GCPcloud~30 mins

Access control (IAM vs ACLs) in GCP - Hands-On Comparison

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Access control (IAM vs ACLs) in GCP

📖 Scenario: You are managing access to a Google Cloud Storage bucket for a small team. You want to control who can read and write files in the bucket using two common methods: IAM roles and ACLs.

🎯 Goal: Build a simple configuration that sets up a Cloud Storage bucket with specific IAM roles and ACLs to control access for users.

📋 What You'll Learn

Create a Cloud Storage bucket named exactly team-data-bucket

Assign the IAM role roles/storage.objectViewer to the user user:alice@example.com

Assign the IAM role roles/storage.objectAdmin to the user user:bob@example.com

Set an ACL on the bucket to give user:charlie@example.com read access

Set an ACL on the bucket to give user:dana@example.com write access

💡 Why This Matters

🌍 Real World

Managing access to cloud storage is essential for protecting data and ensuring only authorized users can read or modify files.

💼 Career

Cloud engineers and administrators regularly configure IAM and ACLs to enforce security policies and compliance in cloud environments.

Progress0 / 4 steps

Create the Cloud Storage bucket

Create a Cloud Storage bucket named team-data-bucket using the resource block with google_storage_bucket.

GCP

# Your code here to create the bucket named team-data-bucket

Need a hint?

Use the google_storage_bucket resource and set the name attribute exactly to team-data-bucket.

Add IAM roles for Alice and Bob

Add two google_storage_bucket_iam_member resources to assign the IAM role roles/storage.objectViewer to user:alice@example.com and the IAM role roles/storage.objectAdmin to user:bob@example.com for the bucket team-data-bucket.

GCP

resource "google_storage_bucket" "team_data_bucket" {
  name = "team-data-bucket"
}

# Your code here to add IAM roles for Alice and Bob

Need a hint?

Use two google_storage_bucket_iam_member resources with the bucket attribute set to the bucket name, and assign the correct role and member.

Add ACLs for Charlie and Dana

Add two google_storage_bucket_acl entries to give user:charlie@example.com read access and user:dana@example.com write access to the bucket team-data-bucket. Use the google_storage_bucket_acl resource with bucket set to the bucket name and specify the entity and role accordingly.

GCP

resource "google_storage_bucket" "team_data_bucket" {
  name = "team-data-bucket"
}

resource "google_storage_bucket_iam_member" "alice_viewer" {
  bucket = google_storage_bucket.team_data_bucket.name
  role   = "roles/storage.objectViewer"
  member = "user:alice@example.com"
}

resource "google_storage_bucket_iam_member" "bob_admin" {
  bucket = google_storage_bucket.team_data_bucket.name
  role   = "roles/storage.objectAdmin"
  member = "user:bob@example.com"
}

# Your code here to add ACLs for Charlie and Dana

Need a hint?

Use google_storage_bucket_acl resources with role set to READER or WRITER and entity set to user-email format with a dash.

Complete the configuration with bucket location

Add the location attribute with value US to the google_storage_bucket resource team_data_bucket to specify the bucket's geographic location.

GCP

resource "google_storage_bucket" "team_data_bucket" {
  name = "team-data-bucket"
  # Add location attribute here
}

resource "google_storage_bucket_iam_member" "alice_viewer" {
  bucket = google_storage_bucket.team_data_bucket.name
  role   = "roles/storage.objectViewer"
  member = "user:alice@example.com"
}

resource "google_storage_bucket_iam_member" "bob_admin" {
  bucket = google_storage_bucket.team_data_bucket.name
  role   = "roles/storage.objectAdmin"
  member = "user:bob@example.com"
}

resource "google_storage_bucket_acl" "charlie_read" {
  bucket = google_storage_bucket.team_data_bucket.name
  role   = "READER"
  entity = "user-charlie@example.com"
}

resource "google_storage_bucket_acl" "dana_write" {
  bucket = google_storage_bucket.team_data_bucket.name
  role   = "WRITER"
  entity = "user-dana@example.com"
}

Need a hint?

Add the location attribute inside the bucket resource block and set it to US.