
Using predefined IAM roles for enhanced Google Maps Platform governance

Google Maps Platform resources are provisioned and managed via the Google Maps Platform interface on the Google Cloud Console. Many activities and functions can be carried out through this interface, and their number and sophistication are increasing over time. These functions can affect an organization's productivity, interactivity, and costs, so there is often a need for effective governance that gives each user fit-for-purpose access permissions to the various functions and activities.

Examples include the enablement of Maps-related APIs or SDKs, the creation of Maps API keys and credentials, the creation and editing of customized Maps visualization styles, and the uploading and management of customized Geospatial datasets.

This article examines the predefined Google Cloud IAM roles dedicated to Google Maps usage, which allow these activities to be governed more effectively in line with a user organization’s permissions protocol.

 

In addition, the default Google Cloud IAM Project Owner and Project Editor roles provide the user with access to all the other non-Maps-related assets in the Google Cloud Project, which may not suit the customer’s user permission protocol.

These roles are assigned via the IAM & Admin menu page in the GCP Console:

Google Cloud has two primary predefined IAM roles relevant to the Google Maps Platform, which provide the following permissions:

  • Maps API Admin: grants read and write access to all the Maps API resources.
  • Maps API Viewer: grants read-only access to all the Maps API resources.
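
An added example, not from the original article: a short audit over a project's IAM policy that separates principals holding the broad Owner/Editor roles from those scoped to the two Maps roles above. The policy is constructed sample data in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and the Maps role IDs are assumed to be `roles/mapsadmin.admin` and `roles/mapsadmin.viewer`; confirm them in the IAM permissions reference.

```python
import json

# Basic roles that also expose every non-Maps asset in the project.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Assumed role IDs for Maps API Admin / Maps API Viewer; verify before use.
MAPS_ROLES = {"roles/mapsadmin.admin", "roles/mapsadmin.viewer"}

# Constructed sample policy (members and bindings are illustrative only).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:lead@example.com"]},
    {"role": "roles/editor", "members": [
        "user:dev1@example.com",
        "serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/mapsadmin.admin", "members": [
        "user:gis-admin@example.com", "user:dev1@example.com"]},
    {"role": "roles/mapsadmin.viewer", "members": ["user:junior@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:other@example.com"]}
  ]
}
""")


def audit_maps_access(policy):
    """Classify each principal that can reach Maps resources via these roles."""
    held = {}  # member -> set of relevant roles
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role in BROAD_ROLES or role in MAPS_ROLES:
            for member in binding.get("members", []):
                held.setdefault(member, set()).add(role)

    findings = []
    for member in sorted(held):
        roles = held[member]
        if roles & BROAD_ROLES and roles & MAPS_ROLES:
            # IAM grants are additive: the Maps role narrows nothing
            # while the basic role is still bound.
            status = "broad-plus-maps"
        elif roles & BROAD_ROLES:
            status = "over-broad"
        else:
            status = "scoped"
        findings.append({"member": member, "status": status, "roles": sorted(roles)})
    return findings


if __name__ == "__main__":
    for f in audit_maps_access(SAMPLE_POLICY):
        print(f"{f['status']:16} {f['member']:60} {', '.join(f['roles'])}")
```

Principals reported as `over-broad` or `broad-plus-maps` are the candidates for moving to a Maps-only role and dropping the Owner or Editor binding.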

The detailed list of permissions for each of these roles is shown below:

Note how limited the Maps API Viewer’s access is compared with the wide variety of functionality available on the Maps Platform Console interface. Essentially, a Maps API Viewer can only view and make use of the existing Map IDs and Maps Styles of the relevant Maps-related GCP Project, without being able to make any additions, changes or deletions. These restrictions would, for example, perfectly suit a junior programmer entrusted with writing code that uses predefined basemaps with custom cartographic styling, where the programmer needs to use the styling without changing it in any way. For example:

Naturally this restriction extends to other capabilities available via the Maps Platform Console interface, such as access to the API Key interface, or enabling additional APIs. The message below is received when a Maps API Viewer tries to access these restricted menu items:

If you would like to see what roles are associated with each specific permission, these can be viewed via the IAM permissions reference (search for mapsadmin). For example:

In addition to the Maps API Admin and Viewer roles described above, two new dedicated predefined roles have been introduced with the recent release of the new Maps Datasets API:

  • Maps Platform Datasets Admin: grants read and write access to all the Maps Platform Datasets API resources.
  • Maps Platform Datasets Viewer: grants read-only access to all the Maps Platform Datasets API resources.

These two very specific roles provide the ability to effectively manage and control access to the organization’s proprietary Geospatial datasets, as well as take advantage of the new Data-driven Styling (DDS) capabilities to cartographically style these datasets.

The detailed list of permissions for each of the predefined Datasets roles is shown below:

Lastly, there are two additional Maps-related predefined IAM roles which may seem rather obscure, but which can have a strong impact on the secure management of Maps API keys. The Maps Platform interface on the Google Cloud Console provides up-to-date insights and recommendations per GCP project about restricting API keys in order to prevent unauthorized usage. See example below:

IAM Roles specifically relevant to the viewing and application of these insights and recommendations are:

  • Google Maps Platform Insights/Recommendations Admin - admin of all Google Maps Platform insights and recommendations.

  • Google Maps Platform Insights/Recommendations Viewer - viewer of all Google Maps Platform insights and recommendations.

All of the predefined Maps IAM roles described above are very powerful and useful - but custom IAM roles could enable even finer control over permissions granted to users. If you are interested in learning about customized and highly granular IAM roles for the effective management of your team’s Google Maps Platform activities, please contact me via [email protected]
