
Why IAM is foundational in GCP - Why It Works

Introduction
Managing who can do what in your cloud projects is essential. IAM in GCP lets you control access to resources safely and explicitly: it solves the problem of keeping your cloud secure by granting the right permissions to the right principals (users, groups and service accounts) and nothing more.
When you want to allow a team member to deploy applications but not change billing settings
When you need to give a service account permission to access a storage bucket
When you want to restrict access to sensitive data only to certain users
When you want to audit who accessed or changed cloud resources
When you want to follow security rules by giving minimum permissions needed
Commands
This command shows the current IAM policy for the project with the ID example-project (gcloud takes the project ID, not the display name). It lets you see who holds which roles before you change anything. Add --format=json when you want to process the policy in a script. The etag in the output identifies the policy version; add/remove-iam-policy-binding read the policy, modify it and write it back using that etag, so a concurrent change by someone else fails rather than being silently overwritten.
Terminal
gcloud projects get-iam-policy example-project
Expected Output
bindings:
- members:
  - user:alice@example.com
  role: roles/editor
- members:
  - serviceAccount:my-service-account@example-project.iam.gserviceaccount.com
  role: roles/storage.objectViewer
etag: BwWWja0YfJA=
version: 1
This command gives Bob read-only access to example-project. It adds a policy binding so Bob can view resources but not change them. Note that roles/viewer is a basic role: it grants read access to almost every resource in the project, including data in many services, so prefer a narrower predefined role (for example roles/storage.objectViewer for one bucket's objects) when the task allows it.
Terminal
gcloud projects add-iam-policy-binding example-project --member=user:bob@example.com --role=roles/viewer
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the principal to grant the role to. The value must carry a type prefix: user:, serviceAccount:, group: or domain:. The special members allUsers and allAuthenticatedUsers make the role public, so use them only deliberately.
--role - Specifies the role to assign to the member, either a predefined role such as roles/storage.objectViewer or a basic role such as roles/viewer
This command removes Bob's read-only access from example-project by deleting the binding added above. The member and role must match the existing binding exactly. Use it to clean up permissions as soon as they are no longer needed.
Terminal
gcloud projects remove-iam-policy-binding example-project --member=user:bob@example.com --role=roles/viewer
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user or service account to remove the role from
--role - Specifies the role to remove from the member
Key Concept

If you remember nothing else from this pattern, remember: IAM controls who can do what in your cloud, keeping your resources safe and organized.

Common Mistakes
Giving users more permissions than they need
This can lead to accidental or malicious changes that harm your project or data.
Assign only the minimum roles needed for users to do their tasks.
Not checking the current IAM policy before adding new permissions
You may grant a role the principal already holds, through a group or through a broader basic role, and end up with access you cannot reason about.
Always review the existing IAM policy with 'gcloud projects get-iam-policy' before making changes.
Forgetting to remove permissions when they are no longer needed
Unused permissions increase security risks over time.
Regularly audit and remove unnecessary IAM bindings.
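The three commands above and the three mistakes listed here fit into one routine: fetch the policy, check it, then grant or revoke. The script below is an added example written for this page, not code from Google or from the gcloud tool. It reads the JSON that 'gcloud projects get-iam-policy PROJECT --format=json' prints (here a constructed sample modelled on the page's output, with an extra allUsers binding invented to produce a finding), flags public principals and basic roles, refuses to grant a binding that already exists, and emits the exact gcloud commands to run. The function names, severities and the project ID are assumptions of the example.

```python
"""Offline audit of a GCP project IAM policy (added example, not part of the page)."""
import json

# Constructed sample: the JSON shape gcloud prints with --format=json.
# The allUsers binding is invented here to demonstrate a finding.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["user:alice@example.com"], "role": "roles/editor"},
    {"members": ["serviceAccount:my-service-account@example-project.iam.gserviceaccount.com"],
     "role": "roles/storage.objectViewer"},
    {"members": ["allUsers"], "role": "roles/storage.objectViewer"}
  ],
  "etag": "BwWWja0YfJA=",
  "version": 1
}
"""

# Basic roles grant broad access across every service in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# These two members make a role available to everyone on the internet / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# gcloud requires a type prefix on every other member.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")


def load_policy(text):
    """Parse the JSON produced by `gcloud projects get-iam-policy ... --format=json`."""
    return json.loads(text)


def has_binding(policy, member, role):
    """True if `member` is already listed directly under `role` in this policy."""
    return any(b.get("role") == role and member in b.get("members", [])
               for b in policy.get("bindings", []))


def roles_for(policy, member):
    """All roles a member holds directly (group-inherited roles are not visible here)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def audit_policy(policy):
    """Return (severity, member, role, reason) tuples for risky bindings."""
    findings = []
    for b in policy.get("bindings", []):
        role = b.get("role", "")
        for member in b.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", member, role, "role is granted to a public principal"))
            if role in BASIC_ROLES:
                findings.append(("MEDIUM", member, role, "basic role is broader than one task needs"))
    return findings


def plan_grant(policy, project, member, role):
    """Command to grant `role` to `member`, or None if the binding already exists.

    Rejects members without a type prefix, which gcloud would also refuse.
    """
    if member not in PUBLIC_MEMBERS and not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member {member!r} needs a prefix such as user: or serviceAccount:")
    if has_binding(policy, member, role):
        return None  # nothing to do; re-adding is a no-op but hides the real state
    return (f"gcloud projects add-iam-policy-binding {project} "
            f"--member={member} --role={role}")


def remediation_commands(policy, project, min_severity="HIGH"):
    """gcloud commands that remove every finding at or above `min_severity`."""
    rank = {"MEDIUM": 1, "HIGH": 2}
    return [f"gcloud projects remove-iam-policy-binding {project} "
            f"--member={member} --role={role}"
            for sev, member, role, _ in audit_policy(policy)
            if rank[sev] >= rank[min_severity]]


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    for finding in audit_policy(policy):
        print("FINDING", *finding)
    print(plan_grant(policy, "example-project", "user:bob@example.com", "roles/viewer"))
    for cmd in remediation_commands(policy, "example-project"):
        print(cmd)
```

In practice you would pipe the real policy in with 'gcloud projects get-iam-policy example-project --format=json' and review the printed commands before running them; the script deliberately prints commands rather than executing them, so a mistake in the audit logic cannot change a live policy.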
Summary
Use 'gcloud projects get-iam-policy' to see who has access and what roles they have.
Add permissions with 'gcloud projects add-iam-policy-binding' to give users or service accounts access.
Remove permissions with 'gcloud projects remove-iam-policy-binding' to keep access tight and secure.