# GCP Identity and Access Management (IAM)

IAM controls who can do what on which GCP resources. Every API call checks IAM before executing.
## Core Concepts

| Term | Description |
|---|---|
| Principal | Who is requesting access (user, service account, group) |
| Role | Collection of permissions (e.g., roles/storage.objectViewer) |
| Policy | Binds principals to roles on a resource |
| Permission | A single action (e.g., storage.objects.get) |
## Principal Types

| Type | Example |
|---|---|
| Google Account | user:alice@gmail.com |
| Service Account | serviceAccount:my-sa@project.iam.gserviceaccount.com |
| Google Group | group:dev-team@example.com |
| All authenticated users | allAuthenticatedUsers |
| All users (public) | allUsers |
## Role Types

Primitive roles (avoid in production: too broad):

- `roles/owner`: full control
- `roles/editor`: read + write, no IAM
- `roles/viewer`: read only

Predefined roles (recommended):

- `roles/storage.objectViewer`: read objects in Cloud Storage
- `roles/run.invoker`: call Cloud Run services
- `roles/bigquery.dataViewer`: read BigQuery datasets
- `roles/container.developer`: deploy to GKE

Custom roles (define exactly the permissions needed):

```bash
gcloud iam roles create MyCustomRole \
  --project=my-project \
  --title="My Custom Role" \
  --permissions="storage.objects.get,storage.objects.list"
```

## Granting Access
```bash
# Grant a user a role on a project
gcloud projects add-iam-policy-binding my-project \
  --member=user:alice@example.com \
  --role=roles/storage.objectViewer

# Grant a service account a role
gcloud projects add-iam-policy-binding my-project \
  --member=serviceAccount:my-sa@my-project.iam.gserviceaccount.com \
  --role=roles/run.invoker

# Revoke access
gcloud projects remove-iam-policy-binding my-project \
  --member=user:alice@example.com \
  --role=roles/storage.objectViewer
```

## Viewing Policies

```bash
# View project-level IAM policy
gcloud projects get-iam-policy my-project

# View IAM policy on a bucket
gcloud storage buckets get-iam-policy gs://my-bucket

# Check what a member can do
gcloud asset search-all-iam-policies \
  --query="policy:alice@example.com" \
  --scope=projects/my-project
```

## Service Accounts
Service accounts are identities for applications and workloads:

```bash
# Create a service account
gcloud iam service-accounts create my-service-account \
  --display-name="My Service Account"

# Grant roles to the service account
gcloud projects add-iam-policy-binding my-project \
  --member=serviceAccount:my-service-account@my-project.iam.gserviceaccount.com \
  --role=roles/bigquery.dataViewer

# Create and download a key (avoid if possible: prefer Workload Identity)
gcloud iam service-accounts keys create key.json \
  --iam-account=my-service-account@my-project.iam.gserviceaccount.com
```

Using a key file locally:

```bash
export GOOGLE_APPLICATION_CREDENTIALS="./key.json"
```

## Workload Identity (Preferred Over Keys)
Allows GKE pods or Cloud Run services to authenticate as a service account without key files. See GKE documentation for setup.

## IAM Conditions

Grant roles only under specific conditions:

```bash
gcloud projects add-iam-policy-binding my-project \
  --member=user:contractor@example.com \
  --role=roles/viewer \
  --condition='expression=request.time < timestamp("2026-12-31T00:00:00Z"),title=temporary-access'
```

## Principle of Least Privilege
Best practices:

- Use predefined roles over primitive roles
- Grant at the narrowest resource scope (bucket vs project)
- Use service accounts per workload, not shared accounts
- Avoid downloading service account keys; use Workload Identity
- Audit access regularly with `gcloud projects get-iam-policy`
- Enable organisation policies to restrict dangerous actions
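An added example, not from the original page, that turns the audit practice above into a repeatable check: it reads the JSON form of `gcloud projects get-iam-policy my-project --format=json` and flags bindings to public principals and to primitive roles, distinguishing conditional grants such as the `temporary-access` one from unconditional ones. The policy embedded below is a constructed sample.

```python
import json

# Constructed sample in the shape returned by
#   gcloud projects get-iam-policy my-project --format=json
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/viewer",
         "members": ["user:contractor@example.com"],
         "condition": {
             "title": "temporary-access",
             "expression": 'request.time < timestamp("2026-12-31T00:00:00Z")'}},
        {"role": "roles/run.invoker",
         "members": ["serviceAccount:my-sa@my-project.iam.gserviceaccount.com"]},
    ],
})

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy_json):
    """Return (severity, role, member, reason) tuples for bindings that
    break the least-privilege practices listed above."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            # allUsers exposes the resource to the whole internet;
            # allAuthenticatedUsers to anyone with a Google account.
            if member in PUBLIC_PRINCIPALS:
                findings.append(("HIGH", role, member, "public principal"))
            # Primitive roles are too broad. A condition (e.g. an expiry)
            # limits the window but does not narrow the permissions.
            if role in PRIMITIVE_ROLES:
                if condition is None:
                    reason = "unconditional primitive role"
                    findings.append(("HIGH", role, member, reason))
                else:
                    reason = f"primitive role limited by condition '{condition.get('title')}'"
                    findings.append(("MEDIUM", role, member, reason))
    return findings
```

Pipe a real project's policy into `audit_policy` to check it the same way; HIGH findings are the ones the best practices above say to remove or narrow first.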