At this point, your GCP project has the following users associated with it:
- You (the owner)
- Five service accounts as listed in Recommended service accounts (which you created in the previous step)
After you receive a confirmation that your Apigee organization has been provisioned, you can add more user accounts to the Google Cloud Platform (GCP) project. You do this by using the IAM service in the GCP Console.
This section describes how to add new user accounts to your GCP project and manage their access. These user accounts might have specialized roles, such as someone who creates analytics reports or someone who is responsible for deploying and undeploying API proxies. For description of Apigee roles, including API access details, see Users and roles.
For small projects, you might not add any new users. For larger projects, it’s likely that you’ll add at least one new member for each Apigee role. Try to limit the number of Apigee Organization Admin roles you assign because this role has the highest level of permissions.
To add a user and assign Apigee roles to it in your GCP project:
- Open the Google Cloud Platform (GCP) Console and log in with the account you created in Step 1: Create a GCP account.
- Select the project that you created in Step 3: Create a GCP project.
- Select IAM & admin > IAM.
The Console displays the Permissions view:
- To add a new user, click the +ADD button.
The Console displays the Add members view:
- In the New members field, enter the email address of the new user’s account.
The email address must be one of the following types:
- A Google account (for example, firstname.lastname@example.org). All Gmail accounts are Google accounts, but you can also register email addresses with different domains as Google accounts.
- The name of a Google group. For example, email@example.com. If you add a Google group as a user, then all members of the group will have that role.
- A service account. For example, firstname.lastname@example.org. (You do not need to add your service accounts here.)
- A G Suite domain. For example, email@example.com, where example.com is a domain that you used when you signed up for Google Cloud services.
You can specify more than one email address in the New members field and assign the same role to all of them. To assign different roles to different email addresses, perform steps 4 and 5 for each new member.
- Assign at least one role to the new member(s):
- Expand the Select a role drop-down list.
- Select the role that you want to assign. To decide which roles to assign, see the descriptions in User accounts and roles.
- To assign an Apigee role, you can enter “Apigee” as a filter so that the drop-down list displays only Apigee roles, as the following example shows:
- Repeat this process for each role you want to assign to the user.
- Click the Save button to add the new user to the GCP project with the assigned role(s).
- Repeat this process for each user that you want to add.
GCP now allows the project’s new users to access all environments in the organization with the assigned permissions. To limit a user’s access to certain environments, use the Hybrid UI’s, as described in Add user accounts in the Hybrid UI. (Note that if this is your first time through this procedure, then you won’t have any environments... yet.)