Grant access to your project with IAM

1. Before you begin

This codelab shows you how to set up an OAuth client and how to use the Google Cloud Console to grant Identity and Access Management (IAM) roles to principals for your project.


  • Ability to navigate the Cloud Console.

What you'll learn

  • How to set up your app as an OAuth client.
  • How to restrict access to your app with Identity and Access Management (IAM).

What you'll need

2. Create a Google Cloud project and set up a billing account

  1. Sign in to the Cloud Console.
  1. Go to the project- selector page.
  2. Click Create project.
  3. Name your project and then make a note of the generated project ID.
  4. Edit the other fields as needed.
  1. Click Create.
  2. If you haven't already, enable billing in the Cloud Console to use Google Cloud resources.

Although this codelab shouldn't cost much, if anything, follow the instructions in the Clean up section to shut down resources and avoid costs beyond this codelab. Note that new users of Google Cloud are eligible for the US$300 free trial.

3. Grant access with IAM

IAM lets you grant role-based access to users for your project and resources. In this section, you use IAM to grant a user access to a couple of roles for your project.

Enable the IAM and Resource Manager APIs

  1. In the navigation menu in the Cloud Console, click APIs & Services.

Navigation menu in the Cloud Console showing APIs & Services option.



  1. Search for the IAM API and then enable it.
  2. Search for Resource Manager API and then enable it.

Grant a role with IAM

  1. Go to the IAM page.

The name of your project appears in the project selector. The project selector tells you what project you're in.

IAM page showing the project name selector.

If you don't see the name of your project, use the project selector to select it.

  1. Click Add.
  2. Enter the email address of a principal.
  3. From the Select a role drop-down menu, select Logging > Logs Viewer > Save.

IAM page showing "Add principals and roles" options.

  1. Verify that the principal and the role are listed on the IAM page.

That's it—you granted an identity and access management role to a principal!

Observe the effects of identity and access management roles

In this section, you verify that the principal to whom you granted a role can access the expected Cloud Console pages:

  1. Send this URL to the principal to whom you granted the role:

  1. Verify that the principal can access and view the URL.

The principal can't access a Cloud Console page for which they haven't been granted the appropriate role. Instead, they see an error message like this example:

You don't have permissions to view logs.

Grant other roles to the same principal

  1. In the Cloud Console, go to the IAM page.
  2. Locate the principal to whom you want to grant another role and then click Edit d489bd059474ae59.png.
  3. In the Edit permissions pane, click Add another role.

Edit permissions pane, showing the Add another role option.

  1. In the Select a role drop-down menu, click Project > Viewer > Save.

Edit permissions pane, showing role options.

The principal now has a second identity and access management role.

Revoke the roles granted to the principal

  1. Locate the principal whose role you want to revoke and then click d489bd059474ae59.pngEdit .
  2. In the Edit permissions pane, click 17033682fbdcca9c.png next to both roles that you previously granted to the principal.
  3. Click Save.

You removed the principal from both of the roles. If this person tries to view any of the pages that they could previously access, they see an error message.

4. Clean up

To avoid charges to your Google Cloud account for the resources used in this codelab:

  1. In the Cloud Console, go to the Manage resources page.
  2. In the project list, select the project that you want to delete and then click Delete.
  3. In the dialog, type the project ID and then click Shut down to delete the project.

5. Congratulations

Congratulations! You learned how to set up an OAuth client and use the Cloud Console to grant identity and access management roles to principals for your project.