Bird
Raised Fist0
GCPcloud~7 mins

IAM conditions for fine-grained control in GCP - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Sometimes you want to give people access to cloud resources but only under certain conditions. IAM conditions let you set rules that control when and how permissions apply, making access safer and more precise.
When you want to allow access to a storage bucket only during business hours.
When you want to restrict VM instance management to users connecting from a specific IP range.
When you want to grant read access to a database only if the request comes from a certain project.
When you want to limit who can delete resources based on the requester's device security status.
When you want to apply temporary access that expires after a certain date.
Config File - policy.json
policy.json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:alice@example.com"],
      "condition": {
        "title": "BusinessHoursAccess",
        "description": "Allow access only during business hours",
        "expression": "request.time.getHours() >= 9 && request.time.getHours() < 17"
      }
    }
  ]
}

This JSON file defines an IAM policy binding that grants the role roles/storage.objectViewer to the user alice@example.com. The condition section restricts this permission to only apply during business hours, from 9 AM to 5 PM, using the request.time.getHours() expression.

Commands
This command applies the IAM policy with the condition to the project named 'example-project'. It updates the project's permissions to include the conditional access rule.
Terminal
gcloud projects set-iam-policy example-project policy.json
Expected OutputExpected
Updated IAM policy for project [example-project].
This command retrieves and shows the current IAM policy for 'example-project' so you can verify the condition was applied correctly.
Terminal
gcloud projects get-iam-policy example-project
Expected OutputExpected
bindings: - members: - user:alice@example.com role: roles/storage.objectViewer condition: title: BusinessHoursAccess description: Allow access only during business hours expression: request.time.getHours() >= 9 && request.time.getHours() < 17
Key Concept

If you remember nothing else from this pattern, remember: IAM conditions let you add rules that limit when and how permissions work, making access safer and more precise.

Common Mistakes
Writing incorrect or unsupported expressions in the condition field.
The policy will fail to apply or the condition will be ignored, causing unexpected access behavior.
Use valid CEL expressions supported by GCP IAM conditions and test them carefully.
Not applying the updated policy after editing the JSON file.
Changes won't take effect until the policy is set on the project or resource.
Run 'gcloud projects set-iam-policy' with the updated file to apply changes.
Using conditions that are too complex or not supported by the resource type.
The condition may be rejected or not enforced, leading to security gaps.
Keep conditions simple and verify they are supported for the specific resource.
Summary
Create an IAM policy JSON file with a condition expression to limit access.
Apply the policy to your GCP project using 'gcloud projects set-iam-policy'.
Verify the policy and condition are set correctly with 'gcloud projects get-iam-policy'.

Practice

(1/5)
1. What is the main purpose of using IAM conditions in Google Cloud?
easy
A. To add extra rules that control access more precisely
B. To create new user accounts automatically
C. To increase the storage capacity of a project
D. To monitor network traffic in real-time

Solution

  1. Step 1: Understand IAM conditions

    IAM conditions allow adding rules that specify when and how permissions apply.

  2. Step 2: Identify the purpose

    The purpose is to control access more precisely by adding conditions like time or IP restrictions.

  3. Final Answer:

    To add extra rules that control access more precisely -> Option A

  4. Quick Check:

    IAM conditions = precise access control [OK]
Hint: IAM conditions add rules to limit access precisely [OK]
Common Mistakes:
  • Confusing IAM conditions with user creation
  • Thinking IAM conditions increase storage
  • Mixing IAM conditions with network monitoring
2. Which of the following is the correct syntax to add a condition in an IAM policy binding in JSON?
easy
A. "condition": "request.time < timestamp('2024-12-31T23:59:59Z')"
B. "condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"}
C. "condition": {"title": "exp", "expr": "request.time < timestamp('2024-12-31T23:59:59Z')"}
D. "condition": {"title": "exp", "expression": "request.time > timestamp('2024-12-31T23:59:59Z')"}

Solution

  1. Step 1: Check the required fields for IAM condition

    The condition must have title, expression, and description fields in JSON.

  2. Step 2: Verify the expression syntax

    "condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"} correctly uses "expression" with a valid timestamp comparison and includes title and description.

  3. Final Answer:

    "condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"} -> Option B

  4. Quick Check:

    Correct JSON fields and expression = "condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"} [OK]
Hint: Condition needs title, expression, and description keys [OK]
Common Mistakes:
  • Using string instead of object for condition
  • Missing description or title fields
  • Using wrong key name like 'expr' instead of 'expression'
3. Given this IAM condition expression:
request.time > timestamp('2024-01-01T00:00:00Z') && request.time < timestamp('2024-12-31T23:59:59Z')
What will happen if a user tries to access a resource on 2023-12-31?
medium
A. Access will be denied
B. Access will be allowed
C. Access will be allowed only if user is admin
D. Access will be allowed but logged as warning

Solution

  1. Step 1: Understand the time condition

    The condition allows access only if request time is after 2024-01-01 and before 2024-12-31.

  2. Step 2: Check the access date

    On 2023-12-31, the request time is before the allowed start date, so condition fails.

  3. Final Answer:

    Access will be denied -> Option A

  4. Quick Check:

    Request time outside range = deny access [OK]
Hint: Access allowed only within specified time range [OK]
Common Mistakes:
  • Assuming access allowed before start date
  • Confusing AND (&&) with OR (||) in condition
  • Thinking admin role bypasses condition
4. You wrote this IAM condition:
"condition": {"title": "IP Restriction", "expression": "request.ip == '192.168.1.1'"}
But it does not work as expected. What is the likely problem?
medium
A. IAM conditions do not support IP address restrictions
B. The title field is missing
C. The expression should use 'request.ip in ['192.168.1.1']' for exact match
D. The expression uses '==' instead of 'in' for IP matching

Solution

  1. Step 1: Check expression operator for IP

    IAM conditions require 'in' operator to match IPs, not '==' which is invalid for strings.

  2. Step 2: Confirm title presence and IP support

    Title is present and IP restrictions are supported, so problem is operator usage.

  3. Final Answer:

    The expression uses '==' instead of 'in' for IP matching -> Option D

  4. Quick Check:

    Use 'in' operator for IP matching [OK]
Hint: Use 'in' operator for IP address matching in conditions [OK]
Common Mistakes:
  • Using '==' instead of 'in' for IP
  • Removing title field
  • Believing IP restrictions are unsupported
5. You want to grant a user access to a Cloud Storage bucket only if the request comes from a specific label on the resource and during business hours (9 AM to 5 PM UTC). Which IAM condition expression correctly combines these requirements?
hard
A. "resource.labels.env == 'prod' && request.time >= timestamp('2024-01-01T09:00:00Z') && request.time <= timestamp('2024-01-01T17:00:00Z')"
B. "resource.labels.env == 'prod' || (request.time >= timestamp('09:00:00Z') && request.time <= timestamp('17:00:00Z'))"
C. "resource.labels.env == 'prod' && request.time >= timestamp('1970-01-01T09:00:00Z') && request.time <= timestamp('1970-01-01T17:00:00Z')"
D. "resource.labels.env == 'prod' && request.time >= timestamp('1970-01-01T09:00:00Z') && request.time <= timestamp('1970-01-01T17:00:00Z') && request.time.date() == request.time.date()"

Solution

  1. Step 1: Understand label and time conditions

    Label check uses resource.labels.env == 'prod'. Time must be between 9 AM and 5 PM UTC daily.

  2. Step 2: Check timestamp usage for daily time

    Since IAM conditions lack direct time-of-day functions, use timestamps with a fixed date (like 1970-01-01) to represent daily hours.

  3. Step 3: Evaluate options

    "resource.labels.env == 'prod' && request.time >= timestamp('1970-01-01T09:00:00Z') && request.time <= timestamp('1970-01-01T17:00:00Z')" correctly uses fixed date timestamps for time range and combines with label check using AND (&&).

  4. Final Answer:

    "resource.labels.env == 'prod' && request.time >= timestamp('1970-01-01T09:00:00Z') && request.time <= timestamp('1970-01-01T17:00:00Z')" -> Option C

  5. Quick Check:

    Label AND daily time range with fixed date timestamps = "resource.labels.env == 'prod' && request.time >= timestamp('1970-01-01T09:00:00Z') && request.time <= timestamp('1970-01-01T17:00:00Z')" [OK]
Hint: Use fixed date timestamps to represent daily time ranges [OK]
Common Mistakes:
  • Using OR instead of AND to combine conditions
  • Using actual dates instead of fixed date for daily time
  • Adding unnecessary redundant conditions