Google Cloud IAM C++ Client  1.31.1
A C++ Client Library for Google Cloud IAM
Cloud IAM C++ Client Library

The Cloud IAM C++ Client library offers types and functions to use Cloud IAM from C++11 applications.

This library requires a C++11 compiler. It is supported (and tested) on multiple Linux distributions, macOS, and Windows.


The following instructions show you how to perform basic tasks in Cloud IAM using the C++ client library.

Before you begin

  1. Select or create a Google Cloud Platform (GCP) project using the manage resource page. Make a note of the project id as you will need to use it later.
  2. Make sure that billing is enabled for your project.
  3. Learn about key terms and concepts for Cloud IAM.
  4. Setup the authentication for the examples:
    • [Configure a service account][gcloud-authorizing],
    • or [login with your personal account][gcloud-authorizing]

Setting up your repo

In order to use the Cloud IAM C++ client library from your own code, you'll need to configure your build system to fetch and compile the Cloud C++ client library. The Cloud IAM C++ client library natively supports the Bazel and CMake build systems. We've created a minimal, "Hello world", quickstart repo that includes detailed instructions on how to compile the library for use in your application. You can fetch the source from GitHub as normal:

git clone
cd google-cloud-cpp/google/cloud/iam/quickstart
Example: Hello World

The following shows the code that you'll run in the google/cloud/iam/quickstart/ directory, which should give you a taste of the Cloud IAM C++ client library API.

// Copyright 2021 Google LLC
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
#include <iostream>
#include <stdexcept>
int main(int argc, char* argv[]) try {
if (argc != 2) {
std::cerr << "Usage: " << argv[0] << " <project-id>\n";
return 1;
std::string const project_id = argv[1];
// Create a namespace alias to make the code easier to read.
namespace iam = ::google::cloud::iam;
std::cout << "Service Accounts for project: " << project_id << "\n";
int count = 0;
for (auto const& service_account :
client.ListServiceAccounts("projects/" + project_id)) {
if (!service_account) {
throw std::runtime_error(service_account.status().message());
std::cout << service_account->name() << "\n";
if (count == 0) std::cout << "No Service Accounts found.\n";
return 0;
} catch (std::exception const& ex) {
std::cerr << "Standard exception raised: " << ex.what() << "\n";
return 1;
Creates and manages Identity and Access Management (IAM) resources.
Definition: iam_client.h:55
std::shared_ptr< IAMConnection > MakeIAMConnection(Options options)
int main(int argc, char *argv[])
[START iam_quickstart]

API Notes

The following are general notes about using the library.

Environment Variables

There are several environment variables that can be set to configure certain behaviors in the library.

  • GOOGLE_CLOUD_CPP_ENABLE_TRACING=rpc turns on tracing for most gRPC calls. The library injects an additional Stub decorator that prints each gRPC request and response. Unless you have configured you own logging backend, you should also set GOOGLE_CLOUD_CPP_ENABLE_CLOG to produce any output on the program's console.
  • GOOGLE_CLOUD_CPP_TRACING_OPTIONS=... modifies the behavior of gRPC tracing, including whether messages will be output on multiple lines, or whether string/bytes fields will be truncated.
  • GOOGLE_CLOUD_PROJECT=... is used in examples and integration tests to configure the GCP project.
  • GOOGLE_CLOUD_CPP_ENABLE_CLOG=yes turns on logging in the library, basically the library always "logs" but the logging infrastructure has no backend to actually print anything until the application sets a backend or they set this environment variable.

Error Handling

This library never throws exceptions to signal errors. In general, the library returns a StatusOr<T> if an error is possible. Some functions return objects that are not wrapped in a StatusOr<> but will themselves return a StatusOr<T> to signal an error. For example, wrappers for asynchronous operations return future<StatusOr<T>>.

Applications should check if the StatusOr<T> contains a value before using it, much like how you might check that a pointer is not null before dereferencing it. Indeed, a StatusOr<T> object can be used like a smart-pointer to T, with the main difference being that when it does not hold a T it will instead hold a Status object with extra information about the error.

You can check that a StatusOr<T> contains a value by calling the .ok() method, or by using operator bool() (like with other smart pointers). If there is no value, you can access the contained Status object using the .status() member. If there is a value, you may access it by dereferencing with operator*() or operator->(). As with all smart pointers, callers must first check that the StatusOr<T> contains a value before dereferencing and accessing the contained value. Alternatively, callers may instead use the .value() member function which is defined to throw a RuntimeStatusError if there is no value.

If you're compiling with exceptions disabled, calling .value() on a StatusOr<T> that does not contain a value will terminate the program instead of throwing.
namespace iam = ::google::cloud::iam;
[](std::string const& project_id) {
int count = 0;
// The actual type of `service_account` is
// google::cloud::StatusOr<google::iam::admin::v1::ServiceAccount>, but
// we expect it'll most often be declared with auto like this.
for (auto const& sa :
client.ListServiceAccounts("projects/" + project_id)) {
// Use `service_account` like a smart pointer; check it before
// de-referencing
if (!sa) {
// `service_account` doesn't contain a value, so `.status()` will
// contain error info
std::cerr << sa.status() << "\n";
std::cout << "ServiceAccount successfully retrieved: " << sa->name()
<< "\n";

Next Steps

Testing your Cloud IAM application with googlemock Testing your Cloud IAM Credentials application with googlemock