Understanding Google Cloud IAM

RohitRohit
2 min read

Identity (Who?)

An identity represents a user, group, or service account that can interact with Google Cloud resources. It can be:

  • Google Accounts (e.g., user@gmail.com)

  • Google Groups (e.g., admins@example.com)

  • Service Accounts (e.g., automated processes or applications)

  • Workforce or Customer Identity Federation (e.g., users authenticated via external identity providers)

Roles (What Permissions?)

Roles define what actions an identity can perform on a resource. IAM roles in GCP are categorized into:

  • Basic Roles (Legacy): Owner, Editor, Viewer

  • Predefined Roles: Google-managed roles designed for specific services (e.g., Cloud Storage Admin, Compute Viewer)

  • Custom Roles: User-defined roles with specific permissions

Resources (Where?)

Resources are the cloud services and components IAM policies apply to, such as:

  • Projects

  • Folders

  • Organizations

  • Compute Engine instances

  • Cloud Storage buckets

Policies (How Access is Granted?)

IAM policies define who can do what actions on which resources. Policies consist of bindings, where an identity is assigned a specific role on a resource.

Example IAM Policy:

{
  "bindings": [
    {
      "role": "roles/storage.admin",
      "members": ["user:admin@example.com"]
    }
  ]
}

This policy grants admin@example.com full access to manage Cloud Storage.

How IAM Works in GCP

IAM policies are hierarchical in Google Cloud, meaning permissions apply at different levels:

  • Organization Level: Policies here apply to all projects and resources under the organization.

  • Folder Level: Useful for structuring projects and managing permissions at a department level.

  • Project Level: Defines access to all resources within a specific project.

  • Resource Level: Fine-grained control over specific resources like Compute Engine instances or Cloud Storage buckets.

Inheritance: Policies at higher levels (e.g., Organization) are inherited by lower levels (e.g., Projects, Resources), reducing redundancy in permission management but first the deny rules are applied and then the allow rules as per the IAM Policy

Best Practices for Managing IAM in Google Cloud

  • Follow the Principle of Least Privilege (PoLP): Assign only the permissions required for a user’s job role.

  • Use Predefined Roles When Possible: Avoid basic roles like Owner or Editor and use more granular roles instead.

  • Enable IAM Audit Logging: Monitor and track IAM changes for security and compliance.

  • Use Service Accounts for Automation: Instead of using personal accounts for apps, create service accounts with limited permissions.

0
Subscribe to my newsletter

Read articles from Rohit directly inside your inbox. Subscribe to the newsletter, and don't miss out.

LinuxAWSGoogle Cloud PlatformDevopsDocker

Written by

Rohit
Rohit

I'm a results-driven professional skilled in both DevOps and Web Development. Here's a snapshot of what I bring to the table: 💻 DevOps Expertise: AWS Certified Solutions Architect Associate: Proficient in deploying and managing applications in the cloud. Automation Enthusiast: Leveraging Python for task automation, enhancing development workflows. 🔧 Tools & Technologies: Ansible, Terraform, Docker, Prometheus, Kubernetes, Linux, Git, Github Actions, EC2, S3, VPC, R53 and other AWS services. 🌐 Web Development: Proficient in HTML, CSS, JavaScript, React, Redux-toolkit, Node.js, Express.js and Tailwind CSS. Specialized in building high-performance websites with Gatsby.js. Let's connect to discuss how my DevOps skills and frontend expertise can contribute to your projects or team. Open to collaboration and always eager to learn! Aside from my work, I've also contributed to open-source projects, like adding a feature for Focalboard Mattermost.