This page describes the Identity and Access Management (IAM) roles and permissions that you need to purchase and manage commercial products on Cloud Marketplace.
With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For commercial apps on Cloud Marketplace, users in your Google Cloud organization require IAM roles to sign up for Cloud Marketplace plans, and to make changes to billing plans.
- Learn about managing billing for Cloud Marketplace products.
- Learn about factors that affect your bill.
- Learn about the basic concepts of IAM.
- Learn about the hierarchy of Google Cloud resources.
Before you begin
- To grant Cloud Marketplace roles and permissions using
gcloud, install the gcloud CLI. Otherwise, you can grant roles using the Google Cloud console.
Purchasing and managing roles
We recommend that you assign the Billing Account Administrator IAM role to users who are purchasing services from Cloud Marketplace.
Users who want to access the services must have the Viewer role, at a minimum.
For more granular control over users' permissions, you can create custom roles with the permissions that you want to grant.
Product-specific requirements
To use the following services in a Google Cloud project, you must have the Project Editor role:
- Google Cloud Dataprep by Trifacta
- Neo4j Aura Professional
- Redis Enterprise Cloud
List of IAM roles and permissions
You can grant users one or more of the following IAM roles. Depending on the role you are granting to users, you must also assign the role to a Google Cloud billing account, organization, or project. For details, see the section on Granting IAM roles to users.
| Role | Permissions |
|---|---|
Consumer Procurement Entitlement Manager( Allows managing entitlements and enabling, disabling, and inspecting service states for a consumer project. |
|
Consumer Procurement Entitlement Viewer( Allows inspecting entitlements and service states for a consumer project. |
|
Consumer Procurement Events Viewer( Allows viewing key events for an offer |
|
Consumer Procurement License Pool Editor( Allows managing license pools and license assignments. |
|
Consumer Procurement License Pool Viewer( Allows viewing license pools and license assignments. |
|
Consumer Procurement Order Administrator( Allows managing purchases. |
|
Consumer Procurement Order Viewer( Allows inspecting purchases. |
|
Consumer Procurement Administrator( Allows managing purchases, consents at both billing account and project level. |
|
Consumer Procurement Viewer( Allows inspecting purchases, consents and entitlements and service states for a consumer project. |
|
Granting IAM roles to users
From the roles in the preceding table, the
consumerprocurement.orderAdmin and consumerprocurement.orderViewer roles
must be assigned at the billing account or organization level, and the
consumerprocurement.entitlementManager and
consumerprocurement.entitlementViewer roles must be assigned at the project
or organization level.
To grant roles to users using gcloud, run one of the following commands:
Organization
You must have the resourcemanager.organizationAdmin
role to assign roles at the organization level.
gcloud organizations add-iam-policy-binding organization-id \
--member=member --role=role-id
The placeholder values are:
- organization-id: The numeric ID of the organization that you are granting the role for.
- member: The user that you are granting access to.
- role-id: The role ID, from the previous table.
Billing account
You must have the billing.admin
role to assign roles at the billing account level.
gcloud beta billing accounts set-iam-policy account-id \
policy-file
The placeholder values are:
- account-id: Your billing account ID, which you can get from the Manage billing accounts page.
- policy-file: An IAM policy file, in JSON or YAML format. The policy file must contain the role IDs from the previous table, and the users that you are assigning the roles to.
Project
You must have the resourcemanager.folderAdmin
role to assign roles at the project level.
gcloud projects add-iam-policy-binding project-id \
--member=member --role=role-id
The placeholder values are:
- project-id: The project that you are granting the role for.
- member: The user that you are granting access to.
- role-id: The role ID, from the previous table.
To grant roles to users using the Google Cloud console, see the IAM documentation on Granting, changing, and revoking access for users.
Using custom roles with Cloud Marketplace
If you want granular control over the permissions you grant users, you can create custom roles with the permissions that you want to grant.
If you're creating a custom role for users who purchase services from Cloud Marketplace, the role must include these permissions for the billing account they use to purchase services:
billing.accounts.get, which is typically granted with theroles/consumerprocurement.orderAdminrole.consumerprocurement.orders.get, which is typically granted with theroles/consumerprocurement.orderAdminrole.consumerprocurement.orders.list, which is typically granted with theroles/consumerprocurement.orderAdminrole.consumerprocurement.orders.place, which is typically granted with theroles/consumerprocurement.orderAdminrole.consumerprocurement.accounts.get, which is typically granted with theroles/consumerprocurement.orderAdminrole.consumerprocurement.accounts.list, which is typically granted with theroles/consumerprocurement.orderAdminrole.consumerprocurement.accounts.create, which is typically granted with theroles/consumerprocurement.orderAdminrole.consumerprocurement.consents.grant, which is typically granted with theroles/consumerprocurement.orderAdminrole.
Accessing partner websites with Single Sign-on (SSO)
Certain Cloud Marketplace API products support Single Sign-on (SSO) to a partner's external website. Authorized users within the organization have access to a "MANAGE ON PROVIDER" button on the product details page. This button directs users to the partner's website. In some cases, users are prompted to "Sign in with Google". In other cases, users are signed in a shared account context.
In order to access the SSO capability, users navigate to the product details page, and select an appropriate project. The project must be linked to a billing account where the plan has been purchased. For details about Cloud Marketplace API plan management, see Managing billing plans.
Additionally, the user must have sufficient IAM permissions
within the selected project. For most products, the
roles/consumerprocurement.entitlementManager (or
roles/editor
basic role) is required.
Minimal permissions for specific products
The following products can operate on a different set of permissions to access SSO capabilities:
- Apache Kafka on Confluent Cloud
- DataStax Astra for Apache Cassandra
- Elastic Cloud
- Neo4j Aura Professional
- Redis Enterprise Cloud
For these products, you can use the following minimal permissions:
consumerprocurement.entitlements.getconsumerprocurement.entitlements.listserviceusage.services.getserviceusage.services.listresourcemanager.projects.get
These permissions are typically granted with the
roles/consumerprocurement.entitlementManager or
roles/consumerprocurement.entitlementViewer roles.