Recall & Review
beginner
What is the purpose of IAM conditions in Google Cloud?
IAM conditions allow you to add extra rules to your access policies, so permissions are granted only when specific conditions are met. This helps control access more precisely.
beginner
Name two common attributes used in IAM conditions.
Common attributes include request.time (to limit access by time) and resource.name (to limit access to specific resources).
intermediate
How do IAM conditions improve security compared to basic IAM roles?
IAM conditions let you restrict permissions based on context like time, resource name, or resource labels, reducing the risk of over-permission and accidental access.
intermediate
What is the syntax format used to write IAM conditions?
IAM conditions use a simple expression language similar to logical statements, for example: request.time > timestamp("2024-01-01T00:00:00Z").
intermediate
Can IAM conditions be used to restrict access based on the user's IP address?
No, IAM conditions do not support IP address restrictions directly. Use network-level controls like firewall rules or Identity-Aware Proxy (IAP).
What does an IAM condition do in Google Cloud?
A. Deletes unused resources
B. Creates new user accounts automatically
C. Adds extra rules to control when permissions apply
D. Monitors network traffic
IAM conditions add extra rules to your access policies to control when permissions are granted.
Which attribute can you use in an IAM condition to limit access by time?
A. request.time
B. resource.type
C. user.email
D. resource.name
The attribute request.time lets you restrict access based on the time of the request.
IAM conditions help improve security by:
A. Granting all permissions to everyone
B. Allowing access only during certain conditions
C. Removing all roles from users
D. Backing up data automatically
IAM conditions allow access only when specific conditions are met, improving security.
Which of these is a valid use of IAM conditions?
A. Restrict access to a resource only during business hours
B. Change user passwords automatically
C. Encrypt data at rest
D. Monitor CPU usage
IAM conditions can restrict access based on time, such as business hours.
Can IAM conditions restrict access based on the user's IP address?
A. Yes, using request.ip attribute
B. Only for storage buckets
C. Only for admin users
D. No, IP address is not supported
IAM conditions do not support the request.ip attribute or IP-based restrictions. Use firewall rules, VPC Service Controls, or Identity-Aware Proxy for IP-based access control.
Explain how IAM conditions help achieve fine-grained access control in Google Cloud.
Think about how adding rules based on request details can limit access.
Describe a scenario where using IAM conditions would be beneficial.
Consider when you want to allow access only during certain hours or from certain places.
Practice
1. What is the main purpose of using IAM conditions in Google Cloud?
easy
A. To add extra rules that control access more precisely
B. To create new user accounts automatically
C. To increase the storage capacity of a project
D. To monitor network traffic in real-time
Solution
Step 1: Understand IAM conditions
IAM conditions allow adding rules that specify when and how permissions apply.
Step 2: Identify the purpose
The purpose is to control access more precisely by adding conditions like time or IP restrictions.
Final Answer:
To add extra rules that control access more precisely -> Option A
Quick Check:
IAM conditions = precise access control [OK]
Hint: IAM conditions add rules to limit access precisely [OK]
Common Mistakes:
Confusing IAM conditions with user creation
Thinking IAM conditions increase storage
Mixing IAM conditions with network monitoring
2. Which of the following is the correct syntax to add a condition in an IAM policy binding in JSON?
easy
A. "condition": "request.time < timestamp('2024-12-31T23:59:59Z')"
B. "condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"}
C. "condition": {"title": "exp", "expr": "request.time < timestamp('2024-12-31T23:59:59Z')"}
D. "condition": {"title": "exp", "expression": "request.time > timestamp('2024-12-31T23:59:59Z')"}
Solution
Step 1: Check the required fields for IAM condition
The condition must have title, expression, and description fields in JSON.
Step 2: Verify the expression syntax
"condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"} correctly uses "expression" with a valid timestamp comparison and includes title and description.
Final Answer:
"condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"} -> Option B
Quick Check:
Correct JSON fields and expression = "condition": {"title": "exp", "expression": "request.time < timestamp('2024-12-31T23:59:59Z')", "description": "Expire end of 2024"} [OK]
Hint: Condition needs title, expression, and description keys [OK]
Common Mistakes:
Using string instead of object for condition
Missing description or title fields
Using wrong key name like 'expr' instead of 'expression'
3. Given this IAM condition expression:
request.time > timestamp('2024-01-01T00:00:00Z') && request.time < timestamp('2024-12-31T23:59:59Z')
What will happen if a user tries to access a resource on 2023-12-31?
medium
A. Access will be denied
B. Access will be allowed
C. Access will be allowed only if user is admin
D. Access will be allowed but logged as warning
Solution
Step 1: Understand the time condition
The condition allows access only if request time is after 2024-01-01 and before 2024-12-31.
Step 2: Check the access date
On 2023-12-31, the request time is before the allowed start date, so condition fails.
Final Answer:
Access will be denied -> Option A
Quick Check:
Request time outside range = deny access [OK]
Hint: Access allowed only within specified time range [OK]
Common Mistakes:
Assuming access allowed before start date
Confusing AND (&&) with OR (||) in condition
Thinking admin role bypasses condition
4. You wrote this IAM condition:
"condition": {"title": "IP Restriction", "expression": "request.ip == '192.168.1.1'"}
But it does not work as expected. What is the likely problem?
medium
A. IAM conditions do not support IP address restrictions
B. The title field is missing
C. The expression should use 'request.ip in ['192.168.1.1']' for exact match
D. The expression uses '==' instead of 'in' for IP matching
Solution
Step 1: Check expression operator for IP
IAM conditions require 'in' operator to match IPs, not '==' which is invalid for strings.
Step 2: Confirm title presence and IP support
Title is present and IP restrictions are supported, so problem is operator usage.
Final Answer:
The expression uses '==' instead of 'in' for IP matching -> Option D
Quick Check:
Use 'in' operator for IP matching [OK]
Hint: Use 'in' operator for IP address matching in conditions [OK]
Common Mistakes:
Using '==' instead of 'in' for IP
Removing title field
Believing IP restrictions are unsupported
5. You want to grant a user access to a Cloud Storage bucket only if the resource carries a specific label and the request is made during business hours (9 AM to 5 PM UTC). Which IAM condition expression correctly combines these requirements?
Label check uses resource.labels.env == 'prod'. Time must be between 9 AM and 5 PM UTC daily.
Step 2: Check timestamp usage for daily time
Since IAM conditions lack direct time-of-day functions, use timestamps with a fixed date (like 1970-01-01) to represent daily hours.
Step 3: Evaluate options
"resource.labels.env == 'prod' && request.time >= timestamp('1970-01-01T09:00:00Z') && request.time <= timestamp('1970-01-01T17:00:00Z')" correctly uses fixed date timestamps for time range and combines with label check using AND (&&).
Label AND daily time range with fixed date timestamps = "resource.labels.env == 'prod' && request.time >= timestamp('1970-01-01T09:00:00Z') && request.time <= timestamp('1970-01-01T17:00:00Z')" [OK]
Hint: Use fixed date timestamps to represent daily time ranges [OK]
Common Mistakes:
Using OR instead of AND to combine conditions
Using actual dates instead of fixed date for daily time