Understanding GCP Identity and Access Management (IAM)
IAM (Identity and Access Management) is the security framework that defines who (identity) has what access (role) to which resource. It ensures that only authorized identities can perform specific actions on your Google Cloud resources.
1. The Three Pillars of IAM
- Principals ("Who"): Can be a Google Account (user), a Service Account (for apps), or a Google Group.
- Roles ("What"): A collection of permissions (e.g., the ability to create a VM or read a file).
- Resources ("Which"): The actual assets like a Storage Bucket, a BigQuery table, or a Pub/Sub topic.
2. Role Types
| Role Type | Description | Risk Level |
|---|---|---|
| Basic (Primitive) | Owner, Editor, Viewer. Extremely broad access. | High |
| Predefined | Granular roles managed by Google (e.g., Storage Object Admin). | Low |
| Custom | User-defined roles with specific, hand-picked permissions. | Lowest |
3. Policy Inheritance & Hierarchy
Permissions are inherited from the top down. If a user is granted access at the Organization or Folder level, they automatically have that same access to all Projects and Resources underneath.
Important: You cannot "deny" an inherited permission at a lower level. Access is additive.
Practical Example: The Data Science Team
The Scenario: You have a team that needs to run queries on data but must not be able to delete any datasets or create new infrastructure.
The Implementation:
- Create a Google Group: data-science-team@company.com.
- Assign the roles/bigquery.jobUser role (to run queries).
- Assign the roles/bigquery.dataViewer role (to read data).
Result: They have exactly what they need to work, following the Principle of Least Privilege.
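The inheritance rule from section 3 and this scenario can be checked mechanically. The following Python script is an added example, not part of the original page and not a Google tool: it merges constructed organization, folder and project policies (in the JSON shape that `gcloud projects get-iam-policy --format=json` returns), reports basic roles and grants inherited from above the project, and confirms the data-science group ends up with exactly the two roles above. All policies, principals and the project name are constructed.

```python
"""Least-privilege audit over a GCP IAM policy hierarchy (added example).
Policies use the JSON shape `gcloud ... get-iam-policy --format=json` returns;
all policies and principals below are constructed sample data."""
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policies, ordered top-down as in the resource hierarchy.
ORG_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:alice@company.com"]}]}
FOLDER_POLICY = {"bindings": [
    {"role": "roles/bigquery.admin",
     "members": ["serviceAccount:etl@sample-proj.iam.gserviceaccount.com"]}]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/bigquery.jobUser",
     "members": ["group:data-science-team@company.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["group:data-science-team@company.com"]}]}
CHAIN = [("organization", ORG_POLICY), ("folder", FOLDER_POLICY),
         ("project", PROJECT_POLICY)]


def effective_roles(chain):
    """Merge bindings top-down. Access is additive: a role bound at any
    ancestor is inherited by every descendant and cannot be removed below,
    so the merge is a plain union keyed by principal."""
    roles = defaultdict(set)
    for level, policy in chain:
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                roles[member].add((binding["role"], level))
    return dict(roles)


def audit(chain):
    """Flag two common over-grants: basic roles anywhere, and roles that
    reach the project only by inheritance from a folder or organization."""
    findings = []
    for member, grants in effective_roles(chain).items():
        for role, level in sorted(grants):
            if role in BASIC_ROLES:
                findings.append(f"{member} holds basic role {role} at {level}")
            elif level != "project":
                findings.append(f"{member} inherits {role} from {level}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(CHAIN)))
```

Feeding real output of `gcloud organizations|resource-manager folders|projects get-iam-policy --format=json` into `CHAIN` in hierarchy order turns this into a quick check that a project's least-privilege intent has not been silently widened by an ancestor binding.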
4. Best Practices
- Least Privilege: Grant only the minimum permissions required for a task.
- Use Service Accounts: Use these for automated workloads instead of personal user keys.
- Audit Logs: Regularly check logs to monitor who is accessing sensitive data.