# Give access

Last updated (UTC): 2025-07-26.

As a hub administrator, you can grant specific users the ability to create spokes
in other projects associated with the hub, and retain full control over which
spokes are accepted into the hub. Spokes do not become active until you
explicitly accept them. You can also reject spokes at any time, if necessary.

To grant another user the ability to create spokes in other projects associated
with the hub, you can grant the
`roles/networkconnectivity.groupUser` role to that user. A user with the
`groupUser` role on a hub automatically has the role on all groups in the hub
through the Identity and Access Management (IAM) resource hierarchy. As the hub
administrator, you can also revoke a user's access.

Before you begin
----------------

Before you get started, review the following sections.

### Create or select a project

To make it easier to configure Network Connectivity Center, start by identifying a valid
project.

- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page,
  select or create a Google Cloud project.

  > **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- [Install](/sdk/docs/install) the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first
  [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).
- To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:

  ```bash
  gcloud init
  ```

1. If you are using the Google Cloud CLI, set your project
   ID by using the
   [`gcloud config set` command](/sdk/gcloud/reference/config/set).

   ```
   gcloud config set project PROJECT_ID
   ```

   Replace `PROJECT_ID` with your unique project ID.

   The gcloud CLI instructions on this page assume that you have set your project ID.
2. To confirm that you set the project ID correctly, use the
   [`gcloud config list` command](/sdk/gcloud/reference/config/list).

   ```
   gcloud config list --format='text(core.project)'
   ```

### Enable the Network Connectivity API

Before you can perform *any* tasks using Network Connectivity Center, you must enable the
Network Connectivity API.

### Console

To enable the Network Connectivity API:

1. In the Google Cloud console, go to the **Network Connectivity Center** page.

   [Go to Network Connectivity Center](https://console.cloud.google.com/hybrid/hubs/list)
2. Click **Enable**.

Alternatively, you can enable the API by
using the
[Google Cloud console API Library](https://console.cloud.google.com/apis/library?project=_),
as described in [Enabling APIs](/apis/docs/getting-started#enabling_apis).

#### Permissions required for this task

To perform this task, you must have been granted the following permissions
*or* the following IAM roles.

**Permissions**

- `networkconnectivity.hubs.getIamPolicy`
- `networkconnectivity.hubs.setIamPolicy`

**Roles**

- `roles/networkconnectivity.hubAdmin`

Manage access to create spokes in hubs across projects
------------------------------------------------------

The following sections describe how to grant, revoke, or view permissions to
create spokes in different projects than a hub.

### Grant the `groupUser` role on a hub to another user

To grant the `networkconnectivity.groupUser` role on a hub to another user,
follow these steps.

### Console

1. In the Google Cloud console, go to the **Network Connectivity Center** page.

   [Go to Network Connectivity Center](https://console.cloud.google.com/hybrid/hubs/list)
2. In the project menu, select a project.

3. Click the **Hubs** tab.

4. In the hubs list, select the hub to which you want to add access.

5. Click **Permissions**.

6. In the **Permissions** dialog, click **Add principal**.

7. Enter the username of the administrator that you want to add.

8. In the **Manage roles** dialog, from the **Network Connectivity** roles list,
   select the role that you want to assign, such as **Spoke Admin**.

9. Click **Save**.

### gcloud

Run the
[`gcloud network-connectivity hubs add-iam-policy-binding` command](/sdk/gcloud/reference/network-connectivity/hubs/add-iam-policy-binding).

```
gcloud network-connectivity hubs add-iam-policy-binding HUB_NAME \
    --member=MEMBER_DETAILS \
    --role='roles/networkconnectivity.groupUser'
```

Replace the following:

- `HUB_NAME`: the hub for the spoke, such as `my-hub`.
- `MEMBER_DETAILS`: details about the user to whom you want to grant access. For detailed information about identifiers and format, see [Principal identifiers](/iam/docs/principal-identifiers#v1).

### Revoke the `groupUser` role on a hub from a user

To revoke the `roles/networkconnectivity.groupUser` role on a hub from a user,
follow these steps.

### gcloud

Run the
[`gcloud network-connectivity hubs remove-iam-policy-binding` command](/sdk/gcloud/reference/network-connectivity/hubs/remove-iam-policy-binding).

```
gcloud network-connectivity hubs remove-iam-policy-binding HUB_NAME \
    --member=MEMBER_DETAILS \
    --role='roles/networkconnectivity.groupUser'
```

Replace the following:

- `HUB_NAME`: the hub for the spoke, such as `my-hub`.
- `MEMBER_DETAILS`: details about the user that you want to remove access from. For detailed information about identifiers and format, see [Principal identifiers](/iam/docs/principal-identifiers#v1).

### View permissions for a user

To view permissions that have been granted to a user on a hub, follow these
steps.

### gcloud

Run the
[`gcloud network-connectivity hubs get-iam-policy` command](/sdk/gcloud/reference/network-connectivity/hubs/get-iam-policy).

```
gcloud network-connectivity hubs get-iam-policy HUB_NAME
```

Replace `HUB_NAME` with the name of the hub for which
you want to view permissions, such as `my-hub`.

What's next
-----------

- To create hubs and spokes, see [Work with hubs and spokes](/network-connectivity/docs/network-connectivity-center/how-to/working-with-hubs-spokes).
- To view a list of partners whose solutions are integrated with Network Connectivity Center, see [Network Connectivity Center partners](/network-connectivity/docs/network-connectivity-center/partners).
- To find solutions for common issues, see [Troubleshooting](/network-connectivity/docs/network-connectivity-center/support/troubleshooting).
- To get details about API and `gcloud` commands, see [APIs and reference](/network-connectivity/docs/network-connectivity-center/apis).
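The policy returned by `gcloud network-connectivity hubs get-iam-policy` can be checked against the principals you intended to hold `roles/networkconnectivity.groupUser`, and the result fed back into the revoke command. The following is an added example, not part of the original page or of Google's tooling; it assumes the policy was exported with gcloud's `--format=json` flag, and the sample policy, member addresses, and function names are constructed for illustration.

```python
import json
import shlex

GROUP_USER_ROLE = "roles/networkconnectivity.groupUser"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape returned by
# `gcloud network-connectivity hubs get-iam-policy HUB_NAME --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/networkconnectivity.hubAdmin",
         "members": ["user:hub-admin@example.com"]},
        {"role": GROUP_USER_ROLE,
         "members": ["user:spoke-owner@example.com",
                     "group:contractors@example.com",
                     "deleted:user:former@example.com?uid=1234567890"]},
    ],
})


def audit_group_users(policy_json, expected_members):
    """Compare groupUser grants in a hub IAM policy with an allowlist."""
    granted = set()
    for binding in json.loads(policy_json).get("bindings", []):
        if binding.get("role") == GROUP_USER_ROLE:
            granted.update(binding.get("members", []))
    expected = set(expected_members)
    return {
        # Principals that can create spokes for the hub but are not approved.
        "unexpected": sorted(granted - expected),
        # Approved principals with no binding (revoked or never granted).
        "missing": sorted(expected - granted),
        # Grants to everyone, which defeat per-user control of the role.
        "public": sorted(granted & PUBLIC_PRINCIPALS),
        # Bindings left behind for principals that IAM marks as deleted.
        "stale": sorted(m for m in granted if m.startswith("deleted:")),
    }


def revoke_commands(hub_name, members):
    """Build the page's revoke command for each member, shell-quoted."""
    return ["gcloud network-connectivity hubs remove-iam-policy-binding "
            f"{shlex.quote(hub_name)} --member={shlex.quote(m)} "
            f"--role={shlex.quote(GROUP_USER_ROLE)}" for m in members]


if __name__ == "__main__":
    approved = ["user:spoke-owner@example.com", "user:net-eng@example.com"]
    report = audit_group_users(SAMPLE_POLICY, approved)
    print(report, *revoke_commands("my-hub", report["unexpected"]), sep="\n")
```

Review the generated commands before running them; the audit only reads the policy and changes nothing on its own.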