
IAM conditions for fine-grained control in GCP - Commands & Configuration

Introduction
Sometimes you want to grant access to a cloud resource, but only under certain circumstances. IAM conditions attach a rule, written in Common Expression Language (CEL), to a role binding; the binding grants its permissions only while the rule evaluates to true, which keeps grants narrower and easier to reason about. Typical cases:
When you want to allow access to a storage bucket only during business hours.
When you want to restrict VM instance management to requests that satisfy an Access Context Manager access level, for example one that requires a specific source IP range (IAM conditions cannot inspect the source IP directly; they check request.auth.access_levels).
When you want to grant a role only on resources whose name matches a prefix, for example one bucket out of many in the project (resource.name.startsWith(...)).
When you want to limit who can delete resources by requiring an access level that checks the requester's device security status.
When you want to grant temporary access that expires at a fixed date and time (request.time < timestamp("...")).
Config File - policy.json
{
  "version": 3,
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:alice@example.com"],
      "condition": {
        "title": "BusinessHoursAccess",
        "description": "Allow access only during business hours",
        "expression": "request.time.getHours(\"America/New_York\") >= 9 && request.time.getHours(\"America/New_York\") < 17 && request.time.getDayOfWeek(\"America/New_York\") >= 1 && request.time.getDayOfWeek(\"America/New_York\") <= 5"
      }
    }
  ]
}

This JSON file defines an IAM policy with one binding that grants roles/storage.objectViewer to alice@example.com. The condition restricts the grant to 9 AM to 5 PM, Monday to Friday, in the America/New_York time zone. Two details matter here: the policy must declare "version": 3, because versions 1 and 2 cannot hold conditions and the API rejects them; and the time zone argument is required for the intended meaning, because request.time.getHours() and getDayOfWeek() without an argument evaluate in UTC. getDayOfWeek() numbers Sunday as 0, so 1 to 5 is Monday to Friday. A real exported policy also carries an etag field; keep it when you edit the file so that set-iam-policy fails instead of silently overwriting a change someone else made in the meantime.

Commands
This command replaces the IAM policy of the project 'example-project' with the contents of policy.json. set-iam-policy overwrites the whole policy rather than merging into it, so policy.json should normally be the output of get-iam-policy (including its etag) with the new binding added; a file containing only the one binding above would remove every other grant on the project, including the owners. To add a single binding without touching the rest, 'gcloud projects add-iam-policy-binding' with the --condition or --condition-from-file flag merges instead of replacing.
Terminal
gcloud projects set-iam-policy example-project policy.json
Expected Output
Updated IAM policy for project [example-project].
This command retrieves and prints the current IAM policy for 'example-project' so you can verify that the conditional binding is present and the policy version is 3. The real output also includes the policy's etag.
Terminal
gcloud projects get-iam-policy example-project
Expected Output
bindings:
- condition:
    description: Allow access only during business hours
    expression: request.time.getHours("America/New_York") >= 9 && request.time.getHours("America/New_York") < 17 && request.time.getDayOfWeek("America/New_York") >= 1 && request.time.getDayOfWeek("America/New_York") <= 5
    title: BusinessHoursAccess
  members:
  - user:alice@example.com
  role: roles/storage.objectViewer
version: 3
Key Concept

If you remember nothing else from this pattern, remember: IAM conditions attach a CEL rule to a role binding so the grant applies only when the rule is true. A condition can only narrow a binding, never widen it; if the expression evaluates to false, or cannot be evaluated because an attribute is missing, the binding grants nothing.

Common Mistakes
Writing an invalid or unsupported expression in the condition field.
The API rejects a syntactically invalid expression, and an expression that references an attribute the request does not carry evaluates to an error at request time, which denies the access you meant to grant.
Use only the attributes documented for IAM conditions (request.time, resource.name, resource.type, request.auth.access_levels and the like), and test the binding with the affected identity, for example with the policy troubleshooter, before relying on it.
Omitting "version": 3, or the current etag, from the policy file.
A policy with version 1 or 2 cannot contain conditions and set-iam-policy fails; without the etag, a change made by someone else between your get and set is silently overwritten.
Start from the exported policy, keep its etag, and set "version": 3 before adding the conditional binding.
Not applying the updated policy after editing the JSON file.
Changes do not take effect until the policy is set on the project or resource.
Run 'gcloud projects set-iam-policy' with the updated file, then confirm with 'gcloud projects get-iam-policy'.
Using conditions that the resource type does not support or does not enforce.
The condition may be rejected, or accepted but not enforced, leaving the grant broader than intended. Cloud Storage, for example, only enforces conditions on buckets with uniform bucket-level access enabled.
Keep conditions simple, and verify in the documentation that the attributes you use are enforced for the specific resource type.
Summary
Export the current policy, set "version": 3, and add a binding with a condition expression that limits when or where the grant applies.
Apply the policy to your GCP project using 'gcloud projects set-iam-policy', keeping in mind that it replaces the whole policy.
Verify the binding, condition and version with 'gcloud projects get-iam-policy'.