# Grant access to individual Cloud Workstations ports
You can use IAM Conditions to grant access to individual workstation ports. This is useful when you want to share access to a single port without granting access to the rest of the workstation. For example, you can use IAM Conditions to grant access to a demo server running on a workstation port.

Cloud Workstations supports the `destination.port` IAM Conditions attribute.

For more information about IAM Conditions, see the following:

- [Conditions overview](/iam/docs/conditions-overview)
- [Managing conditional role bindings](/iam/docs/managing-conditional-policies)
Before you begin
----------------

Before you can grant access to individual workstation ports, you must have the Cloud Workstations Policy Admin (`roles/workstations.policyAdmin`) role on the workstation.
### Check IAM roles on the workstation

Be sure that you have the Cloud Workstations User (`roles/workstations.user`) and Cloud Workstations Policy Admin (`roles/workstations.policyAdmin`) roles on the workstation. If you don't, ask your organization's Cloud Workstations Admin to grant you those roles on the workstation.

| **Tip:** The [--grant-workstation-admin-role-on-create](/sdk/gcloud/reference/workstations/configs/create#--grant-workstation-admin-role-on-create) option is recommended on the Cloud Workstations configuration because it lets creators of workstations update the IAM policy of the workstations they create. For details on this option, see the [Add users](/workstations/docs/create-configuration#add_users) section.
### Start a demo server in workstation

Start and connect to your workstation using the [Launch workstation](/workstations/docs/create-workstation#launch_a_workstation) guide. Run the following command on the workstation to start a demo server on a workstation port:

    python3 -m http.server WORKSTATIONS_PORT

Replace the following:

- `WORKSTATIONS_PORT`: the port on which the demo server will listen. For example, use 8081.
Update conditional IAM policy of workstation
--------------------------------------------

To grant access to a workstation port, you can use the Google Cloud console or the `gcloud` CLI [`iam policies`](/sdk/gcloud/reference/iam/policies) command.
### Console

To grant conditional access to the workstation:

1. In the Google Cloud console, navigate to the **Cloud Workstations** > **Workstations** page.

   [Go to Workstations](https://console.cloud.google.com/workstations/list)

2. Find your workstation, click the **More** options menu, and select **Add Users**.

3. To grant conditional access, enter the email for the principal. For example, `222larabrown@gmail.com`.

4. Ensure **Cloud Workstations User** is selected as a Role.

5. Update the IAM condition to grant port-specific access:

   1. Click **Add IAM Condition**.

   2. Specify a title such as **Port WORKSTATIONS_PORT**.

   3. In the **Condition Editor** tab, enter the following condition:

          destination.port == WORKSTATIONS_PORT

   4. Click **Save** to finalize granting conditional access to the specific port to the principal.
### gcloud

1. Get the workstation IAM policy by using the `gcloud` CLI [`workstations get-iam-policy`](/sdk/gcloud/reference/workstations/get-iam-policy) command. This command outputs the policy to the file `/tmp/WORKSTATIONS_NAME.yaml`. If the file exists, it will be overwritten.

       gcloud workstations get-iam-policy WORKSTATIONS_NAME \
           --cluster=WORKSTATIONS_CLUSTER_NAME \
           --config=WORKSTATIONS_CONFIG_NAME \
           --region=LOCATION \
           --project=WORKSTATIONS_PROJECT_ID \
           > /tmp/WORKSTATIONS_NAME.yaml

   Replace the following:

   - `WORKSTATIONS_NAME`: the name of the workstation.
   - `WORKSTATIONS_CONFIG_NAME`: the name of the workstation configuration.
   - `WORKSTATIONS_CLUSTER_NAME`: the name of the workstation cluster.
   - `LOCATION`: the region name for your workstation cluster.
   - `WORKSTATIONS_PROJECT_ID`: the ID of the Cloud Workstations project containing your workstation.

   The YAML format of the policy is downloaded into `/tmp/WORKSTATIONS_NAME.yaml`:

       bindings:
       - members:
         - user:222larabrown@gmail.com
         role: roles/workstations.user
       etag: BwYdnV9Eg7Y=
       version: 1
2. To grant conditional access to a principal, add the following condition expression to the policy file that you downloaded in the previous step. Do not modify the `etag`. Ensure the `version` is specified as `3`, since this policy includes the `condition` field.
   For example:

       bindings:
       - members:
         - user:YOUR_ID
         role: roles/workstations.user
       - condition:
           expression: destination.port == WORKSTATIONS_PORT
           title: Port WORKSTATIONS_PORT
         members:
         - user:PRINCIPAL
         role: roles/workstations.user
       etag: BwYlui8uSXo=
       version: 3

   Replace the following:

   - `YOUR_ID`: your own login ID. For example, `222larabrown@gmail.com`.
   - `PRINCIPAL`: the principal with whom you want to share access to port `WORKSTATIONS_PORT` of the workstation. For example, `baklavainthebalkans@gmail.com`.
   - `WORKSTATIONS_PORT`: the workstation port on which the demo server is listening.

3. Set the IAM policy of the workstation using the `gcloud` CLI [`workstations set-iam-policy`](/sdk/gcloud/reference/workstations/set-iam-policy) command.

       gcloud workstations set-iam-policy WORKSTATIONS_NAME \
           --cluster=WORKSTATIONS_CLUSTER_NAME \
           --config=WORKSTATIONS_CONFIG_NAME \
           --region=LOCATION \
           --project=WORKSTATIONS_PROJECT_ID \
           /tmp/WORKSTATIONS_NAME.yaml

   Replace the following:

   - `WORKSTATIONS_NAME`: the name of the workstation.
   - `WORKSTATIONS_CONFIG_NAME`: the name of the workstation configuration.
   - `WORKSTATIONS_CLUSTER_NAME`: the name of the workstation cluster.
   - `LOCATION`: the region name for your workstation cluster.
   - `WORKSTATIONS_PROJECT_ID`: the ID of the Cloud Workstations project containing your workstation.

After the IAM policy of the workstation is updated, the principal will be able to access the specified port of the workstation.

| **Note:** Even if you revoke the IAM access, the principal may be able to access the specified port for up to 24 hours, or until the workstation is shut down.

Share URL of workstation
------------------------

The principal will be able to access the specified port with the following workstation URL:

    https://WORKSTATIONS_PORT-WORKSTATIONS_NAME.WORKSTATIONS_CLUSTER_NAME.cloudworkstations.dev

The placeholders represent the following:

- `WORKSTATIONS_PORT`: the port on which the demo server is listening.
- `WORKSTATIONS_NAME`: the workstation name.
- `WORKSTATIONS_CLUSTER_NAME`: the randomly generated cluster identifier.
- `cloudworkstations.dev`: the default domain name for a workstation.

The principal won't be able to access other ports of the workstation they don't have access to.
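The following is an added example, not code from the Cloud Workstations documentation or from `gcloud`. It covers two steps of this page in one script: editing the downloaded policy (appending a conditional `roles/workstations.user` binding, raising `version` to `3`, and leaving the `etag` untouched, as step 2 requires) and checking what the resulting policy lets each principal reach, which is the point of the closing sentence about other ports. It works on the policy as a Python dict in the same shape as the YAML that `get-iam-policy` prints and writes JSON; passing a JSON policy file to `set-iam-policy` the same way as the YAML file is an assumption of this example. The sample policy reuses the values shown on the page, the hostname is constructed, and the condition evaluator understands only the exact `destination.port == N` form used here, not general CEL.

```python
"""Edit and audit a Cloud Workstations IAM policy that scopes access by port.

Added example, not code from the Cloud Workstations docs or gcloud. Operates on
the policy dict in the shape `gcloud workstations get-iam-policy` prints and
emits JSON (assumption: set-iam-policy takes the JSON file like the YAML one).
Only the page's expression form `destination.port == N` is understood, not CEL.
"""
import copy
import json
import re

USER_ROLE = "roles/workstations.user"
PORT_EXPR = re.compile(r"^\s*destination\.port\s*==\s*(\d+)\s*$")
HOST_RE = re.compile(r"(\d+)-([a-z0-9-]+)\.([a-z0-9-]+)\.cloudworkstations\.dev")

# Constructed sample: the policy as the page shows it right after get-iam-policy.
SAMPLE_POLICY = {
    "bindings": [{"members": ["user:222larabrown@gmail.com"], "role": USER_ROLE}],
    "etag": "BwYdnV9Eg7Y=",
    "version": 1,
}


def validate_policy(policy):
    """Check the invariants the page calls out before running set-iam-policy."""
    if not policy.get("etag"):
        raise ValueError("policy has no etag; re-run get-iam-policy")
    bindings = policy.get("bindings", [])
    if any("condition" in b for b in bindings) and policy.get("version") != 3:
        raise ValueError("a policy with a condition field must have version: 3")
    for b in bindings:
        expr = b.get("condition", {}).get("expression")
        if expr is not None and not PORT_EXPR.match(expr):
            raise ValueError(f"unsupported condition expression: {expr!r}")
    return True


def add_port_binding(policy, principal, port):
    """Return a copy of `policy` granting `principal` exactly one port.

    The etag is carried over unchanged so a stale write is rejected, version
    becomes 3 because the new binding has a condition, and the principal gets
    its own binding: adding it to the unconditional one would grant every port.
    """
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    new = copy.deepcopy(policy)
    new.setdefault("bindings", []).append({
        "role": USER_ROLE,
        "members": [principal],
        "condition": {"title": f"Port {port}",
                      "expression": f"destination.port == {port}"},
    })
    new["version"] = 3
    validate_policy(new)
    return new


def is_port_allowed(policy, principal, port):
    """Model of the decision: an unconditional user binding grants all ports,
    a conditional one grants only the port named in its expression."""
    for b in policy.get("bindings", []):
        if b.get("role") != USER_ROLE or principal not in b.get("members", []):
            continue
        cond = b.get("condition")
        if cond is None:
            return True
        m = PORT_EXPR.match(cond.get("expression", ""))
        if m and int(m.group(1)) == int(port):
            return True
    return False


def unconditional_principals(policy):
    """Audit helper: members who can reach every port of the workstation."""
    return sorted(m for b in policy.get("bindings", [])
                  if b.get("role") == USER_ROLE and "condition" not in b
                  for m in b.get("members", []))


def parse_workstation_host(host):
    """Split PORT-NAME.CLUSTER.cloudworkstations.dev into (port, name, cluster)."""
    m = HOST_RE.fullmatch(host)
    if not m:
        raise ValueError(f"not a workstation port URL host: {host!r}")
    return int(m.group(1)), m.group(2), m.group(3)


if __name__ == "__main__":
    guest = "user:baklavainthebalkans@gmail.com"
    updated = add_port_binding(SAMPLE_POLICY, guest, 8081)
    print(json.dumps(updated, indent=2))  # save as the file given to set-iam-policy
    # Constructed hostname in the page's URL format; the cluster id is made up.
    port, name, cluster = parse_workstation_host("8081-my-ws.cluster-abc123.cloudworkstations.dev")
    print(f"{guest} -> port {port}: {is_port_allowed(updated, guest, port)}")
    print("all-port access:", unconditional_principals(updated))
```

`unconditional_principals` is the check worth running before sharing a port: anyone listed there holds `roles/workstations.user` without a condition and can reach every port, so a demo guest who ends up in that list was added to the wrong binding. `parse_workstation_host` turns a request hostname in the page's URL format back into the port being accessed, so the same `is_port_allowed` check can be run against access logs.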