Google Cloud IAM

Overview [1] [2]#

Google Cloud IAM is Identity and Access Management (IAM) for Google Cloud Platform that lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage cloud resources centrally.

For established enterprises with complex organizational structures, hundreds of workgroups and potentially many more projects, Cloud IAM provides a unified view into security policy across your entire organization, with built-in auditing to ease compliance processes.

Concepts related to Google Cloud IAM#

After Google authenticates the member making a request, Google Cloud IAM makes an authorization decision on whether the member is within a Role that has a permission to perform the requested action on the requested resource.

GCP Identity#

In Google Cloud IAM, GCP Roles are granted to GCP Identities.

GCP Resource#

You can grant access to GCP Identities for a Google Cloud Platform GCP Resource


Permissions determine what operations are allowed on a resource. In the Google Cloud IAM world, permissions are represented in the form of:
for example pubsub.subscriptions.consume.

Permissions usually, but not always, correspond 1:1 with REST methods. That is, each Google Cloud Platform service has an associated set of permissions for each REST method that it exposes. The caller of that method needs those permissions to call that method. For example, the caller of Publisher.Publish() needs the pubsub.topics.publish permission

GCP Roles#

A role is a collection of permissions. You cannot assign a permission to the user directly; instead you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.
  • Primitive roles: The roles historically available in the Google Cloud Platform Console will continue to work. These are the Owner, Editor, and Viewer roles.
  • Predefined roles: Predefined roles are the IAM roles that give finer-grained access control than the primitive roles. For example, the predefined role Publisher provides access to only publish messages to a Pub/Sub topic.
  • Custom roles: Roles that you create to tailor permissions to the needs of your organization when Predefined roles don't meet your needs.

Google Cloud IAM Access Control#

Google Cloud IAM Access Control is done by creating a GCP IAM Policy.

GCP IAM Policy is assigned to a GCP Resource which defines what to the list of GCP Roles and GCP Identities.


Google Cloud Platform

More Information#

There might be more information for this subject on one of the following: