GCP · cloud · ~10 mins

IAM conditions for fine-grained control in GCP - Step-by-Step Execution

Process Flow - IAM conditions for fine-grained control
User Request → IAM Policy Check → Evaluate Conditions → Allow or Deny Access → Service Response
When a user makes a request, GCP checks the IAM policy and evaluates the condition attached to each matching binding. If a condition is met, that binding grants access; if it is not met, the binding grants nothing, and unless some other binding grants the permission the request is denied.
Execution Sample
version: 3   # conditional role bindings require IAM policy version 3
bindings:
- role: roles/storage.objectViewer
  members:
  - user:alice@example.com
  condition:
    title: "Time-based access"
    expression: "request.time < timestamp('2024-12-31T23:59:59Z')"
This IAM policy grants Alice read access to storage objects only while the request time is strictly before 2024-12-31T23:59:59 UTC. The condition restricts this binding only; it does not limit access Alice may receive from any other binding.
Process Table
Step | Request Time         | Condition Expression                             | Condition Result | Access Decision
1    | 2024-06-01T12:00:00Z | request.time < timestamp('2024-12-31T23:59:59Z') | True             | Allow
2    | 2025-01-01T00:00:00Z | request.time < timestamp('2024-12-31T23:59:59Z') | False            | Deny
💡 Access decision made based on condition evaluation result.
Status Tracker
Variable         | Start | After Step 1         | After Step 2
request.time     | N/A   | 2024-06-01T12:00:00Z | 2025-01-01T00:00:00Z
condition result | N/A   | True                 | False
access decision  | N/A   | Allow                | Deny
Key Moments - 2 Insights
Why does access get denied even though the user has the role?
Because the IAM condition evaluates to False (see Process Table, step 2), so that binding does not grant access; with no other binding granting the permission, the request is denied.
What happens if the condition is missing?
Without a condition, the binding applies unconditionally, so access would be allowed regardless of request time.
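As an added example (not code from this page or from Google Cloud), the following Python models the evaluation described in the Execution Sample and in the Key Moments above: each matching binding's condition is evaluated against request.time, a binding with no condition grants unconditionally, and a False condition only makes its own binding inert rather than denying anything. It understands just the request.time comparison form used on this page; the policy, the second member bob@example.com and the request timestamps are constructed for illustration. Real IAM evaluates full CEL expressions over many attributes and resolves roles to permissions, which this model skips.

```python
# Added example: simplified model of IAM condition evaluation (not Google code).
# Only the "request.time <op> timestamp('...')" condition form is supported.
import re
from datetime import datetime, timezone

# Constructed policy: the page's conditional binding for Alice plus an
# unconditional binding for Bob (hypothetical), to show that a condition
# restricts only the binding it is attached to.
POLICY = {
    "version": 3,  # conditional bindings require policy version 3
    "bindings": [
        {
            "role": "roles/storage.objectViewer",
            "members": ["user:alice@example.com"],
            "condition": {
                "title": "Time-based access",
                "expression": "request.time < timestamp('2024-12-31T23:59:59Z')",
            },
        },
        {
            "role": "roles/storage.objectViewer",
            "members": ["user:bob@example.com"],
        },
    ],
}

# The subset of CEL this model parses: request.time <op> timestamp('<RFC 3339>').
# Two-character operators are listed first so "<=" is not read as "<".
_TIME_CMP = re.compile(r"^request\.time\s*(<=|>=|<|>)\s*timestamp\('([^']+)'\)$")


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2024-06-01T12:00:00Z into a UTC-aware datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone offset: {value}")
    return dt.astimezone(timezone.utc)


def evaluate_condition(expression: str, request_time: datetime) -> bool:
    """Evaluate a request.time comparison against the timestamp literal in the expression."""
    m = _TIME_CMP.match(expression.strip())
    if not m:
        raise ValueError(f"unsupported condition expression: {expression!r}")
    op, literal = m.groups()
    bound = parse_rfc3339(literal)
    return {
        "<": request_time < bound,
        "<=": request_time <= bound,
        ">": request_time > bound,
        ">=": request_time >= bound,
    }[op]


def is_allowed(policy: dict, member: str, role: str, request_time: datetime) -> bool:
    """True if any binding for (member, role) grants access at request_time.

    A binding without a condition grants unconditionally. A binding with a
    condition grants only when the condition is True; a False condition does
    not deny anything by itself, it just leaves that binding inert.
    """
    for binding in policy["bindings"]:
        if binding["role"] != role or member not in binding["members"]:
            continue
        condition = binding.get("condition")
        if condition is None or evaluate_condition(condition["expression"], request_time):
            return True
    return False


def decide(policy: dict, member: str, role: str, request_time: str) -> str:
    """Convenience wrapper taking an RFC 3339 string; returns 'Allow' or 'Deny'."""
    return "Allow" if is_allowed(policy, member, role, parse_rfc3339(request_time)) else "Deny"


def trace(policy: dict, member: str, role: str, request_times: list) -> list:
    """Reproduce the Process Table: (request time, condition result, decision) per request.

    The condition result is that of the member's first conditional binding for
    the role, or None if every matching binding is unconditional.
    """
    rows = []
    for value in request_times:
        t = parse_rfc3339(value)
        result = None
        for b in policy["bindings"]:
            if b["role"] == role and member in b["members"] and "condition" in b:
                result = evaluate_condition(b["condition"]["expression"], t)
                break
        rows.append((value, result, decide(policy, member, role, value)))
    return rows


if __name__ == "__main__":
    for row in trace(POLICY, "user:alice@example.com", "roles/storage.objectViewer",
                     ["2024-06-01T12:00:00Z", "2025-01-01T00:00:00Z"]):
        print(row)
```

Running the block prints the two Process Table rows. Note that the comparison is strict: a request at exactly 2024-12-31T23:59:59Z is denied, and Bob's unconditional binding still grants in 2025 because Alice's condition never touched it.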
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table: what is the access decision at step 1?
A. Allow
B. Deny
C. Conditional
D. Unknown
💡 Hint
Check the 'Access Decision' column of the Process Table row for step 1.
At which step does the condition evaluate to False?
A. Never
B. Step 1
C. Step 2
D. Both steps
💡 Hint
Look at the 'Condition Result' column in the Process Table.
If the request time was 2024-11-30T10:00:00Z, what would the access decision be?
A. Depends on role
B. Allow
C. Deny
D. Depends on user
💡 Hint
Compare with Process Table step 1, where the condition was True and access was allowed; 2024-11-30 is also before the 2024-12-31 cutoff.
Concept Snapshot
IAM conditions attach a rule to a role binding.
The rule is a CEL expression over request attributes such as request.time or resource.name.
If the condition evaluates to True, the binding grants access.
If it evaluates to False, the binding grants nothing, even though the role is listed.
Use conditions for fine-grained control, and review every binding: a condition restricts only the binding it is attached to.
Full Transcript
When a user requests access, Google Cloud checks the IAM policy. If a matching binding has a condition, it evaluates that condition using request data such as the request time. If the condition is true, the binding grants access. If it is false, the binding grants nothing even though the user appears in it, and the request is denied unless another binding grants the permission. For example, a policy can allow access only before a certain date. This lets you scope access precisely.