Cloud Deployment Manager will reach end of support on December 31, 2025. If you currently use Deployment Manager, please migrate to Infrastructure Manager or an alternative deployment technology by December 31, 2025 to ensure your services continue without interruption.
Stay organized with collections
Save and categorize content based on your preferences.
To control access to your resources in Google Cloud, you use
Identity and Access Management (IAM). With IAM, you set permissions
specifying who has what kind of access to which resources in your
project. For an introduction to IAM, see the IAM Overview.
When you deploy resources, you can also control who has access to these
resources by setting an IAM policy preemptively in your configuration. For
example, if you plan to create Pub/Sub Topics that can be managed by specific
users, you can express this to Deployment Manager by specifying an
IAM policy in your configuration. When you create or update your deployment,
Deployment Manager calls the IAM API to set the appropriate permissions on
the resource.
If you want to use the API examples in this guide, set up API access.
Using IAM policies in Deployment Manager
An IAM policy is a collection of users and their roles. You set an IAM policy at
the project level, using either basic or predefined roles. Some services,
such as Cloud Pub/Sub, also support setting IAM policies at the resource level.
If a service does not support setting IAM policies at the resource level,
Deployment Manager returns a NO_METHOD_TO_UPDATE_ACCESS_CONTROL error.
For a list of roles and the resources you can apply them to, see Understanding
Roles.
Granting Deployment Manager permission to set IAM policies
Deployment Manager uses the
Google APIs Service Account
to call other Google APIs and manage Google Cloud resources on your
behalf. You must grant your project's Google APIs service account the basic
roles/owner role so it can apply the IAM policies you define in your
configurations.
Go to the IAM page in the Google Cloud console of your project.
The request body should contain the list of bindings you want to apply
to this project. The roles/owner role should be part
of the binding. For example:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eIAM in Google Cloud controls who has what access to which resources within a project.\u003c/p\u003e\n"],["\u003cp\u003eDeployment Manager can set IAM policies preemptively during resource deployment, specifying user access rights.\u003c/p\u003e\n"],["\u003cp\u003eThe Google APIs service account, with the \u003ccode\u003eroles/owner\u003c/code\u003e role, is necessary for Deployment Manager to apply IAM policies.\u003c/p\u003e\n"],["\u003cp\u003eIAM policies are set using the \u003ccode\u003eaccessControl\u003c/code\u003e section within resource configurations, binding users or service accounts to specific roles.\u003c/p\u003e\n"],["\u003cp\u003eSetting up the \u003ccode\u003eaccessControl\u003c/code\u003e section in Deployment Manager's resource configuration allows you to add bindings that assign specific roles to different users.\u003c/p\u003e\n"]]],[],null,["# Setting access control in a configuration\n\nTo control access to your resources in Google Cloud, you use\n[Identity and Access Management (IAM)](/iam). With IAM, you set permissions\nspecifying **who** has **what** kind of access to **which** resources in your\nproject. For an introduction to IAM, see the [IAM Overview](/iam/docs/overview).\n\nWhen you deploy resources, you can also control who has access to these\nresources by setting an IAM policy preemptively in your configuration. For\nexample, if you plan to create Pub/Sub Topics that can be managed by specific\nusers, you can express this to Deployment Manager by specifying an\nIAM policy in your configuration. When you create or update your deployment,\nDeployment Manager calls the IAM API to set the appropriate permissions on\nthe resource.\n\nBefore you begin\n----------------\n\n- If you want to use the command-line examples in this guide, install the [\\`gcloud\\` command-line tool](/sdk).\n- If you want to use the API examples in this guide, set up [API access](/deployment-manager/docs/reference/latest).\n\nUsing IAM policies in Deployment Manager\n----------------------------------------\n\nAn IAM policy is a collection of users and their roles. You set an IAM policy at\nthe project level, using either basic or predefined roles. Some services,\nsuch as Cloud Pub/Sub, also support setting IAM policies at the resource level.\n\nIf a service does not support setting IAM policies at the resource level,\nDeployment Manager returns a `NO_METHOD_TO_UPDATE_ACCESS_CONTROL` error.\n\nFor a list of roles and the resources you can apply them to, see [Understanding\nRoles](/iam/docs/understanding-roles).\n\nGranting Deployment Manager permission to set IAM policies\n----------------------------------------------------------\n\nDeployment Manager uses the\n[Google APIs Service Account](/deployment-manager/docs/access-control#access_control_for_deployment_manager)\nto call other Google APIs and manage Google Cloud resources on your\nbehalf. You must grant your project's Google APIs service account the basic\n`roles/owner` role so it can apply the IAM policies you define in your\nconfigurations.\n\n1. Go to the IAM page in the Google Cloud console of your project. [Go to the IAM page](https://console.cloud.google.com/iam-admin/iam/)\n\n2. If prompted, select your project from the list.\n3. Look for the **Google APIs service account**, which has the email\n address in the following format:\n\n [PROJECT_NUMBER]@cloudservices.gserviceaccount.com\n\n | **Note:** This email address requires the project number, not the project ID. To learn how to identify the project number, see [Identifying projects](/compute/docs/projects#projectids).\n4. Grant the APIs service account the `roles/owner` roles:\n\n\n ### Console\n\n 1. While still in the Google Cloud console, expand the **Roles** dropdown for the Google APIs service account and select **Project \\\u003e Owner**.\n 2. Click **Save** to save your changes.\n\n ### gcloud\n\n With the Google Cloud CLI, add a binding to the IAM policy for the project: \n\n ```\n gcloud projects add-iam-policy-binding [PROJECT_ID] \\\n --member serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role roles/owner\n ```\n\n where:\n - `[PROJECT_ID]` is the ID of the project.\n - `[SERVICE_ACCOUNT_EMAIL]` is the email of the service account.\n\n For example: \n\n ```\n gcloud projects add-iam-policy-binding database-images \\\n --member serviceAccount:123456789012@cloudservices.gserviceaccount.com \\\n --role roles/owner\n ```\n\n ### API\n\n In the API, make a `POST` request to the following URL, where\n `[PROJECT_ID]` is the ID of the project: \n\n POST https://cloudresourcemanager.googleapis.com/v1/projects/$[PROJECT_ID]:setIamPolicy\n\n The request body should contain the list of bindings you want to apply\n to this project. The `roles/owner` role should be part\n of the binding. For example: \n\n {\n \"policy\": {\n \"version\": \"0\",\n \"bindings\": [\n {\n \"role\": \"roles/owner\",\n \"members\": [\n \"user:example@gmail.com\",\n \"serviceAccount:123456789012@cloudservices.gserviceaccount.com\"\n ]\n }\n ]\n }\n }\n\n \u003cbr /\u003e\n\nSetting an IAM policy in your configuration\n-------------------------------------------\n\nNext, in your configuration or template, you can set an IAM policy by following\nthese instructions:\n\n1. Add the `accessControl` section to the top-level configuration for each\n resource for which you want to apply access control policies.\n\n2. Specify the desired `gcpIamPolicy` for the resource. Each IAM policy can\n contain a list of bindings. Each binding binds a list of members to a role.\n\n | **Note:** If you use the `accessControl` section to grant roles to accounts, including service accounts, we recommend that you use Deployment Manager to manage roles for that account. If you change the account's roles outside Deployment Manager and then update the original deployment, the roles from the deployment configuration are applied to the account.\n\n If you're using `accessControl` to manage service accounts,\n [learn more about managing service accounts](/iam/docs/creating-managing-service-accounts).\n\nFor example, the following `accessControl` section adds bindings that grant\nthese roles to users:\n\n resources:\n - name: a-new-pubsub-topic\n type: pubsub.v1.topic\n properties:\n ...\n\n accessControl:\n gcpIamPolicy:\n bindings:\n - role: roles/pubsub.editor\n members:\n - \"user:alice@example.com\"\n - role: roles/pubsub.publisher\n members:\n - \"user:jane@example.com\"\n - \"serviceAccount:my-other-app@appspot.gserviceaccount.com\"\n\nFor more information on IAM policies, read the\n[IAM documentation](/iam/docs/granting-changing-revoking-access)."]]