Manage access to custom images

To let users create, delete, use, or share your custom images, you mustgrant them the appropriate Identity and Access Management (IAM) roles. This documentdescribes the required IAM permissions for creating and managingcustom images and how to give them to users.

For general information about granting access toCompute Engine resources, seeManaging access to Compute Engine resources.For information about IAM, read theIAMdocumentation.

Before you begin

Required roles

To get the permissions that you need to manage access to custom images, ask your administrator to grant you the following IAM roles:

For more information about granting roles, seeManage access to projects, folders, and organizations.

These predefined roles contain the permissions required to manage access to custom images. To see the exact permissions that are required, expand theRequired permissions section:

Required permissions

The following permissions are required to manage access to custom images:

  • To give users or service accounts the permissions needed to create, share custom images:
    • resourcemanager.projects.getIamPolicy on the project
    • resourcemanager.projects.setIamPolicy on the project
  • To give users or service accounts the permissions needed to delete custom images:
    • resourcemanager.projects.getIamPolicy on the project
    • resourcemanager.projects.setIamPolicy on the project
    • compute.images.getIamPolicyon the image
    • compute.images.setIamPolicy on the image
  • To revoke user or service account access to custom images:
    • resourcemanager.projects.getIamPolicy on the project
    • resourcemanager.projects.setIamPolicy on the project
  • To create an instance using a shared image:
    • compute.instances.create on the project
    • To use a custom image to create the VM:compute.images.useReadOnly on the image
    • To use a snapshot to create the VM:compute.snapshots.useReadOnly on the snapshot
    • To use an instance template to create the VM:compute.instanceTemplates.useReadOnly on the instance template
    • To assign alegacy network to the VM:compute.networks.use on the project
    • To specify a static IP address for the VM:compute.addresses.use on the project
    • To assign an external IP address to the VM when using a legacy network:compute.networks.useExternalIp on the project
    • To specify a subnet for the VM:compute.subnetworks.use on the project or on the chosen subnet
    • To assign an external IP address to the VM when using a VPC network:compute.subnetworks.useExternalIp on the project or on the chosen subnet
    • To set VM instance metadata for the VM:compute.instances.setMetadata on the project
    • To set tags for the VM:compute.instances.setTags on the VM
    • To set labels for the VM:compute.instances.setLabels on the VM
    • To set a service account for the VM to use:compute.instances.setServiceAccount on the VM
    • To create a new disk for the VM:compute.disks.create on the project
    • To attach an existing disk in read-only or read-write mode:compute.disks.use on the disk
    • To attach an existing disk in read-only mode:compute.disks.useReadOnly on the disk

You might also be able to get these permissions withcustom roles or otherpredefined roles.

Limitations

On images, you can't grant roles to the special member typeallUsers.

Give permission to create custom images

You can give users the ability to createcustom imagesin your organization or project.

Compute Engine offers the predefinedCompute Storage Admin role(roles/compute.storageAdmin)that you can assign to users so that they can create, delete, and managestorage-related resources, including images, disks, and snapshots. If you need arole that allows for only image creation, you must create acustomrole. In your customrole, include the following permissions:

  • compute.images.create to create new images
  • compute.images.list to list images in the project
  • compute.disks.use if the image is created from a disk
  • compute.disks.list if users need to list all disks in a project

If you give a user the ability to create custom images at the organizationlevel, the user can create custom images for any project within theorganization.

Console

  1. In the Google Cloud console, go to theIAM page for theproject or organization.

    Go to IAM

  2. To add a new member, clickGrant access.

  3. In theNew principals field, enter the email address of the identitythat you want to grant access to.

    For example:

    • Google Account email:test-user@gmail.com
    • Google group:admins@googlegroups.com
    • Identity from anexternal identity provider:principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com
    • Service account:server@example.gserviceaccount.com
    • Google Workspace domain:example.com

  4. In theSelect a role list, selectCompute Engine>Compute Storage Admin, or select a custom role if you created one.

  5. Optional: To further control user's access to Google Cloud resources,add conditional role binding.

  6. Save your changes.

gcloud

To grant theroles/compute.storageAdmin role at an organization level, usethegcloud organizations add-iam-policy-binding command:

gcloud organizations add-iam-policy-bindingORGANIZATION_ID \    --member='MEMBER' \    --role='roles/compute.storageAdmin'

To grant theroles/compute.storageAdmin role at a project level, use thegcloud projects add-iam-policy-binding command:

gcloud projects add-iam-policy-bindingPROJECT_ID \    --member='MEMBER' \    --role='roles/compute.storageAdmin'

Replace the following:

  • ORGANIZATION_ID orPROJECT_ID:the organization ID or the project ID—for example,my-organization-1ormy-project-1

  • MEMBER: a valid identity to which you want togrant the role

    For example:

    • Google Account email:user:user@gmail.com
    • Google group:group:admins@googlegroups.com
    • Identity from anexternal identity provider:principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com
    • Service account:serviceAccount:server@example.gserviceaccount.com
    • Google Workspace domain:domain:example.com

REST

  1. Read the existing policy with the resource'sgetIamPolicy method. Forprojects, use theprojects.getIamPolicy method.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy

    ReplacePROJECT_ID with the projectID—for example,my-project-1.

    For organizations, use theorganizations.getIamPolicy method.

    POST https://cloudresourcemanager.googleapis.com/v1/organizations/ORGANIZATION_ID:getIamPolicy

    ReplaceORGANIZATION_ID with the organizationID—for example,123456578920.

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, edit the policy witha text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant theroles/compute.storageAdmin role togroup:admins@example.com, add the following binding to the policy:

    { "members": [   "group:admins@example.com" ], "role":"roles/compute.storageAdmin"}

  3. Write the updated policy by using thesetIamPolicy method.

    For example, to seta policy at the project level, use theproject.setIamPolicymethod. Inthe body of the request, provide the updated IAM policyfrom the previous step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy

    Replace thePROJECT_ID with the project ID.

Give permissions to delete custom images

Depending on your needs, you can give users permission to do the following:

  • Delete a specific image
  • Delete images owned by a specific project
  • Delete images for any project in an organization

Giving permission at the project level lets users delete all images owned bythat project. Giving permission at the organization level lets the user deleteany images owned by that organization, regardless of the project.

Compute Engine offers the predefinedCompute Storage Adminrole(roles/compute.storageAdmin) that you can assign to users so that they cancreate, delete, and manage storage-related resources, including images, disks,and snapshots. If you need a role that allows for only image deletion, you mustcreate acustom role.In your custom role, include the following permissions:

  • compute.images.delete to delete images
  • compute.images.list if users need to list images in the project ororganization

  • compute.images.get to get the images

Console

To give permission to delete specific images, do the following:

  1. In the Google Cloud console, go to theImages page.

    Go to Images

  2. Select the images that you want to give permissions to.

  3. To expand the permissions column, clickShow info panel.

  4. To add one or more members, clickAdd principal.

  5. In theNew principals field, enter the email address of the identity youwant to share the image with.

    For example:

    • Google Account email:test-user@gmail.com
    • Google group:admins@googlegroups.com
    • Identity from anexternal identity provider:principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com
    • Service account:server@example.gserviceaccount.com
    • Google Workspace domain:example.com

  6. In theRole list, hold the pointer overCompute Engine and selectStorage Admin, or select a custom role from theCustom list.

  7. Optional: To further control user's access to Google Cloud resources,add conditional role binding.

  8. Save your changes.

To give permission to delete images for a project or organization, do thefollowing:

  1. Go to theIAM page for the project or organization.

    Go to IAM

  2. ClickGrant access.

  3. In theNew principals field, enter the email address of the identity youwant to grant access to. For example:

    • Google Account email:test-user@gmail.com
    • Google group:admins@googlegroups.com
    • Identity from anexternal identity provider:principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com
    • Service account:server@example.gserviceaccount.com
    • Google Workspace domain:example.com

  4. In theRole list, hold the pointer overCompute Engine and selectStorage Admin, or select a custom role from theCustom list.

  5. Optional: To further control user's access to Google Cloud resources,add conditional role binding.

  6. Save your changes.

gcloud

To give permissions to delete images at the organization level, use thegcloud organizations add-iam-policy-bindingcommand:

gcloud organizations add-iam-policy-bindingORGANIZATION_ID \    --member='MEMBER' \    --role='ROLE'

To give permissions to delete images on a project level, use thegcloudprojects add-iam-policy-bindingcommand:

gcloud projects add-iam-policy-bindingPROJECT_ID \    --member='MEMBER' \    --role='ROLE'

To give permissions to delete a specific image, use thegcloud computeimages add-iam-policy-bindingcommand:

gcloud compute images add-iam-policy-bindingIMAGE_NAME \    --member='MEMBER' \    --role='ROLE'

Replace the following:

  • ORGANIZATION_ID orPROJECT_ID orIMAGE_NAME:the 12-digit numeric organization ID, the project ID, or the imagename—for example,123456578920,my-project-1, ormy-custom-image

  • MEMBER: a valid identity to which you want togrant the role

    For example:

    • Google Account email:user:user@gmail.com
    • Google Group:group:admins@googlegroups.com
    • Identity from anexternal identity provider:principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com
    • Service account:serviceAccount:server@example.gserviceaccount.com
    • Google Workspace domain:domain:example.com

  • ROLE: the role to assign to thisidentity—for example, theroles/compute.storageAdmin role, or acustom role such asroles/customImageDeletionRole

REST

  1. Read the existing policy with the resource's respectivegetIamPolicymethod. For projects, use theprojects.getIamPolicymethod:

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy

    ReplacePROJECT_ID with the project ID.

    For organizations, use theorganizations.getIamPolicy method:

    POST https://cloudresourcemanager.googleapis.com/v1/organizations/ORGANIZATION_ID:getIamPolicy

    ReplaceORGANIZATION_ID with the 12-digitnumeric organization ID.

    For a specific image, use theimages.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, you can edit thepolicy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grant theroles/compute.storageAdmin role touser:test-email@example.com, add the following binding to thepolicy:

    { "members": [   "user:test-email@example.com" ], "role":"roles/compute.storageAdmin"}

  3. Write the updated policy by using thesetIamPolicy method.

    For example, to set a policy at a project level, use theproject.setIamPolicy method.In the body of the request, provide the updated IAM policyfrom the previous step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy

    ReplacePROJECT_ID with the project ID.

Give permissions to share custom images within an organization

If your project belongs to an organization, the organization can have severalother projects with varying levels of access to other projects. When you createcustom images, you can share these images with other users from otherprojects within the organization.

Compute Engine offers the following predefined IAM rolesthat you can use for image management:

  • Compute Image User (roles/compute.imageUser): permission to list, read, anduse images in your requests, without having other permissions on the image
  • Compute Storage Admin (roles/compute.storageAdmin): permissions to create,modify, and delete disks, images, and snapshots

Alternatively, you can also create your owncustom IAM role.

As a best practice, we recommend that you keep all your custom images in asingle project dedicated to host these images.This practice improves the management of those images, and lets you grantspecific teams access to only the images that they need. You can also grantteams access to the entire image project, but because team access to the entireimage project violates the principle of least privilege, we do not recommend it.

The example below shows how to add a group so that users of that group haveaccess to the image.

Console

  1. In the Google Cloud console, go to theImages page.

    Go to Images

  2. Select the image that you want to share with other users.

  3. To expand the permissions column, clickShow info panel.

  4. To add one or more members, clickAdd principal.

  5. In theNew principals field, enter the email address of the identity youwant to share the image with.

    For example:

    • Google Account email:test-user@gmail.com
    • Google group:admins@googlegroups.com
    • Identity from anexternal identity provider:principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com
    • Service account:server@example.gserviceaccount.com
    • Google Workspace domain:example.com

  6. In theRole list, hold the pointer overCompute Engine and selectImage User orStorage Admin, or select a custom role.

  7. Optional: To further control user's access to Google Cloudresources,add conditional role binding.

  8. Save your changes.

To let users launch shared custom images from the Google Cloud console,grant users the Viewer IAM role (roles/viewer) for theimage project. Granting this role helps ensure that the shared images appearin the image selection list.

  1. In the Google Cloud console, go to theIAM page.

    Go to IAM

  2. ClickGrant access.

  3. In theNew principals field, enter the email address of the identity youwant to share the image with. For example:

    • Google Account email:test-user@gmail.com
    • Google group:admins@googlegroups.com
    • Identity from anexternal identity provider:principal://iam.googleapis.com/locations/global/workforcePools/altostrat-contractors/subject/raha@altostrat.com
    • Service account:server@example.gserviceaccount.com
    • Google Workspace domain:example.com

  4. In theRole list, hold the pointer overProject and selectViewer.

  5. Optional: To further control user's access to Google Cloudresources,add conditional role binding.

  6. Save your changes.

gcloud

To update the IAM policy for a specific image, use thegcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-bindingIMAGE_NAME \    --member='MEMBER' \    --role='ROLE'

Replace the following:

  • IMAGE_NAME: the name of theimage—for example,custom-centos-8

  • MEMBER: a valid identity for which you want togrant the role

    For example:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

  • ROLE: the role to assign this identity to, such asroles/compute.imageUser,roles/compute.storageAdmin, or a custom role

Optionally, to let users see these shared images in theirimages.listrequests, grant users the Viewer IAM role (roles/viewer)for the image project by using thegcloud projects add-iam-policy-bindingcommand. If you don'tneed your users to be able to view the list of shared images, you can skipthis step.

gcloud projects add-iam-policy-bindingPROJECT_ID \    --member='MEMBER' \    --role='roles/viewer'

REST

  1. Read the existing policy with the resource'sgetIamPolicymethod. For example, to get the policy on a specific image, use theimages.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, edit the policy with atext editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grantroles/compute.imageUser totest-email@example.com,add the following binding to the policy:

    { "members": [   "user:test-email@example.com" ], "role":"roles/compute.imageUser"}

  3. Write the updated policy by using thesetIamPolicy method. For example,to set policy on a specific image, use theproject.setIamPolicymethod.In the body of the request, provide the updated IAM policyfrom the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

Optionally, to let users see these shared images in theirimages.listrequests, grant users the Viewer IAM role (roles/viewer) for theimage project by using theprojects.setIamPolicy method.If you don't need your users to be able to view the list of shared images,you can skip this step.

POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy

Give permissions to share custom images between organizations

Creating a catalog of custom images can be useful for sharing images withpartners, users, or contractors that are outside of your organization. To shareyour images with users outside of the organization, add them as Image Usersto your project:

Console

  1. In the Google Cloud console, go to theImages page.

    Go to Images

  2. Select the image that you want to share with other users.

  3. To expand the permissions column, clickShow info panel.

  4. To add one or more members, clickAdd principal.

  5. In theNew principals field, enter the email address of the group youwant to share the image with. For example,admins@example.com.

  6. In theRole list, hold the pointer overCompute Engine and selectCompute Image User.

  7. Optional: To further control user's access to Google Cloudresources,add conditional role binding.

  8. Save your changes.

To let users launch shared custom images from the Google Cloud console,grant users the Viewer IAM role (roles/viewer) for theimage project. Grantingthis role helps ensure that the shared images appear in the image selectionlist.

  1. In the Google Cloud console, go to theIAM page.

    Go to IAM

  2. ClickGrant access.

  3. In theNew principals field, enter the email address of the identity youwant to share the image with. For example,admins@example.com.

  4. In theRole list, hold the pointer overProject and selectViewer.

  5. Optional: To further control user's access to Google Cloudresources,add conditional role binding.

  6. Save your changes.

gcloud

To grant theroles/compute.imageUser role to users, use thegcloudcompute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-bindingIMAGE_NAME \    --member='MEMBER' \    --role='roles/compute.imageUser'

Replace the following:

  • IMAGE_NAME: the name of the image—forexample,custom-centos-8
  • MEMBER: a valid identity for which you want togrant the role—for example,group:admins@example.com

Optionally, to let users see these shared images in theirimages.listrequests, grant users the Viewer IAM role (roles/viewer)for the image project by using thegcloud projects add-iam-policy-bindingcommand. If youdon't need your users to be able to view the list of shared images, you canskip this step.

gcloud projects add-iam-policy-bindingPROJECT_ID \    --member='MEMBER' \    --role='roles/viewer'

REST

  1. Read the existing policy with the resource'sgetIamPolicymethod. For example, to get the policy on a specific image, use theimages.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, you can edit thepolicy with a text editor. Use the following format to add members:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

    For example, to grantroles/compute.imageUser totest-user@example.com, add the following binding to the policy:

    {  "members": [    "user:test-user@example.com"  ],  "role":"roles/compute.imageUser"}

  3. Write the updated policy by using thesetIamPolicy method. For example,to set a policy on a specific image, use theimages.setIamPolicymethod.In the body of the request, provide the updated IAM policyfrom the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Optionally, to let users see these shared images in theirimages.listrequests, grant users the Viewer IAM role (roles/viewer)for the image project by using theprojects.setIamPolicymethod. If youdon't need your users to be able to view the list of shared images, you canskip this step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy

Give permissions to share custom images publicly

You can share your custom images with all authenticated Compute Engineusers, regardless of whether they are part of your organization or project.

You can only share resources, such as images, with all authenticated users;you cannot share projects or organizations with all authenticatedusers. This restriction, and the resource hierarchy, helps prevent anorganization from inadvertently sharing their entire project with allauthenticated Compute Engine users.

The following example shows how to grant all authenticated Compute Engineusers the Compute Image User role (roles/compute.imageUser) to a custom image.

Caution: Publicly shared images do not appear in the images list for users.Users must know the image name explicitly. Users cannot rely on getting theinformation by making animages.list request.

gcloud

To make images public, use thegcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-bindingIMAGE_NAME \    --member='allAuthenticatedUsers' \    --role='roles/compute.imageUser'

ReplaceIMAGE_NAME with the name of the resource—for example,my_image.

REST

  1. Read the existing policy with thegetIamPolicymethod. For example, to get the policy on a specific image, use theimages.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To add or remove members and their associated roles, edit the policy with a text editor:

    { "members": [   "allAuthenticatedUsers" ], "role":"roles/compute.imageUser"}

  3. Write the updated policy by using thesetIamPolicy method. For example,to set a policy on a specific image, use theimages.setIamPolicymethod.In the body of the request, provide the updated IAM policyfrom the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the project this image belongs to
    • IMAGE_NAME: the name of the image

Grant a managed instance group access to images

Compute Engine lets you create groups of instances, either asmanaged orunmanagedinstance groups. If you create a managed instance group (MIG),Compute Engine uses theGoogle APIs Service Agentto call the Compute Engine API and perform actions related tothe group, such as recreating unhealthy instances and updating instances.

If you want to create a MIG using an image from anotherproject, grant the Compute Image User role (roles/compute.imageUser) to theAPIs service account belonging to the project that creates the MIG. For example:

  1. Project A wants to create a MIG using images owned byProject B.
  2. Project B grants Project A's service account the Compute Image User role.
  3. Project A can now use images from Project B to create MIGs.

After granting the Compute Image User role, you can access the imagefrom the other projects by using the console or the image's URL when youcreate theinstance templatefor the managed group.

Get the email address of the service account

  1. In the Google Cloud console, go to theIAM page of the project whoseservice account you want to grant access to.

    Go to IAM

  2. If prompted, select your project from the list.

  3. Look for theGoogle APIs Service Agent, which has the emailaddress in the following format:

    PROJECT_NUMBER@cloudservices.gserviceaccount.com
    Note: This email address requires the projectnumber, not theproject ID. To learn how to identify the project number, seeIdentifying projects.

After retrieving the email address of the service account, you can go to one ofthe following sections:

Grant a MIG access to all images in a project

Now that you have the email address of a service account, you can add theaddress to another project and grant it the Compute Image User role(roles/compute.imageUser).

Console

  1. In the Google Cloud console, go to theIAM page of the imageproject.

    Go to IAM

  2. To add a new member, clickGrant access.

  3. In theNew principals field, add the service account email address.

  4. In theRole list, hold the pointer overCompute and selectCompute Image User.

  5. Optional: To further control user's access to Google Cloudresources,add conditional role binding.

  6. ClickSave.

  7. Switch back to the service account's project.

You can nowcreate an instance templatebased on an image from the image project andcreate a MIGbased on the instance template.

gcloud

Add a service account from image project using thegcloud projectsadd-iam-policy-binding command:

gcloud projects add-iam-policy-bindingPROJECT_ID \    --member='serviceAccount:SERVICE_ACCOUNT_EMAIL' --role='roles/compute.imageUser'

Replace the following:

  • PROJECT_ID: the ID of the project containingimages you want to share
  • SERVICE_ACCOUNT_EMAIL: the email of theservice account

You can nowcreate an instance templatebased on an image from the image project andcreate a MIGbased on the instance template.

REST

  1. Get the IAM policy of the image project, by using theprojects.getIamPolicy method:

     POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:getIamPolicy

    ReplacePROJECT_ID with the project ID of theimage project.

  2. To grant theroles/compute.imageUser role to the service account, edit the policy with a text editor:

    {  "bindings": [     {      "role": "roles/compute.imageUser",      "members": [        "serviceAccount:SERVICE_ACCOUNT_EMAIL"      ]    }  ]}

    Replace theSERVICE_ACCOUNT_EMAIL with theservice account email.

  3. Write the updated policy by using theprojects.setIamPolicy.In the body of the request, provide the updated IAM policyfrom the previous step.

    POST https://cloudresourcemanager.googleapis.com/v1/projects/PROJECT_ID:setIamPolicy

    ReplacePROJECT_ID with the product ID of theimage project.

    You can nowcreate an instance templatebased on an image from the image project andcreate a MIGbased on the instance template.

Grant a MIG access to specific images in a project

Now that you have the email address of a service account, you can add theaddress to another project and grant the Compute Image User role (roles/compute.imageUser)for certain images.

Console

  1. In the Google Cloud console, go to theImages page of the imageproject.

    Go to Images

  2. Select the checkboxes next to the images you want to share.

  3. To expand the permissions column, clickShow info panel.

  4. In thePermissions panel, clickAdd principal.

  5. In theNew principals field, enter the service account email that you want to share the image with.For example,test123@example.domain.com.

  6. In theRole list, chooseCompute and selectCompute Image User.

  7. Optional: To further control user's access to Google Cloud resources,add conditional role binding.

  8. ClickSave.

  9. Switch back to the service account's project.

You can nowcreate an instance templatebased on an image from the image project andcreate a MIGbased on the instance template.

gcloud

To grant a service account access to a specific image, use thegcloud compute images add-iam-policy-binding command:

gcloud compute images add-iam-policy-bindingIMAGE_NAME \    --member='serviceAccount:SERVICE_ACCOUNT_EMAIL' \    --role='roles/compute.imageUser'

Replace the following:

  • IMAGE_NAME: the image name you want to share
  • SERVICE_ACCOUNT_EMAIL: the email of theservice account

You can nowcreate an instance templatebased on an image from the image project andcreate a MIGbased on the instance template.

REST

  1. Get the IAM policy of an image by using theimages.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the imageproject
    • IMAGE_NAME: the name of the image you wantto share

  2. To grant theroles/compute.imageUser role to the service account, editthe policy with a text editor:

    {  "bindings": [     {      "role": "roles/compute.imageUser",      "members": [        "serviceAccount:SERVICE_ACCOUNT_EMAIL"      ]    }  ]}

    Replace theSERVICE_ACCOUNT_EMAIL with theservice account email.

  3. Write the updated policy by using theimages.setIamPolicy method.In the body of the request, provide the updated IAM policyfrom the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:setIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID of the imageproject
    • IMAGE_NAME: the name of the image you wantto share

    You can nowcreate an instance templatebased on an image from the image project andcreate a MIGbased on the instance template.

Control the use of your shared images and snapshots

After sharing your images with other users, you can control where those usersemploy those resources within your organization. Set theconstraints/compute.storageResourceUseRestrictions constraintto define the projects where users are permitted to use your storage resources.

You must have permission to modify your organization's policies to set theseconstraints. For example, theresourcemanager.organizationAdmin rolehas permission to set these constraints.

  1. Find the organization ID for your organization by using thegcloudorganization list command:

    gcloud organizations list

  2. Get the existing policy settings for your organization by using thegcloudresource-manager org-policies describe command:

    gcloud resource-manager org-policies describe \    compute.storageResourceUseRestrictions \    --organizationORGANIZATION_ID > org-policy.yaml

    ReplaceORGANIZATION_ID with your 12-digit numericorganization ID.

  3. Open theorg-policy.yaml file in a text editor and modify thecompute.storageResourceUseRestrictions constraint. Add the restrictionsthat you need, or remove the restrictions that you no longer require.When you finish editing the file, save your changes. For example,you might set the following constraint entry in your policy file:

    constraint: compute.storageResourceUseRestrictionslistPolicy:  allowedValues:    - under:organization/organization-id
    Note: You can also specify a folder ID using theunder:folder/FOLDER_ID format to organizeall projects into a folder.

  4. Apply theorg-policy.yaml file to your organization by using thegcloud resource-manager org-policies set-policy command:

    gcloud resource-manager org-policies set-policy \   --organization=ORGANIZATION_ID org-policy.yaml

    ReplaceORGANIZATION_ID with your 12-digit numericorganization ID.

When you finish configuring the constraints in your organization policy, testthose constraints to ensure that they create the restrictions that you want.

Use images from another project

If someone grants you access to one or more images in another project,you can access these images in the project by specifying the image project inyour requests.

For example, to create an instance using a shared image from another project,follow the steps listed inCreate an instance from a shared image.

You can also create boot disk volumes from images in another project. Forinformation about creating a boot disk from an image, seeCreating a standalone boot persistent disk.

Revoke access to shared images

After a user no longer needs access to your Compute Engine resources,revoke their access by using the Google Cloud console, the Google Cloud CLI, orREST.

Console

  1. In the Google Cloud console, go to theImages page of the imageproject.

    Go to Images

  2. Select the checkboxes next to the images you want to update.

  3. To expand the permissions column, clickShow info panel.

  4. Expand the role for which you want to remove users.

  5. To remove a user from that role, clickDelete.

gcloud

To remove a user from a role on an image, use thegcloud compute imagesremove-iam-policy-bindingcommandwith the--member and--role flags:

gcloud compute images remove-iam-policy-bindingIMAGE_NAME \    --member='MEMBER' \    --role='ROLE'

Replace the following:

  • IMAGE_NAME: the name of the image—forexample,my_image

  • MEMBER: the identity you want to remove

    Must be of the formuser|group|serviceAccount:email ordomain:domain.For example:

    • user:test-user@gmail.com
    • group:admins@example.com
    • serviceAccount:test123@example.domain.com
    • domain:example.domain.com

  • ROLE: the role from which you want to removethe identity

If you are revoking access to a resource that is in beta, useagcloud beta compute command instead.

REST

  1. Read the existing policy with theimages.getIamPolicy method:

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/images/IMAGE_NAME:getIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID this imagebelongs to
    • IMAGE_NAME: the name of the image

    Compute Engine returns the current policy in the response.

  2. To remove members and their associated roles, edit the policy with a texteditor.

  3. Write the updated policy by using theimages.setIamPolicy method.In the body of the request, provide the updated IAM policyfrom the previous step.

    POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/zones/global/images/IMAGE_NAME:setIamPolicy

    Replace the following:

    • PROJECT_ID: the project ID this imagebelongs to
    • IMAGE_NAME: the name of the image

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.