List service dependencies

Hierarchical service activation lets you manage service enablement that is inherited through the Google Cloud resource hierarchy. For more information, see the overview.

Many Google Cloud services need other services to function. When you enable a service using hierarchical service activation, its required dependencies are automatically added to the ConsumerPolicy. A service dependency group contains these relied-on services, which you can list to better understand and manage them.

This document shows you how to use the Google Cloud CLI to list service dependencies for projects, folders, and organizations.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command: 

    gcloud init

  5. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  7. Verify that billing is enabled for your Google Cloud project.

  8. Enable the Service Usage API:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

    gcloud services enable serviceusage.googleapis.com

  9. Install the Google Cloud CLI.

  10. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  11. To initialize the gcloud CLI, run the following command: 

    gcloud init

  12. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  13. If you're using an existing project for this guide, verify that you have the permissions required to complete this guide. If you created a new project, then you already have the required permissions.

  14. Verify that billing is enabled for your Google Cloud project.

  15. Enable the Service Usage API:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles. 

    gcloud services enable serviceusage.googleapis.com

  16. If you don't indicate the Google Cloud resource that you want to manage, the commands in this document default to the current project. For example, gcloud beta services groups list-members bigquery.googleapis.com dependencies lists the members for the current project.

    You can retrieve the current project ID:

    gcloud config list --format='text(core.project)'

Required roles

To get the permissions that you need to list service dependencies, ask your administrator to grant you the Service Usage Viewer (roles/serviceusage.serviceUsageViewer) IAM role on your target resource. For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the permissions required to list service dependencies. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to list service dependencies:

  • List dependency group members: serviceusage.groups.listMembers
  • List expanded dependency group members: serviceusage.groups.listExpandedMembers

You might also be able to get these permissions with custom roles or other predefined roles.

List dependency group members

You can list the direct members of a service dependency group for a project, folder, or organization by using the gcloud beta services groups list-members command.

Project

gcloud beta services groups list-members  SERVICE GROUP \
    --project=PROJECT_ID

Replace the following:

  • SERVICE: the name of the service you want to list members for.
  • GROUP: the name of the service dependency group you want to list members for. The primary supported group is dependencies.
  • PROJECT_ID: your Google Cloud project ID. Or, omit the flag to default to the current project.

Folder

gcloud beta services groups list-members  SERVICE  GROUP \
    --folder=FOLDER_ID

Replace the following:

  • SERVICE: the name of the service you want to list members for.
  • GROUP: the name of the service dependency group you want to list members for. The primary supported group is dependencies.
  • FOLDER_ID: your Google Cloud folder ID.

Organization

gcloud beta services groups list-members  SERVICE  GROUP \
    --organization=ORGANIZATION_ID

Replace the following:

  • SERVICE: the name of the service you want to list members for.
  • GROUP: the name of the service dependency group you want to list members for. The primary supported group is dependencies.
  • ORGANIZATION_ID: your Google Cloud organization resource ID.

You can use other flags to filter and limit the members listed.

List expanded dependency group members

You can list the expanded members of a service dependency group for a project, folder, or organization by using the gcloud beta services groups list-expanded-members command.

This command returns a flattened list of all dependencies, including those in nested groups, to provide a complete, combined list of all service dependencies.

Project

gcloud beta services groups list-expanded-members SERVICE GROUP \
    --project=PROJECT_ID

Replace the following:

  • SERVICE: the name of the service you want to list members for.
  • GROUP: the name of the service dependency group you want to list members for. The primary supported group is dependencies.
  • PROJECT_ID: your Google Cloud project ID. Or, omit the flag to default to the current project.

Folder

gcloud beta services groups list-expanded-members SERVICE  GROUP \
    --folder=FOLDER_ID

Replace the following:

  • SERVICE: the name of the service you want to list members for.
  • GROUP: the name of the service dependency group you want to list members for. The primary supported group is dependencies.
  • FOLDER_ID: your Google Cloud folder ID.

Organization

gcloud beta services groups list-expanded-members SERVICE  GROUP \
    --organization=ORGANIZATION_ID

Replace the following:

  • SERVICE: the name of the service you want to list members for.
  • GROUP: the name of the service dependency group you want to list members for. The primary supported group is dependencies.
  • ORGANIZATION_ID: your Google Cloud organization resource ID.

You can use other flags to filter and limit the members listed.

Examples

Listing direct dependency group members

  • Listing direct dependencies of BigQuery service for the current project: 
    gcloud beta services groups list-members bigquery.googleapis.com dependencies

    Output:

    NAME: services/analyticshub.googleapis.com
REASON: BigQuery depends on this group to allow users to exchange data and analytics assets.

NAME: services/bigquery.googleapis.com
REASON: The service representing BigQuery which owns this dependency group and depends on the other members of this group.

NAME: services/bigqueryconnection.googleapis.com
REASON: BigQuery depends on this group to allow users to manage connections to external data sources.

NAME: services/bigquerydatapolicy.googleapis.com
REASON: BigQuery depends on this group to allow users to manage their data policies.

...
  • Attempting to list dependencies of API keys service without a corresponding service dependency group: 
    gcloud beta services groups list-members apikeys.googleapis.com dependencies --project=test-project

    Output:

    Listed 0 items.

Listing expanded dependency group members

  • Listing expanded dependencies of BigQuery service for the current project: 
    gcloud beta services groups list-expanded-members bigquery.googleapis.com dependencies

    Output:

    services/analyticshub.googleapis.com
services/bigquery.googleapis.com
services/bigqueryconnection.googleapis.com
services/bigquerydatapolicy.googleapis.com
services/bigquerydatatransfer.googleapis.com
services/bigquerymigration.googleapis.com
services/bigqueryreservation.googleapis.com
services/bigquerystorage.googleapis.com
services/cloudresourcemanager.googleapis.com
services/dataform.googleapis.com
services/dataplex.googleapis.com

What's next