When working on Google Cloud Platform (GCP), security and access control are paramount. GCP uses Identity and Access Management (IAM) to help you manage who (identity) has what access (role) to which resources. In this blog, we’ll explore the fundamentals of IAM in GCP, including principals, roles, permissions, service accounts, types of roles, and how to create and assign custom roles.
What is IAM in GCP?
IAM lets administrators authorize who can take what action on specific resources in GCP. It helps implement the principle of least privilege, ensuring that users and services only have the access they need — no more, no less.
Principals in GCP
A principal is any identity that can be authenticated and authorized to access GCP resources.
Types of Principals:
- Google Account – e.g., user@example.com
- Service Account – Used by applications or virtual machines to interact with GCP APIs.
- Google Group – A group of Google accounts.
- Cloud Identity or Google Workspace domain – e.g., @example.com
- AllAuthenticatedUsers – Anyone authenticated with a Google account.
- AllUsers – Public access; anyone on the internet.
Service Accounts (Service Principals)
A service account is a special kind of principal that is owned by an application or VM, not by a human user. It is commonly used to:
- Authenticate to GCP APIs
- Run workloads on Compute Engine, App Engine, or Cloud Functions
- Assign permissions to code running in the cloud
You can also grant roles to service accounts just like regular users.
Roles and Permissions
In IAM, permissions determine what actions a principal can perform, and roles are collections of permissions.
You cannot assign permissions directly to users; you must assign a role that bundles the permissions.
Examples:
- compute.instances.list – permission to list Compute Engine instances
- roles/viewer – role that includes read-only access to most resources
Types of Roles
- Basic Roles (Primitive)
  - roles/owner, roles/editor, roles/viewer
  - Apply across all GCP services (not recommended for fine-grained access control)
- Predefined Roles
  - Created and maintained by Google
  - Service-specific (e.g., roles/compute.instanceAdmin, roles/storage.objectViewer)
- Custom Roles
  - Created by users to define specific sets of permissions
  - Useful when predefined roles grant too many or too few permissions
How to Create a Custom Role
You can create custom roles via Google Cloud Console, gcloud CLI, or Terraform. Here’s how to do it via the gcloud CLI:
```shell
gcloud iam roles create customComputeViewer \
  --project=your-project-id \
  --title="Custom Compute Viewer" \
  --description="Custom role to view compute resources" \
  --permissions=compute.instances.get,compute.instances.list \
  --stage=GA
```
Custom roles are project-level or organization-level: the --project flag above creates a project-level role, while --organization creates one at the organization level.
Assigning a Role to a Principal
You can assign a role using the Cloud Console, gcloud CLI, or Terraform.
Using gcloud CLI:
```shell
gcloud projects add-iam-policy-binding your-project-id \
  --member="user:user@example.com" \
  --role="roles/compute.viewer"
```
Using Terraform:
```hcl
resource "google_project_iam_member" "viewer" {
  project = "your-project-id"
  role    = "roles/compute.viewer"
  member  = "user:user@example.com"
}
```
Summary
| Component | Description |
|---|---|
| Principal | Who needs access (user, service account, group) |
| Role | What actions they can perform |
| Permission | Specific actions within a role (e.g., compute.instances.list) |
| Service Account | A non-human identity used by apps or services |
| Custom Role | A user-defined set of permissions |
| Assignment | Mapping a role to a principal at a resource level |
Best Practices
- Follow the principle of least privilege.
- Use predefined roles where possible.
- Use custom roles for precise permission control.
- Regularly audit IAM policies for security compliance.
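The last best practice can be automated. The following is an added example, not code from the original post: it audits a project IAM policy (in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns) for the risks this post names, i.e. public principals (allUsers, allAuthenticatedUsers) and basic roles, with basic roles on service accounts flagged separately. The policy below is a constructed sample; the project id, principals and custom role name are placeholders.

```python
import json

# Constructed sample policy in the gcloud get-iam-policy JSON shape (not a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/compute.viewer", "members": ["user:user@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:app@your-project-id.iam.gserviceaccount.com"]},
        {"role": "projects/your-project-id/roles/customComputeViewer",
         "members": ["group:devs@example.com"]},
    ],
    "etag": "PLACEHOLDER_ETAG",
    "version": 1,
})

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy_json: str) -> list:
    """Return one finding per risky (role, member) pair in the policy.

    Findings: a public principal on any role, a basic role on any member,
    and a basic role on a service account (coarse access granted to code).
    Predefined and custom roles bound to named principals produce no finding.
    """
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"role": role, "member": member, "issue": "public_principal"})
            if role in BASIC_ROLES:
                issue = ("basic_role_on_service_account"
                         if member.startswith("serviceAccount:") else "basic_role")
                findings.append({"role": role, "member": member, "issue": issue})
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

On a real project, replace SAMPLE_POLICY with the output of `gcloud projects get-iam-policy your-project-id --format=json`; findings on the sample are the owner binding, the public allUsers binding and the editor role on the service account.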
Conclusion
IAM (Identity and Access Management) is a foundational component of security and resource management in Google Cloud Platform. By understanding principals, roles, and permissions, and how they work together, you can control who has access to what in your cloud environment. GCP offers flexibility through basic, predefined, and custom roles, allowing you to implement fine-grained access control tailored to your project’s needs.
Whether you’re assigning roles to users or service accounts, or crafting your own custom roles, always follow the principle of least privilege — granting only the permissions necessary to get the job done. A strong IAM strategy not only enhances security but also improves operational clarity and accountability across your cloud infrastructure.
By mastering IAM, you’re taking a big step toward becoming a more effective and secure GCP practitioner.