
IAM policy binding in GCP - Commands & Configuration

Introduction
Sometimes you want to give someone or something permission to use your cloud resources. IAM policy binding lets you connect a user, group, or service to a specific role that defines what they can do.
When you want to let a teammate read data from a storage bucket without changing it
When you need to allow a service account to deploy applications on your cloud project
When you want to give a group of users admin access to a specific resource
When you want to remove access for a user who no longer needs it
When you want to audit who has what permissions on your cloud resources
Commands
This command adds a policy binding to the project 'example-project' that grants the user alice@example.com the role roles/storage.objectViewer, which allows viewing (but not modifying) storage objects. The binding is what connects the member to the role.
Terminal
gcloud projects add-iam-policy-binding example-project --member='user:alice@example.com' --role='roles/storage.objectViewer'
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user, group, or service account to grant the role
--role - Specifies the role that defines the permissions
This command shows the current IAM policy for the project, so you can verify the binding was added.
Terminal
gcloud projects get-iam-policy example-project
Expected Output
bindings:
- members:
  - user:alice@example.com
  role: roles/storage.objectViewer
etag: BwWWja0YfJA=
version: 1
This command removes the policy binding, taking away the permissions from the user.
Terminal
gcloud projects remove-iam-policy-binding example-project --member='user:alice@example.com' --role='roles/storage.objectViewer'
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user or entity to remove from the role
--role - Specifies the role to remove from the member
Key Concept

If you remember nothing else from this pattern, remember: IAM policy binding connects a user or service to a role that grants specific permissions on cloud resources.

Common Mistakes
Using the wrong member format like just the email without 'user:' prefix
The command expects the member type prefix (user:, group:, serviceAccount:) to identify the entity correctly.
Always include the member type prefix, for example 'user:alice@example.com'.
Trying to add a role that does not exist or is misspelled
The command will fail because the role must be a valid predefined or custom role in GCP.
Check the exact role name in GCP documentation or use 'gcloud iam roles list' to find valid roles.
Not verifying the policy after adding or removing bindings
You might think the change worked but it did not apply, leading to unexpected access issues.
Always run 'gcloud projects get-iam-policy' to confirm your changes.
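The two checks above (use the member type prefix, and verify the policy after every change) can be scripted. The following is an added example, not code from the original page or from Google: it embeds a constructed sample of what `gcloud projects get-iam-policy example-project --format=json` prints (the member names are placeholders), validates a --member value before it is passed to gcloud, confirms that a specific member/role binding is present after an add or absent after a remove, and lists who holds which role on the project. The `allUsers` / `allAuthenticatedUsers` check goes slightly beyond the page: those are the special principals that make a binding public, so an audit should call them out.

```python
import json

# Constructed sample shaped like `gcloud projects get-iam-policy example-project --format=json`.
# Member names are placeholders, not real principals.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "members": ["user:alice@example.com"],
      "role": "roles/storage.objectViewer"
    },
    {
      "members": [
        "group:platform-admins@example.com",
        "serviceAccount:deployer@example-project.iam.gserviceaccount.com"
      ],
      "role": "roles/editor"
    }
  ],
  "etag": "BwWWja0YfJA=",
  "version": 1
}
"""

# Member type prefixes named on the page; a bare e-mail without one is rejected by gcloud.
MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:")
# Special principals that grant access to everyone; any binding to them deserves review.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def is_valid_member(member: str) -> bool:
    """Check that a --member value has a type prefix and a non-empty identity after it."""
    if member in PUBLIC_PRINCIPALS:
        return True
    for prefix in MEMBER_PREFIXES:
        if member.startswith(prefix) and len(member) > len(prefix):
            return True
    return False


def load_policy(policy_json: str) -> dict:
    """Parse the JSON policy document printed by get-iam-policy --format=json."""
    return json.loads(policy_json)


def has_binding(policy: dict, member: str, role: str) -> bool:
    """True when `member` is bound to `role`: the post-add / post-remove verification step."""
    return any(
        binding.get("role") == role and member in binding.get("members", [])
        for binding in policy.get("bindings", [])
    )


def roles_for_member(policy: dict, member: str) -> list:
    """All roles one principal holds on the project (the 'who has what' audit)."""
    return sorted(
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    )


def members_by_role(policy: dict) -> dict:
    """Map each role to the sorted, de-duplicated list of members bound to it."""
    table = {}
    for binding in policy.get("bindings", []):
        table.setdefault(binding["role"], []).extend(binding.get("members", []))
    return {role: sorted(set(members)) for role, members in table.items()}


def public_bindings(policy: dict) -> list:
    """(member, role) pairs granted to allUsers or allAuthenticatedUsers."""
    return sorted(
        (member, binding["role"])
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_PRINCIPALS
    )


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    # Mistake 1 on the page: check the --member value before handing it to gcloud.
    print("valid member:", is_valid_member("user:alice@example.com"))
    print("valid member:", is_valid_member("alice@example.com"))
    # Mistake 3 on the page: confirm the binding the add command was meant to create.
    print("alice bound:", has_binding(policy, "user:alice@example.com", "roles/storage.objectViewer"))
    # Audit: who holds which role, and whether anything is public.
    for role, members in members_by_role(policy).items():
        print(role, "->", ", ".join(members))
    print("public bindings:", public_bindings(policy))
```

In practice you would replace SAMPLE_POLICY_JSON with the real output, for example by running `gcloud projects get-iam-policy example-project --format=json` and feeding its stdout to `load_policy`; `has_binding` is then the assertion to run right after `add-iam-policy-binding` (expect True) and after `remove-iam-policy-binding` (expect False).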
Summary
Use 'gcloud projects add-iam-policy-binding' to grant permissions by connecting members to roles.
Verify changes with 'gcloud projects get-iam-policy' to see current bindings.
Remove permissions with 'gcloud projects remove-iam-policy-binding' when access is no longer needed.