# Granting and revoking access to the API

Controlling who has access to an API is an integral part of development. For example, as you test your API, you might want to automate redeploying updated Cloud Endpoints configurations by using a service account that has the permission to do so. By default, only the project owner can manage access to an API. This page shows you how to grant and revoke access to your API by using the Google Cloud console or the Google Cloud CLI.

Endpoints uses [Identity and Access Management](/iam/docs/overview) roles to grant and revoke access at the API level. You can grant and revoke access to a user, a service account, or a [Google Group](https://support.google.com/groups/answer/2464926).

Google Groups are a convenient way to manage access for a collection of users. Instead of granting or revoking access for each user or service account one at a time, you can do so for a whole group at once. You can also easily add members to and remove members from a Google Group instead of granting or revoking the IAM role for each member.
Granting access
---------------

### Google Cloud console

1. In the Google Cloud console, go to the **Endpoints > Services** page for your project.

   [Go to the Endpoints Services page](https://console.cloud.google.com/endpoints)
2. If you have more than one API, click the name of the API.
3. If the **Permissions** side panel isn't open, click **Permissions**.
4. In the **Add members** box, enter the email address of a user, service account, or Google Group.
5. In the **Select a role** drop-down, click **Service Management**, and select one of the following roles:
   - **Service Consumer:** This role contains the permissions for a non-project member to view and enable the API in their own project. If you have created a [portal](/endpoints/docs/openapi/dev-portal-overview) for your API, this role lets your API users access the portal.
   - **Service Controller:** This role contains the permissions to make calls to the `check` and `report` methods in the [Service Infrastructure](/service-infrastructure/docs/checking-status) API during runtime.
   - **Service Config Editor:** This role contains the minimum permissions that Service Management requires to deploy an Endpoints configuration to an existing service.
   - **Service Management Administrator:** This role contains the permissions in the Service Config Editor, Service Consumer, and Service Controller roles, plus the permissions required to grant access to this API by using `gcloud` or the programmatic methods described in [Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access).

   See the [Service Management API access control](/service-infrastructure/docs/service-management/access-control#roles) topic for information about these roles. Although the Google Cloud console allows you to select other roles, those roles aren't useful for managing your API.
6. To add the member to the specified IAM role, click **Add**.
7. Repeat adding members and selecting roles as needed.
8. The Service Management roles don't allow users to access the **Endpoints > Services** page in the Google Cloud console. If you want users to be able to access the **Endpoints > Services** page, you must grant them the **Project Viewer** role or a higher role on the project. See [Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.
### gcloud

1. Open Cloud Shell, or, if you have the Google Cloud CLI installed, open a terminal window.
2. Enter the applicable `gcloud` command:
   - If you are granting access to a user, run the following:

     ```sh
     gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
         --member='user:[EMAIL-ADDRESS]' \
         --role='[ROLE]'
     ```

     For the role, specify one of the following IAM roles:
     - `roles/servicemanagement.configEditor`: This role contains the minimum permissions that Service Management requires to deploy an Endpoints configuration to an existing service.
     - `roles/servicemanagement.admin`: This role contains the permissions in `roles/servicemanagement.configEditor`, `roles/servicemanagement.serviceConsumer`, and `roles/servicemanagement.serviceController`, plus the permissions required to grant access to this API by using `gcloud` or the programmatic methods described in [Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access).

     For example:

     ```sh
     gcloud endpoints services add-iam-policy-binding example-service-name \
         --member='user:example-user@gmail.com' \
         --role='roles/servicemanagement.admin'
     ```
   - If you are granting access to a service account, run the following:

     ```sh
     gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
         --member='serviceAccount:[EMAIL-ADDRESS]' \
         --role='[ROLE]'
     ```

     For example:

     ```sh
     gcloud endpoints services add-iam-policy-binding example-service-name \
         --member='serviceAccount:example-service-account@example-project.iam.gserviceaccount.com' \
         --role='roles/servicemanagement.configEditor'
     ```
   - If you are granting access to a Google Group, run the following:

     ```sh
     gcloud endpoints services add-iam-policy-binding [SERVICE-NAME] \
         --member='group:[GROUP-NAME]@googlegroups.com' \
         --role='[ROLE]'
     ```

     For example:

     ```sh
     gcloud endpoints services add-iam-policy-binding example-service-name \
         --member='group:example-group@googlegroups.com' \
         --role='roles/servicemanagement.configEditor'
     ```
3. The Service Management roles don't allow users to access the **Endpoints > Services** page in the Google Cloud console. If you want users to be able to access the **Endpoints > Services** page, you must grant them the **Project Viewer** role or a higher role on the project. See [Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.
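After granting roles, it helps to review who can actually do what on the service. The following added example (not part of this documentation or of any Google tool) audits a service's IAM policy using the role hierarchy described above: it reports each member's effective capabilities, lists who can grant access, and finds bindings that an Administrator binding on the same member already covers, so they can be removed with the `remove-iam-policy-binding` command described under Revoking access. It assumes the policy JSON shape returned by `gcloud endpoints services get-iam-policy [SERVICE-NAME] --format=json`; the members and etag in the sample are constructed.

```python
import json

# Capabilities each Service Management role confers, per this page's role descriptions;
# the Administrator role includes the other three roles' permissions.
ROLE_CAPS = {
    "roles/servicemanagement.serviceConsumer": {"view_and_enable"},
    "roles/servicemanagement.serviceController": {"runtime_check_report"},
    "roles/servicemanagement.configEditor": {"deploy_config"},
    "roles/servicemanagement.admin": {"view_and_enable", "runtime_check_report",
                                      "deploy_config", "manage_access"},
}
ADMIN = "roles/servicemanagement.admin"
# Constructed sample (hypothetical members and etag) in the shape returned by
# `gcloud endpoints services get-iam-policy SERVICE --format=json`.
SAMPLE_POLICY = json.dumps({"etag": "PLACEHOLDER-ETAG", "version": 1, "bindings": [
    {"role": ADMIN, "members": ["user:alice@example.com"]},
    {"role": "roles/servicemanagement.configEditor", "members": [
        "serviceAccount:deployer@example-project.iam.gserviceaccount.com",
        "user:alice@example.com"]},
    {"role": "roles/servicemanagement.serviceConsumer",
     "members": ["group:api-users@googlegroups.com"]},
    {"role": "roles/editor", "members": ["user:bob@example.com"]},
]})

def effective_access(policy_json):
    """Map each member to its sorted capabilities across all bindings; roles outside
    the Service Management set are reported verbatim as 'other:<role>' for review."""
    access = {}
    for binding in json.loads(policy_json).get("bindings", []):
        caps = ROLE_CAPS.get(binding["role"], {"other:" + binding["role"]})
        for member in binding.get("members", []):
            access.setdefault(member, set()).update(caps)
    return {member: sorted(caps) for member, caps in access.items()}

def holders_of(policy_json, capability):
    """Members who can perform `capability`, e.g. 'manage_access' = who can grant roles."""
    return sorted(m for m, c in effective_access(policy_json).items() if capability in c)

def redundant_bindings(policy_json):
    """(member, role) pairs already covered by an Administrator binding on that member."""
    bindings = json.loads(policy_json).get("bindings", [])
    admins = {m for b in bindings if b["role"] == ADMIN for m in b.get("members", [])}
    return sorted((m, b["role"]) for b in bindings if b["role"] in ROLE_CAPS
                  and b["role"] != ADMIN for m in b.get("members", []) if m in admins)

def revoke_command(service, member, role):
    """The remove-iam-policy-binding command shown on this page, for one binding."""
    return (f"gcloud endpoints services remove-iam-policy-binding {service} "
            f"--member='{member}' --role='{role}'")
```

Run it against `gcloud endpoints services get-iam-policy [SERVICE-NAME] --format=json` output to see, for example, that a member holding both Administrator and Service Config Editor only needs the first binding.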
Revoking access
---------------

To revoke access to your API, remove the IAM role from the member who previously had the role.

### Google Cloud console

1. In the Google Cloud console, go to the **Endpoints > Services** page for your project.

   [Go to the Endpoints Services page](https://console.cloud.google.com/endpoints)
2. If you have more than one API, click the name of the API.
3. If the **Permissions** side panel isn't open, click **Permissions**.
4. Locate the member for whom you want to revoke access. You can either click the applicable **Role** card to see a list of members, or enter a name or role in the **Search members** box.
5. Click **Delete**.
6. If you also want to revoke a user's access to your Google Cloud project, see [Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.

### gcloud

1. Open Cloud Shell, or, if you have the gcloud CLI installed, open a terminal window.
2. Enter the applicable `gcloud` command:
   - If you are revoking access for a user, run the following:

     ```sh
     gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
         --member='user:[EMAIL-ADDRESS]' \
         --role='[ROLE-NAME]'
     ```

     For example:

     ```sh
     gcloud endpoints services remove-iam-policy-binding example-service-name \
         --member='user:example-user@gmail.com' \
         --role='roles/editor'
     ```
   - If you are revoking access for a service account, run the following:

     ```sh
     gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
         --member='serviceAccount:[EMAIL-ADDRESS]' \
         --role='[ROLE-NAME]'
     ```

     For example:

     ```sh
     gcloud endpoints services remove-iam-policy-binding example-service-name \
         --member='serviceAccount:example-service-account@example-project.iam.gserviceaccount.com' \
         --role='roles/servicemanagement.configEditor'
     ```
   - If you are revoking access for a Google Group, run the following:

     ```sh
     gcloud endpoints services remove-iam-policy-binding [SERVICE-NAME] \
         --member='group:[GROUP-NAME]@googlegroups.com' \
         --role='[ROLE-NAME]'
     ```

     For example:

     ```sh
     gcloud endpoints services remove-iam-policy-binding example-service-name \
         --member='group:example-group@googlegroups.com' \
         --role='roles/viewer'
     ```
3. If you also want to revoke a user's access to your Google Cloud project, see [Granting, changing, and revoking access to resources](/iam/docs/granting-changing-revoking-access) for details.

What's next
-----------

Learn about:

- [Creating a service account](/iam/docs/creating-managing-service-accounts#creating_a_service_account)
- [`gcloud` commands](/sdk/gcloud/reference) referenced on this page.