Manage access to other resources

This page describes the general process for granting, changing, and revoking access to resources that accept allow policies.

Note: The process for managing access to certain resources might vary slightly from the process described on this page. For resource-specific instructions, see the following guides:

In Identity and Access Management (IAM), access is granted through allow policies, also known as IAM policies. An allow policy is attached to a Google Cloud resource. Each allow policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role. These role bindings grant the specified roles to the principals, both on the resource that the allow policy is attached to and on all of that resource's descendants. For more information about allow policies, see Understanding allow policies.

Note: You can get AI-powered help from the IAM role picker (Preview) to find and grant the right predefined roles to your principals. For more information, see Get predefined role suggestions with Gemini assistance.

This page describes how to manage access to resources using the Google Cloud console, the Google Cloud CLI, and the REST API. You can also manage access using the Google Cloud client libraries.

Note: You can also use deny policies to prevent principals from using specific IAM permissions. For more information, see Deny policies.

Before you begin

Required roles

To manage access to a resource, you need permissions to get the resource, and to get and set the allow policy for the resource. These permissions have the following form, where SERVICE is the name of the service that owns the resource and RESOURCE_TYPE is the name of the resource type that you want to manage access to:

  • SERVICE.RESOURCE_TYPE.get
  • SERVICE.RESOURCE_TYPE.getIamPolicy
  • SERVICE.RESOURCE_TYPE.setIamPolicy

For example, to manage access to a Compute Engine instance, you need the following permissions:

  • compute.instances.get
  • compute.instances.getIamPolicy
  • compute.instances.setIamPolicy

To gain the required permissions, ask your administrator to grant you a predefined or custom role that includes the permissions. For example, your administrator could grant you the Security Admin role (roles/iam.securityAdmin), which includes permissions to manage access to almost all Google Cloud resources.

Note: When you create some resources, such as projects, roles might be automatically granted on the resources. These roles are granted even if you do not have permission to manage the allow policy for the new resource. For more information, see Default policies.

View current access

The following section shows you how to use the Google Cloud console, the gcloud CLI, and the REST API to view who has access to a resource. You can also view access by using the Google Cloud client libraries to get the resource's allow policy.

Note: If you grant access to a user's email alias or a secondary domain, then the values in your allow policy might not match the values that you initially entered. If you grant access to an email alias, then the allow policy displays the user's primary email address. If you grant access to a secondary domain, then the allow policy displays the primary domain.

Console

Note: The Google Cloud console shows access in a list form, rather than directly showing the resource's allow policy.
  1. In the Google Cloud console, go to the page that lists the resource that you want to view access to.

    For example, to manage access to a Compute Engine instance, go to the VM instances page.


  2. Select the checkbox next to the resource that you want to view access to.

  3. Ensure that the info panel is visible. If it is not visible, click Show info panel. The info panel's permissions tab lists all principals who have access to the resource.

    If the Show inherited permissions switch is on, the list includes principals with inherited roles; that is, principals whose access comes from roles on parent resources rather than roles on the resource itself. For more information about policy inheritance, see Policy inheritance and the resource hierarchy.

gcloud

To see who has access to your resource, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.

Note: A resource's allow policy does not show any roles gained through policy inheritance. To view inherited roles, use the Google Cloud console, or follow the instructions on Viewing effective IAM policies.

To get the allow policy for the resource, run the get-iam-policy command for the resource.

The format for this command varies depending on the resource type you're managing access to. To find the format for your resource, find the reference for the resource's get-iam-policy command in the Google Cloud CLI reference. This reference is organized by service, then resource. For example, to get the allow policy of a Compute Engine VM instance, follow the format described in the gcloud compute instances get-iam-policy reference.

Optionally, add the following arguments to the command to specify the format and export the results:

--format=FORMAT > PATH

Provide the following values:

  • FORMAT: The desired format for the policy. Use json or yaml.
  • PATH: The path to a new output file for the policy.

When you run the command, the resource's allow policy is either printed to the console or exported to the specified file.

REST

To see who has access to your resource, get the resource's allow policy. To learn how to interpret allow policies, see Understanding allow policies.

Note: A resource's allow policy does not show any roles gained through policy inheritance. To view inherited roles, use the Google Cloud console, or follow the instructions on Viewing effective IAM policies.

To get the resource's allow policy, use the resource's getIamPolicy method.

The HTTP method, URL, and request body depend on the resource that you want to view access to. To find these details, find the API reference for the service that owns the resource, then find the reference for the resource's getIamPolicy method. For example, the HTTP method, URL, and request body for a Compute Engine instance are specified in the instances getIamPolicy reference.

The response for any resource's getIamPolicy method contains the resource's allow policy.

Grant or revoke a single IAM role

You can use the Google Cloud console and the gcloud CLI to quickly grant or revoke a single role for a single principal, without editing the resource's allow policy directly. Common types of principals include Google Accounts, service accounts, Google groups, and domains. For a list of all principal types, see Principal types.

Note: If the iam.allowedPolicyMemberDomains organization policy constraint is enforced in your organization, then you might not be able to grant roles to newly created groups. If you get a failedPrecondition error when trying to grant a role to a newly created group, wait 24 hours, and then try granting the role again.

In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.

If you need help to identify the most appropriate predefined role, see Find the right predefined roles.

Grant a single IAM role

To grant a single role to a principal, do the following:

Console

  1. In the Google Cloud console, go to the page listing the resource that you want to view access to.

    For example, to manage access to a Compute Engine instance, go to the VM instances page.


  2. Select the checkbox next to the resource that you want to manage access to.

  3. Ensure that the info panel is visible. If it is not visible, click Show info panel.

  4. Select a principal to grant a role to:

  5. Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs.

  6. Optional: Add a condition to the role.

  7. Click Save. The principal is granted the role on the resource.

gcloud

To quickly grant a role to a principal, run the add-iam-policy-binding command.

The format for this command varies depending on the resource type you're managing access to. To find the format for your resource, find the reference for the resource's add-iam-policy-binding command in the Google Cloud CLI reference. This reference is organized by service, then resource. For example, to grant a principal a role on a Compute Engine instance, follow the format described in the gcloud compute instances add-iam-policy-binding reference.

Note: If you grant access to a user's email alias or a secondary domain, then the values in your allow policy might not match the values that you initially entered. If you grant access to an email alias, then the allow policy displays the user's primary email address. If you grant access to a secondary domain, then the allow policy displays the primary domain.

Revoke a single IAM role

To revoke a single role from a principal, do the following:

Console

  1. In the Google Cloud console, go to the page listing the resource that you want to revoke access from.

    For example, to manage access to a Compute Engine instance, go to the VM instances page.


  2. Select the checkbox next to the resource that you want to manage access to.

  3. Ensure that the info panel is visible. If it is not visible, click Show info panel.

  4. Find the row containing the principal whose access you want to revoke. Then click Edit principal in that row.

    Note: You cannot edit inherited roles when managing access to a resource. To edit inherited roles, go to the resource where the role was granted.

  5. Click the Delete button for the role that you want to revoke, and then click Save.

gcloud

To quickly revoke a role from a principal, run the remove-iam-policy-binding command.

The format for this command varies depending on the resource type you're managing access to. To find the format for your resource, find the reference for the resource's remove-iam-policy-binding command in the Google Cloud CLI reference. This reference is organized by service, then resource. For example, to revoke a role from a principal on a Compute Engine instance, follow the format described in the gcloud compute instances remove-iam-policy-binding reference.

Grant or revoke multiple IAM roles using Google Cloud console

You can use the Google Cloud console to grant and revoke multiple roles for a single principal:

  1. In the Google Cloud console, go to the page listing the resource that you want to view access to.

    For example, to manage access to a Compute Engine instance, go to the VM instances page.


  2. Select the checkbox next to the resource that you want to manage access to.

  3. If the info panel is not visible, click Show info panel.

  4. Select the principal whose roles you want to modify:

  5. Modify the principal's roles:

    You can also add a condition to a role, modify a role's condition, or remove a role's condition.

  6. Click Save.

Note: If you grant access to a user's email alias or a secondary domain, then the values in your allow policy might not match the values that you initially entered. If you grant access to an email alias, then the allow policy displays the user's primary email address. If you grant access to a secondary domain, then the allow policy displays the primary domain.

Grant or revoke multiple IAM roles programmatically

To make large-scale access changes that involve granting and revoking multiple roles for multiple principals, use the read-modify-write pattern to update the resource's allow policy:

  1. Read the current allow policy by calling getIamPolicy().
  2. Edit the allow policy, either by using a text editor or programmatically, to add or remove any principals or role bindings.
  3. Write the updated allow policy by calling setIamPolicy().

This section shows how to use the gcloud CLI and the REST API to update the allow policy. You can also update the allow policy using the Google Cloud client libraries.

Note: If the iam.allowedPolicyMemberDomains organization policy constraint is enforced in your organization, then you might not be able to grant roles to newly created groups. If you get a failedPrecondition error when trying to grant a role to a newly created group, wait 24 hours, and then try granting the role again.

In general, policy changes take effect within 2 minutes. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.

Get the current allow policy

gcloud

To get the allow policy for the resource, run the get-iam-policy command for the resource.

The format for this command varies depending on the resource type you're managing access to. To find the format for your resource, find the reference for the resource's get-iam-policy command in the Google Cloud CLI reference. This reference is organized by service, then resource. For example, to get the allow policy of a Compute Engine VM instance, follow the format described in the gcloud compute instances get-iam-policy reference.

Optionally, add the following arguments to the command to specify the format and export the results:

--format=FORMAT > PATH

Provide the following values:

  • FORMAT: The desired format for the allow policy. Use json or yaml.
  • PATH: The path to a new output file for the allow policy.

When you run the command, the resource's allow policy is either printed to the console or exported to the specified file.

REST

To get the resource's allow policy, use the resource's getIamPolicy method.

The HTTP method, URL, and request body depend on the resource that you want to view access to. To find these details, find the API reference for the service that owns the resource, then find the reference for the resource's getIamPolicy method. For example, the HTTP method, URL, and request body for a Compute Engine VM instance are specified in the instances getIamPolicy reference.

The response for any resource's getIamPolicy method contains the resource's allow policy. Save the response in a file of the appropriate type (json or yaml).

Modify the allow policy

Programmatically or using a text editor, modify the local copy of your resource's allow policy to reflect the roles you want to grant or revoke.

To ensure that you do not overwrite other changes, do not edit or remove the allow policy's etag field. The etag field identifies the current state of the allow policy. When you set the updated allow policy, IAM compares the etag value in the request with the existing etag, and only writes the allow policy if the values match.

Important: None of your changes will take effect until you set the updated allow policy.

To edit the roles that an allow policy grants, you need to edit the role bindings in the allow policy. Role bindings have the following format:

{
  "role": "ROLE_NAME",
  "members": [
    "PRINCIPAL_1",
    "PRINCIPAL_2",
    ...
    "PRINCIPAL_N"
  ],
  "condition": {
    CONDITIONS
  }
}

The placeholders have the following values:

  • ROLE_NAME: The name of the role that you want to grant. Use one of the following formats:

    • Predefined roles: roles/SERVICE.IDENTIFIER
    • Project-level custom roles: projects/PROJECT_ID/roles/IDENTIFIER
    • Organization-level custom roles: organizations/ORG_ID/roles/IDENTIFIER

    For a list of predefined roles, see Understanding roles.

  • PRINCIPAL_1, PRINCIPAL_2, ... PRINCIPAL_N: Identifiers for the principals that you want to grant the role to.

    Principal identifiers usually have the following form: PRINCIPAL-TYPE:ID. For example, user:my-user@example.com or principalSet://iam.googleapis.com/locations/global/workforcePools/example-pool/group/example-group@example.com. For a full list of the values that PRINCIPAL can have, see Principal identifiers.

    For the principal type user, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.

  • CONDITIONS: Optional. Any conditions that specify when access will be granted.

Grant a role

To grant roles to your principals, modify the role bindings in the allow policy. To learn what roles you can grant, see Understanding roles, or view grantable roles for the resource. If you need help to identify the most appropriate predefined roles, see Find the right predefined roles.

Optionally, you can use conditions to grant roles only when certain requirements are met.

To grant a role that is already included in the allow policy, add the principal to an existing role binding:

gcloud

Edit the allow policy by adding the principal to an existing role binding. Note that this change will not take effect until you set the updated allow policy.

For example, imagine the allow policy contains the following role binding, which grants the Compute Instance Admin role (roles/compute.instanceAdmin) to Kai:

{
  "role": "roles/compute.instanceAdmin",
  "members": [
    "user:kai@example.com"
  ]
}

To grant that same role to Raha, add Raha's principal identifier to the existing role binding:

{
  "role": "roles/compute.instanceAdmin",
  "members": [
    "user:kai@example.com",
    "user:raha@example.com"
  ]
}

REST

Edit the allow policy by adding the principal to an existing role binding. Note that this change will not take effect until you set the updated allow policy.

For example, imagine the allow policy contains the following role binding, which grants the Compute Instance Admin role (roles/compute.instanceAdmin) to Kai:

{
  "role": "roles/compute.instanceAdmin",
  "members": [
    "user:kai@example.com"
  ]
}

To grant that same role to Raha, add Raha's principal identifier to the existing role binding:

{
  "role": "roles/compute.instanceAdmin",
  "members": [
    "user:kai@example.com",
    "user:raha@example.com"
  ]
}

To grant a role that is not yet included in the allow policy, add a new role binding:

gcloud

Edit the allow policy by adding a new role binding that grants the role to the principal. This change will not take effect until you set the updated allow policy.

For example, to grant the Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin) to Raha, add the following role binding to the bindings array for the allow policy:

{
  "role": "roles/compute.loadBalancerAdmin",
  "members": [
    "user:raha@example.com"
  ]
}

REST

Edit the allow policy by adding a new role binding that grants the role to the principal. This change will not take effect until you set the updated allow policy.

For example, to grant the Compute Load Balancer Admin role (roles/compute.loadBalancerAdmin) to Raha, add the following role binding to the bindings array for the allow policy:

{
  "role": "roles/compute.loadBalancerAdmin",
  "members": [
    "user:raha@example.com"
  ]
}

Revoke a role

To revoke a role, remove the principal from the role binding. If there are noother principals in the role binding, remove the entire role binding.

Note: Role bindings with no principals are not allowed and will result in an error when setting the allow policy.

gcloud

Revoke a role by editing the JSON or YAML allow policy returned by the get-iam-policy command. This change will not take effect until you set the updated allow policy.

To revoke a role from a principal, delete the desired principals or bindings from the bindings array for the allow policy.

REST

Revoke a role by editing the JSON or YAML allow policy returned by the getIamPolicy method. This change will not take effect until you set the updated allow policy.

To revoke a role from a principal, delete the desired principals or bindings from the bindings array for the allow policy.
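The "Modify the allow policy", "Grant a role" and "Revoke a role" steps above, carried out on a constructed policy document as an added example (this is not code from the page or from the Google Cloud client libraries). It adds a principal to an existing binding, appends a binding for a role the policy does not yet contain, removes a principal and drops the binding that is left empty, treats a conditional binding as distinct from an unconditional one for the same role, and keeps the etag untouched so that setIamPolicy can reject a stale write. The sample policy, principals and etag value are constructed.

```python
import copy

# Constructed sample allow policy, shaped like the output of
# get-iam-policy / getIamPolicy. Not taken from any real project.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/compute.instanceAdmin", "members": ["user:kai@example.com"]},
        {"role": "roles/compute.viewer", "members": ["user:raha@example.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
    "etag": "BwX0kEXAMPLE=",  # constructed placeholder etag
    "version": 3,
}


def grant_role(policy, role, principal, condition=None):
    """Return a copy of policy that grants role to principal.

    If a binding for the same role and the same condition already exists, the
    principal is appended to it (no duplicates); otherwise a new binding is
    added to the bindings array. The etag is copied unchanged.
    """
    new_policy = copy.deepcopy(policy)
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            if principal not in binding["members"]:
                binding["members"].append(principal)
            return new_policy
    binding = {"role": role, "members": [principal]}
    if condition is not None:
        binding["condition"] = condition
    new_policy["bindings"].append(binding)
    return new_policy


def revoke_role(policy, role, principal, condition=None):
    """Return a copy of policy with principal removed from the binding for role.

    A binding whose member list becomes empty is removed entirely, because IAM
    rejects a policy that contains a binding with no members.
    """
    new_policy = copy.deepcopy(policy)
    kept = []
    for binding in new_policy.get("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            binding["members"] = [m for m in binding["members"] if m != principal]
        if binding["members"]:
            kept.append(binding)
    new_policy["bindings"] = kept
    return new_policy


def validate_for_set(policy, original):
    """Pre-flight checks before calling setIamPolicy with the edited policy:
    the etag must still be the one that was read, and no binding may be empty."""
    if policy.get("etag") != original.get("etag"):
        raise ValueError("etag changed or missing; re-read the policy before writing")
    for binding in policy.get("bindings", []):
        if not binding.get("members"):
            raise ValueError("binding for %s has no members" % binding["role"])
    return True


if __name__ == "__main__":
    updated = grant_role(SAMPLE_POLICY, "roles/compute.instanceAdmin", "user:raha@example.com")
    updated = grant_role(updated, "roles/compute.loadBalancerAdmin", "user:raha@example.com")
    updated = revoke_role(updated, "roles/compute.viewer", "user:raha@example.com",
                          condition=SAMPLE_POLICY["bindings"][1]["condition"])
    validate_for_set(updated, SAMPLE_POLICY)
    print(updated)
```

The resulting dictionary is what you would serialize and send as the setIamPolicy request body; the original object is never mutated, so it can be kept for the etag comparison.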

Set the allow policy

After you modify the allow policy to grant and revoke the desired roles, call setIamPolicy() to make the updates.

Warning: Setting a new allow policy permanently overwrites the existing allow policy on the resource. To avoid removing role bindings unintentionally, always follow the read-modify-write pattern when updating an allow policy: read the existing allow policy, modify it as needed, and then write the updated version of the allow policy.

gcloud

To set the allow policy for the resource, run the set-iam-policy command for the resource.

The format for this command varies depending on the resource type you're managing access to. To find the format for your resource, find the reference for the resource's set-iam-policy command in the Google Cloud CLI reference. This reference is organized by service, then resource. For example, to set the allow policy of a Compute Engine VM instance, follow the format described in the gcloud compute instances set-iam-policy reference.

The response for any resource's set-iam-policy command contains the resource's updated allow policy.

Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.

REST

To set the resource's allow policy, use the resource's setIamPolicy method.

The HTTP method, URL, and request body depend on the resource that you want to manage access to. To find these details, find the API reference for the service that owns the resource, then find the reference for the resource's setIamPolicy method. For example, the HTTP method, URL, and request body for a Compute Engine VM instance are specified in the instances setIamPolicy reference.

The response for any resource's setIamPolicy method contains the resource's updated allow policy.

Note: If you treat policies as code and store them in a version-control system, you should store the policy that is returned, not the policy that you sent in the request.

Note: If you grant access to a user's email alias or a secondary domain, then the values in your allow policy might not match the values that you initially entered. If you grant access to an email alias, then the allow policy displays the user's primary email address. If you grant access to a secondary domain, then the allow policy displays the primary domain.


Last updated 2026-02-19 UTC.