Grant an IAM role by using the Trusted Cloud console

Learn how to use the Trusted Cloud console to grant IAM roles to principals at the project level.

See the following video for a quick walkthrough:

A video showing how to grant IAM roles to principals using the Trusted Cloud console.

Before you begin

Create a Trusted Cloud project

For this quickstart, you need a new Trusted Cloud project.

  1. In the Trusted Cloud console, go to the project selector page.

    Go to project selector

  2. Click Create project.

  3. Name your project. Make a note of your generated project ID.

  4. Edit the other fields as needed.

  5. Click Create.

Ensure that you have the required roles

  1. Make sure that you have the following role or roles on the project: Project IAM Admin

    Check for the roles

    1. In the Trusted Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.

    3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.

    4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.

    Grant the roles

    1. In the Trusted Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.

    4. In the New principals field, enter your user identifier. This is typically the identifier for a user in a workforce identity pool. For details, see Represent workforce pool users in IAM policies, or contact your administrator.

    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Enable the APIs

  • Enable the IAM and Resource Manager APIs.

    Enable the APIs

    • Grant an IAM role

    Grant a principal the Logs Viewer role on the project.

    1. In the Trusted Cloud console, go to the IAM page.

      Go to IAM

    2. Select your new project.

    3. Click Grant access.

    4. Enter an identifier for the principal. For example, //iam.googleapis.com/locations/global/workforcePools/my-pool/subject/my-user@example.com.

    5. From the Select a role drop-down menu, search for Logs Viewer, then click Logs Viewer.

    6. Click Save.

    7. Verify that the principal and the corresponding role are listed in the IAM page.

    You have successfully granted an IAM role to a principal.

    Observe the effects of IAM roles

    Verify that the principal you granted a role to can access the expected Trusted Cloud console pages by doing the following:

    1. Send the following URL to the principal to whom you granted the role in the preceding step:

      https://console.cloud.s3nscloud.fr/logs?project=PROJECT_ID

      This URL takes the principal to the Logs Explorer page for your project.

    2. Verify that the principal is able to access and view the URL.

    If the principal tries to access a different Trusted Cloud console page that they don't have access to, they see an error message.

    Grant additional roles to the same principal

    Grant the principal the Compute Viewer role in addition to their Logs Viewer role.

    1. In the Trusted Cloud console, go to the IAM page.

      Go to IAM

    2. Locate the row that contains the principal to whom you want to grant another role, and click Edit principal in that row.

    3. In the Edit permissions pane, click Add another role.

    4. From the Select a role drop-down menu, search for Compute Viewer, then click Compute Viewer. Click Save.

    5. Click Save.

    The principal now has a second IAM role.

    Revoke IAM roles

    Revoke the roles you granted to the principal in the preceding steps by doing the following:

    1. Locate the row that contains the principal that you granted roles to and click Edit principal in that row.

    2. In the Edit permissions pane, click the delete icon next to the Logs Viewer and Compute Viewer roles.

    3. Click Save.

    You have now removed the principal from both of the roles. If they try to view the Logs Explorer page, they see the following error message:

    You don't have permissions to view logs.

    Clean up

    To avoid incurring charges to your Trusted Cloud account for the resources used on this page, follow these steps.

    Clean up by deleting the project that you created for this quickstart.

    1. In the Trusted Cloud console, go to the Manage resources page.

      Go to Manage resources

    2. In the project list, select the project that you want to delete, and then click Delete.
    3. In the dialog, type the project ID, and then click Shut down to delete the project.

    What's next