
Least privilege principle in GCP - Commands & Configuration

Introduction
Giving users or services only the permissions they need helps keep your cloud environment safe. Limiting access stops accidental or harmful actions before they can happen.

Use this pattern:
- When creating a new user or service account that needs access to specific cloud resources.
- When setting up permissions for an application so it can access only the storage buckets it needs.
- When you want to reduce the risk of accidental data deletion by limiting who can delete resources.
- When auditing existing permissions to tighten security and remove unnecessary access.
- When granting temporary access for a task and you want to ensure it expires after use.
Config File - policy.yaml
bindings:
- role: roles/storage.objectViewer
  members:
  - serviceAccount:my-app-sa@example-project.iam.gserviceaccount.com
- role: roles/logging.logWriter
  members:
  - serviceAccount:my-app-sa@example-project.iam.gserviceaccount.com
etag: BwWWja0YfJA=
version: 3

This file defines an IAM policy that grants the service account my-app-sa@example-project.iam.gserviceaccount.com only the permissions to view storage objects and write logs.

bindings: Lists roles and who has them.

role: The specific permission set assigned.

members: The users or service accounts receiving the role.

etag: Used for concurrency control when updating policies.

version: Policy format version.

Commands
This command applies the IAM policy from the file to the project, replacing the project's current policy with exactly the bindings in the file to enforce least privilege. Because the whole policy is replaced, the file must contain every binding you want to keep and the current etag; the safe workflow is to fetch the existing policy with get-iam-policy, edit it, then set it.
gcloud projects set-iam-policy example-project policy.yaml
Expected output:
Updated IAM policy for project [example-project].
example-project - The ID of the GCP project whose IAM policy is replaced.
policy.yaml - The policy file to apply.
This command retrieves the current IAM policy for the project so you can verify the permissions are set correctly.
gcloud projects get-iam-policy example-project
Expected output:
bindings:
- members:
  - serviceAccount:my-app-sa@example-project.iam.gserviceaccount.com
  role: roles/storage.objectViewer
- members:
  - serviceAccount:my-app-sa@example-project.iam.gserviceaccount.com
  role: roles/logging.logWriter
etag: BwWWja0YfJA=
version: 3
This command shows details about the service account to confirm it exists and is the one assigned the limited permissions.
gcloud iam service-accounts describe my-app-sa@example-project.iam.gserviceaccount.com
Expected output:
displayName: my-app-sa
email: my-app-sa@example-project.iam.gserviceaccount.com
name: projects/example-project/serviceAccounts/my-app-sa@example-project.iam.gserviceaccount.com
uniqueId: '123456789012345678901'
Key Concept

If you remember nothing else from this pattern, remember: always give only the minimum permissions needed to do the job.

Common Mistakes
- Assigning broad roles like Owner or Editor to users or service accounts by default. This grants far more permissions than needed and increases the risk of accidental or malicious actions. Instead, assign specific roles with only the permissions required for the task.
- Not verifying the applied IAM policy after setting it. You might think permissions are limited when they are actually too open or incorrectly set. Always retrieve and review the IAM policy after changes to confirm the permissions are correct.
- Using long-lived credentials with high privileges for temporary tasks. This creates a security risk if the credentials are leaked or misused. Use short-lived credentials or temporary roles with least privilege for such tasks.
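The verification step from the Commands section and the first two mistakes above (broad roles, unverified policies) can be checked mechanically. The Python script below is an added example, not code from this page or from Google. It assumes the policy was fetched as JSON with gcloud projects get-iam-policy example-project --format=json (the JSON form of policy.yaml), audits it for basic roles and public members, and builds a tightened policy that gives the service account exactly the two roles used on this page while keeping other principals' bindings and the etag, which set-iam-policy needs because it replaces the whole policy. The sample policy embedded in the script is constructed for the example.

```python
"""Audit a GCP project IAM policy for least-privilege violations and build a
tightened policy.  Added example; not part of the original page.

Assumption: `policy` is a dict with the shape produced by
    gcloud projects get-iam-policy PROJECT_ID --format=json
i.e. the keys bindings / etag / version seen in policy.yaml.
"""
import copy
import json

# Basic (primitive) roles that grant far more than any single workload needs.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special members that make a binding effectively public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: a project policy before it is tightened.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:my-app-sa@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:other-sa@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwWWja0YfJA=",
  "version": 3
}
"""


def audit_policy(policy):
    """Return (kind, role, member) findings for broad roles and public members."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if role in BROAD_ROLES:
                findings.append(("broad_role", role, member))
            if member in PUBLIC_MEMBERS:
                findings.append(("public_member", role, member))
    return findings


def grant_minimal(policy, member, roles):
    """Return a new policy in which `member` holds exactly `roles`.

    Bindings for other members are kept and the etag is preserved: set-iam-policy
    replaces the whole policy, so dropping either would silently strip other
    principals or fail the concurrency check.  Bindings left empty are removed.
    """
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    # Remove the member from every existing binding.
    for binding in bindings:
        binding["members"] = [m for m in binding.get("members", []) if m != member]
    # Add the member to each wanted role, creating the binding if it is absent.
    for role in roles:
        for binding in bindings:
            if binding["role"] == role:
                binding["members"].append(member)
                break
        else:
            bindings.append({"role": role, "members": [member]})
    new_policy["bindings"] = [b for b in bindings if b["members"]]
    return new_policy


def roles_for(policy, member):
    """Set of roles that `member` holds in `policy`; used to verify the result."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


if __name__ == "__main__":
    policy = json.loads(SAMPLE_POLICY_JSON)
    for kind, role, member in audit_policy(policy):
        print(f"{kind}: {member} has {role}")
    sa = "serviceAccount:my-app-sa@example-project.iam.gserviceaccount.com"
    tightened = grant_minimal(policy, sa, ["roles/storage.objectViewer",
                                           "roles/logging.logWriter"])
    print(json.dumps(tightened, indent=2))
```

In practice you would save the gcloud JSON output to a file, load it in place of SAMPLE_POLICY_JSON, write the tightened policy to policy.json, apply it with gcloud projects set-iam-policy example-project policy.json, and then run get-iam-policy again to confirm the result. The audit only flags basic roles and public members; a predefined role can still be broader than a workload needs, so review each role's permissions as well. A public_member finding is fixed by removing that member from the binding, which grant_minimal deliberately does not do on its own.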
Summary
Create an IAM policy file that grants only the needed roles to users or service accounts.
Apply the policy to the GCP project using the gcloud CLI.
Verify the policy and service account details to ensure least privilege is enforced.