Overview [1] [2]#

Google Cloud IAM is Identity and Access Management (IAM) for Google Cloud Platform. It lets administrators authorize who can take which actions on specific resources, giving them central control and visibility over access to cloud resources.

For established enterprises with complex organizational structures, hundreds of workgroups and potentially many more projects, Cloud IAM provides a unified view into security policy across your entire organization, with built-in auditing to ease compliance processes.

Concepts related to Google Cloud IAM#

After Google authenticates the member making a request, Google Cloud IAM makes an authorization decision: the request is allowed only if the member has been granted, on the requested resource or on one of its ancestors, a Role that contains the permission needed for the requested action.

GCP Member#

In Google Cloud IAM, you grant access to members. In a policy a member is written as a prefixed string such as user:alice@example.com, serviceAccount:name@project.iam.gserviceaccount.com, group:name@example.com or domain:example.com. Members can be of the following types:
  • Google account - an individual end user who has a Google account, whether a consumer account (for example a gmail.com address) or an account managed by an organization.
  • Service Account - an account that belongs to an application or a virtual machine rather than to a person; code uses it to make authenticated calls to Google APIs.
  • G-Suite Domain - all the Google accounts managed under a G-Suite domain, named in a policy as domain:example.com.
  • G-Suite Group - a Google group, named as group:name@example.com; granting a role to the group grants it to every member of the group.
  • G-Suite User - an individual Google account that is managed by a G-Suite domain; it is named in a policy like any other user, user:alice@example.com.
  • Cloud Identity domain - like a G-Suite domain, a virtual group of all the Google accounts in an organization, for organizations that use Cloud Identity without the G-Suite applications.
  • allAuthenticatedUsers - This is a special identifier that represents anyone who is authenticated with a Google account or a service account, including personal accounts that have nothing to do with your organization.
  • allUsers - This is a special identifier that represents anyone who is on the internet, with or without a Google account.

Granting a role to either special identifier effectively makes the resource public: allUsers admits unauthenticated callers, and allAuthenticatedUsers admits anyone who can create a free Google account, so neither of them limits access to your own organization.


GCP Permissions#

You grant access to members for a Google Cloud Platform resource by granting them a role whose permissions cover the operations they need.

Permissions determine what operations are allowed on a resource. In the Google Cloud IAM world, permissions are represented in the form of service.resource.verb, for example pubsub.subscriptions.consume.

Permissions usually, but not always, correspond 1:1 with REST methods. That is, each Cloud Platform service has an associated set of permissions for each REST method that it exposes, and the caller of a method needs those permissions to call it. For example, the caller of Publisher.Publish() needs the pubsub.topics.publish permission.

GCP Roles#

A role is a collection of permissions. You cannot assign a permission to a member directly; instead you grant them a role. When you grant a role to a member, you grant them all the permissions that the role contains.
  • Primitive roles: The roles historically available in the Google Cloud Platform Console, Owner, Editor, and Viewer, continue to work. They are coarse-grained: Editor, for example, grants write access across almost every service in the project, so prefer predefined or custom roles where they suffice.
  • Predefined roles: Predefined roles are the IAM roles that give finer-grained access control than the primitive roles. For example, the predefined role Pub/Sub Publisher (roles/pubsub.publisher) grants only the permission to publish messages to a Pub/Sub topic.
  • Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don't meet your needs.



GCP Policy#

You grant roles to members by creating a Google Cloud IAM policy, which is a collection of statements that define who has what type of access. A Google Cloud IAM policy is attached to a resource and is used to enforce Access Control whenever that resource is accessed.

A Google Cloud IAM policy is represented by the Policy object. A Policy consists of a list of bindings. A Binding binds a list of members to a role.

In a binding, role is the role being granted, specified in the form roles/<name of the role>, for example roles/owner, roles/editor, roles/viewer or roles/pubsub.publisher; members is the list of members that receive it.

Google Cloud IAM is hierarchical#

Google Cloud IAM policies are attached to resources that form a hierarchy: the Organization, then Folders, then Projects, then the service resources (buckets, topics, instances) inside a project. A policy set at a higher level is inherited by every resource below it, so the effective policy for a resource is the union of the policy attached to it and the policies of all its ancestors. A policy at a lower level can add grants but cannot remove a permission inherited from above, which is why an Editor or Owner grant at the organization or project level reaches every resource underneath it.
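The following is an added example, not code from this page and not Google's own implementation. It models in Python the concepts described above: members, permissions named service.resource.verb, roles as collections of permissions, policies as lists of bindings attached to resources, and inheritance down the resource hierarchy, and it answers the authorization question (does this member hold this permission on this resource?) plus two review questions a practitioner asks of a real policy: which bindings expose the resource to allUsers or allAuthenticatedUsers, and which primitive-role grants are in effect. Every role definition, resource name, group and binding is constructed sample data; the real predefined roles contain many more permissions than listed here.

```python
"""Toy model of a Google Cloud IAM authorization decision (added example)."""
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed subset of role -> permission mappings (service.resource.verb).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"pubsub.topics.get", "pubsub.subscriptions.get"},
    "roles/editor": {"pubsub.topics.get", "pubsub.subscriptions.get",
                     "pubsub.topics.publish", "pubsub.subscriptions.consume"},
    "roles/owner": {"pubsub.topics.get", "pubsub.topics.publish",
                    "pubsub.subscriptions.consume",
                    "resourcemanager.projects.setIamPolicy"},
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
    "roles/pubsub.subscriber": {"pubsub.subscriptions.consume"},
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed resource hierarchy: child -> parent (None marks the root).
PARENT: Dict[str, Optional[str]] = {
    "organizations/123": None,
    "folders/456": "organizations/123",
    "projects/demo": "folders/456",
    "projects/demo/topics/orders": "projects/demo",
}

# Constructed policies in the shape of the Policy object: a list of
# bindings, each binding one role to a list of members.
POLICIES: Dict[str, dict] = {
    "organizations/123": {"bindings": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ]},
    "projects/demo": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:orders-api@demo.iam.gserviceaccount.com"]},
    ]},
    "projects/demo/topics/orders": {"bindings": [
        {"role": "roles/pubsub.subscriber", "members": ["allAuthenticatedUsers"]},
    ]},
}

# Constructed group membership; in GCP this comes from the directory.
GROUP_MEMBERS: Dict[str, Set[str]] = {"auditors@example.com": {"user:bob@example.com"}}

Binding = Tuple[str, str, str]  # (resource the binding lives on, role, member)


def ancestors(resource: str) -> Iterator[str]:
    """Yield the resource itself, then each parent up to the root."""
    node: Optional[str] = resource
    while node is not None:
        yield node
        node = PARENT[node]


def effective_bindings(resource: str) -> List[Binding]:
    """Flatten the resource's own policy plus every inherited policy."""
    result: List[Binding] = []
    for node in ancestors(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            for member in binding["members"]:
                result.append((node, binding["role"], member))
    return result


def member_matches(binding_member: str, caller: Optional[str]) -> bool:
    """Does a binding member cover the caller? caller=None is unauthenticated."""
    if binding_member == "allUsers":
        return True                      # anyone on the internet
    if caller is None:
        return False                     # every other member needs an identity
    if binding_member == "allAuthenticatedUsers" or binding_member == caller:
        return True                      # any Google account or service account
    kind, _, value = binding_member.partition(":")
    if kind == "group":
        return caller in GROUP_MEMBERS.get(value, set())
    if kind == "domain":                 # every user account under the domain
        return caller.startswith("user:") and caller.endswith("@" + value)
    return False


def is_authorized(caller: Optional[str], permission: str, resource: str) -> bool:
    """Allow iff some effective binding's role holds the permission and its
    member covers the caller; roles not in ROLE_PERMISSIONS grant nothing."""
    for _, role, member in effective_bindings(resource):
        if permission in ROLE_PERMISSIONS.get(role, set()) and member_matches(member, caller):
            return True
    return False


def public_exposures(resource: str) -> List[Binding]:
    """Bindings, own or inherited, that open the resource to allUsers/allAuthenticatedUsers."""
    return [b for b in effective_bindings(resource) if b[2] in PUBLIC_MEMBERS]


def primitive_role_grants(resource: str) -> List[Binding]:
    """Coarse Owner/Editor/Viewer grants in effect on the resource."""
    return [b for b in effective_bindings(resource) if b[1] in PRIMITIVE_ROLES]


if __name__ == "__main__":
    topic = "projects/demo/topics/orders"
    print(is_authorized("user:alice@example.com", "pubsub.topics.publish", topic))
    print(is_authorized(None, "pubsub.subscriptions.consume", topic))
    for finding in public_exposures(topic) + primitive_role_grants(topic):
        print("review:", finding)
```

Note how the topic-level allAuthenticatedUsers binding lets the service account consume subscriptions even though nothing grants it the subscriber role by name, and how alice's publish permission on the topic comes entirely from an Editor grant inherited from the project. To run the same review against a real project, export its policy with gcloud projects get-iam-policy PROJECT_ID --format=json and feed the bindings into POLICIES in place of the constructed data.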

« This page (revision-20) was last changed on 13-Aug-2017 11:15 by jim