

   gcloudRESOURCE_TYPEget-iam-policyRESOURCE_ID--format=FORMAT >PATH

   Provide the following values:

   • RESOURCE_TYPE: The type of the resource that you want to get the allow policy for. Use one of the following values:projects,resource-manager folders, ororganizations.

   • RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project. Folder and organization IDs are numeric, like123456789012.

   • FORMAT: The desired format for the allow policy. Usejson oryaml.

   • PATH: The path to a new output file for the allow policy.

   For example, the following command gets the allow policy for the projectmy-project and saves it to your home directory in JSON format:

   gcloudprojectsget-iam-policymy-project--formatjson >~/policy.json

C#

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review theResource Managerclient library documentation for your programming language.

usingGoogle.Apis.Auth.OAuth2;usingGoogle.Apis.CloudResourceManager.v1;usingGoogle.Apis.CloudResourceManager.v1.Data;publicpartialclassAccessManager{publicstaticPolicyGetPolicy(stringprojectId){varcredential=GoogleCredential.GetApplicationDefault().CreateScoped(CloudResourceManagerService.Scope.CloudPlatform);varservice=newCloudResourceManagerService(newCloudResourceManagerService.Initializer{HttpClientInitializer=credential});varpolicy=service.Projects.GetIamPolicy(newGetIamPolicyRequest(),projectId).Execute();returnpolicy;}}

Java

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review theResource Managerclient library documentation for your programming language.

importcom.google.cloud.resourcemanager.v3.ProjectsClient;importcom.google.iam.admin.v1.ProjectName;importcom.google.iam.v1.GetIamPolicyRequest;importcom.google.iam.v1.Policy;importjava.io.IOException;publicclassGetProjectPolicy{publicstaticvoidmain(String[]args)throwsIOException{// TODO(developer): Replace the variables before running the sample.// TODO: Replace with your project ID.StringprojectId="your-project-id";getProjectPolicy(projectId);}// Gets a project's policy.publicstaticPolicygetProjectPolicy(StringprojectId)throwsIOException{// Initialize client that will be used to send requests.// This client only needs to be created once, and can be reused for multiple requests.try(ProjectsClientprojectsClient=ProjectsClient.create()){GetIamPolicyRequestrequest=GetIamPolicyRequest.newBuilder().setResource(ProjectName.of(projectId).toString()).build();returnprojectsClient.getIamPolicy(request);}}}

Python

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

The following example shows how to get the allow policy for a project. To learn how to get the allow policy of a folder or organization, review theResource Managerclient library documentation for your programming language.

fromgoogle.cloudimportresourcemanager_v3fromgoogle.iam.v1importiam_policy_pb2,policy_pb2defget_project_policy(project_id:str)->policy_pb2.Policy:"""Get policy for project.    project_id: ID or number of the Google Cloud project you want to use.    """client=resourcemanager_v3.ProjectsClient()request=iam_policy_pb2.GetIamPolicyRequest()request.resource=f"projects/{project_id}"policy=client.get_iam_policy(request)print(f"Policy retrieved:{policy}")returnpolicy

REST

The Resource Manager API'sgetIamPolicy method gets a project's, folder's, or organization's allow policy.

Before using any of the request data, make the following replacements:

• API_VERSION: The API version to use. Forprojects and organizations, usev1. For folders, usev2.
• RESOURCE_TYPE: The resource type whosepolicy you want to manage. Use the valueprojects,folders, ororganizations.
• RESOURCE_ID: Your Google Cloudproject, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.
• POLICY_VERSION: The policy version to bereturned. Requests should specify the most recent policy version, which is policy version3. SeeSpecifyinga policy version when getting a policy for details.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy

Request JSON body:

{  "options": {    "requestedPolicyVersion":POLICY_VERSION  }}

To send your request, expand one of these options:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy" | Select-Object -Expand Content

The response contains the resource's allow policy. For example:

{  "version": 1,  "etag": "BwWKmjvelug=",  "bindings": [    {      "role": "roles/owner",      "members": [        "user:my-user@example.com"      ]    }  ]}

Save the response in a file of the appropriate type (json oryaml).

gcloud

Edit the returned allow policy by adding the principal to an existing rolebinding. This change won't take effect until youset the updated allow policy.

For example, imagine the allow policy contains the following role binding, whichgrants the Security Reviewer role (roles/iam.securityReviewer) toKai:

{"role":"roles/iam.securityReviewer","members":["user:kai@example.com"]}

To grant that same role to Raha, add Raha's principal identifier to theexisting role binding:

{"role":"roles/iam.securityReviewer","members":["user:kai@example.com","user:raha@example.com"]}

C#

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

usingSystem.Linq;usingGoogle.Apis.CloudResourceManager.v1.Data;publicpartialclassAccessManager{publicstaticPolicyAddMember(Policypolicy,stringrole,stringmember){varbinding=policy.Bindings.First(x=>x.Role==role);binding.Members.Add(member);returnpolicy;}}

Go

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

import("fmt""io""google.golang.org/api/iam/v1")// addMember adds a member to a role binding.funcaddMember(wio.Writer,policy*iam.Policy,role,memberstring){for_,binding:=rangepolicy.Bindings{ifbinding.Role!=role{continue}for_,m:=rangebinding.Members{ifm!=member{continue}fmt.Fprintf(w,"Role %q found. Member already exists.\n",role)return}binding.Members=append(binding.Members,member)fmt.Fprintf(w,"Role %q found. Member added.\n",role)return}fmt.Fprintf(w,"Role %q not found. Member not added.\n",role)}

Java

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

importcom.google.iam.v1.Binding;importcom.google.iam.v1.Policy;importjava.util.ArrayList;importjava.util.List;publicclassAddMember{publicstaticvoidmain(String[]args){// TODO(developer): Replace the variables before running the sample.// TODO: Replace with your policy, GetPolicy.getPolicy(projectId, serviceAccount).Policypolicy=Policy.newBuilder().build();// TODO: Replace with your role.Stringrole="roles/existing-role";// TODO: Replace with your principal.// For examples, see https://cloud.google.com/iam/docs/principal-identifiersStringmember="principal-id";addMember(policy,role,member);}// Adds a principal to a pre-existing role.publicstaticPolicyaddMember(Policypolicy,Stringrole,Stringmember){List<Binding>newBindingsList=newArrayList<>();for(Bindingb:policy.getBindingsList()){if(b.getRole().equals(role)){newBindingsList.add(b.toBuilder().addMembers(member).build());}else{newBindingsList.add(b);}}// Update the policy to add the principal.PolicyupdatedPolicy=policy.toBuilder().clearBindings().addAllBindings(newBindingsList).build();System.out.println("Added principal: "+updatedPolicy.getBindingsList());returnupdatedPolicy;}}

Python

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

fromgoogle.iam.v1importpolicy_pb2fromsnippets.get_policyimportget_project_policyfromsnippets.set_policyimportset_project_policydefmodify_policy_add_principal(project_id:str,role:str,principal:str)->policy_pb2.Policy:"""Add a principal to certain role in project policy.    project_id: ID or number of the Google Cloud project you want to use.    role: role to which principal need to be added.    principal: The principal requesting access.    For principal ID formats, see https://cloud.google.com/iam/docs/principal-identifiers    """policy=get_project_policy(project_id)forbindinpolicy.bindings:ifbind.role==role:bind.members.append(principal)breakreturnset_project_policy(project_id,policy)

REST

Edit the returned allow policy by adding the principal to an existing rolebinding. This change won't take effect until youset the updated allow policy.

For example, imagine the allow policy contains the following role binding, whichgrants the Security Reviewer role (roles/iam.securityReviewer) toKai:

{"role":"roles/iam.securityReviewer","members":["user:kai@example.com"]}

To grant that same role to Raha, add Raha's principal identifier to theexisting role binding:

{"role":"roles/iam.securityReviewer","members":["user:kai@example.com","user:raha@example.com"]}

gcloud

Edit the allow policy by adding a new role binding that grants the role to theprincipal. This change won't take effect until youset the updated allow policy.

For example, to grant the Compute Storage Admin role(roles/compute.storageAdmin) to Raha, add the following role binding to thebindings array for the allow policy:

{"role":"roles/compute.storageAdmin","members":["user:raha@example.com"]}

C#

To learn how to install and use the client library for IAM, seeIAM client libraries. For more information, see theIAMC# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, seeBefore you begin.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

usingSystem.Collections.Generic;usingGoogle.Apis.CloudResourceManager.v1.Data;publicpartialclassAccessManager{publicstaticPolicyAddBinding(Policypolicy,stringrole,stringmember){varbinding=newBinding{Role=role,Members=newList<string>{member}};policy.Bindings.Add(binding);returnpolicy;}}

Java

To learn how to install and use the client library for IAM, seeIAM client libraries. For more information, see theIAMJava API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, seeBefore you begin.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

importcom.google.iam.v1.Binding;importcom.google.iam.v1.Policy;importjava.util.Collections;importjava.util.List;publicclassAddBinding{publicstaticvoidmain(String[]args){// TODO(developer): Replace the variables before running the sample.// TODO: Replace with your policy: GetPolicy.getPolicy(projectId, serviceAccount).Policypolicy=Policy.newBuilder().build();// TODO: Replace with your role.Stringrole="roles/role-to-add";// TODO: Replace with your principals.// For examples, see https://cloud.google.com/iam/docs/principal-identifiersList<String>members=Collections.singletonList("principal-id");addBinding(policy,role,members);}// Adds a principals to a role.publicstaticPolicyaddBinding(Policypolicy,Stringrole,List<String>members){Bindingbinding=Binding.newBuilder().setRole(role).addAllMembers(members).build();// Update bindings for the policy.PolicyupdatedPolicy=policy.toBuilder().addBindings(binding).build();System.out.println("Added binding: "+updatedPolicy.getBindingsList());returnupdatedPolicy;}}

Python

To learn how to install and use the client library for IAM, seeIAM client libraries. For more information, see theIAMPython API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, seeBefore you begin.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

defmodify_policy_add_role(policy:dict,role:str,principal:str)->dict:"""Adds a new role binding to a policy."""binding={"role":role,"members":[principal]}policy["bindings"].append(binding)print(policy)returnpolicy

REST

Edit the allow policy by adding a new role binding that grants the role to theprincipal. This change won't take effect until youset the updated allow policy.

For example, to grant the Compute Storage Admin role(roles/compute.storageAdmin) to Raha, add the following role binding to thebindings array for the allow policy:

{"role":"roles/compute.storageAdmin","members":["user:raha@example.com"]}

Revoke a role by editing the JSON or YAML allow policy returned by theget-iam-policy command. This change won't take effect until youset the updated allow policy.

To revoke a role from a principal, delete the principal or binding from thebindings array for the allow policy.

C#

To learn how to install and use the client library for IAM, seeIAM client libraries. For more information, see theIAMC# API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, seeBefore you begin.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

usingSystem.Linq;usingGoogle.Apis.CloudResourceManager.v1.Data;publicpartialclassAccessManager{publicstaticPolicyRemoveMember(Policypolicy,stringrole,stringmember){try{varbinding=policy.Bindings.First(x=>x.Role==role);if(binding.Members.Count!=0 &&binding.Members.Contains(member)){binding.Members.Remove(member);}if(binding.Members.Count==0){policy.Bindings.Remove(binding);}returnpolicy;}catch(System.InvalidOperationExceptione){System.Diagnostics.Debug.WriteLine("Role does not exist in policy: \n"+e.ToString());returnpolicy;}}}

Go

To learn how to install and use the client library for IAM, seeIAM client libraries. For more information, see theIAMGo API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, seeBefore you begin.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

import("fmt""io""google.golang.org/api/iam/v1")// removeMember removes a member from a role binding.funcremoveMember(wio.Writer,policy*iam.Policy,role,memberstring){bindings:=policy.BindingsbindingIndex,memberIndex:=-1,-1forbIdx:=rangebindings{ifbindings[bIdx].Role!=role{continue}bindingIndex=bIdxformIdx:=rangebindings[bindingIndex].Members{ifbindings[bindingIndex].Members[mIdx]!=member{continue}memberIndex=mIdxbreak}}ifbindingIndex==-1{fmt.Fprintf(w,"Role %q not found. Member not removed.\n",role)return}ifmemberIndex==-1{fmt.Fprintf(w,"Role %q found. Member not found.\n",role)return}members:=removeIdx(bindings[bindingIndex].Members,memberIndex)bindings[bindingIndex].Members=membersiflen(members)==0{bindings=removeIdx(bindings,bindingIndex)policy.Bindings=bindings}fmt.Fprintf(w,"Role %q found. Member removed.\n",role)}// removeIdx removes arr[idx] from arr.funcremoveIdx[Tany](arr[]T,idxint)[]T{returnappend(arr[:idx],arr[idx+1:]...)}

Java

To learn how to install and use the client library for IAM, seeIAM client libraries. For more information, see theIAMJava API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, seeBefore you begin.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

importcom.google.iam.v1.Binding;importcom.google.iam.v1.Policy;importjava.io.IOException;importjava.util.ArrayList;importjava.util.List;publicclassRemoveMember{publicstaticvoidmain(String[]args)throwsIOException{// TODO(developer): Replace the variables before running the sample.// TODO: Replace with your policy, GetPolicy.getPolicy(projectId, serviceAccount).Policypolicy=Policy.newBuilder().build();// TODO: Replace with your role.Stringrole="roles/existing-role";// TODO: Replace with your principal.// For examples, see https://cloud.google.com/iam/docs/principal-identifiersStringmember="principal-id";removeMember(policy,role,member);}// Removes principal from a role; removes binding if binding contains no members.publicstaticPolicyremoveMember(Policypolicy,Stringrole,Stringmember){// Creating new builder with all values copied from origin policyPolicy.BuilderpolicyBuilder=policy.toBuilder();// Getting binding with suitable role.Bindingbinding=null;for(Bindingb:policy.getBindingsList()){if(b.getRole().equals(role)){binding=b;break;}}if(binding!=null &&binding.getMembersList().contains(member)){List<String>newMemberList=newArrayList<>(binding.getMembersList());// Removing principal from the rolenewMemberList.remove(member);System.out.println("Member "+member+" removed from "+role);// Adding all remaining principals to create new bindingBindingnewBinding=binding.toBuilder().clearMembers().addAllMembers(newMemberList).build();List<Binding>newBindingList=newArrayList<>(policyBuilder.getBindingsList());// Removing old binding to replace with new onenewBindingList.remove(binding);// If binding has no more members, binding will not be addedif(!newBinding.getMembersList().isEmpty()){newBindingList.add(newBinding);}// Update the policy to remove the principal.policyBuilder.clearBindings().addAllBindings(newBindingList);}PolicyupdatedPolicy=policyBuilder.build();System.out.println("Exising principals: "+updatedPolicy.getBindingsList());returnupdatedPolicy;}}

Python

To learn how to install and use the client library for IAM, seeIAM client libraries. For more information, see theIAMPython API reference documentation.

To authenticate to IAM, set up Application Default Credentials. For more information, seeBefore you begin.

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

fromgoogle.iam.v1importpolicy_pb2fromsnippets.get_policyimportget_project_policyfromsnippets.set_policyimportset_project_policydefmodify_policy_remove_principal(project_id:str,role:str,principal:str)->policy_pb2.Policy:"""Remove a principal from certain role in project policy.    project_id: ID or number of the Google Cloud project you want to use.    role: role to revoke.    principal: The principal to revoke access from.    For principal ID formats, see https://cloud.google.com/iam/docs/principal-identifiers    """policy=get_project_policy(project_id)forbindinpolicy.bindings:ifbind.role==role:ifprincipalinbind.members:bind.members.remove(principal)breakreturnset_project_policy(project_id,policy,False)

REST

Revoke a role by editing the JSON or YAML allow policy returned by theget-iam-policy command. This change won't take effect until youset the updated allow policy.

To revoke a role from a principal, delete the principal or binding from thebindings array for the allow policy.

1. In the Google Cloud console, activate Cloud Shell.

   Activate Cloud Shell

   At the bottom of the Google Cloud console, aCloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

2. To set the allow policy for the resource, run theset-iam-policy command for the resource:

   gcloudRESOURCE_TYPEset-iam-policyRESOURCE_IDPATH

   Provide the following values:

   • RESOURCE_TYPE: The type of the resource that you want to set the allow policy for. Use one of the following values:projects,resource-manager folders, ororganizations.

   • RESOURCE_ID: Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, likemy-project. Folder and organization IDs are numeric, like123456789012.

   • PATH: The path to a file that contains the new allow policy.

   The response contains the updated allow policy.

   For example, the following command sets the allow policy stored inpolicy.json as the allow policy for the projectmy-project:

   gcloudprojectsset-iam-policymy-project~/policy.json

Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.

C#

usingGoogle.Apis.Auth.OAuth2;usingGoogle.Apis.CloudResourceManager.v1;usingGoogle.Apis.CloudResourceManager.v1.Data;publicpartialclassAccessManager{publicstaticPolicySetPolicy(stringprojectId,Policypolicy){varcredential=GoogleCredential.GetApplicationDefault().CreateScoped(CloudResourceManagerService.Scope.CloudPlatform);varservice=newCloudResourceManagerService(newCloudResourceManagerService.Initializer{HttpClientInitializer=credential});returnservice.Projects.SetIamPolicy(newSetIamPolicyRequest{Policy=policy},projectId).Execute();}}

Java

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

The following example shows how to set the allow policy for a project. To learn how to set the allow policy of a folder or organization, review theResource Manager client library documentation for your programming language.

importcom.google.cloud.resourcemanager.v3.ProjectsClient;importcom.google.iam.admin.v1.ProjectName;importcom.google.iam.v1.Policy;importcom.google.iam.v1.SetIamPolicyRequest;importcom.google.protobuf.FieldMask;importjava.io.IOException;importjava.util.Arrays;importjava.util.List;publicclassSetProjectPolicy{publicstaticvoidmain(String[]args)throwsIOException{// TODO(developer): Replace the variables before running the sample.// TODO: Replace with your project ID.StringprojectId="your-project-id";// TODO: Replace with your policy, GetPolicy.getPolicy(projectId, serviceAccount).Policypolicy=Policy.newBuilder().build();setProjectPolicy(policy,projectId);}// Sets a project's policy.publicstaticPolicysetProjectPolicy(Policypolicy,StringprojectId)throwsIOException{// Initialize client that will be used to send requests.// This client only needs to be created once, and can be reused for multiple requests.try(ProjectsClientprojectsClient=ProjectsClient.create()){List<String>paths=Arrays.asList("bindings","etag");SetIamPolicyRequestrequest=SetIamPolicyRequest.newBuilder().setResource(ProjectName.of(projectId).toString()).setPolicy(policy)// A FieldMask specifying which fields of the policy to modify. Only// the fields in the mask will be modified. If no mask is provided, the// following default mask is used:// `paths: "bindings, etag"`.setUpdateMask(FieldMask.newBuilder().addAllPaths(paths).build()).build();returnprojectsClient.setIamPolicy(request);}}}

Python

To authenticate to Resource Manager, set up Application Default Credentials. For more information, seeBefore you begin.

To learn how to install and use the client library for Resource Manager, seeResource Manager client libraries.

The following example shows how to set the allow policy for a project. To learn how to set the allow policy of a folder or organization, review theResource Manager client library documentation for your programming language.

fromgoogle.cloudimportresourcemanager_v3fromgoogle.iam.v1importiam_policy_pb2,policy_pb2defset_project_policy(project_id:str,policy:policy_pb2.Policy,merge:bool=True)->policy_pb2.Policy:"""    Set policy for project. Pay attention that previous state will be completely rewritten.    If you want to update only part of the policy follow the approach read->modify->write.    For more details about policies check out https://cloud.google.com/iam/docs/policies    project_id: ID or number of the Google Cloud project you want to use.    policy: Policy which has to be set.    merge: The strategy to be used forming the request. CopyFrom is clearing both mutable and immutable fields,    when MergeFrom is replacing only immutable fields and extending mutable.    https://googleapis.dev/python/protobuf/latest/google/protobuf/message.html#google.protobuf.message.Message.CopyFrom    """client=resourcemanager_v3.ProjectsClient()request=iam_policy_pb2.GetIamPolicyRequest()request.resource=f"projects/{project_id}"current_policy=client.get_iam_policy(request)# Etag should as fresh as possible to lower chance of collisionspolicy.ClearField("etag")ifmerge:current_policy.MergeFrom(policy)else:current_policy.CopyFrom(policy)request=iam_policy_pb2.SetIamPolicyRequest()request.resource=f"projects/{project_id}"# request.etag field also will be merged which means you are secured from collision,# but it means that request may fail and you need to leverage exponential retries approach# to be sure policy has been updated.request.policy.CopyFrom(current_policy)policy=client.set_iam_policy(request)returnpolicy

REST

The Resource Manager API'ssetIamPolicy method sets the policy in the request as the new allow policy for the project, folder, or organization.

Before using any of the request data, make the following replacements:

• API_VERSION: The API version to use. Forprojects and organizations, usev1. For folders, usev2.
• RESOURCE_TYPE: The resource type whosepolicy you want to manage. Use the valueprojects,folders, ororganizations.
• RESOURCE_ID: Your Google Cloudproject, organization, or folder ID. Project IDs are alphanumeric strings, likemy-project. Folder and organization IDs are numeric, like123456789012.

• POLICY: A JSON representation of the policy that youwant to set. For more information about the format of a policy, see thePolicy reference.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy

Request JSON body:

{  "policy":POLICY}

To send your request, expand one of these options:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy"

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy" | Select-Object -Expand Content

The response contains the updated allow policy.