Process Flow - IAM policy binding

Start: Define IAM Policy

↓

Add Binding: Role + Member

↓

Attach Policy to Resource

↓

Resource Enforces Permissions

↓

User Access Granted or Denied

This flow shows how an IAM policy is created, a role and member are bound, the policy is attached to a resource, and then permissions are enforced.

Execution Sample

GCP

resource = "projects/my-project"
policy = getIamPolicy(resource)
policy.bindings.append({"role": "roles/viewer", "members": ["user:alice@example.com"]})
setIamPolicy(resource, policy)

This code gets the current IAM policy for a project, adds a binding for a viewer role to a user, and updates the policy.

Process Table

Step	Action	Policy Bindings Before	Policy Bindings After	Result
1	Get current IAM policy	[]	[]	Policy fetched with no bindings
2	Add binding: roles/viewer to user:alice@example.com	[]	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	Binding added to policy
3	Set updated IAM policy on resource	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	Policy updated on resource
4	User alice tries to access resource	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	Access granted based on binding
5	User bob tries to access resource	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	Access denied, no binding for bob

💡 Execution stops after policy is updated and access is enforced based on bindings.

Status Tracker

Variable	Start	After Step 1	After Step 2	After Step 3	Final
policy.bindings	[]	[]	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]	[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]

Key Moments - 3 Insights

Why does user bob get denied access even though the policy has a binding?

What happens if you add the same role with the same member twice?

Why do we need to fetch the current policy before adding a binding?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table at step 2, what is the policy.bindings after adding the binding?

A[{"role": "roles/editor", "members": ["user:bob@example.com"]}]

B[{"role": "roles/viewer", "members": ["user:alice@example.com"]}]

C[]

Dnull

Concept Snapshot

IAM Policy Binding Quick Reference:
- IAM policy is a set of bindings.
- Each binding links a role to one or more members.
- To add a binding: fetch policy, add binding, update policy.
- Permissions are granted if user is in a binding for a role.
- Always avoid overwriting existing bindings unintentionally.

Full Transcript

IAM policy binding in Google Cloud means connecting a role to users or groups so they get permissions. The process starts by getting the current policy of a resource. Then you add a binding that says, for example, 'user alice@example.com has viewer role.' After updating the policy on the resource, when alice tries to access, she is allowed because of the binding. Others not listed, like bob, are denied. It's important to fetch the current policy before adding bindings to avoid losing existing permissions. Bindings are lists of roles and members. Adding the same member twice is redundant but allowed. This visual trace shows each step and how the policy changes, helping beginners understand how access control works in GCP.