
Access control (IAM vs ACLs) in GCP - CLI Comparison

Introduction
Access control decides who can do what with your cloud resources. In GCP there are two mechanisms for this: IAM and Cloud Storage ACLs. An IAM policy grants roles to principals (users, groups, service accounts) on a resource, and the grant is inherited down the hierarchy from organization to folder to project to individual resources such as buckets. ACLs exist only in Cloud Storage and grant a READER, WRITER or OWNER permission on one bucket or one object. Google recommends IAM with uniform bucket-level access and treats ACLs as a legacy, fine-grained exception, because two overlapping systems make it harder to answer the question "who can read this object?".
When you want to give a team member permission to manage all resources in a project: IAM, bound at the project level.
When you need to allow a user to read only a specific storage bucket: IAM bound on that bucket, or a bucket ACL.
When you want to restrict access to a single file inside a storage bucket: an object ACL, because an IAM role on the bucket applies to every object in it.
When you want to assign roles like Viewer or Editor to users across your cloud project: IAM.
When you want to control access at a very detailed level for individual objects: ACLs, which requires fine-grained (not uniform) access to be enabled on the bucket.
Commands
This command gives Alice the basic Viewer role on the entire project: she can view every resource in it but not change anything. Basic roles (Viewer, Editor, Owner) are very broad; in production, prefer a predefined or custom role scoped to the resources she actually needs.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:alice@example.com --role=roles/viewer
Expected Output
Updated IAM policy for project [example-project].
--member - The principal that receives the role, written with its type prefix: user:, group:, serviceAccount: or domain:.
--role - The role to bind, for example roles/viewer or a narrower predefined role such as roles/storage.objectViewer.
This command grants Bob the READER permission on the bucket example-bucket through its ACL. Bucket-level READER lets Bob list the objects in the bucket; reading an object's contents requires READER on the object itself (add -r to apply the change recursively to existing objects, or set a default object ACL with gsutil defacl for objects created later). The command fails if uniform bucket-level access is enabled on the bucket, because ACLs are disabled there.
Terminal
gsutil acl ch -u bob@example.com:R gs://example-bucket
Expected Output
Updated ACL on gs://example-bucket.
-u - Grants to a single user (use -g for a group, -p for a project team, -d to remove a grant).
:R - READER. The broader alternatives are :W (WRITER, buckets only) and :O (OWNER).
This command shows the current ACL permissions set on the example-bucket so you can verify who has access.
Terminal
gsutil acl get gs://example-bucket
Expected Output
[
  {
    "entity": "user-bob@example.com",
    "role": "READER"
  },
  {
    "entity": "project-owners-123456789",
    "role": "OWNER"
  }
]
Key Concept

If you remember nothing else, remember: IAM grants roles at the organization, folder, project or bucket level and is inherited downward; ACLs are a Cloud Storage-only mechanism that grants READER, WRITER or OWNER on one bucket or one object. Effective access is the union of the two, so an audit has to check both.

Common Mistakes
Trying to use ACLs to manage access for all project resources.
ACLs exist only in Cloud Storage and apply to one bucket or one object at a time; they cannot grant anything on other services or on the project itself.
Use IAM roles to manage access at the project or resource level.
Assigning IAM roles without specifying the correct member format.
IAM commands require the member to carry its type prefix, such as user:email, group:email, serviceAccount:email or domain:example.com; a bare email address is not a valid member.
Always specify members with the correct prefix, for example user:alice@example.com.
Not verifying access changes after applying them.
Without verification, you might not know whether the permissions were applied correctly, or whether an older grant is still in place alongside the new one.
Use 'gsutil acl get' to check the current ACL and 'gcloud projects get-iam-policy' to check IAM bindings after every change.
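The script below is an added example and not code from the original page. It turns the verification step into something repeatable: two small matchers that read the JSON printed by gsutil acl get and by gcloud projects get-iam-policy --format=json and report whether a given principal actually holds a given role, plus a check_live function that runs the page's two real queries through them. The project, bucket and user names are the page's placeholders, the sample JSON is constructed rather than captured from a real project, and check_live assumes an authenticated gcloud/gsutil.

```shell
#!/bin/sh
# Added example for this page, not part of the original tutorial: verify that an
# ACL grant and an IAM binding actually exist before trusting them. The matchers
# use only sh, tr and grep, so they also work on saved output without jq.
# Names (example-project, example-bucket, alice, bob) are the page's
# placeholders; SAMPLE_ACL and SAMPLE_POLICY are constructed, not real output.

# has_acl_grant ENTITY ROLE
# Reads `gsutil acl get` JSON on stdin; exit 0 if ENTITY holds ROLE.
# Relies on gsutil printing keys in sorted order, so "entity" precedes "role"
# inside one {...} entry; [^}]* keeps the match inside that entry (user and
# group entries have no nested objects).
has_acl_grant() {
  tr -d '\n\t ' | grep -Eq "\"entity\":\"$1\"[^}]*\"role\":\"$2\""
}

# has_iam_binding MEMBER ROLE
# Reads `gcloud projects get-iam-policy --format=json` on stdin; exit 0 if the
# binding for ROLE lists MEMBER. Keys are sorted here too, so "members" precedes
# "role" within a binding; [^]]* stays inside the members array and [^}]* inside
# the binding. A binding that carries a condition still counts as a match, so
# inspect conditions separately if you use them.
has_iam_binding() {
  tr -d '\n\t ' | grep -Eq "\"members\":\[[^]]*\"$1\"[^]]*][^}]*\"role\":\"$2\""
}

# check_live: the real round trip. Runs the page's two verification queries and
# pipes them through the matchers above. Needs gcloud/gsutil credentials, so it
# is defined here but only called by hand.
check_live() {
  gsutil acl get gs://example-bucket \
    | has_acl_grant user-bob@example.com READER \
    || { echo "bob does not hold READER on example-bucket" >&2; return 1; }
  gcloud projects get-iam-policy example-project --format=json \
    | has_iam_binding user:alice@example.com roles/viewer \
    || { echo "alice does not hold roles/viewer on example-project" >&2; return 1; }
  echo "both grants verified"
}

# Constructed sample outputs in the shape the two tools print.
SAMPLE_ACL='[
  { "entity": "user-bob@example.com", "role": "READER" },
  { "entity": "project-owners-123456789", "role": "OWNER" }
]'
SAMPLE_POLICY='{
  "bindings": [
    { "members": [ "user:alice@example.com" ], "role": "roles/viewer" },
    { "members": [ "user:carol@example.com" ], "role": "roles/owner" }
  ],
  "etag": "constructed",
  "version": 1
}'

# Offline demonstration against the samples. The second ACL check fails on
# purpose: READER on the bucket is not OWNER, and a matcher that ignored the
# role would let a mistyped :O grant pass as a read-only one.
printf '%s' "$SAMPLE_ACL" | has_acl_grant user-bob@example.com READER \
  && echo "sample ACL: bob holds READER"
printf '%s' "$SAMPLE_ACL" | has_acl_grant user-bob@example.com OWNER \
  || echo "sample ACL: bob does not hold OWNER (expected)"
printf '%s' "$SAMPLE_POLICY" | has_iam_binding user:alice@example.com roles/viewer \
  && echo "sample policy: alice holds roles/viewer"
```

Run the file as-is to exercise the matchers against the constructed samples, and call check_live from a shell that is authenticated to the project to check the real grants. Because effective access is the union of IAM and ACLs, a complete review runs both queries for every principal you care about, not only for the one you just added.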
Summary
Use 'gcloud projects add-iam-policy-binding' to assign broad roles to users at the project level.
Use 'gsutil acl ch' to change access permissions on individual storage buckets or objects.
Verify changes with 'gsutil acl get' for ACLs and 'gcloud projects get-iam-policy' for IAM bindings; effective access is the union of both.