How GCP IAM works?

Akshit Pal
2 min read · Sep 27, 2021

I have been working through GCP labs recently, and while picking up more knowledge of GCP I came across IAM, which is one of the building blocks of every cloud platform out there right now. So here goes my explanation of it.

So what is IAM in general?

For a common understanding, Identity and Access Management (IAM) is basically the answer to who gets permission to do what in the cloud and who doesn't. It is very important because it covers both the security and the cost side of things.

An important thing to remember here is that cloud services also need these IAM permissions to connect to other services, just like a user or a group does.

A brief explanation of IAM

Briefly, I would quote Qwiklabs here: Cloud IAM provides the right tools to manage resource permissions with minimum fuss and high automation. You don't directly grant users permissions. Instead, you grant them roles, which bundle one or more permissions.

This allows you to map job functions within your company to groups and roles. Users get access only to what they need to get the job done, and admins can easily grant default permissions to entire groups of users.

Definitions aside, the important things in this whole IAM story are roles, policies and conditions.

There are two kinds of roles in Cloud IAM:

  • Predefined Roles
  • Custom Roles

Predefined roles in Google Cloud Platform are roles that are maintained by Google and are automatically updated by Google when new features or services are added to Google Cloud.

Custom roles, as the name suggests, are user-defined and allow you to bundle one or more supported permissions to meet your specific needs. You create a custom role by combining one or more of the available Cloud IAM permissions. Permissions allow users to perform specific actions on Google Cloud resources.

How Google GCP IAM works with an example

Think of it like this:

A Policy is a collection of bindings.

A binding binds one or more members to a single role.

Members can be user accounts, service accounts (told you services also require permissions), groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.

    "bindings": [
      {
        "role": ...,
        "members": ...,
        "condition": {
          "title": ...,
          "description": ...,
          "expression": ...
        }
      },
      ...
    ]

You can see the example here https://cloud.google.com/iam/docs/reference/rest/v1/Policy
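To make the policy → bindings → members/role/condition structure concrete, here is an added example (my own code, not from the post or from Google's docs) that walks a policy in the shape shown above, lists what a given member is granted, and flags the bindings a reviewer would look at first: basic roles and grants to the public member identifiers. The policy document and all member names in it are constructed for the example.

```python
"""Inspect a GCP IAM policy: roles per member and risky bindings.

The SAMPLE_POLICY below is constructed in the Policy REST resource shape.
CEL conditions are reported, not evaluated (that needs the IAM service).
"""
from typing import Dict, List, Optional, Tuple

SAMPLE_POLICY: Dict = {
    "version": 3,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com", "group:devs@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"],
         "condition": {"title": "expires_2021",
                       "description": "temporary grant for the migration",
                       "expression": 'request.time < timestamp("2021-12-31T00:00:00Z")'}},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
}

# Basic (primitive) roles are far broader than any predefined or custom role.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# These special members grant access to everyone / every Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def roles_for_member(policy: Dict, member: str) -> List[Tuple[str, Optional[str]]]:
    """Return (role, condition_title) for every binding that names the member.

    A binding with a condition only applies while its CEL expression is true,
    so the condition title is returned alongside the role instead of None.
    """
    granted = []
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            cond = binding.get("condition")
            granted.append((binding["role"], cond["title"] if cond else None))
    return granted


def risky_bindings(policy: Dict) -> List[str]:
    """Flag basic-role grants and grants to public members, one finding each."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            findings.append(f"{role}: basic role, prefer a predefined or custom role")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{role} granted to {member}: public access")
    return findings
```

Running `roles_for_member(SAMPLE_POLICY, "user:alice@example.com")` shows the same member picking up two roles from two different bindings, which is exactly why a policy has to be read as a whole rather than one binding at a time.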
