	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Cloud Platforms > Google Cloud Platform (GCP) > Cloud IAM

Cloud IAM

Author: Venkata Sudhakar

Google Cloud IAM (Identity and Access Management) lets you control who has access to which GCP resources. It implements the principle of least privilege, ensuring users and services have only the permissions they need to perform their jobs.

Key Concepts:

1. Principal - Who is requesting access: Google account, service account, Google group, or domain.

2. Role - Collection of permissions. Three types: Basic, Predefined, and Custom roles.

3. Policy - Binds principals to roles on a resource. Policies are inherited down the resource hierarchy.

4. Service Account - Special account for applications and services (not humans) to authenticate to GCP APIs.

5. Conditions - Attribute-based access control (ABAC) to grant access only under specific conditions.

The below example shows how to manage IAM policies using gcloud CLI and the Java client library.

# Grant a role to a user
gcloud projects add-iam-policy-binding my-project \
  --member="user:alice@example.com" \
  --role="roles/bigquery.dataViewer"

# Grant a role to a service account
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:my-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/storage.objectAdmin"

# Create a custom role
gcloud iam roles create customDataRole \
  --project=my-project \
  --title="Custom Data Role" \
  --description="Read BigQuery and write to GCS" \
  --permissions=bigquery.datasets.get,bigquery.tables.getData,storage.objects.create

# Grant role with condition (time-based)
gcloud projects add-iam-policy-binding my-project \
  --member="user:contractor@example.com" \
  --role="roles/viewer" \
  --condition="expression=request.time < timestamp('2024-12-31T00:00:00Z'),title=Temporary Access"

# View IAM policy
gcloud projects get-iam-policy my-project

# Create a service account
gcloud iam service-accounts create my-app-sa \
  --display-name="My Application Service Account"

# Generate a key for a service account
gcloud iam service-accounts keys create key.json \
  --iam-account=my-app-sa@my-project.iam.gserviceaccount.com

It gives the following output,

Updated IAM policy for project [my-project].
bindings:
- members:
  - user:[email protected]
  role: roles/bigquery.dataViewer
- members:
  - serviceAccount:[email protected]
  role: roles/storage.objectAdmin

IAM Best Practices:

Least privilege - Grant only the minimum permissions required. Prefer predefined roles over basic roles (Owner/Editor/Viewer).

Service accounts - Use service accounts for applications instead of user accounts. Never download service account keys if Workload Identity can be used instead.

Resource hierarchy - Set policies at the Organization or Folder level for broad access; override at project or resource level for exceptions.

Send your comments, suggestions or queries regarding this site to [email protected].