Grant permissions to applications

Configure who can access your App Hub applications by assigning Identity and Access Management (IAM) roles to principals, such as users, groups, or service accounts. Applications are contained within an application management boundary, which is a project or a folder of projects, and are managed by a management project.

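You can grant these permissions on the management project to principals in two ways:

  • Grant access to all applications within the application management boundary.
  • Grant access to individual applications.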

For recommended roles, see Grant application-centric roles to your users.

Grant access to all applications

To grant access to all applications within your application management boundary, assign an IAM role to a principal on the management project:

Console

  1. In the Google Cloud console, use the project picker to select your management project.

  2. Navigate to the IAM page.

  3. Click Grant access.

  4. Enter an identifier for the principal who will get access to all applications within the boundary. For example, user@example.com.

  5. From the Select a role drop-down menu, search for the role you want to assign and click it.

  6. Click Save.

  7. Verify that the principal and the corresponding role are listed in the IAM page.

gcloud

  1. Find the project ID of the management project.

  2. Add a policy binding:

    gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=user:USER_EMAIL \
       --role=ROLE
    

    Replace the following:

    • PROJECT_ID: the ID of the management project.
    • USER_EMAIL: the email address of the user who will get access to all applications within the boundary, such as user@example.com.
    • ROLE: the role that you want to provide to the user, such as roles/apphub.editor.

Grant access to individual applications

To grant access to individual applications within your application management boundary, assign an IAM role to a principal on the application:

  1. Find the project ID of the management project.

  2. Set an IAM policy:

    gcloud apphub applications set-iam-policy APPLICATION_NAME \
       --project=PROJECT_ID \
       --location=LOCATION \
       POLICY_FILE
    

    Replace the following:

    • APPLICATION_NAME: the name of your application. The name must include only lowercase alphanumeric characters without spaces, such as my-application.
    • PROJECT_ID: the ID of the management project.
    • LOCATION: the location of the application.
    • POLICY_FILE: the name of the policy file that grants the role to the user, such as my-policy.yaml.

The following example of a policy file grants the roles/apphub.editor role to the user user@example.com:

# policyfile.yaml
bindings:
- role: roles/apphub.editor
  members:
  - user:user@example.com
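
Because set-iam-policy replaces the application's entire policy with the contents of POLICY_FILE, a file that lists only one binding removes every grant it does not mention. The following added example (not part of the original page) merges a single binding into an existing policy and reports any grants a candidate file would drop; the sample policy, its etag value, and the function names are constructed for illustration.

```python
import copy
import json

# Constructed sample: the current policy of an application, in the shape
# `gcloud apphub applications get-iam-policy ... --format=json` returns.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/apphub.viewer", "members": ["group:ops@example.com"]},
        {"role": "roles/apphub.editor", "members": ["user:owner@example.com"]},
    ],
    "etag": "BwXconstructed=",
}

# Principal type prefixes this example accepts (extend as needed).
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")


def add_binding(policy, role, member):
    """Return a copy of policy with member added to role, keeping the rest."""
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member needs a type prefix such as user: ({member!r})")
    updated = copy.deepcopy(policy)  # etag and existing bindings are preserved
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        # Conditional bindings are separate grants; only extend unconditional ones.
        if binding.get("role") == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


def dropped_grants(before, after):
    """List (role, member) pairs present in before but missing from after."""
    def pairs(p):
        return {(b["role"], m) for b in p.get("bindings", []) for m in b["members"]}
    return sorted(pairs(before) - pairs(after))


if __name__ == "__main__":
    merged = add_binding(CURRENT_POLICY, "roles/apphub.editor", "user:user@example.com")
    assert dropped_grants(CURRENT_POLICY, merged) == []
    print(json.dumps(merged, indent=2))  # JSON is also accepted as POLICY_FILE
```

Keeping the etag in the file passed to set-iam-policy lets the service reject the update if the policy changed after it was read, instead of silently overwriting that change.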