Access control with IAM

Cloud API Registry uses Identity and Access Management (IAM) for access control. This document describes the access control options that are available to you.

For an introduction to IAM and its features, see the IAM overview. You can grant, change, and revoke IAM roles using the Google Cloud console, the IAM API, or the Google Cloud CLI. For instructions, see Manage access to projects, folders, and organizations.

For lists of the permissions and roles that Cloud API Registry supports, see the following sections.

Enable the Cloud API Registry API

To view and assign IAM roles for Cloud API Registry, you must enable the Cloud API Registry API for your project. You won't be able to see the Cloud API Registry roles in the Google Cloud console until you enable the API.

Use the following instructions to create or select a Google Cloud project and to enable the Cloud API Registry API:

Console

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the Cloud API Registry.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Cloud API Registry.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

    8.

gcloud

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command: 

    gcloud init

  5. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Cloud API Registry:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

    gcloud services enable cloudapiregistry.googleapis.com

  8. Install the Google Cloud CLI.

  9. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  10. To initialize the gcloud CLI, run the following command: 

    gcloud init

  11. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  12. Verify that billing is enabled for your Google Cloud project.

  13. Enable the Cloud API Registry:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

    gcloud services enable cloudapiregistry.googleapis.com

Predefined roles

The following table lists the Cloud API Registry predefined IAM roles with a corresponding list of all the permissions each role includes.

The predefined roles address most typical use cases. If your use case isn't covered by the predefined roles, you can create an IAM custom role.

Cloud API Registry roles

Role Permissions

(roles/cloudapiregistry.admin)

Read/write access to Cloud API Registry for Consumers resources.

cloudapiregistry.*

  • cloudapiregistry.locations.get
  • cloudapiregistry.locations.list
  • cloudapiregistry.mcpServers.get
  • cloudapiregistry.mcpServers.list
  • cloudapiregistry.mcpTools.get
  • cloudapiregistry.mcpTools.list

serviceusage.effectivemcppolicy.get

(roles/cloudapiregistry.viewer)

Readonly access to Cloud API Registry for Consumers resources.

cloudapiregistry.*

  • cloudapiregistry.locations.get
  • cloudapiregistry.locations.list
  • cloudapiregistry.mcpServers.get
  • cloudapiregistry.mcpServers.list
  • cloudapiregistry.mcpTools.get
  • cloudapiregistry.mcpTools.list

serviceusage.effectivemcppolicy.get