February 3, 2025 14 min to read

Google Cloud Platform IAM Guide

A comprehensive guide to Identity and Access Management in GCP

Overview

Google Cloud Platform’s Identity and Access Management (IAM) is a critical security feature that defines who (users, groups, and service accounts) has what access (roles) to which resources in your GCP environment.

This comprehensive guide explores IAM’s fundamental concepts, implementation strategies, and best practices for securing cloud infrastructure.

IAM serves as the foundation for all security and access control in GCP, enabling organizations to implement fine-grained permissions while maintaining operational efficiency.

Understanding IAM is essential for anyone working with Google Cloud, as it underpins every interaction with GCP services.

Why IAM Matters

IAM is not just about access control—it's about building a comprehensive security framework for your entire organization.
Proper IAM design and implementation form the backbone of cloud security, ensuring that users have the exact permissions they need while preventing unauthorized access to sensitive resources.

With the increasing complexity of cloud environments and the growing importance of data security, mastering IAM has become one of the most critical skills for cloud architects, security engineers, and DevOps professionals.

What is Google Cloud IAM?

Google Identity and Access Management (IAM) is a web service that provides cloud administrators with the ability to determine who can perform specific actions on specific resources. It enables you to grant granular access to specific Google Cloud resources and helps prevent access to other resources.

graph TB subgraph "IAM Core Concept" A[Who] --> D[Policy] B[What] --> D C[Which Resource] --> D A1[Users] --> A A2[Groups] --> A A3[Service Accounts] --> A B1[Roles] --> B B2[Permissions] --> B C1[Projects] --> C C2[Folders] --> C C3[Organizations] --> C C4[Resources] --> C end style D fill:#ff9999 style A fill:#99ccff style B fill:#99ff99 style C fill:#ffcc99

IAM Fundamentals

IAM operates on a simple principle: Principal + Role + Resource = Policy

Principal (Who): The identity that needs access
Role (What): The set of permissions being granted
Resource (Where): The GCP resource being accessed
Policy: The binding that connects principals to roles for specific resources

This model provides several key advantages:

Principle of Least Privilege: Grant only the minimum access required
Scalability: Manage access for thousands of users efficiently
Auditability: Track who has access to what resources
Flexibility: Create custom roles tailored to specific needs

Key Components and Concepts

Members (Principals)

Members are the entities that can be granted access to GCP resources. Understanding the different types of members is crucial for effective IAM management.

Member Type	Format	Use Case	Example
Google Account	user:email@domain.com	Individual users with Gmail or G Suite accounts	user:john.doe@gmail.com
Service Account	serviceAccount:name@project.iam.gserviceaccount.com	Applications and compute workloads	serviceAccount:my-app@project.iam.gserviceaccount.com
Google Group	group:group-name@domain.com	Collections of users and service accounts	group:developers@company.com
G Suite Domain	domain:domain.com	All users in a G Suite domain	domain:company.com
Cloud Identity Domain	domain:domain.com	All users in a Cloud Identity domain	domain:organization.com
All Authenticated Users	allAuthenticatedUsers	Any user or service account authenticated with Google	allAuthenticatedUsers
All Users	allUsers	Anyone on the internet (use with extreme caution)	allUsers

Service Accounts

Service accounts are special Google accounts designed for applications and compute workloads rather than individual users. They are essential for automated processes and application authentication.

graph TB subgraph "Service Account Types" A[User-Created Service Accounts] B[Google-Managed Service Accounts] C[Default Service Accounts] A --> A1[Custom applications] A --> A2[CI/CD pipelines] A --> A3[Microservices] B --> B1[Google APIs] B --> B2[Google services] C --> C1[Compute Engine default] C --> C2[App Engine default] C --> C3[Cloud Functions default] end style A fill:#99ccff style B fill:#99ff99 style C fill:#ffcc99

Service Account Best Practices:

Create dedicated service accounts for different applications
Use descriptive names that indicate the service account’s purpose
Regularly rotate service account keys
Use IAM conditions to limit when and how service accounts can be used
Monitor service account usage through audit logs

IAM Policies and Resources

graph TB subgraph "GCP Resource Hierarchy" A[Organization] --> B[Folder] A --> C[Folder] B --> D[Project A] B --> E[Project B] C --> F[Project C] D --> G[Resources] E --> H[Resources] F --> I[Resources] subgraph "Resources" G1[Compute Engine] G2[Cloud Storage] G3[BigQuery] G4[Cloud SQL] end G --> G1 G --> G2 H --> G3 I --> G4 end J[IAM Policies] --> A J --> B J --> C J --> D J --> E J --> F J --> G J --> H J --> I style A fill:#ff9999 style J fill:#99ccff

IAM Policy Structure

An IAM policy is a JSON document that defines access permissions:

{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "serviceAccount:my-app@project.iam.gserviceaccount.com"
      ],
      "condition": {
        "title": "Time-based access",
        "description": "Only during business hours",
        "expression": "request.time.getHours() >= 9 && request.time.getHours() < 17"
      }
    }
  ],
  "etag": "BwXW4LVJm2c=",
  "version": 3
}

Organizational Structure

Organization

The organization is the root node of the GCP resource hierarchy and represents your company or entity. Key roles include:

Role	Description	Responsibilities
Organization Administrator	Full control over all cloud resources	Define organization policies, manage billing, assign roles
Project Creator	Create new projects within the organization	Set up new environments, manage project lifecycle
Billing Account Creator	Create and manage billing accounts	Set up payment methods, monitor costs, manage budgets

Folders

Folders provide an additional level of isolation and organization between projects. They enable:

Departmental separation: Separate resources by business units
Environment isolation: Separate development, staging, and production
Policy inheritance: Apply consistent policies across multiple projects
Billing organization: Group projects for cost allocation

Projects

Projects are the fundamental organizing entity in GCP where:

Resources are created and managed
Billing is tracked and managed
APIs are enabled and configured
Access controls are applied

Access Management and Granting Permissions

IAM provides two primary methods for granting access, but only one is recommended for production environments.

graph LR subgraph "Access Management Approaches" A[Direct Permission Assignment] --> A1[❌ Not Recommended] A1 --> A2[Difficult to manage] A1 --> A3[Security risks] A1 --> A4[No scalability] B[Role-Based Access] --> B1[✅ Recommended] B1 --> B2[Easy to manage] B1 --> B3[Secure] B1 --> B4[Scalable] B1 --> B5[Auditable] end style A fill:#ffcccc style B fill:#ccffcc style A1 fill:#ff6666 style B1 fill:#66ff66

Role-Based Access Control (RBAC)

The recommended approach involves creating roles with specific permissions and assigning these roles to members. This method offers several advantages:

Simplified Management: Manage permissions through roles rather than individual permissions
Consistency: Ensure consistent access patterns across your organization
Scalability: Easily onboard new users by assigning appropriate roles
Security: Implement least privilege principle effectively
Auditability: Track role assignments and changes

Roles and Permissions

GCP offers three types of roles, each serving different use cases and providing varying levels of granularity.

1. Primitive Roles (Basic Roles)

Primitive roles provide broad access across most resources in a project. While easy to use, they should be used sparingly in production environments.

Role	Role ID	Description	Use Case	Security Risk
Owner	roles/owner	Full access to all resources including user management	Project administrators, initial setup	Very High
Editor	roles/editor	Read/write access to most resources, cannot manage users	Developers in development environments	High
Viewer	roles/viewer	Read-only access to most resources	Monitoring, auditing, read-only access	Low

Primitive Roles Warning

Primitive roles grant very broad permissions and should be avoided in production environments. Use predefined or custom roles instead to follow the principle of least privilege.

2. Predefined Roles

Predefined roles provide fine-grained access to specific GCP services. They are created and maintained by Google and represent common use cases.

Examples of Predefined Roles:

Service	Role	Role ID	Description
Compute Engine	Compute Instance Admin	roles/compute.instanceAdmin	Full control of Compute Engine instances
	Compute Viewer	roles/compute.viewer	Read-only access to Compute Engine resources
	Compute Security Admin	roles/compute.securityAdmin	Manage security policies and SSL certificates
Cloud Storage	Storage Admin	roles/storage.admin	Full control of Cloud Storage resources
	Storage Object Viewer	roles/storage.objectViewer	View objects and their metadata
	Storage Object Creator	roles/storage.objectCreator	Create objects but not view or delete them
BigQuery	BigQuery Data Viewer	roles/bigquery.dataViewer	Read data and metadata in BigQuery
BigQuery	BigQuery Job User	roles/bigquery.jobUser	Run jobs within a project

Finding the Right Predefined Role:

# List all available roles
gcloud iam roles list

# List roles for a specific service
gcloud iam roles list --filter="name:roles/compute.*"

# Get details about a specific role
gcloud iam roles describe roles/compute.instanceAdmin

# List permissions for a role
gcloud iam roles describe roles/storage.objectAdmin --format="value(includedPermissions)"

3. Custom Roles

Custom roles allow you to create roles with specific sets of permissions tailored to your organization’s needs.

When to Use Custom Roles:

Specific Requirements: When predefined roles don’t match your exact needs
Least Privilege: When you need more granular control than predefined roles offer
Compliance: When regulatory requirements demand specific permission sets
Organizational Policies: When your security policies require custom access patterns

Creating Custom Roles:

Custom Role YAML Definition:

title: "Custom Storage Developer Role"
description: "Limited storage access for development team"
stage: "GA"
includedPermissions:
  - storage.buckets.get
  - storage.buckets.list
  - storage.objects.create
  - storage.objects.delete
  - storage.objects.get
  - storage.objects.list

Custom Role Best Practices

Start with predefined roles and customize only when necessary
Use descriptive names and documentation
Regularly review and update custom roles
Test custom roles thoroughly before production deployment
Avoid including overly broad permissions

IAM Policies and Implementation

Understanding IAM Policies

IAM policies are JSON documents that define access control for GCP resources. They consist of bindings that connect members to roles.

Policy Components:

graph TB subgraph "IAM Policy Structure" A[IAM Policy] --> B[Bindings] B --> C[Members] B --> D[Role] B --> E[Condition - Optional] C --> C1[user:alice@example.com] C --> C2[group:developers@company.com] C --> C3[serviceAccount:app@project.iam.gserviceaccount.com] D --> D1[roles/storage.objectViewer] E --> E1[Time-based conditions] E --> E2[Resource-based conditions] E --> E3[Request-based conditions] end style A fill:#ff9999 style B fill:#99ccff style E fill:#99ff99

Practical IAM Operations

1. Viewing Current IAM Policies

# Get IAM policy for a project
gcloud projects get-iam-policy PROJECT_ID

# Get IAM policy for a specific resource
gcloud storage buckets get-iam-policy gs://my-bucket

# Format output as JSON for easier reading
gcloud projects get-iam-policy PROJECT_ID --format=json

2. Granting Access to Users

3. Managing Service Account Access

4. Using IAM Conditions

IAM conditions allow you to grant access based on context such as time, resource attributes, or request properties.

5. Removing Access

Advanced IAM Features

Policy Inheritance

IAM policies are inherited through the resource hierarchy:

Organization Policy
    ↓ (inherited by)
Folder Policy  
    ↓ (inherited by)
Project Policy
    ↓ (inherited by)
Resource Policy

IAM Recommender

Google’s IAM Recommender analyzes your IAM usage and provides recommendations:

Practical Examples and Use Cases

Example 1: Development Team Setup

Setting up IAM for a development team with different access levels:

Example 2: Production Environment Security

Implementing strict access controls for production:

Example 3: Multi-Environment Organization

Setting up an organization with multiple environments:

Best Practices and Security Guidelines

Security Best Practices

1. Principle of Least Privilege

Always grant the minimum permissions necessary for a user or service to perform their function:

2. Use Groups Instead of Individual Users

Manage access through groups rather than individual users:

3. Regular Access Reviews

Implement regular access reviews to ensure permissions remain appropriate:

4. Service Account Security

Follow these guidelines for secure service account management:

Practice	Description	Implementation
Dedicated Service Accounts	Create separate service accounts for different services	One service account per application or microservice
Key Rotation	Regularly rotate service account keys	Automate key rotation every 90 days
Least Privilege	Grant minimal required permissions	Use specific predefined roles instead of primitive roles
Monitor Usage	Track service account activity	Enable audit logs and set up alerting

Monitoring and Auditing

Cloud Audit Logs

Enable and monitor audit logs for IAM changes:

Access Transparency

For additional visibility into Google’s access to your data:

Common IAM Mistakes to Avoid

Common IAM Pitfalls

Using primitive roles in production: Avoid Owner, Editor, Viewer roles for granular access
Granting access to allUsers: Never use allUsers unless absolutely necessary
Excessive service account permissions: Don't grant more permissions than needed
Ignoring IAM conditions: Use conditions to add additional security constraints
Manual user management: Use groups instead of managing individual users
No access reviews: Regularly review and audit permissions
Sharing service account keys: Never share or commit service account keys

What’s Next?

Mastering IAM is just the beginning of securing your GCP environment. Consider these advanced topics for continued learning:

Organization Policies: Implement organization-wide constraints and policies
VPC Service Controls: Create security perimeters around sensitive data
Binary Authorization: Ensure only trusted container images are deployed
Cloud Asset Inventory: Track and monitor resource configurations
Security Command Center: Centralized security and compliance monitoring

Advanced IAM Features to Explore

graph LR A[Basic IAM] --> B[IAM Conditions] A --> C[Custom Roles] B --> D[Organization Policies] C --> E[Policy Intelligence] D --> F[VPC Service Controls] E --> G[Access Context Manager] F --> H[Advanced Security] G --> H

Recommended Learning Path

Master the basics: Understand members, roles, and policies thoroughly
Practice with real scenarios: Set up different environments with appropriate access controls
Implement monitoring: Set up audit logging and alerting for IAM changes
Explore conditions: Use IAM conditions for time, location, or resource-based access
Study organization policies: Learn to implement organization-wide security controls
Security assessment: Regularly review and assess your IAM implementation