Google Cloud IAM · Capability

Google Cloud IAM API

The Cloud IAM API enables management of identity and access control policies, service accounts, roles, and permissions for Google Cloud resources.

Run with Naftiko GoogleCloudIamAPI

What You Can Do

Method  Path                                                              Operation
GET     /projects/{projectId}/serviceAccounts                             Listserviceaccounts (Google Cloud IAM List service accounts)
POST    /projects/{projectId}/serviceAccounts                             Createserviceaccount (Google Cloud IAM Create a service account)
GET     /projects/{projectId}/serviceAccounts/{serviceAccountEmail}       Getserviceaccount (Google Cloud IAM Get a service account)
PATCH   /projects/{projectId}/serviceAccounts/{serviceAccountEmail}       Patchserviceaccount (Google Cloud IAM Update a service account)
DELETE  /projects/{projectId}/serviceAccounts/{serviceAccountEmail}       Deleteserviceaccount (Google Cloud IAM Delete a service account)
GET     /projects/{projectId}/serviceAccounts/{serviceAccountEmail}/keys  Listserviceaccountkeys (Google Cloud IAM List service account keys)
POST    /projects/{projectId}/serviceAccounts/{serviceAccountEmail}/keys  Createserviceaccountkey (Google Cloud IAM Create a service account key)
GET     /roles                                                            Listroles (Google Cloud IAM List roles)
GET     /projects/{projectId}/roles                                       Listprojectroles (Google Cloud IAM List project roles)
POST    /projects/{projectId}/roles                                       Createprojectrole (Google Cloud IAM Create a custom role)
POST    /permissions:queryTestablePermissions                             Querytestablepermissions (Google Cloud IAM Query testable permissions)

MCP Tools

listserviceaccounts: Google Cloud IAM List service accounts [read-only, idempotent]
createserviceaccount: Google Cloud IAM Create a service account
getserviceaccount: Google Cloud IAM Get a service account [read-only, idempotent]
patchserviceaccount: Google Cloud IAM Update a service account
deleteserviceaccount: Google Cloud IAM Delete a service account [idempotent]
listserviceaccountkeys: Google Cloud IAM List service account keys [read-only, idempotent]
createserviceaccountkey: Google Cloud IAM Create a service account key
listroles: Google Cloud IAM List roles [read-only, idempotent]
listprojectroles: Google Cloud IAM List project roles [read-only, idempotent]
createprojectrole: Google Cloud IAM Create a custom role
querytestablepermissions: Google Cloud IAM Query testable permissions

Capability Spec

google-cloud-iam-capability.yaml
naftiko: 1.0.0-alpha2
info:
  label: Google Cloud IAM API
  description: The Cloud IAM API enables management of identity and access control policies, service accounts, roles, and
    permissions for Google Cloud resources.
  tags:
  - Google
  - Cloud
  - Iam
  - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
  - type: http
    namespace: google-cloud-iam
    baseUri: https://iam.googleapis.com/v1
    description: Google Cloud IAM API HTTP API.
    authentication:
      type: bearer
      token: '{{GOOGLE_CLOUD_IAM_TOKEN}}'
    resources:
    - name: projects-projectid-serviceaccounts
      path: /projects/{projectId}/serviceAccounts
      operations:
      - name: listserviceaccounts
        method: GET
        description: Google Cloud IAM List service accounts
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        - name: pageSize
          in: query
          type: integer
        - name: pageToken
          in: query
          type: string
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createserviceaccount
        method: POST
        description: Google Cloud IAM Create a service account
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: projects-projectid-serviceaccounts-serviceaccoun
      path: /projects/{projectId}/serviceAccounts/{serviceAccountEmail}
      operations:
      - name: getserviceaccount
        method: GET
        description: Google Cloud IAM Get a service account
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        - name: serviceAccountEmail
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: patchserviceaccount
        method: PATCH
        description: Google Cloud IAM Update a service account
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        - name: serviceAccountEmail
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteserviceaccount
        method: DELETE
        description: Google Cloud IAM Delete a service account
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        - name: serviceAccountEmail
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: projects-projectid-serviceaccounts-serviceaccoun
      path: /projects/{projectId}/serviceAccounts/{serviceAccountEmail}/keys
      operations:
      - name: listserviceaccountkeys
        method: GET
        description: Google Cloud IAM List service account keys
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        - name: serviceAccountEmail
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createserviceaccountkey
        method: POST
        description: Google Cloud IAM Create a service account key
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        - name: serviceAccountEmail
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: roles
      path: /roles
      operations:
      - name: listroles
        method: GET
        description: Google Cloud IAM List roles
        inputParameters:
        - name: pageSize
          in: query
          type: integer
        - name: pageToken
          in: query
          type: string
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: projects-projectid-roles
      path: /projects/{projectId}/roles
      operations:
      - name: listprojectroles
        method: GET
        description: Google Cloud IAM List project roles
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createprojectrole
        method: POST
        description: Google Cloud IAM Create a custom role
        inputParameters:
        - name: projectId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: permissions-querytestablepermissions
      path: /permissions:queryTestablePermissions
      operations:
      - name: querytestablepermissions
        method: POST
        description: Google Cloud IAM Query testable permissions
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: google-cloud-iam-rest
    description: REST adapter for Google Cloud IAM API.
    resources:
    - path: /projects/{projectId}/serviceAccounts
      name: listserviceaccounts
      operations:
      - method: GET
        name: listserviceaccounts
        description: Google Cloud IAM List service accounts
        call: google-cloud-iam.listserviceaccounts
        with:
          projectId: rest.projectId
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/serviceAccounts
      name: createserviceaccount
      operations:
      - method: POST
        name: createserviceaccount
        description: Google Cloud IAM Create a service account
        call: google-cloud-iam.createserviceaccount
        with:
          projectId: rest.projectId
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/serviceAccounts/{serviceAccountEmail}
      name: getserviceaccount
      operations:
      - method: GET
        name: getserviceaccount
        description: Google Cloud IAM Get a service account
        call: google-cloud-iam.getserviceaccount
        with:
          projectId: rest.projectId
          serviceAccountEmail: rest.serviceAccountEmail
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/serviceAccounts/{serviceAccountEmail}
      name: patchserviceaccount
      operations:
      - method: PATCH
        name: patchserviceaccount
        description: Google Cloud IAM Update a service account
        call: google-cloud-iam.patchserviceaccount
        with:
          projectId: rest.projectId
          serviceAccountEmail: rest.serviceAccountEmail
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/serviceAccounts/{serviceAccountEmail}
      name: deleteserviceaccount
      operations:
      - method: DELETE
        name: deleteserviceaccount
        description: Google Cloud IAM Delete a service account
        call: google-cloud-iam.deleteserviceaccount
        with:
          projectId: rest.projectId
          serviceAccountEmail: rest.serviceAccountEmail
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/serviceAccounts/{serviceAccountEmail}/keys
      name: listserviceaccountkeys
      operations:
      - method: GET
        name: listserviceaccountkeys
        description: Google Cloud IAM List service account keys
        call: google-cloud-iam.listserviceaccountkeys
        with:
          projectId: rest.projectId
          serviceAccountEmail: rest.serviceAccountEmail
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/serviceAccounts/{serviceAccountEmail}/keys
      name: createserviceaccountkey
      operations:
      - method: POST
        name: createserviceaccountkey
        description: Google Cloud IAM Create a service account key
        call: google-cloud-iam.createserviceaccountkey
        with:
          projectId: rest.projectId
          serviceAccountEmail: rest.serviceAccountEmail
        outputParameters:
        - type: object
          mapping: $.
    - path: /roles
      name: listroles
      operations:
      - method: GET
        name: listroles
        description: Google Cloud IAM List roles
        call: google-cloud-iam.listroles
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/roles
      name: listprojectroles
      operations:
      - method: GET
        name: listprojectroles
        description: Google Cloud IAM List project roles
        call: google-cloud-iam.listprojectroles
        with:
          projectId: rest.projectId
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{projectId}/roles
      name: createprojectrole
      operations:
      - method: POST
        name: createprojectrole
        description: Google Cloud IAM Create a custom role
        call: google-cloud-iam.createprojectrole
        with:
          projectId: rest.projectId
        outputParameters:
        - type: object
          mapping: $.
    - path: /permissions:queryTestablePermissions
      name: querytestablepermissions
      operations:
      - method: POST
        name: querytestablepermissions
        description: Google Cloud IAM Query testable permissions
        call: google-cloud-iam.querytestablepermissions
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    port: 9090
    namespace: google-cloud-iam-mcp
    transport: http
    description: MCP adapter for Google Cloud IAM API for AI agent use.
    tools:
    - name: listserviceaccounts
      description: Google Cloud IAM List service accounts
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: google-cloud-iam.listserviceaccounts
      with:
        projectId: tools.projectId
        pageSize: tools.pageSize
        pageToken: tools.pageToken
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      - name: pageSize
        type: integer
        description: pageSize
      - name: pageToken
        type: string
        description: pageToken
      outputParameters:
      - type: object
        mapping: $.
    - name: createserviceaccount
      description: Google Cloud IAM Create a service account
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: google-cloud-iam.createserviceaccount
      with:
        projectId: tools.projectId
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: getserviceaccount
      description: Google Cloud IAM Get a service account
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: google-cloud-iam.getserviceaccount
      with:
        projectId: tools.projectId
        serviceAccountEmail: tools.serviceAccountEmail
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      - name: serviceAccountEmail
        type: string
        description: serviceAccountEmail
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: patchserviceaccount
      description: Google Cloud IAM Update a service account
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: google-cloud-iam.patchserviceaccount
      with:
        projectId: tools.projectId
        serviceAccountEmail: tools.serviceAccountEmail
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      - name: serviceAccountEmail
        type: string
        description: serviceAccountEmail
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: deleteserviceaccount
      description: Google Cloud IAM Delete a service account
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: google-cloud-iam.deleteserviceaccount
      with:
        projectId: tools.projectId
        serviceAccountEmail: tools.serviceAccountEmail
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      - name: serviceAccountEmail
        type: string
        description: serviceAccountEmail
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: listserviceaccountkeys
      description: Google Cloud IAM List service account keys
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: google-cloud-iam.listserviceaccountkeys
      with:
        projectId: tools.projectId
        serviceAccountEmail: tools.serviceAccountEmail
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      - name: serviceAccountEmail
        type: string
        description: serviceAccountEmail
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: createserviceaccountkey
      description: Google Cloud IAM Create a service account key
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: google-cloud-iam.createserviceaccountkey
      with:
        projectId: tools.projectId
        serviceAccountEmail: tools.serviceAccountEmail
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      - name: serviceAccountEmail
        type: string
        description: serviceAccountEmail
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: listroles
      description: Google Cloud IAM List roles
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: google-cloud-iam.listroles
      with:
        pageSize: tools.pageSize
        pageToken: tools.pageToken
      inputParameters:
      - name: pageSize
        type: integer
        description: pageSize
      - name: pageToken
        type: string
        description: pageToken
      outputParameters:
      - type: object
        mapping: $.
    - name: listprojectroles
      description: Google Cloud IAM List project roles
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: google-cloud-iam.listprojectroles
      with:
        projectId: tools.projectId
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: createprojectrole
      description: Google Cloud IAM Create a custom role
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: google-cloud-iam.createprojectrole
      with:
        projectId: tools.projectId
      inputParameters:
      - name: projectId
        type: string
        description: projectId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: querytestablepermissions
      description: Google Cloud IAM Query testable permissions
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: google-cloud-iam.querytestablepermissions
      outputParameters:
      - type: object
        mapping: $.
binds:
- namespace: env
  keys:
    GOOGLE_CLOUD_IAM_TOKEN: GOOGLE_CLOUD_IAM_TOKEN