As a hub administrator, you can grant specific users the ability to create spokes in other projects associated with the hub, and retain full control over which spokes are accepted into the hub. Spokes do not become active until you explicitly accept them. You can also reject spokes at any time, if necessary.
To grant another user the ability to create spokes in other projects associated
with the hub, you can grant the
roles/networkconnectivity.groupUser role to that user. A user with the
groupUser role on a hub automatically has the role on all groups in the hub
through the Identity and Access Management (IAM) resource hierarchy. As the hub
administrator, you can also revoke a user's access.
Before you begin
Before you get started, review the following sections.
Create or select a project
To make it easier to configure Network Connectivity Center, start by identifying a valid project.
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command: gcloud init
- If you are using the Google Cloud CLI, set your project ID by using the gcloud config set command.
    gcloud config set project PROJECT_ID
  Replace PROJECT_ID with your unique project ID.
  The gcloud CLI instructions on this page assume that you have set your project ID.
- To confirm that you set the project ID correctly, use the gcloud config list command.
    gcloud config list --format='text(core.project)'
Enable the Network Connectivity API
Before you can perform any tasks using Network Connectivity Center, you must enable the Network Connectivity API.
Console
To enable the Network Connectivity API:
- In the Google Cloud console, go to the Network Connectivity Center page. 
- Click Enable. 
Alternatively, you can enable the API by using the Google Cloud console API Library, as described in Enabling APIs.
Manage access to create spokes in hubs across projects
The following sections describe how to grant, revoke, or view permissions to create spokes in different projects than a hub.
Grant the groupUser role on a hub to another user
To grant the networkconnectivity.groupUser role on a hub to another user,
follow these steps.
Console
- In the Google Cloud console, go to the Network Connectivity Center page. 
- In the project menu, select a project. 
- Click the Hubs tab. 
- In the hubs list, select the hub to which you want to add access.
- Click Permissions. 
- In the Permissions dialog, click Add principal. 
- Enter the username of the administrator that you want to add. 
- In the Manage roles dialog, from the Network Connectivity roles list, select the role that you want to assign, such as Spoke Admin. 
- Click Save. 
gcloud
Run the
gcloud network-connectivity hubs add-iam-policy-binding command.
gcloud network-connectivity hubs add-iam-policy-binding HUB_NAME \
    --member=MEMBER_DETAILS \
    --role='roles/networkconnectivity.groupUser'
Replace the following:
- HUB_NAME: the hub for the spoke, such as my-hub.
- MEMBER_DETAILS: details about the user to whom you want to grant access. For detailed information about identifiers and format, see Principal identifiers.
Revoke the groupUser role on a hub from a user
To revoke the roles/networkconnectivity.groupUser role on a hub from a user,
follow these steps.
gcloud
Run the
gcloud network-connectivity hubs remove-iam-policy-binding command.
gcloud network-connectivity hubs remove-iam-policy-binding HUB_NAME \
    --member=MEMBER_DETAILS \
    --role='roles/networkconnectivity.groupUser'
Replace the following:
- HUB_NAME: the hub for the spoke, such as my-hub.
- MEMBER_DETAILS: details about the user that you want to remove access from. For detailed information about identifiers and format, see Principal identifiers.
View permissions for a user
To view permissions that have been granted to a user on a hub, follow these steps.
gcloud
Run the
gcloud network-connectivity hubs get-iam-policy command.
gcloud network-connectivity hubs get-iam-policy HUB_NAME
Replace HUB_NAME with the name of the hub for which
you want to view permissions, such as my-hub.
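To review who holds the groupUser role on a hub, the following added example (not part of the original documentation) audits the policy returned by get-iam-policy against a list of approved principals and builds the remove-iam-policy-binding command shown above for each unapproved one. It assumes the policy was fetched with the gcloud --format=json flag; the sample policy, the approved list, and the function names are constructed for illustration.

```python
import json
import shlex

GROUP_USER_ROLE = "roles/networkconnectivity.groupUser"

# Constructed sample of `get-iam-policy HUB_NAME --format=json` output.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/networkconnectivity.groupUser",
   "members": ["user:alice@example.com",
               "group:net-team@example.com",
               "serviceAccount:ci@example-project.iam.gserviceaccount.com",
               "deleted:user:bob@example.com?uid=123456789"]},
  {"role": "roles/viewer", "members": ["user:carol@example.com"]}],
 "etag": "CONSTRUCTED", "version": 1}
""")
# Assumed allowlist of principals permitted to create spokes in this hub.
APPROVED = {"user:alice@example.com", "group:net-team@example.com"}


def audit_group_users(policy, approved):
    """Return (member, finding) pairs for holders of the groupUser role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != GROUP_USER_ROLE:
            continue
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                findings.append((member, "stale"))         # principal no longer exists
            elif member not in approved:
                findings.append((member, "unapproved"))    # candidate for revocation
            elif member.startswith(("group:", "domain:")):
                findings.append((member, "review-group"))  # grant covers every member
    return findings


def revoke_commands(hub_name, findings):
    """Build the remove-iam-policy-binding command for each unapproved member."""
    return [
        "gcloud network-connectivity hubs remove-iam-policy-binding "
        f"{shlex.quote(hub_name)} --member={shlex.quote(member)} "
        f"--role={shlex.quote(GROUP_USER_ROLE)}"
        for member, finding in findings if finding == "unapproved"
    ]


if __name__ == "__main__":
    results = audit_group_users(SAMPLE_POLICY, APPROVED)
    for member, finding in results:
        print(f"{finding:13} {member}")
    print("\n".join(revoke_commands("my-hub", results)))
```

Commands are built only for live, unapproved principals; stale and group entries are listed for manual review.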
What's next
- To create hubs and spokes, see Work with hubs and spokes.
- To view a list of partners whose solutions are integrated with Network Connectivity Center, see Network Connectivity Center partners.
- To find solutions for common issues, see Troubleshooting.
- To get details about API and gcloud commands, see APIs and reference.