MANAGEMENT_PROJECT_ID: the management project ID,
such as google-mpf-123456789.
USER_EMAIL: the email address of the user that
must get access to all applications in the management project, such as
user@example.com.
ROLE: the role that you want to provide to the
user, such as roles/apphub.editor.
Grant access to individual applications
To grant access to individual applications in the management project, assign an
IAM role to the principal on the application resource.
Run the following gcloud CLI command. For example, you can use
Cloud Shell:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Grant permissions to applications\n\nYou can configure application access by assigning user roles on your management\nproject. To do this, use the following approaches:\n\n- Grant access to [all applications](#all-applications) in a management project.\n- Grant access to [individual applications](#individual-applications) in a management project.\n\nGrant access to all applications\n--------------------------------\n\nTo grant access to all applications from the management project, assign an\nIAM role to a principal on the management project. \n\n### Google Cloud console\n\n1. Go to the **IAM** page.\n\n [Go to IAM](https://console.cloud.google.com/iam-admin/iam?supportedpurview=project)\n2. From the project picker in the Google Cloud console, select the\n management project.\n\n3. Click person_add **Grant access**.\n\n4. Enter an identifier for the principal. For example,\n `user@example.com`.\n\n5. From the **Select a role** drop-down menu, search for the role you want to\n assign and click it.\n\n6. Click **Save**.\n\n7. Verify that the principal and the corresponding role are listed in the\n IAM page.\n\nYou have successfully granted an IAM role to a principal.\n\n### gcloud CLI\n\nRun the following gcloud CLI command. For example, you can use\nCloud Shell: \n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003eMANAGEMENT_PROJECT_ID\u003c/var\u003e \\\n --member=\u003cvar translate=\"no\"\u003eUSER_EMAIL\u003c/var\u003e \\\n --role=\u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eMANAGEMENT_PROJECT_ID\u003c/var\u003e: the management project ID, such as `google-mpf-123456789`.\n- \u003cvar translate=\"no\"\u003eUSER_EMAIL\u003c/var\u003e: the email address of the user that must get access to all applications in the management project, such as `user@example.com`.\n- \u003cvar translate=\"no\"\u003eROLE\u003c/var\u003e: the role that you want to provide to the user, such as `roles/apphub.editor`.\n\nGrant access to individual applications\n---------------------------------------\n\nTo grant access to individual applications in the management project, assign an\nIAM role to the principal on the application resource.\nRun the following gcloud CLI command. For example, you can use\nCloud Shell: \n\n gcloud apphub applications set-iam-policy \u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e \\\n --project=\u003cvar translate=\"no\"\u003eMANAGEMENT_PROJECT_ID\u003c/var\u003e \\\n --location=\u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e \\\n \u003cvar translate=\"no\"\u003ePOLICY_FILE\u003c/var\u003e\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eAPPLICATION_NAME\u003c/var\u003e: the name of your application. The name must include only lowercase alphanumeric characters without spaces, such as `my-application`.\n- \u003cvar translate=\"no\"\u003eMANAGEMENT_PROJECT_ID\u003c/var\u003e: the management project ID, such as `google-mpf-123456789`.\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e: the region of the application.\n- \u003cvar translate=\"no\"\u003ePOLICY_FILE\u003c/var\u003e: the name of the policy file that grants the role to the user, such as `my-policy.yaml`.\n\nThe following example policy file grants the `roles/apphub.editor` role to\nthe user `user@example.com`: \n\n # policyfile.yaml\n bindings:\n - role: roles/apphub.editor\n members:\n - user:user@example.com"]]
