Manage role bindings
This guide shows you how to grant, revoke, list, and test fine-grained IAM access using role bindings.
Role binding commands aren't available in the evroc CLI. Use the IAM API for role binding management.
Prerequisites
Before you manage role bindings, you'll need:
- The evroc CLI installed and logged in. See Install the evroc CLI.
- Permission to manage role bindings in the target project or organization.
- The project ID or organization ID where you want to grant access.
- The principal FQID for the user or service account receiving access.
Get an access token for the API examples:
TOKEN="$(evroc iam get-access-token)"
List available roles
List predefined roles before you grant access. The response includes each role's scope and permissions.
curl -H "Authorization: Bearer $TOKEN" \
https://api.evroc.com/iam/v1beta1/roles
Use the role's id value when granting access, for example
/iam/roles/computeOperator.
For descriptions of each predefined role and permission, see permissions and roles.
Grant a project role
Grant a role to a principal in a project with the assign endpoint. This creates
the principal's role binding if it doesn't already exist.
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"principal": "/iam/users/5a9bb4ea-a79f-4918-9b62-a983b576799e",
"role": "/iam/roles/computeOperator"
}' \
https://api.evroc.com/iam/v1beta1/projects/my-project/roleBindings/assign
The principal receives the role on every applicable resource in my-project.
Note: Assigning a role is idempotent. If the principal already has that role in the scope, the request replaces the role's resource list.
Grant access to specific resources
Add resources to limit a role to specific resource FQIDs.
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"principal": "/iam/users/5a9bb4ea-a79f-4918-9b62-a983b576799e",
"role": "/iam/roles/computeOperator",
"resources": [
"/compute/projects/my-project/regions/se-sto/virtualMachines/my-vm",
"/compute/projects/my-project/regions/se-sto/virtualMachines/*"
]
}' \
https://api.evroc.com/iam/v1beta1/projects/my-project/roleBindings/assign
Use exact resource FQIDs for individual resources. Use * to match one path
segment, such as all VMs in one region.
Grant an organization role
Grant organization-level roles on an organization scope.
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"principal": "/iam/users/5a9bb4ea-a79f-4918-9b62-a983b576799e",
"role": "/iam/roles/<organization-role-id>"
}' \
https://api.evroc.com/iam/v1beta1/organizations/my-org/roleBindings/assign
Replace <organization-role-id> with a role ID from the roles API.
Organization roles govern organization-level IAM operations. They don't grant access to resources inside projects.
List role bindings
List all role bindings in a project:
curl -H "Authorization: Bearer $TOKEN" \
https://api.evroc.com/iam/v1beta1/projects/my-project/roleBindings
List all role bindings in an organization:
curl -H "Authorization: Bearer $TOKEN" \
https://api.evroc.com/iam/v1beta1/organizations/my-org/roleBindings
Use the metadata.id value from the response when you need to get, patch, or
delete a specific role binding.
Revoke one role
Remove one role from a principal with the revoke endpoint.
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"principal": "/iam/users/5a9bb4ea-a79f-4918-9b62-a983b576799e",
"role": "/iam/roles/computeOperator"
}' \
https://api.evroc.com/iam/v1beta1/projects/my-project/roleBindings/revoke
Revoking a role is idempotent. If the principal doesn't have the role, the request still succeeds. If no roles remain in the binding, the binding is deleted.
Delete all roles for a principal
Delete a role binding to revoke every role it grants to the principal in that scope.
curl -X DELETE \
-H "Authorization: Bearer $TOKEN" \
https://api.evroc.com/iam/v1beta1/projects/my-project/roleBindings/alice-access
Replace alice-access with the role binding ID from metadata.id.
Warning: Deleting a role binding revokes every role in that binding for the principal on the selected scope.
Test your permissions
Use testPermissions to check whether the authenticated caller has specific
permissions on specific resources. This is useful when you need to tailor an
application UI to the caller's access.
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"checks": [
{
"permission": "compute.virtualMachines.start",
"resource": "/compute/projects/my-project/regions/se-sto/virtualMachines/my-vm"
},
{
"permission": "iam.roleBindings.read",
"resource": "/iam/projects/my-project"
}
]
}' \
https://api.evroc.com/iam/v1beta1/testPermissions
The response returns one result for each check, in the same order as the request.
{
"results": [
{
"permission": "compute.virtualMachines.start",
"resource": "/compute/projects/my-project/regions/se-sto/virtualMachines/my-vm",
"allowed": true
},
{
"permission": "iam.roleBindings.read",
"resource": "/iam/projects/my-project",
"allowed": false
}
]
}
Check another principal's access
Use checkAccess to evaluate another principal's access.
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"principal": "/iam/projects/my-project/serviceAccounts/ci-robot",
"checks": [
{
"permission": "compute.virtualMachines.start",
"resource": "/compute/projects/my-project/regions/se-sto/virtualMachines/my-vm"
}
]
}' \
https://api.evroc.com/iam/v1beta1/checkAccess
You need permission to read role bindings on the scope to inspect another
principal. If you don't have that permission, the request returns 404 so the
scope's existence isn't revealed.
Next steps
- Learn about fine-grained access
- Review permissions and roles
- Review the IAM API reference