Stay organized with collections
Save and categorize content based on your preferences.
API Gateway API access overview
This page describes the API access control options available to you in API Gateway.
Overview
API Gateway uses
Identity and Access Management (IAM)
to control access to your API. You can grant access to your API at the project
level and at the service consumer level. For example,
you can:
Grant access to your API users so they can enable your API in their own
Google Cloud project.
Allow principals to view all API Gateway resources.
Allow principals to create, update, or delete API Gateway resources.
Roles that control access to services and resources
You can view and grant roles using the permissions panel on the API Gateway >
APIs or Gateways detail pages in the Google Cloud console. Roles can also be granted
using the API, or with the Google Cloud CLI.
IAM role name
Role title
Description
roles/servicemanagement.serviceConsumer
Service Consumer
Permissions for a Google Account, Google group, or service account to view
and enable the API in their own project. See the
Service Management API access control topic for information about this role.
roles/apigateway.viewer
API Gateway Viewer
Read-only access to an API gateway and its related resources. This role includes permissions to get and list APIs, API configs, gateways, and locations.
roles/apigateway.admin
API Gateway Admin
Full access to an API gateway and its related resources. This role includes permissions to get, create, update, and delete APIs, API configs, gateways, and locations.
API Gateway permissions and roles
The following table lists the project-level roles that grant access to API Gateway resources and their associated permissions:
All permissions included in the API Gateway Viewer role, plus:
apigateway.apiconfigs.create
apigateway.apiconfigs.delete
apigateway.apiconfigs.setIamPolicy
apigateway.apiconfigs.update
apigateway.apis.create
apigateway.apis.delete
apigateway.apis.setIamPolicy
apigateway.apis.update
apigateway.gateways.create
apigateway.gateways.delete
apigateway.gateways.setIamPolicy
apigateway.gateways.update
apigateway.operations.cancel
apigateway.operations.delete
Custom roles
If basic or predefined roles do not meet your specific needs, API Gateway supports the use of custom roles. You can use IAM to create custom roles for API Gateway.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eAPI Gateway uses Identity and Access Management (IAM) to control access to APIs, allowing you to grant access at both the project and service consumer levels.\u003c/p\u003e\n"],["\u003cp\u003eThe Service Consumer role permits users to view and enable an API within their own projects.\u003c/p\u003e\n"],["\u003cp\u003eThe API Gateway Viewer role provides read-only access to API gateways and their associated resources, while the API Gateway Admin role grants full access to manage these resources.\u003c/p\u003e\n"],["\u003cp\u003eCustom roles can be created via IAM for more granular control over API Gateway permissions, if the provided roles do not meet your specific needs.\u003c/p\u003e\n"]]],[],null,["# API Gateway API access overview\n===============================\n\nThis page describes the API access control options available to you in API Gateway.\n\nOverview\n--------\n\nAPI Gateway uses\n[Identity and Access Management (IAM)](/iam/docs)\nto control access to your API. You can grant access to your API at the project\nlevel and at the service consumer level. For example,\nyou can:\n\n- Grant access to your API users so they can enable your API in their own Google Cloud project.\n- Allow principals to view all API Gateway resources.\n- Allow principals to create, update, or delete API Gateway resources.\n\nRoles that control access to services and resources\n---------------------------------------------------\n\nYou can view and grant roles using the permissions panel on the **API Gateway** \\\u003e\n**APIs** or **Gateways** detail pages in the Google Cloud console. Roles can also be granted\nusing the API, or with the Google Cloud CLI.\n\n| **Note:** Although you can grant other roles at the service level, we recommend that you use the roles listed in the previous table to manage your API.\n\nAPI Gateway permissions and roles\n---------------------------------\n\nThe following table lists the project-level roles that grant access to API Gateway resources and their associated permissions:\n\n| **Note:** To view pages in the Google Cloud console, you must grant users the **API Gateway Viewer** role or a higher role at the project level.\n\nCustom roles\n------------\n\nIf basic or predefined roles do not meet your specific needs, API Gateway supports the use of custom roles. You can use IAM to create [custom roles](/iam/docs/creating-custom-roles) for API Gateway."]]
