
Members (users, groups, service accounts) in GCP - Commands & Configuration

Introduction
In Google Cloud, members are identities like users, groups, or service accounts that can access resources. Managing members lets you control who can do what in your cloud projects.
When you want to give a colleague access to a project to view or edit resources.
When you need to allow a group of people to manage billing or permissions together.
When an application needs to access cloud resources securely using a service account.
When you want to remove access from someone who no longer needs it.
When setting up automated tasks that require permissions without using personal accounts.
Commands
This command adds Alice as a user with the Viewer role on the project example-project, letting her see resources but not change them.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:alice@example.com --role=roles/viewer
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the member to add, such as a user, group, or service account.
--role - Defines the permissions level granted to the member.
This command shows the current list of members and their roles for the example-project, so you can verify who has access.
Terminal
gcloud projects get-iam-policy example-project
Expected Output
bindings:
- members:
  - user:alice@example.com
  role: roles/viewer
etag: BwWWja0YfJA=
version: 1
This command removes Alice's Viewer role from the example-project, revoking her access.
Terminal
gcloud projects remove-iam-policy-binding example-project --member=user:alice@example.com --role=roles/viewer
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the member to remove.
--role - Specifies the role to remove from the member.
Key Concept

If you remember nothing else from this pattern, remember: members are identities you grant roles to, controlling their access to cloud resources.

Common Mistakes
Using the wrong member type prefix like 'user:' when adding a service account.
The command will fail or assign permissions incorrectly because the member type must match the identity.
Use 'serviceAccount:' prefix for service accounts, 'user:' for individual users, and 'group:' for groups.
Not specifying the correct role when adding a member.
The member may get too many or too few permissions, causing security risks or inability to perform tasks.
Choose the least privilege role that fits the member's needs, like roles/viewer for read-only access.
Forgetting to verify the IAM policy after changes.
You might assume the change worked while the member still has access (or still lacks it).
Always run 'gcloud projects get-iam-policy' to confirm the current members and roles.
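The checks described above (matching the member prefix to the identity type, confirming a member's roles after a change, and spotting bindings that are broader than least privilege) can be automated against the JSON form of the policy. The following is an added example, not part of the original page; it assumes the JSON shape that `gcloud projects get-iam-policy example-project --format=json` returns, and the embedded policy is a constructed sample, not real output.

```python
import json

# Constructed sample policy mirroring the page's example (not real gcloud output).
# It deliberately contains one service account added with the wrong 'user:' prefix.
POLICY_JSON = """{
  "bindings": [
    {"members": ["user:alice@example.com"], "role": "roles/viewer"},
    {"members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com",
                 "user:ci@example-project.iam.gserviceaccount.com"],
     "role": "roles/editor"}
  ],
  "etag": "BwWWja0YfJA=",
  "version": 1
}"""

VALID_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")
BROAD_ROLES = {"roles/owner", "roles/editor"}   # basic roles are rarely least privilege
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def load_policy(text: str) -> dict:
    """Parse the JSON policy document into a dict."""
    return json.loads(text)


def check_member_prefix(member: str) -> bool:
    """True if the member prefix matches the kind of identity it names."""
    if member in PUBLIC_MEMBERS:
        return True
    if not member.startswith(VALID_PREFIXES):
        return False
    prefix, _, identity = member.partition(":")
    is_sa = identity.endswith(".gserviceaccount.com")
    # A service-account email needs serviceAccount:, and only such emails get it.
    return (prefix == "serviceAccount") == is_sa


def roles_for(policy: dict, member: str) -> set:
    """Every role the policy grants to `member` (empty set if none)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_policy(policy: dict) -> list:
    """Findings for bad prefixes, public members and broad roles."""
    findings = []
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            if not check_member_prefix(m):
                findings.append(f"bad prefix: {m}")
            if m in PUBLIC_MEMBERS:
                findings.append(f"public access: {m} has {b['role']}")
            if b["role"] in BROAD_ROLES:
                findings.append(f"broad role: {m} has {b['role']}")
    return findings
```

Run `audit_policy(load_policy(open("policy.json").read()))` after each add or remove to confirm the binding looks the way you intended.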
Summary
Use 'gcloud projects add-iam-policy-binding' to add users, groups, or service accounts with specific roles.
Check current members and roles with 'gcloud projects get-iam-policy'.
Remove access using 'gcloud projects remove-iam-policy-binding' when no longer needed.