GCP / cloud / ~10 mins

Access control (IAM vs ACLs) in GCP - Visual Side-by-Side Comparison

Process Flow - Access control (IAM vs ACLs)
User requests access -> Check IAM policy -> (IAM grants) Access granted
                                         -> (IAM does not grant) Check ACLs -> (ACL grants) Access granted
                                                                            -> (no ACL grant) Access denied
When a user tries to access a resource, the system first checks the IAM policy. If IAM grants the permission, access is granted. If it does not, and the bucket still uses fine-grained access (uniform bucket-level access disabled), the ACLs are checked and access is granted only if an ACL entry grants it. If the bucket uses uniform bucket-level access, ACLs are ignored and a request that IAM does not grant is denied.
Execution Sample
GCP
User requests access to a GCP Storage bucket
Check IAM roles assigned to the user
If IAM allows access, grant it
Else, if the bucket uses fine-grained access, check the bucket and object ACLs
If an ACL entry grants the permission, grant it
Else, deny access
This flow shows how GCP decides access using IAM first, then ACLs if the bucket still allows them. Because the effective permission is the union of the two grants, a request that IAM already grants never needs the ACL step, and a bucket with uniform bucket-level access never reaches it.
Process Table
Step | Action | Check | Result | Access Outcome
1 | User requests access | N/A | N/A | Pending
2 | Check IAM policies | Does the user hold an IAM role that grants the permission? | No | Pending
3 | Check ACLs | Is the user in an ACL entry for the resource? | Yes | Access granted
4 | End | N/A | N/A | Access granted
💡 Access granted after the ACL check because IAM did not grant the permission (the bucket uses fine-grained access, so ACLs still apply)
Status Tracker
Variable | Start | After Step 2 | After Step 3 | Final
IAM Access | Unknown | No | No | No
ACL Access | Unknown | Unknown | Yes | Yes
Access Outcome | Pending | Pending | Access granted | Access granted
Key Moments - 2 Insights
Why does the system check ACLs if IAM does not grant access?
Because in GCP, IAM is the primary control, but on a bucket with fine-grained access (uniform bucket-level access disabled) the effective permission is the union of IAM grants and ACL grants. The ACL does not "override" IAM; it simply adds a grant that the IAM policy did not contain. This is shown in Process Table row 3, where the ACL check grants access after IAM did not.
Can a user have access if neither IAM nor an ACL grants it?
No. Access is granted if either IAM or an ACL grants it. If neither does, access is denied, as the final step of the Process Flow shows.
Visual Quiz - 3 Questions
Test your understanding
Look at the Status Tracker: what is the IAM Access status after Step 2?
AYes
BNo
CUnknown
DPending
💡 Hint
Check the 'IAM Access' row under 'After Step 2' in the Status Tracker
At which step is access finally granted?
AStep 3
BStep 2
CStep 1
DStep 4
💡 Hint
Look at the 'Access Outcome' column of the Process Table rows
If the ACL check was 'No', what would be the access outcome?
APending
BAccess granted
CAccess denied
DDepends on IAM
💡 Hint
Refer to the Process Flow: access is denied only when neither IAM nor an ACL grants it
Concept Snapshot
Access control in GCP uses IAM and ACLs.
IAM is the main way to grant permissions.
If IAM does not grant a permission, an ACL can still grant it on buckets that use fine-grained access.
If the bucket uses uniform bucket-level access, ACLs are disabled and only IAM applies.
Access is granted if either IAM or an ACL grants it; if neither does, access is denied.
Always check IAM first, then ACLs.
Full Transcript
When a user requests access to a GCP resource, the system first checks the IAM policies that apply to the user (the policy on the resource plus any inherited from the project). If an IAM role grants the permission, the user is granted access immediately. If IAM does not grant it, and the bucket still uses fine-grained access, the system then checks the Access Control Lists (ACLs) on the bucket and object. If an ACL entry includes the user with the needed permission, access is granted. Otherwise, access is denied. On a bucket with uniform bucket-level access the ACL step is skipped entirely, so IAM is the only control. The Process Table shows the step-by-step checks and the final access decision. The Status Tracker follows the state of IAM access, ACL access, and the overall access outcome. The Key Moments clarify why ACLs are checked after IAM and that access is denied only when neither grants it. The visual quiz tests understanding of these steps and outcomes. The snapshot summarizes the main points for quick review.
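The decision procedure above, as an added runnable model (not code from the original page and not Google's implementation): a Python function that evaluates the bucket IAM policy plus an inherited project policy, then falls through to bucket and object ACLs only when the bucket uses fine-grained access. The role-to-permission and ACL-role tables are a simplified subset (an assumption; real roles carry more permissions), the bucket names, principals and ACL entries are constructed, and the `Bucket` dataclass and the `decide` and `demo` helpers are this example's own names. It goes beyond the page's single scenario by also modelling uniform bucket-level access, which disables the ACL step, and project-level role inheritance.

```python
"""Model of how Cloud Storage decides a request: IAM grant OR (fine-grained
buckets only) ACL grant. Added example; permission tables are a simplified
subset and all names below are constructed."""
from dataclasses import dataclass, field

# Simplified subset of predefined Cloud Storage roles (assumption: the real
# roles include more permissions, e.g. IAM-policy permissions on objects).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.update", "storage.objects.delete",
    },
}
ROLE_PERMISSIONS["roles/storage.admin"] = ROLE_PERMISSIONS["roles/storage.objectAdmin"] | {
    "storage.buckets.get", "storage.buckets.update", "storage.buckets.delete",
}

# Legacy ACL roles mapped to the permissions they effectively grant (simplified).
BUCKET_ACL_PERMISSIONS = {
    "READER": {"storage.objects.list", "storage.buckets.get"},
    "WRITER": {"storage.objects.list", "storage.buckets.get",
               "storage.objects.create", "storage.objects.delete"},
}
BUCKET_ACL_PERMISSIONS["OWNER"] = BUCKET_ACL_PERMISSIONS["WRITER"] | {"storage.buckets.update"}
OBJECT_ACL_PERMISSIONS = {
    "READER": {"storage.objects.get"},
    "OWNER": {"storage.objects.get", "storage.objects.update"},
}


@dataclass
class Bucket:
    name: str
    iam_policy: dict                                  # {"bindings": [{"role": ..., "members": [...]}]}
    uniform_bucket_level_access: bool = True          # True disables every ACL below
    bucket_acl: list = field(default_factory=list)    # [{"entity": "user-bob@example.com", "role": "READER"}]
    object_acls: dict = field(default_factory=dict)   # object name -> list of ACL entries


def iam_permissions(policies, principal):
    """Union of permissions the principal holds across all applicable IAM policies
    (bucket policy plus inherited project policy). The caller is assumed authenticated,
    so allUsers and allAuthenticatedUsers bindings both match."""
    granted = set()
    for policy in policies:
        for binding in policy.get("bindings", []):
            members = binding.get("members", [])
            if principal in members or "allUsers" in members or "allAuthenticatedUsers" in members:
                granted |= ROLE_PERMISSIONS.get(binding["role"], set())
    return granted


def acl_entity(principal):
    """Translate an IAM member ('user:x', 'serviceAccount:x', 'group:x') into the
    legacy ACL entity spelling ('user-x', 'group-x')."""
    if principal in ("allUsers", "allAuthenticatedUsers"):
        return principal
    kind, _, email = principal.partition(":")
    return {"user": "user-", "serviceAccount": "user-", "group": "group-"}.get(kind, "") + email


def acl_permissions(bucket, principal, object_name=None):
    """Permissions granted by the bucket ACL plus the ACL of one object."""
    entity = acl_entity(principal)
    granted = set()
    for entry in bucket.bucket_acl:
        if entry["entity"] in (entity, "allUsers", "allAuthenticatedUsers"):
            granted |= BUCKET_ACL_PERMISSIONS.get(entry["role"], set())
    for entry in bucket.object_acls.get(object_name, []):
        if entry["entity"] in (entity, "allUsers", "allAuthenticatedUsers"):
            granted |= OBJECT_ACL_PERMISSIONS.get(entry["role"], set())
    return granted


def decide(bucket, principal, permission, object_name=None, project_policy=None):
    """Return (granted, reason). Step 1 is IAM; step 2 is the ACL check, skipped
    entirely when uniform bucket-level access is on. The result is a union of the
    two grants, so the order of the checks never changes the outcome."""
    policies = [bucket.iam_policy] + ([project_policy] if project_policy else [])
    if permission in iam_permissions(policies, principal):
        return True, "granted by IAM"
    if bucket.uniform_bucket_level_access:
        return False, "denied: IAM did not grant and ACLs are disabled by uniform bucket-level access"
    if permission in acl_permissions(bucket, principal, object_name):
        return True, "granted by ACL"
    return False, "denied: neither IAM nor ACL grants the permission"


def demo():
    """The page's scenario: Bob appears only in ACLs, Alice holds objectAdmin via IAM."""
    policy = {"bindings": [{"role": "roles/storage.objectAdmin",
                            "members": ["user:alice@example.com"]}]}
    acl = [{"entity": "user-bob@example.com", "role": "READER"}]
    legacy = Bucket("legacy-bucket", policy, uniform_bucket_level_access=False,
                    bucket_acl=list(acl), object_acls={"report.csv": list(acl)})
    ubla = Bucket("ubla-bucket", policy, uniform_bucket_level_access=True,
                  bucket_acl=list(acl), object_acls={"report.csv": list(acl)})
    results = {
        "alice_delete": decide(legacy, "user:alice@example.com", "storage.objects.delete", "report.csv"),
        "bob_get_legacy": decide(legacy, "user:bob@example.com", "storage.objects.get", "report.csv"),
        "bob_get_ubla": decide(ubla, "user:bob@example.com", "storage.objects.get", "report.csv"),
        "bob_delete_legacy": decide(legacy, "user:bob@example.com", "storage.objects.delete", "report.csv"),
    }
    for name, (granted, reason) in results.items():
        print(f"{name}: {'ALLOW' if granted else 'DENY'} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

Run it directly to print the four decisions. The same object ACL entry for Bob grants `storage.objects.get` on the fine-grained bucket and is ignored on the uniform one, which is the failure mode behind practice question 4; passing a `project_policy` to `decide` shows a project-level binding (as in practice question 2) reaching every bucket in the project.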

Practice

1. What is the main difference between IAM and ACLs in Google Cloud Platform?
easy
A. IAM and ACLs are exactly the same in functionality.
B. IAM controls network traffic, and ACLs control user passwords.
C. IAM is only for virtual machines, ACLs are for storage only.
D. IAM manages access at resource levels using roles, while ACLs manage access at object or bucket levels.

Solution

  1. Step 1: Understand IAM scope

    IAM controls access broadly by assigning roles to users or groups at resource levels like projects or services.
  2. Step 2: Understand ACL scope

    ACLs control access more narrowly, typically at the object or bucket level in storage services.
  3. Final Answer:

    IAM manages access at resource levels using roles, while ACLs manage access at object or bucket levels. -> Option D
  4. Quick Check:

    IAM = broad roles, ACLs = fine-grained object permissions [OK]
Hint: IAM is broad roles; ACLs are fine-grained permissions [OK]
Common Mistakes:
  • Confusing IAM with network controls
  • Thinking ACLs control passwords
  • Assuming IAM and ACLs are identical
2. Which of the following is the correct way to grant a user the role of 'Storage Object Viewer' using IAM in GCP?
easy
A. Edit the user's password in the IAM console.
B. Add the user to the ACL of the bucket with read permission.
C. Use the command: gcloud projects add-iam-policy-binding my-project --member='user:email@example.com' --role='roles/storage.objectViewer'
D. Create a firewall rule allowing the user access.

Solution

  1. Step 1: Identify IAM command syntax

    The correct gcloud command to grant IAM roles uses 'add-iam-policy-binding' with member and role flags.
  2. Step 2: Verify role and member format

    The role 'roles/storage.objectViewer' and the member format 'user:email@example.com' are correct for granting read access to objects. Note that this binding is made on the project, so it is inherited by every bucket in the project; if the user should only read one bucket, bind the role on that bucket instead.
  3. Final Answer:

    Use the command: gcloud projects add-iam-policy-binding my-project --member='user:email@example.com' --role='roles/storage.objectViewer' -> Option C
  4. Quick Check:

    IAM role grant uses gcloud add-iam-policy-binding [OK]
Hint: Use gcloud add-iam-policy-binding with correct role and member [OK]
Common Mistakes:
  • Confusing ACL changes with IAM commands
  • Editing passwords instead of roles
  • Using firewall rules for access control
3. Given the following IAM policy snippet for a bucket, what access does the user 'user:alice@example.com' have?
{
  "bindings": [
    {
      "role": "roles/storage.objectAdmin",
      "members": ["user:alice@example.com"]
    }
  ]
}
medium
A. Alice can only read objects in the bucket.
B. Alice can create, delete, and update objects in the bucket.
C. Alice has no access to the bucket.
D. Alice can manage IAM policies but not objects.

Solution

  1. Step 1: Identify the role assigned

    The role 'roles/storage.objectAdmin' grants full control over the objects in the bucket, including create, delete, and update. It does not grant bucket management or control of the bucket's IAM policy; that needs roles/storage.admin.
  2. Step 2: Confirm member access

    The member 'user:alice@example.com' is assigned this role, so Alice has these permissions.
  3. Final Answer:

    Alice can create, delete, and update objects in the bucket. -> Option B
  4. Quick Check:

    roles/storage.objectAdmin = full object control [OK]
Hint: objectAdmin role means full object permissions [OK]
Common Mistakes:
  • Confusing objectAdmin with read-only roles
  • Assuming no access without explicit bucket ACL
  • Assuming objectAdmin also grants bucket or IAM policy management (that needs roles/storage.admin)
4. You tried to grant a user access to a Cloud Storage bucket by adding them to the bucket's ACL, but they still cannot access the objects. What is the likely issue?
medium
A. The bucket has uniform bucket-level access enabled, which disables ACLs.
B. The user needs to restart their computer.
C. The user's email address was misspelled in the ACL.
D. The user was not granted an IAM role at the project level.

Solution

  1. Step 1: Understand uniform bucket-level access

    When uniform bucket-level access is enabled, all bucket and object ACLs are ignored and only the IAM policy (the bucket's own policy plus what it inherits from the project) controls access.
  2. Step 2: Check ACL effect

    Adding users to ACLs has no effect if uniform bucket-level access is on, so the user cannot access objects despite the ACL change. Check the bucket's uniform bucket-level access setting before looking for typos in the ACL entry; if it is on, grant the user an IAM role on the bucket instead.
  3. Final Answer:

    The bucket has uniform bucket-level access enabled, which disables ACLs. -> Option A
  4. Quick Check:

    Uniform bucket-level access disables ACLs [OK]
Hint: Uniform bucket-level access disables ACLs [OK]
Common Mistakes:
  • Assuming ACLs always work regardless of bucket settings
  • Blaming user typos without verification
  • Thinking user restart affects cloud permissions
5. You want to allow a third-party service to read specific objects in your Cloud Storage bucket without giving it full project access. Which approach is best?
hard
A. Add the service account to the bucket's ACL with READER permission on specific objects.
B. Enable uniform bucket-level access and grant the service account the storage.admin role.
C. Grant the service an IAM role at the project level with storage.objectViewer permission.
D. Create a firewall rule to allow the service IP to access the bucket.

Solution

  1. Step 1: Understand access scope needs

    The third-party service needs access only to specific objects, not the whole project.
  2. Step 2: Choose fine-grained control method

    Object ACLs can grant READER on individual objects, which is narrower than any IAM role bound at the project or bucket level. The third-party service is identified by its service account, added to each object's ACL as a user entity. This only works if the bucket uses fine-grained access (uniform bucket-level access disabled); on a uniform bucket the ACL entries are ignored.
  3. Step 3: Evaluate other options

    IAM roles at project level are too broad; storage.admin is too powerful; firewall rules do not control storage access.
  4. Final Answer:

    Add the service account to the ACL of the specific objects with READER permission (assuming the bucket uses fine-grained access). -> Option A
  5. Quick Check:

    Use ACLs for fine-grained object access [OK]
Hint: Use ACLs for specific object access, IAM for broad access [OK]
Common Mistakes:
  • Granting overly broad IAM roles
  • Confusing firewall rules with access control
  • Using storage.admin role unnecessarily