
IAM conditions for fine-grained control in GCP - Mini Project: Build & Apply

📖 Scenario: You are managing access to a Google Cloud Storage bucket for a team. You want to allow team members to read objects only if their requests originate from a specific IP address range. This helps keep your data secure by limiting access based on where requests come from.
🎯 Goal: Build an IAM policy with a condition that restricts read access to a Cloud Storage bucket to requests from a given IP address range.
📋 What You'll Learn
Create a basic IAM policy binding for the role roles/storage.objectViewer
Add a condition to the binding that allows access only if the request comes from IP addresses in the range 192.168.1.0/24
Use the correct IAM condition syntax for IP address matching
Ensure the policy is valid JSON and deployable
💡 Why This Matters
🌍 Real World
IAM conditions help secure cloud resources by allowing access only under specific circumstances, such as from certain IP addresses or during certain times.
💼 Career
Cloud engineers and security specialists use IAM conditions to enforce fine-grained access control policies that protect sensitive data and services.
1. Create the initial IAM policy structure
Create a variable called iam_policy and assign it a dictionary with a key bindings set to an empty list.
Hint: Start by creating a dictionary named iam_policy with a key bindings that holds an empty list.

2. Add a binding for the storage object viewer role
Add a dictionary to the bindings list inside iam_policy with the key role set to "roles/storage.objectViewer" and the key members set to a list containing "user:team-member@example.com".
Hint: Add a binding with the correct role and member email inside the bindings list.

3. Add an IAM condition to restrict access by IP address
Inside the binding dictionary in iam_policy["bindings"], add a key condition whose value is a dictionary with title set to "IPRestriction", description set to "Allow access only from 192.168.1.0/24", and expression set to "request.ip == '192.168.1.0/24'".
Hint: Add the condition dictionary inside the binding with the exact keys and values for title, description, and expression.

4. Complete the IAM policy with correct IP address condition syntax
Update the expression in the condition dictionary to use the correct syntax for IP address range matching: "request.ip in cidr_subnet('192.168.1.0/24', 0)".
Hint: Use the cidr_subnet function in the expression to correctly check whether the request IP is in the subnet.
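The four steps above carried through end to end, as an added example that is not part of the original mini-project: build_policy assembles the dictionary exactly as steps 1 to 4 prescribe (the role, member and expression strings are the page's own), policy_json serializes it, and check_policy performs the structural checks a practitioner would run before deploying, including the one the page's step 4 motivates: an equality test against a CIDR literal can never match a single address. Two things go beyond the page's steps and are labelled as such in the code: the "version": 3 field, which Cloud IAM requires on any policy that carries conditional bindings, and the CIDR parse with Python's ipaddress module. The checker inspects only JSON structure and CIDR literals; it does not evaluate CEL, so whether Cloud IAM accepts the expression text is only confirmed when the policy is actually applied with gcloud or setIamPolicy.

```python
import json
import re
from ipaddress import ip_network

# Matches a single-quoted IPv4 CIDR literal such as '192.168.1.0/24' inside a CEL string.
CIDR_RE = re.compile(r"'(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})'")


def build_policy(expression):
    """Build the policy from the page's four steps; `expression` is the condition's CEL text."""
    iam_policy = {"bindings": []}                      # step 1: empty bindings list
    iam_policy["bindings"].append({                    # step 2: objectViewer binding
        "role": "roles/storage.objectViewer",
        "members": ["user:team-member@example.com"],
    })
    iam_policy["bindings"][0]["condition"] = {         # steps 3/4: condition block
        "title": "IPRestriction",
        "description": "Allow access only from 192.168.1.0/24",
        "expression": expression,
    }
    # Added beyond the page's steps: a policy with conditional bindings must
    # declare policy version 3, otherwise setIamPolicy rejects it.
    iam_policy["version"] = 3
    return iam_policy


def check_policy(policy):
    """Return a list of structural problems; an empty list means the policy passes."""
    problems = []
    bindings = policy.get("bindings", [])
    if any("condition" in b for b in bindings) and policy.get("version") != 3:
        problems.append('conditional bindings require "version": 3')
    for i, binding in enumerate(bindings):
        if not binding.get("role", "").startswith("roles/"):
            problems.append(f"binding {i}: role must be of the form roles/...")
        if not binding.get("members"):
            problems.append(f"binding {i}: members list is empty")
        cond = binding.get("condition")
        if cond is None:
            continue
        for key in ("title", "expression"):
            if not cond.get(key):
                problems.append(f"binding {i}: condition missing {key}")
        expr = cond.get("expression", "")
        # Every CIDR literal in the expression must be a valid network (no host bits set).
        for cidr in CIDR_RE.findall(expr):
            try:
                ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"binding {i}: bad CIDR {cidr}: {exc}")
        # The step-3 draft compares an address to a range with '=='; that never matches.
        if "==" in expr and CIDR_RE.search(expr):
            problems.append(
                f"binding {i}: '==' against a CIDR literal can never match a single address"
            )
    return problems


def policy_json(policy):
    """Serialize the policy as the JSON document you would pass to setIamPolicy."""
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    draft = build_policy("request.ip == '192.168.1.0/24'")                     # step 3
    final = build_policy("request.ip in cidr_subnet('192.168.1.0/24', 0)")     # step 4
    print("draft problems:", check_policy(draft))
    print("final problems:", check_policy(final))
    print(policy_json(final))
```

Running the script reports one problem for the step-3 draft and none for the step-4 policy, then prints the final JSON ready to be applied to the bucket.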