Access Control with IAM

Service Usage uses Identity and Access Management (IAM) to control access to services. This page explains the IAM roles and permissions related to Service Usage and how to use them to control access.

Resource model

For Service Usage, there are three relevant resources:

1. The service you are using.

2. The project from which you are using the service.

3. The operation or long-running operation returned by certain methods.

Each Service Usage method requires a permission on one or more of these resources.

IAM permissions

The following table shows the required permissions for each Service Usage API method. You can also find this information in the API reference.

Method	Required permissions
services.batchEnable	On the project: serviceusage.services.enable On the services: servicemanagement.services.bind
services.enable	On the project: serviceusage.services.enable On the service: servicemanagement.services.bind
services.disable	On the project: serviceusage.services.disable
services.get	On the project: serviceusage.services.get
services.list	On the project: serviceusage.services.list
services.consumerQuotaMetrics.list services.consumerQuotaMetrics.get services.consumerQuotaMetrics.limits.get services.consumerQuotaMetrics.limits.consumerOverrides.list services.consumerQuotaMetrics.limits.adminOverrides.list services.consumerQuotaMetrics.limits.producerOverrides.list	On the project: serviceusage.quota.get On the service: servicemanagement.services.bind
services.consumerQuotaMetrics.consumerOverrides.create services.consumerQuotaMetrics.consumerOverrides.patch services.consumerQuotaMetrics.consumerOverrides.delete services.adminQuotaMetrics.adminOverrides.create services.adminQuotaMetrics.adminOverrides.patch services.adminQuotaMetrics.adminOverrides.delete	On the project: serviceusage.quota.update On the service: servicemanagement.services.bind
To use a project for quota and billing purposes. For more information, see System parameters.	On the project: serviceusage.services.use

IAM roles

With IAM, you give users permission by granting them a role. The following tables list IAM basic and predefined roles, and the permissions related to Service Usage that those roles include.

For more information about roles, see Understanding roles.

Basic roles

Name	Title	Permissions
roles/viewer	Viewer	serviceusage.services.get serviceusage.services.list serviceusage.quotas.get
roles/editor roles/owner	Editor Owner	serviceusage.services.get serviceusage.services.list serviceusage.services.disable serviceusage.services.enable serviceusage.services.use serviceusage.quotas.get serviceusage.quotas.update

Predefined roles

Role	Permissions
API Keys Admin (roles/serviceusage.apiKeysAdmin) Ability to create, delete, update, get and list API keys for a project.	apikeys.* apikeys.keys.create apikeys.keys.delete apikeys.keys.get apikeys.keys.getKeyString apikeys.keys.list apikeys.keys.lookup apikeys.keys.undelete apikeys.keys.update orgpolicy.policy.get serviceusage.apiKeys.* serviceusage.apiKeys.regenerate serviceusage.apiKeys.revert
API Keys Viewer (roles/serviceusage.apiKeysViewer) Ability to get and list API keys for a project.	apikeys.keys.get apikeys.keys.getKeyString apikeys.keys.list apikeys.keys.lookup
Service Usage Admin (roles/serviceusage.serviceUsageAdmin) Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.quotas.* serviceusage.quotas.get serviceusage.quotas.update serviceusage.services.* serviceusage.services.disable serviceusage.services.enable serviceusage.services.get serviceusage.services.list serviceusage.services.use
Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) Ability to inspect service states and operations, and consume quota and billing for a consumer project.	monitoring.timeSeries.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list serviceusage.services.use
Service Usage Viewer (roles/serviceusage.serviceUsageViewer) Ability to inspect service states and operations for a consumer project.	monitoring.timeSeries.list serviceusage.quotas.get serviceusage.services.get serviceusage.services.list