Manage access to projects, folders, and organizations

This page describes how to grant, change, and revoke access to projects, folders, and organizations. To learn how to manage access to other resources, see the following guides:

  • Manage access to service accounts
  • Manage access to other resources

In Identity and Access Management (IAM), access is granted through allow policies, also known as IAM policies. An allow policy is attached to a Google Cloud resource. Each allow policy contains a collection of role bindings that associate one or more principals, such as users or service accounts, with an IAM role. These role bindings grant the specified roles to the principals, both on the resource that the allow policy is attached to and on all of that resource's descendants. For more information about allow policies, see Understanding allow policies.

You can manage access to projects, folders, and organizations with the Google Cloud console, the Google Cloud CLI, the REST API, or the Resource Manager client libraries.

Before you begin

  • Enable the Resource Manager API.

Required roles

To get the permissions that you need to manage access to a project, folder, or organization, ask your administrator to grant you the following IAM roles on the resource that you want to manage access for (project, folder, or organization):

  • To manage access to a project: Project IAM Admin (roles/resourcemanager.projectIamAdmin)
  • To manage access to a folder: Folder Admin (roles/resourcemanager.folderAdmin)
  • To manage access to projects, folders, and organizations: Organization Admin (roles/resourcemanager.organizationAdmin)
  • To manage access to almost all Google Cloud resources: Security Admin (roles/iam.securityAdmin)

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to manage access to a project, folder, or organization. To see the exact permissions that are required, see the Required permissions section:

Required permissions

  • To manage access to projects:
    • resourcemanager.projects.getIamPolicy
    • resourcemanager.projects.setIamPolicy
  • To manage access to folders:
    • resourcemanager.folders.getIamPolicy
    • resourcemanager.folders.setIamPolicy
  • To manage access to organizations:
    • resourcemanager.organizations.getIamPolicy
    • resourcemanager.organizations.setIamPolicy

You might also be able to get these permissions with custom roles or other predefined roles.

Keep in mind that the setIamPolicy permissions are themselves highly privileged: a principal who can set the allow policy on a resource can grant any role on that resource and its descendants, including to themselves. Grant these roles on the narrowest resource that covers the access you actually need to manage.

View current access

You can view who has access to your project, folder, or organization using the Google Cloud console, the gcloud CLI, the REST API, or the Resource Manager client libraries.

Console

  1. In the Google Cloud console, go to the IAM page.

  2. Select a project, folder, or organization.

    The Google Cloud console lists all the principals who have been granted roles on your project, folder, or organization. This list includes principals who have inherited roles on the resource from parent resources. For more information about policy inheritance, see Policy inheritance and the resource hierarchy.

  3. Optional: To view role grants for Google-managed service accounts, select the Include Google-provided role grants checkbox.

gcloud

To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.

To get the allow policy for the resource, run the get-iam-policy command for the resource:

gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH

Provide the following values:

  • RESOURCE_TYPE : The type of the resource that you want to view access to. Use one of these values: projects, resource-manager folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • FORMAT : The desired format for the policy. Use json or yaml.
  • PATH : The path to a new output file for the policy.

Unlike the console view, the allow policy returned by this command contains only the role bindings set directly on that resource. Roles inherited from a parent folder or the organization do not appear in it, so an empty or short policy does not by itself mean that a principal has no access.

For example, the following command gets the policy for the project my-project and saves it to your home directory in JSON format:

gcloud projects get-iam-policy my-project --format=json > ~/policy.json

REST

To see who has access to your project, folder, or organization, get the allow policy for the resource. To learn how to interpret allow policies, see Understanding allow policies.

The Resource Manager API's getIamPolicy method gets a project's, folder's, or organization's allow policy.

Before using any of the request data, make the following replacements:

  • API_VERSION : The API version to use. For projects and organizations, use v1. For folders, use v2.
  • RESOURCE_TYPE : The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • POLICY_VERSION : The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy

Request JSON body:

{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}

The response contains the resource's allow policy. For example:

{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:owner@example.com"
      ]
    }
  ]
}
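The policy document returned by get-iam-policy or getIamPolicy is a list of role bindings, so reviewing "who has access" means inverting it to a per-principal view and picking out the grants that need a second look. The following Python does that for a saved policy. It is an added example, not code from the original page or from the Resource Manager client libraries; the policy it parses is a constructed sample with the same shape as the response above, and the review rules (public principals such as allUsers and allAuthenticatedUsers, the basic roles owner/editor/viewer, and conditional bindings in a policy below version 3) are the author's choice of what to flag.

```python
"""Summarize an IAM allow policy as returned by get-iam-policy.

Added example, not code from the original page or from the Resource Manager
client libraries. It reads the JSON that `gcloud ... get-iam-policy --format=json`
or the REST getIamPolicy method returns; the policy below is a constructed sample.
"""
import json
from collections import defaultdict

# Constructed sample policy, shaped like a real getIamPolicy response.
SAMPLE_POLICY_JSON = """
{
  "version": 3,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {"role": "roles/owner", "members": ["user:owner@example.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "group:auditors@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/compute.admin",
     "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}
"""

# Special principals that make a grant public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Basic roles are broad; a reviewer should justify every grant of them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def roles_by_principal(policy):
    """Invert the bindings: principal -> sorted roles granted on this resource."""
    grants = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            grants[member].add(binding["role"])
    return {member: sorted(roles) for member, roles in sorted(grants.items())}


def find_risky_bindings(policy):
    """Return (role, member, reason) triples that warrant review.

    Flags public principals on any role, basic roles on any principal, and
    conditional bindings in a policy whose version is below 3, because
    conditions require policy version 3 and setIamPolicy rejects them otherwise.
    """
    findings = []
    version = policy.get("version", 1)
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal"))
            if role in BASIC_ROLES:
                findings.append((role, member, "basic role"))
        if "condition" in binding and version < 3:
            findings.append((role, "*", "conditional binding needs policy version 3"))
    return findings


def audit(policy_json):
    """Parse a policy document and return a small review report."""
    policy = json.loads(policy_json)
    return {
        "etag": policy.get("etag"),
        "principals": roles_by_principal(policy),
        "findings": find_risky_bindings(policy),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY_JSON)
    for member, roles in report["principals"].items():
        print(f"{member}: {', '.join(roles)}")
    for role, member, reason in report["findings"]:
        print(f"REVIEW ({reason}): {member} has {role}")
```

To run it against a real resource, replace SAMPLE_POLICY_JSON with the contents of the file written by the get-iam-policy command above. Remember that the report covers only bindings on that one resource; inherited grants must be reviewed on the parent folder or organization.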

Grant or revoke a single role

You can use the Google Cloud console and the gcloud CLI to quickly grant or revoke a single role for a single principal, without editing the resource's allow policy directly. Common types of principals include Google accounts, service accounts, Google groups, and domains. For a list of all principal types, see Concepts related to identity.

If you need help identifying the most appropriate predefined role, see Choose predefined roles.

Grant a single role

To grant a single role to a principal, do the following:

Console

  1. In the Google Cloud console, go to the IAM page.

  2. Select a project, folder, or organization.

  3. Select a principal to grant a role to:

    • To grant a role to a principal who already has other roles on the resource, find the row containing the principal's email address, click Edit principal in that row, and click Add another role.

      To grant a role to a Google-managed service account, select the Include Google-provided role grants checkbox to see its email address.

    • To grant a role to a principal who does not already have other roles on the resource, click Add, then enter the principal's email address.

  4. Select a role to grant from the drop-down list. For best security practices, choose a role that includes only the permissions that your principal needs.

  5. Optional: Add a condition to the role.

  6. Click Save. The principal is granted the role on the resource.

To grant a role to a principal for more than one project, folder, or organization, do the following:

  1. In the Google Cloud console, go to the Manage resources page.

  2. Select all the resources for which you want to grant permissions.

  3. If the info panel is not visible, click Show info panel. Then, click Permissions.

  4. Select a principal to grant a role to:

    • To grant a role to a principal who already has other roles, find a row with the principal's email address, click Edit principal in that row, and click Add another role.

    • To grant a role to a principal who does not already have other roles, click Add principal, then enter the principal's email address.

  5. Select a role to grant from the drop-down list.

  6. Optional: Add a condition to the role.

  7. Click Save. The principal is granted the selected role on each of the selected resources.

gcloud

To quickly grant a role to a principal, run the add-iam-policy-binding command:

gcloud RESOURCE_TYPE add-iam-policy-binding RESOURCE_ID \
    --member=PRINCIPAL --role=ROLE_ID \
    --condition=CONDITION

Provide the following values:

  • RESOURCE_TYPE : The resource type that you want to manage access to. Use projects, resource-manager folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • PRINCIPAL : An identifier for the principal, or member, which usually has the following form: PRINCIPAL_TYPE:ID. For example, user:my-user@example.com. For a full list of the values that PRINCIPAL can have, see the Policy Binding reference.

    For the principal type user, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.

  • ROLE_ID : The name of the role that you want to grant. For example, roles/resourcemanager.projectCreator. For a list of roles, see Understanding roles.

  • CONDITION : Optional. The condition to add to the role binding. For more information about conditions, see the conditions overview. If the allow policy already contains conditional role bindings, gcloud prompts you to choose a condition; pass --condition=None to add the binding without one.

Under the hood, add-iam-policy-binding reads the current allow policy, adds the binding, and writes the policy back, so it is subject to the same etag check as a direct setIamPolicy call and will fail if the policy changes between the read and the write.

For example, to grant the Project Creator role to the user my-user@example.com for the project my-project:

gcloud projects add-iam-policy-binding my-project \
    --member=user:my-user@example.com --role=roles/resourcemanager.projectCreator

Revoke a single role

To revoke a single role from a principal, do the following:

Console

  1. In the Google Cloud console, go to the IAM page.

  2. Select a project, folder, or organization.

  3. Find the row with the email address of the principal whose access you want to revoke. Then, click Edit principal in that row.

  4. Click the Delete button for each role you want to revoke, and then click Save.

gcloud

To quickly revoke a role from a principal, run the remove-iam-policy-binding command:

gcloud RESOURCE_TYPE remove-iam-policy-binding RESOURCE_ID \
    --member=PRINCIPAL --role=ROLE_ID

Provide the following values:

  • RESOURCE_TYPE : The resource type that you want to manage access to. Use projects, resource-manager folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • PRINCIPAL : An identifier for the principal, or member, which usually has the following form: PRINCIPAL_TYPE:ID. For example, user:my-user@example.com. For a full list of the values that PRINCIPAL can have, see the Policy Binding reference.

    For the principal type user, the domain name in the identifier must be a Google Workspace domain or a Cloud Identity domain. To learn how to set up a Cloud Identity domain, see the overview of Cloud Identity.

  • ROLE_ID : The name of the role that you want to revoke. For example, roles/resourcemanager.projectCreator. For a list of roles, see Understanding roles.

Revoking a role on a resource removes only the binding set directly on that resource. If the principal also holds the role through inheritance from a parent folder or the organization, they keep that access until it is revoked on the parent as well.

For example, to revoke the Project Creator role from the user my-user@example.com for the project my-project:

gcloud projects remove-iam-policy-binding my-project \
    --member=user:my-user@example.com --role=roles/resourcemanager.projectCreator

Grant or revoke multiple roles

To make large-scale access changes that involve granting and revoking multiple roles, use the read-modify-write pattern to update the resource's allow policy:

  1. Read the current allow policy by calling getIamPolicy().
  2. Modify the allow policy, either by using a text editor or programmatically, to add or remove any principals or role bindings.
  3. Write the updated allow policy by calling setIamPolicy().

You can use the gcloud CLI, the REST API, or the Resource Manager client libraries to update the allow policy.

Get the current allow policy

gcloud

To get the allow policy for the resource, run the get-iam-policy command for the resource:

gcloud RESOURCE_TYPE get-iam-policy RESOURCE_ID --format=FORMAT > PATH

Provide the following values:

  • RESOURCE_TYPE : The type of the resource that you want to get the allow policy for. Use one of the following values: projects, resource-manager folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • FORMAT : The desired format for the allow policy. Use json or yaml.
  • PATH : The path to a new output file for the allow policy.

For example, the following command gets the allow policy for the project my-project and saves it to your home directory in JSON format:

gcloud projects get-iam-policy my-project --format json > ~/policy.json

REST

The Resource Manager API's getIamPolicy method gets a project's, folder's, or organization's allow policy.

Before using any of the request data, make the following replacements:

  • API_VERSION : The API version to use. For projects and organizations, use v1. For folders, use v2.
  • RESOURCE_TYPE : The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • POLICY_VERSION : The policy version to be returned. Requests should specify the most recent policy version, which is policy version 3. See Specifying a policy version when getting a policy for details.

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:getIamPolicy

Request JSON body:

{
  "options": {
    "requestedPolicyVersion": POLICY_VERSION
  }
}

The response contains the resource's allow policy. For example:

{
  "version": 1,
  "etag": "BwWKmjvelug=",
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:owner@example.com"
      ]
    }
  ]
}

Save the response in a file of the appropriate type (json or yaml).

Modify the allow policy

Programmatically or using a text editor, modify the local copy of your resource's allow policy to reflect the roles that you want to grant or revoke.

To ensure that you do not overwrite other changes, do not edit or remove the allow policy's etag field. The etag field identifies the current state of the allow policy. When you set the updated allow policy, IAM compares the etag value in the request with the existing etag, and only writes the allow policy if the values match. If you omit the etag, the write is unconditional, and any change that another administrator made between your read and your write is silently lost.

Grant a role

To grant roles to your principals, modify the role bindings in the allow policy. To learn what roles you can grant, see Understanding roles, or view grantable roles for the resource. If you need help identifying the most appropriate predefined roles, see Choose predefined roles.

Optionally, you can use conditions to grant roles only when certain requirements are met.

To grant a role that is already included in the allow policy, add the principal to an existing role binding:

gcloud

Edit the returned allow policy by adding the principal to an existing role binding. Note that this change will not take effect until you set the updated allow policy.

For example, imagine the allow policy contains the following role binding, which grants the Security Reviewer role (roles/iam.securityReviewer) to kai@example.com:

{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com"
  ]
}

To grant that same role to raha@example.com, add raha@example.com to the existing role binding:

{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com",
    "user:raha@example.com"
  ]
}

REST

Edit the returned allow policy by adding the principal to an existing role binding. Note that this change will not take effect until you set the updated allow policy.

For example, imagine the allow policy contains the following role binding, which grants the Security Reviewer role (roles/iam.securityReviewer) to kai@example.com:

{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com"
  ]
}

To grant that same role to raha@example.com, add raha@example.com to the existing role binding:

{
  "role": "roles/iam.securityReviewer",
  "members": [
    "user:kai@example.com",
    "user:raha@example.com"
  ]
}

C#

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

Java

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

Python

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

To grant a role that is not yet included in the allow policy, add a new role binding:

gcloud

Edit the allow policy by adding a new role binding that grants the role to the principal. This change will not take effect until you set the updated allow policy.

For example, to grant the Compute Storage Admin role (roles/compute.storageAdmin) to raha@example.com, add the following role binding to the bindings array for the allow policy:

{
  "role": "roles/compute.storageAdmin",
  "members": [
    "user:raha@example.com"
  ]
}

REST

Edit the allow policy by adding a new role binding that grants the role to the principal. This change will not take effect until you set the updated allow policy.

For example, to grant the Compute Storage Admin role (roles/compute.storageAdmin) to raha@example.com, add the following role binding to the bindings array for the allow policy:

{
  "role": "roles/compute.storageAdmin",
  "members": [
    "user:raha@example.com"
  ]
}

C#

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

Java

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

Python

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

You can only grant roles related to activated API services. If a service, such as Compute Engine, is not active, you cannot grant roles exclusively related to Compute Engine. For more information, see Enable and disable APIs.

There are some unique constraints when granting permissions on projects, particularly when granting the Owner (roles/owner) role. See the projects.setIamPolicy() reference documentation for more information.

Revoke a role

To revoke a role, remove the principal from the role binding. If there are no other principals in the role binding, remove the entire role binding.

gcloud

Revoke a role by editing the JSON or YAML allow policy returned by the get-iam-policy command. This change will not take effect until you set the updated allow policy.

To revoke a role from a principal, delete the desired principals or bindings from the bindings array for the allow policy.

REST

Revoke a role by editing the JSON or YAML allow policy returned by the get-iam-policy command. This change will not take effect until you set the updated allow policy.

To revoke a role from a principal, delete the desired principals or bindings from the bindings array for the allow policy.

C#

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

Java

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

Python

To learn how to install and use the client library for Resource Manager, see Resource Manager client libraries.

Set the allow policy

After you modify the allow policy to grant and revoke the desired roles, call setIamPolicy() to make the updates.

gcloud

To set the allow policy for the resource, run the set-iam-policy command for the resource:

gcloud RESOURCE_TYPE set-iam-policy RESOURCE_ID PATH

Provide the following values:

  • RESOURCE_TYPE : The type of the resource that you want to set the allow policy for. Use one of the following values: projects, resource-manager folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, folder, or organization ID. Project IDs are alphanumeric, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • PATH : The path to a file that contains the new allow policy.

The response contains the updated allow policy.

For example, the following command sets the allow policy stored in policy.json as the allow policy for the project my-project:

gcloud projects set-iam-policy my-project ~/policy.json

REST

The Resource Manager API's setIamPolicy method sets the policy in the request as the new allow policy for the project, folder, or organization.

Before using any of the request data, make the following replacements:

  • API_VERSION : The API version to use. For projects and organizations, use v1. For folders, use v2.
  • RESOURCE_TYPE : The resource type whose policy you want to manage. Use the value projects, folders, or organizations.
  • RESOURCE_ID : Your Google Cloud project, organization, or folder ID. Project IDs are alphanumeric strings, like my-project. Folder and organization IDs are numeric, like 123456789012.
  • POLICY : A JSON representation of the policy that you want to set. For more information about the format of a policy, see the Policy reference.

    For example, to set the allow policy shown in the previous step, replace POLICY with the following:

    {
      "version": 1,
      "etag": "BwUqLaVeua8=",
      "bindings": [
        {
          "role": "roles/iam.serviceAccountUser",
          "members": [
            "user:robin@example.com"
          ]
        },
        {
          "role": "roles/owner",
          "members": [
            "user:owner@example.com"
          ]
        }
      ]
    }

HTTP method and URL:

POST https://cloudresourcemanager.googleapis.com/API_VERSION/RESOURCE_TYPE/RESOURCE_ID:setIamPolicy

Request JSON body:

{
  "policy": POLICY
}

The response contains the updated allow policy.
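The three steps above (read, modify, write) and the etag rule from the Modify the allow policy section can be exercised end to end on the policy document itself. The following Python is an added example, not code from the original page or from the Resource Manager client libraries: grant() and revoke() make exactly the edits described above to the JSON that get-iam-policy returns (adding a principal to an existing binding, appending a new binding, and dropping a binding once it has no members), and FakeResourceManager is a hypothetical in-memory stand-in for getIamPolicy/setIamPolicy that models only the one behaviour the page describes, rejecting a write whose etag no longer matches the stored policy. The starting policy is constructed; the role and principal names are the ones used earlier on this page.

```python
"""Read-modify-write of an IAM allow policy, done on the policy document.

Added example, not code from the original page or from the Resource Manager
client libraries. grant() and revoke() edit the JSON that get-iam-policy returns,
the same edits you make by hand before set-iam-policy. FakeResourceManager is a
hypothetical in-memory stand-in for the API that models one behaviour only:
setIamPolicy refuses a write whose etag no longer matches the stored policy.
"""
import copy
import json
import secrets
from typing import Optional


class EtagMismatch(Exception):
    """The etag in the request is stale: another writer changed the policy first."""


def grant(policy, role, member, condition: Optional[dict] = None):
    """Add member to the binding for (role, condition), creating it if needed.

    A conditional binding is distinct from an unconditional one for the same
    role, and a policy that carries conditions must be version 3.
    """
    for binding in policy.setdefault("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        binding = {"role": role, "members": [member]}
        if condition is not None:
            binding["condition"] = condition
        policy["bindings"].append(binding)
    if condition is not None:
        policy["version"] = 3
    return policy


def revoke(policy, role, member):
    """Remove member from every binding for role; drop bindings left empty."""
    kept = []
    for binding in policy.get("bindings", []):
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:
            kept.append(binding)
    policy["bindings"] = kept
    return policy


def members_of(policy, role):
    """Sorted members holding role in this policy, conditional bindings included."""
    return sorted(m for b in policy.get("bindings", []) if b["role"] == role
                  for m in b["members"])


class FakeResourceManager:
    """Hypothetical stand-in for getIamPolicy/setIamPolicy with etag checking."""

    def __init__(self, policy):
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = secrets.token_urlsafe(8)

    def get_iam_policy(self):
        return copy.deepcopy(self._policy)

    def set_iam_policy(self, policy):
        # Mirrors the service: the request etag must match the stored etag.
        if policy.get("etag") != self._policy["etag"]:
            raise EtagMismatch("policy changed since it was read; re-read and retry")
        self._policy = copy.deepcopy(policy)
        self._policy["etag"] = secrets.token_urlsafe(8)
        return self.get_iam_policy()


# Constructed starting policy, shaped like the page's get-iam-policy output.
STARTING_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/iam.securityReviewer", "members": ["user:kai@example.com"]},
        {"role": "roles/viewer", "members": ["user:contractor@example.com"]},
    ],
}


def demo():
    """Run the three steps once, then show a stale second writer being rejected."""
    api = FakeResourceManager(STARTING_POLICY)

    policy = api.get_iam_policy()                                          # 1. read
    grant(policy, "roles/iam.securityReviewer", "user:raha@example.com")  # 2. modify
    grant(policy, "roles/compute.storageAdmin", "user:raha@example.com")  #    new binding
    revoke(policy, "roles/viewer", "user:contractor@example.com")         #    binding dropped
    updated = api.set_iam_policy(policy)                                   # 3. write

    # A writer still holding the etag from step 1 now loses the race instead of
    # silently overwriting the change above.
    try:
        api.set_iam_policy(policy)
        conflict = False
    except EtagMismatch:
        conflict = True
    return {"updated": updated, "conflict_detected": conflict}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The handling of a conflict is the part worth copying: on EtagMismatch, re-read the policy, re-apply the same grant() and revoke() calls to the fresh copy, and write again, rather than resending the stale document or stripping the etag to force the write through.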

What's next

  • Learn how to manage access to service accounts.
  • Learn the general steps for managing access to other resources.
  • Find out how to choose the most appropriate predefined roles.
  • Use the Policy Troubleshooter to understand why a user does or doesn't have access to a resource or have permission to call an API.
  • Discover how to view the roles that you can grant on a particular resource.
  • Learn how to make a principal's access conditional with conditional role bindings.
  • Explore ways to secure your applications with Identity-Aware Proxy.