GCP · cloud · ~10 mins

Access control (IAM vs ACLs) in GCP - Visual Side-by-Side Comparison

Process Flow - Access control (IAM vs ACLs)
User requests access
-> Check IAM policies: if IAM allows, access granted
-> Otherwise, check ACLs: if the ACLs allow, access granted; otherwise, access denied
When a user tries to access a resource, the system first checks IAM policies. If IAM allows, access is granted. If not, it checks the ACLs on the resource. Access is granted only if the ACLs allow it; otherwise it is denied.
Execution Sample (GCP)
User requests access to a GCP Storage bucket
Check IAM roles assigned to the user
If IAM allows access, grant it
Else, check ACLs on the bucket
If ACLs allow access, grant it
Else, deny access
This flow shows how GCP decides access using IAM first, then ACLs if needed.
Process Table
Step | Action               | Check                                 | Result | Access Outcome
1    | User requests access | N/A                                   | N/A    | Pending
2    | Check IAM policies   | Does user have IAM role for resource? | No     | Pending
3    | Check ACLs           | Is user in ACL for resource?          | Yes    | Access granted
4    | End                  | N/A                                   | N/A    | Access granted
💡 Note: access is granted after the ACL check because IAM did not grant access.
Status Tracker
Variable       | Start   | After Step 2 | After Step 3   | Final
IAM Access     | Unknown | No           | No             | No
ACL Access     | Unknown | Unknown      | Yes            | Yes
Access Outcome | Pending | Pending      | Access granted | Access granted
Key Moments - 2 Insights
Why does the system check ACLs if IAM denies access?
Because in GCP, IAM is the primary control. If IAM does not grant access, the ACLs can still grant it for some resources (such as a Cloud Storage bucket). This is shown in Process Table row 3, where the ACL check grants access that IAM did not.
Can a user have access if both IAM and ACL deny?
No. Access is granted only if either IAM or the ACL allows it; if both deny, access is denied. This follows from the Process Flow and from the note under the Process Table.
Visual Quiz - 3 Questions
Test your understanding
1. Look at the Process Table and Status Tracker: what is the IAM Access status after Step 2?
A. Yes
B. No
C. Unknown
D. Pending
💡 Hint: check the 'IAM Access' row under 'After Step 2' in the Status Tracker.
2. At which step is access finally granted?
A. Step 3
B. Step 2
C. Step 1
D. Step 4
💡 Hint: look at the 'Access Outcome' column in the Process Table rows.
3. If the ACL check had been 'No', what would the access outcome be?
A. Pending
B. Access granted
C. Access denied
D. Depends on IAM
💡 Hint: refer to the Process Flow and the note under the Process Table about access being denied when both IAM and the ACL deny.
Concept Snapshot
Access control in GCP uses IAM and ACLs.
IAM is the main way to grant permissions.
If IAM denies, ACLs can still grant access for some resources.
Access is granted if either IAM or ACL allows it.
If both deny, access is denied.
Always check IAM first, then ACLs.
Full Transcript
When a user requests access to a GCP resource, the system first checks the IAM policies assigned to the user. If the IAM roles allow access, the user is granted access immediately. If IAM denies access, the system then checks the Access Control Lists (ACLs) on the resource. If the ACLs include the user with the needed permission, access is granted. Otherwise, access is denied. This layered approach ensures flexible and secure access control. The execution table shows the step-by-step checks and the final access decision. Variables track the state of IAM access, ACL access, and the overall access outcome. Key moments clarify why ACLs are checked after IAM and that both must deny for access to be denied. The visual quiz tests understanding of these steps and outcomes. The snapshot summarizes the main points for quick review.
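The Execution Sample and the transcript above describe the same decision procedure: IAM is evaluated first, the ACL only if IAM did not grant, and the request succeeds if either one allows it. The following added example (illustrative code written for this page, not GCP's evaluation engine or any Google client library) models that procedure over a constructed bucket so the Status Tracker values can be reproduced, and adds the check a defender usually wants next: which principals hold a permission only through the ACL, since those grants are invisible to an IAM-only review. Assumptions: the bucket has ACLs enabled (fine-grained access), "IAM denies" means no IAM binding grants the permission (as the page uses the term), and the role-to-permission tables and sample principals are simplified and constructed, not authoritative.

```python
from dataclasses import dataclass, field

# Constructed, simplified mapping of IAM roles to permissions (not the full GCP table).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}

# Constructed mapping of legacy ACL roles onto the same permission vocabulary.
ACL_PERMISSIONS = {
    "READER": {"storage.objects.get", "storage.objects.list"},
    "WRITER": {"storage.objects.get", "storage.objects.list",
               "storage.objects.create", "storage.objects.delete"},
}


@dataclass
class Bucket:
    """Hypothetical bucket holding an IAM policy (role -> members) and an ACL (member -> ACL role)."""
    name: str
    iam_bindings: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)


def iam_allows(bucket: Bucket, member: str, permission: str) -> bool:
    """Step 2 of the Process Table: does any IAM binding give `member` the permission?"""
    return any(member in members and permission in ROLE_PERMISSIONS.get(role, set())
               for role, members in bucket.iam_bindings.items())


def acl_allows(bucket: Bucket, member: str, permission: str) -> bool:
    """Step 3 of the Process Table: does the ACL entry for `member` cover the permission?"""
    role = bucket.acl.get(member)
    return role is not None and permission in ACL_PERMISSIONS.get(role, set())


def decide(bucket: Bucket, member: str, permission: str) -> dict:
    """Run the IAM-first, ACL-second decision and return a Status Tracker-style record.

    acl_access stays None when IAM already granted, because the ACL is never consulted
    in that case (mirrors 'Unknown' in the Status Tracker).
    """
    tracker = {"iam_access": iam_allows(bucket, member, permission),
               "acl_access": None, "outcome": "pending", "granted_by": None}
    if tracker["iam_access"]:
        tracker.update(outcome="granted", granted_by="IAM")
        return tracker
    tracker["acl_access"] = acl_allows(bucket, member, permission)
    if tracker["acl_access"]:
        tracker.update(outcome="granted", granted_by="ACL")
    else:
        tracker["outcome"] = "denied"
    return tracker


def acl_only_principals(bucket: Bucket, permission: str) -> list:
    """Audit view: members who get `permission` solely via the ACL (IAM would not grant it).

    These are the grants an IAM-policy review misses, so they deserve a second look.
    """
    return sorted(m for m in bucket.acl
                  if acl_allows(bucket, m, permission) and not iam_allows(bucket, m, permission))


# Constructed sample data: alice is covered by IAM, bob only by the ACL, carol by neither.
SAMPLE = Bucket(
    name="example-bucket",
    iam_bindings={"roles/storage.objectViewer": {"user:alice@example.com"}},
    acl={"user:alice@example.com": "READER", "user:bob@example.com": "READER"},
)

if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com", "user:carol@example.com"):
        print(who, decide(SAMPLE, who, "storage.objects.get"))
    print("ACL-only readers:", acl_only_principals(SAMPLE, "storage.objects.get"))
```

Running the block reproduces the page's walkthrough for bob (IAM No, ACL Yes, outcome granted) and shows the two other outcomes the flow allows: alice is granted at the IAM step without the ACL being read, and carol is denied because both checks fail. The `acl_only_principals` result is the list a reviewer would compare against the intended access model.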