Google Cloud Identity and Access Management (IAM) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security

Category

Security

1. Introduction

Identity and Access Management (IAM) is Google Cloud’s authorization system for controlling who (a principal) can do what (a permission) on which resource (project, bucket, dataset, secret, etc.). It is the foundation of Google Cloud Security because every API call to a Google Cloud resource is evaluated against IAM policy.

In simple terms: IAM is how you grant the minimum access needed for people, groups, service accounts, and workloads—without sharing passwords or giving everyone “Owner” on a project.

Technically, IAM is a policy-based access control layer integrated into Google Cloud’s resource hierarchy (organization → folders → projects → resources). IAM policies consist of bindings that map principals to roles (roles are collections of permissions). Requests are authenticated (who you are) and then authorized (what you can do) by evaluating applicable policies, optional IAM Conditions, and (where used) IAM Deny policies.

IAM solves the core problem of safe, scalable, auditable access control in cloud environments. It enables least privilege, separation of duties, centralized governance, and strong auditability across teams and services.

Naming note: Google documentation often refers to “Cloud IAM”, but the official service name used across training and the console is Identity and Access Management (IAM). It is active and foundational (not deprecated).

---

2. What is Identity and Access Management (IAM)?

Official purpose

Identity and Access Management (IAM) provides fine-grained access control for Google Cloud resources by letting administrators define and enforce who can perform actions on resources.

Official docs: https://cloud.google.com/iam/docs/overview

Core capabilities

• Authorization using IAM policies and roles.
• Role-based access control (RBAC) with:
• Basic roles (legacy, broad access)
• Predefined roles (service-specific, recommended)
• Custom roles (organization or project scoped)
• Principals management: users, groups, service accounts, domains, and federated identities.
• Policy inheritance across the Google Cloud resource hierarchy.
• Conditional access with IAM Conditions (attribute-based constraints like time, resource name, request attributes).
• Service account security patterns including:
• Service account impersonation
• Short-lived credentials
• Workload Identity Federation (keyless external identity)
• Policy troubleshooting and analysis (Policy Intelligence tools like Policy Troubleshooter, Policy Analyzer, IAM Recommender—availability varies by feature).

Major components

Component	What it is	Why it matters
Principal	The identity requesting access (user, group, service account, etc.)	“Who” in access control
Permission	A specific action like storage.objects.get	“What action” is allowed
Role	A collection of permissions	Easier, scalable permission management
Policy	A set of bindings attached to a resource	The enforceable access document
Binding	Maps principals to a role (optionally with a condition)	The core policy unit
Resource hierarchy	Organization → folder → project → resource	Enables inheritance and centralized governance
IAM Conditions	CEL expressions that constrain a binding	Enables context-aware least privilege

Service type and scope

• Service type: a global control-plane authorization system integrated with Google Cloud Resource Manager and individual service control planes.
• Scope:
• Policies are attached at multiple levels: organization, folder, project, and individual resources (service-dependent).
• Custom roles can be created at organization or project level.
• IAM evaluation is effectively global (not regional/zonal), though the resources it protects may be regional/zonal.

How it fits into the Google Cloud ecosystem

IAM is the authorization layer across Google Cloud services such as: – Compute Engine, GKE, Cloud Run, Cloud Functions – Cloud Storage, BigQuery, Pub/Sub – Secret Manager, Cloud KMS, Artifact Registry – Logging/Monitoring, Cloud Build, Cloud SQL (and many others)

IAM integrates with identity sources: – Google accounts and Google Groups – Cloud Identity / Google Workspace identities – Workforce identity federation and workload identity federation (for external identity providers)

---

3. Why use Identity and Access Management (IAM)?

Business reasons

• Reduce breach risk by enforcing least privilege rather than shared admin accounts.
• Improve audit readiness (who changed what, who accessed what).
• Enable centralized governance across multiple projects and teams.

Technical reasons

• Consistent RBAC across most Google Cloud services.
• Hierarchical policy inheritance simplifies administration at scale.
• Integrates with service accounts and modern keyless auth patterns.

Operational reasons

• Standardizes onboarding/offboarding (add/remove from groups rather than editing many resources).
• Supports separation of duties (admin vs developer vs auditor).
• Enables repeatable access patterns via infrastructure-as-code (Terraform, gcloud, Config Controller—verify best fit in official docs for your platform).

Security/compliance reasons

• Enforces least privilege and access review practices.
• Supports conditional access (time bounds, resource constraints).
• Works with audit logging (Cloud Audit Logs) for compliance evidence.
• Helps meet common requirements (SOC 2, ISO 27001, PCI DSS, HIPAA) when combined with broader controls (logging, data protection, change management).

Scalability/performance reasons

• Scales to many projects using org/folder policies and group-based access.
• Avoids brittle per-user access configuration.

When teams should choose it

Use Identity and Access Management (IAM) for: – Any Google Cloud environment beyond a personal sandbox. – Production workloads needing controlled access and clear ownership. – Multi-team and multi-project organizations. – Workloads requiring service-to-service authentication and authorization with service accounts.

When teams should not choose it (or should use more than IAM)

IAM is not a full identity provider or SSO product by itself. Consider complementary services: – If you need customer identity (sign-up/sign-in for end users): look at Identity Platform (separate product). – If you need device-aware zero trust access to web apps: Identity-Aware Proxy (IAP) / BeyondCorp (separate product set). – If you need policy constraints on resource configuration (e.g., “no public IPs”): Organization Policy Service (complementary to IAM).

---

4. Where is Identity and Access Management (IAM) used?

Industries

• Financial services (strong access controls, auditability)
• Healthcare (HIPAA-aligned access governance)
• Retail and e-commerce (prod/dev separation, least privilege for CI/CD)
• SaaS and tech (multi-team access, automated deployments)
• Government and education (centralized governance with org/folder controls)

Team types

• Platform engineering teams managing shared infrastructure
• Security engineering teams enforcing least privilege and governance
• DevOps/SRE teams managing CI/CD identities and runtime permissions
• Data engineering teams controlling data access (BigQuery, Storage)
• Application teams using service accounts for workload access

Workloads and architectures

• Microservices on GKE / Cloud Run using service accounts
• Event-driven architectures with Pub/Sub and Cloud Functions
• Data lakes/warehouses with Cloud Storage + BigQuery
• CI/CD pipelines (Cloud Build, GitHub Actions, GitLab CI) using federated identity
• Shared VPC and multi-project environments

Real-world deployment contexts

• Centralized IAM at org/folder for baseline roles (security/auditors).
• Project-level IAM for team-specific admin and developer permissions.
• Resource-level IAM for sensitive assets (KMS keys, secrets, specific buckets/datasets).

Production vs dev/test usage

• Dev/test often uses broader roles for speed—this is common but risky.
• Production should use:
• group-based access,
• predefined roles,
• minimal custom roles,
• conditions for high-risk access,
• service account impersonation and keyless patterns,
• strong logging and periodic access reviews.

---

5. Top Use Cases and Scenarios

Below are realistic ways teams use Identity and Access Management (IAM) in Google Cloud.

1) Least-privilege developer access to projects

• Problem: Developers need to deploy and debug without becoming project admins.
• Why IAM fits: Predefined roles map to job functions; policies can be project-scoped.
• Scenario: Grant roles/run.developer and roles/logging.viewer to a dev group on the dev project; restrict prod to deploy group only.

2) Service-to-service access using service accounts

• Problem: A Cloud Run service must read from a Cloud Storage bucket securely.
• Why IAM fits: Service accounts act as identities; bucket IAM grants precise permissions.
• Scenario: Cloud Run runtime service account gets roles/storage.objectViewer on a single bucket.

3) CI/CD deployments without long-lived keys

• Problem: Pipelines need to deploy resources without storing JSON keys.
• Why IAM fits: Workload Identity Federation and service account impersonation enable short-lived credentials.
• Scenario: GitHub Actions federates to a service account with roles/run.admin and roles/iam.serviceAccountUser.

4) Segregation of duties (SoD) for compliance

• Problem: Auditors require read-only access; admins should not view sensitive data.
• Why IAM fits: Different roles for configuration vs data access; can separate duties with careful role selection.
• Scenario: Security team gets roles/resourcemanager.projectIamAdmin; auditors get roles/viewer and logging read access.

5) Temporary privileged access (JIT-style) with conditions

• Problem: On-call engineers need elevated access only during incidents.
• Why IAM fits: IAM Conditions can time-bound bindings (within limits).
• Scenario: Grant roles/compute.admin with a condition that expires after a defined timestamp (verify condition patterns in official docs).

6) Cross-project access to shared resources

• Problem: Multiple projects need access to a centralized artifact or dataset.
• Why IAM fits: IAM policies can be attached at the resource level and shared via groups/service accounts.
• Scenario: Grant a build service account from Project A access to Artifact Registry in Project B.

7) Tenant isolation for shared environments

• Problem: Multiple internal teams share a platform but must not access each other’s resources.
• Why IAM fits: Folder/project boundaries + distinct groups + minimal cross-access.
• Scenario: One folder per team; restrict folder-level admins; shared services project grants only specific consumer roles.

8) Data governance for storage and analytics

• Problem: Sensitive data must only be read by approved groups.
• Why IAM fits: BigQuery datasets and Storage buckets support IAM-based access control.
• Scenario: finance-analysts@ group gets roles/bigquery.dataViewer on a dataset; engineering gets only metadata viewer.

9) Secure access to secrets and encryption keys

• Problem: Applications need secrets and keys; admins should not automatically decrypt data.
• Why IAM fits: Separate roles for viewing metadata vs accessing secret payloads; KMS encrypter/decrypter roles.
• Scenario: App service account gets Secret Manager accessor and KMS encrypter/decrypter; ops team only manages secret versions.

10) Central policy governance across a large org

• Problem: Hundreds of projects need consistent baseline access and guardrails.
• Why IAM fits: Org/folder IAM with inheritance + group-based access.
• Scenario: Security team granted org-level security reviewer roles; project creators get limited set of admin capabilities via groups.

11) M&A or multi-domain access management

• Problem: External contractors or acquired teams need controlled access.
• Why IAM fits: IAM supports external principals and federated identities; policies can be scoped per project/resource.
• Scenario: Contractor group gets time-bound, resource-limited access to a single project.

12) Reducing over-permission with recommendations

• Problem: Long-lived projects accumulate unused permissions.
• Why IAM fits: IAM-related analysis tools (like IAM Recommender) can help identify overly broad access (verify availability for your services in official docs).
• Scenario: Use recommendations to downscope from Editor to specific predefined roles.

---

6. Core Features

6.1 Resource hierarchy and policy inheritance

• What it does: Policies can be set at organization, folder, project, and resource levels; lower levels inherit higher-level policies.
• Why it matters: Central control with local flexibility.
• Practical benefit: Set baseline security at org/folder, delegate project-level control to teams.
• Caveats: Inheritance can cause unexpected access if you forget about higher-level bindings. Always test effective access.

6.2 Principals (who can access)

• What it does: IAM recognizes principals like:
• Google Accounts (users)
• Google Groups
• Service accounts
• Domains (e.g., domain:example.com)
• Federated identities (workforce/workload identity federation)
• Why it matters: Clear, consistent identity model.
• Practical benefit: Prefer groups over individual users for operations at scale.
• Caveats: Ensure group ownership and lifecycle management is defined (who can add members).

6.3 Roles: basic, predefined, custom

• What it does:
• Basic roles (Owner, Editor, Viewer) are broad and considered legacy.
• Predefined roles are curated per service and job function.
• Custom roles let you tailor permission sets.
• Why it matters: Least privilege hinges on choosing appropriate roles.
• Practical benefit: Use predefined roles first; create custom roles only when needed.
• Caveats: Custom roles require maintenance when services add new permissions; they can break workflows after platform changes.

Official roles docs: https://cloud.google.com/iam/docs/understanding-roles

6.4 IAM policies and bindings

• What it does: A policy contains bindings of the form: (principal(s) + role + optional condition).
• Why it matters: This is the enforceable authorization configuration.
• Practical benefit: Bind a group to a role once rather than managing per-user permissions.
• Caveats: Policy changes can take time to propagate; avoid rapid repeated edits during incident response without validation.

6.5 IAM Conditions (conditional role bindings)

• What it does: Adds context-aware constraints using Common Expression Language (CEL).
• Why it matters: Enables stronger least privilege (e.g., only allow access to object prefixes, only during a period).
• Practical benefit: Reduce blast radius without creating many buckets/projects.
• Caveats: Not all services and permissions support the same condition attributes. Always verify supported condition keys for the target service in official docs.

Docs: https://cloud.google.com/iam/docs/conditions-overview

6.6 Service accounts (workload identity inside Google Cloud)

• What it does: Provides an identity for applications and services.
• Why it matters: Avoids using human identities for automation.
• Practical benefit: Each workload has its own least-privileged identity.
• Caveats: Long-lived service account keys are a common security risk; prefer keyless patterns and impersonation.

Docs: https://cloud.google.com/iam/docs/service-accounts

6.7 Service account impersonation

• What it does: Lets a principal obtain short-lived credentials to act as a service account, controlled by IAM permissions.
• Why it matters: Replaces distributing service account keys.
• Practical benefit: Safer CI/CD and admin workflows; easier key rotation (because there are no keys).
• Caveats: Requires careful control of roles/iam.serviceAccountTokenCreator and roles/iam.serviceAccountUser.

Docs: https://cloud.google.com/iam/docs/impersonating-service-accounts

6.8 Workload Identity Federation (keyless external workloads)

• What it does: Allows external identities (AWS, Azure, OIDC providers like GitHub) to exchange tokens for Google short-lived credentials without service account keys.
• Why it matters: Strong security posture for hybrid and multi-cloud.
• Practical benefit: Remove secrets from CI systems and external runtimes.
• Caveats: Setup can be subtle (issuer/audience/attribute mapping). Validate with official guides and test token exchange carefully.

Docs: https://cloud.google.com/iam/docs/workload-identity-federation

6.9 Policy troubleshooting and analysis (Policy Intelligence)

• What it does: Tools to understand “why access is allowed/denied” and to analyze access across resources.
• Why it matters: Debugging IAM can otherwise be time-consuming.
• Practical benefit: Faster incident resolution and safer policy changes.
• Caveats: Features and scope vary; confirm tool availability and supported resource types in official docs.

Start here: https://cloud.google.com/iam/docs/policy-intelligence-overview

6.10 Auditability via Cloud Audit Logs (integration)

• What it does: Most IAM policy changes and many access events are logged via Cloud Audit Logs.
• Why it matters: Required for investigations and compliance.
• Practical benefit: Trace who changed IAM and when; detect suspicious access patterns.
• Caveats: Data Access logs can be high-volume and may incur costs in Logging; configure sinks, retention, and exclusions responsibly.

Docs: https://cloud.google.com/logging/docs/audit

6.11 IAM Deny policies (deny rules)

• What it does: Lets you explicitly deny certain permissions for certain principals, even if they have an allow via roles.
• Why it matters: Helps enforce “never allow” constraints (for example, prevent deleting audit logs) in some governance models.
• Practical benefit: Defense-in-depth when role grants are complex.
• Caveats: Deny policies have specific scope and evaluation semantics. Verify current GA status, constraints, and supported services in official docs before relying on them broadly.

Docs entry point: https://cloud.google.com/iam/docs/deny-overview (verify in official docs)

---

7. Architecture and How It Works

High-level architecture

IAM sits in the authorization path for Google Cloud API requests:

1. A principal authenticates (Google identity, service account, federated identity).
2. The principal calls a Google Cloud API (e.g., Storage, Compute, BigQuery).
3. Google Cloud evaluates: – Applicable IAM policies from the resource hierarchy and resource-level IAM – Role permissions – Optional IAM Conditions – Optional IAM Deny policies (if configured and applicable)
4. The request is allowed or denied.
5. The event is logged (admin activity and/or data access) according to Cloud Audit Logs behavior.

Request / data / control flow

• Control plane: Setting IAM policies, creating service accounts, creating custom roles.
• Data plane: Access to actual data resources (objects, rows, secrets, etc.)—often produces Data Access logs if enabled.

Integrations with related services

• Cloud Resource Manager: project/folder/org hierarchy and IAM policy attachment.
• Cloud Identity / Google Workspace: group and user lifecycle, SSO.
• Cloud Audit Logs + Cloud Logging: audit trails.
• Security Command Center (SCC): findings related to IAM misconfigurations (depending on SCC tier and features; verify).
• VPC Service Controls: perimeter-based controls complement IAM (not a replacement).
• Secret Manager / Cloud KMS: sensitive access patterns heavily rely on IAM.
• Policy Controller / OPA (GKE): complements IAM with Kubernetes admission policies; different control plane.

Dependency services

• IAM policy APIs are part of Google Cloud’s management plane. In practice you will use:
• Google Cloud Console
• gcloud CLI
• REST APIs / client libraries (for some IAM operations)
• Infrastructure-as-code tooling (e.g., Terraform Google provider)

Security/authentication model

• Authentication is handled by Google identity systems:
• User accounts (interactive)
• Service accounts (workloads)
• Federated identities (external workloads/workforce)
• Authorization is handled by IAM policies and role evaluation.

Networking model

• IAM itself is not deployed inside your VPC; it’s a Google-managed control-plane service.
• Access decisions apply to Google Cloud APIs regardless of where the caller runs (inside/outside Google Cloud), as long as they can reach the APIs and authenticate.
• Use network controls (private access, VPC SC, firewalling, egress policies) to complement IAM for defense-in-depth.

Monitoring/logging/governance considerations

• Track:
• IAM policy changes (Admin Activity logs)
• Privileged role grants (Owner/Editor, IAM admin roles)
• Service account key creation
• Unusual impersonation/token creation events
• Centralize logs via:
• Log sinks to a security project
• Export to BigQuery/SIEM

Simple architecture diagram (Mermaid)

flowchart LR
  U[User / Workload Principal] -->|Authenticate| ID[Google Identity / Federated Identity]
  U -->|API Request| API[Google Cloud API<br/>(e.g., Storage, Compute)]
  API -->|Authorize| IAM[Identity and Access Management (IAM)]
  IAM -->|Evaluate Policies, Roles, Conditions| DEC{Allow / Deny}
  DEC -->|Allow| RES[Resource Access]
  DEC -->|Deny| DENY[Access Denied]
  API --> LOG[Cloud Audit Logs]

Production-style architecture diagram (Mermaid)

flowchart TB
  subgraph Org[Organization]
    subgraph Folders[Folders]
      subgraph Prod[Prod Folder]
        P1[Project: prod-app]
        P2[Project: prod-data]
      end
      subgraph Shared[Shared Folder]
        P3[Project: security-logging]
        P4[Project: shared-services]
      end
    end
  end

  CI[CI/CD (GitHub Actions)] -->|OIDC| WIF[Workload Identity Federation]
  WIF -->|Impersonate| SADeploy[Service Account: deploy-sa]
  SADeploy -->|Deploy| P1
  SADeploy -->|Read Artifacts| P4

  Users[Engineers (Google Groups)] --> P1
  Users --> P2

  P1 -->|Writes Logs| Logging[Cloud Logging]
  P2 -->|Writes Logs| Logging
  Logging -->|Log Sink| P3

  Sec[Security Team] -->|Org-level IAM + Review| Org
  Audit[Auditors] -->|Read-only + Logs| P3

---

8. Prerequisites

Account / project requirements

• A Google Cloud account with access to a Google Cloud project.
• Billing enabled for the project (recommended even for low-cost labs, because some logging/export features require it).

Required permissions for this tutorial

You need permissions to: – Create service accounts – Create custom roles (optional in the lab; predefined roles are enough) – Set IAM policy bindings on a project and on a Cloud Storage bucket – Create a Cloud Storage bucket – View logs in Cloud Logging

Practical role options: – In a sandbox, roles/owner on the project is simplest. – In a controlled org, you may need a combination like: – roles/iam.serviceAccountAdmin – roles/resourcemanager.projectIamAdmin – roles/storage.admin – roles/logging.viewer

Tools

• Google Cloud CLI (gcloud): https://cloud.google.com/sdk/docs/install
• A shell environment (Cloud Shell is fine).
• Optional: gsutil (installed with the Cloud SDK). You can also use gcloud storage commands.

APIs

For this lab, enable: – IAM API: iam.googleapis.com – Cloud Resource Manager API: cloudresourcemanager.googleapis.com – Cloud Storage API: storage.googleapis.com – Cloud Logging API (for viewing logs via API; console works regardless): logging.googleapis.com

Region availability

• IAM is global.
• Cloud Storage buckets have location settings (region/multi-region/dual-region). Choose a low-cost region appropriate for your environment.

Quotas/limits to be aware of

IAM has limits around: – Number of policy bindings and members – Policy size – Number of service accounts per project – Custom role limits

Always check the current quota/limit docs (these can change): – IAM quotas: https://cloud.google.com/iam/quotas – Resource Manager limits: https://cloud.google.com/resource-manager/quotas (verify in official docs)

Prerequisite services

• Cloud Storage (used in the lab as a resource protected by IAM).
• Cloud Logging (for audit visibility).

---

9. Pricing / Cost

Pricing model (accurate, non-fabricated)

Identity and Access Management (IAM) policy management and evaluation is generally included with Google Cloud—you do not typically pay a standalone “IAM fee” for creating roles, bindings, and policies.

However, IAM-related activities can drive costs indirectly through: – Cloud Logging / Cloud Audit Logs ingestion, retention, and exports (especially Data Access logs). – Security Command Center (if used for IAM findings; tiered pricing). – Identity Platform (separate product) for customer identity. – BeyondCorp / IAP (separate products) for secure app access. – BigQuery (if exporting logs to BigQuery). – Pub/Sub / Storage (if exporting logs to sinks).

Always confirm current details here: – IAM pricing: https://cloud.google.com/iam/pricing (verify in official docs) – Cloud Logging pricing: https://cloud.google.com/logging/pricing – Cloud Audit Logs overview: https://cloud.google.com/logging/docs/audit – Google Cloud Pricing Calculator: https://cloud.google.com/products/calculator

Pricing dimensions (what can cost money)

Area	Potential cost driver	Notes
Cloud Logging	Log volume, retention, exports	Admin Activity logs are typically available by default; Data Access logs can be high-volume and may be billable depending on configuration and destination. Verify in Logging pricing.
Log sinks	Destination costs	BigQuery storage/queries, Pub/Sub messages, Storage object storage, SIEM ingestion.
Operational tooling	SCC, SIEM, monitoring	Separate products and SKUs.
Runtime identity patterns	Minimal direct cost	Workload Identity Federation and impersonation focus on security and operations; confirm any related product SKUs in official docs if using workforce identity features.

Free tier / included usage

• IAM itself is typically “no additional charge”.
• Logging has free allotments and different billing behaviors depending on log type and usage. Do not assume unlimited free logs—verify your Logging configuration.

Hidden/indirect costs to plan for

• Enabling high-volume Data Access logs (e.g., object read logs on busy buckets).
• Exporting logs to BigQuery and running frequent queries.
• Retaining logs for long periods without archiving strategy.

Network/data transfer implications

IAM is control-plane; network egress is usually not driven by IAM itself. Indirectly, exporting logs to external systems can incur egress charges depending on destination and topology.

How to optimize cost (without reducing security)

• Keep IAM itself simple: fewer bindings, prefer group-based access.
• Use Data Access logs selectively (enable for sensitive resources, not everything).
• Route security logs to a dedicated project; use retention policies appropriately.
• Export only the necessary logs to BigQuery/SIEM; apply exclusions carefully (do not exclude critical audit logs).

Example low-cost starter estimate (conceptual)

A small team using IAM for a single project with: – A few groups and service accounts – Standard Admin Activity audit logs – Minimal Data Access logging

…will generally see no direct IAM charges, and low-to-moderate logging costs depending on overall project activity. Exact numbers vary by usage and Logging pricing—use the calculator and Logging pricing page to estimate.

Example production cost considerations

In production environments, IAM-related cost discussions are usually about: – Audit log volume (especially Data Access) – Centralized log storage and SIEM ingestion – Governance tooling (SCC, third-party)

A realistic production cost approach: 1. Estimate log volume per service (Storage, BigQuery, GKE, etc.). 2. Decide which Data Access logs are required for compliance. 3. Pick log destinations and retention. 4. Model BigQuery/SIEM costs.

---

10. Step-by-Step Hands-On Tutorial

Objective

Implement a practical, least-privilege IAM pattern in Google Cloud: – Create a Cloud Storage bucket. – Create a service account for an application. – Grant restricted read access to a specific object prefix using IAM Conditions. – Use service account impersonation (no keys) to test access. – Verify with real commands and review audit signals. – Clean up resources.

Lab Overview

You will: 1. Set up environment variables and enable required APIs. 2. Create a Cloud Storage bucket and sample objects. 3. Create a service account. 4. Grant conditional bucket access to the service account. 5. Allow your user to impersonate the service account. 6. Validate allowed vs denied access. 7. (Optional) Review audit logs. 8. Clean up.

This lab is designed to be low-cost. Cloud Storage charges for stored data and operations are typically small for a few tiny files, but always clean up.

---

Step 1: Set project, authenticate, and enable APIs

1) Open Cloud Shell (recommended) or your local terminal with gcloud installed.

2) Set your project:

gcloud config set project PROJECT_ID

3) Confirm identity:

gcloud auth list
gcloud config list

4) Enable APIs:

gcloud services enable \
  iam.googleapis.com \
  cloudresourcemanager.googleapis.com \
  storage.googleapis.com \
  logging.googleapis.com

Expected outcome: APIs enable successfully (may take a minute).

Verification:

gcloud services list --enabled --filter="name:iam.googleapis.com OR name:storage.googleapis.com"

---

Step 2: Create a Cloud Storage bucket and sample objects

1) Choose a globally unique bucket name and a location.

export BUCKET_NAME="iam-lab-$RANDOM-$RANDOM"
export BUCKET_LOCATION="us-central1"   # pick a region near you

2) Create the bucket:

gcloud storage buckets create "gs://$BUCKET_NAME" \
  --location="$BUCKET_LOCATION" \
  --uniform-bucket-level-access

Notes: – --uniform-bucket-level-access enforces IAM-only access (recommended). It disables object ACLs.

3) Create two prefixes and upload sample files:

echo "public file" > public.txt
echo "private file" > private.txt

gcloud storage cp public.txt "gs://$BUCKET_NAME/public/public.txt"
gcloud storage cp private.txt "gs://$BUCKET_NAME/private/private.txt"

Expected outcome: Bucket exists with two objects.

Verification:

gcloud storage ls "gs://$BUCKET_NAME/**"

---

Step 3: Create a dedicated service account for read-only access

1) Create a service account:

export SA_NAME="sa-prefix-reader"
export SA_EMAIL="$SA_NAME@$(gcloud config get-value project).iam.gserviceaccount.com"

gcloud iam service-accounts create "$SA_NAME" \
  --display-name="Service Account: Conditional prefix reader"

2) Confirm it exists:

gcloud iam service-accounts describe "$SA_EMAIL"

Expected outcome: Service account details are returned.

---

Step 4: Grant conditional access to only public/ objects (IAM Conditions)

You will grant roles/storage.objectViewer on the bucket, but only when the object is under public/.

1) Create a condition expression.

For Cloud Storage, a common approach is to restrict by resource.name. Use: – projects/_/buckets/BUCKET_NAME/objects/public/ as a prefix.

export CONDITION_TITLE="AllowReadOnlyPublicPrefix"
export CONDITION_DESC="Allow objectViewer only for objects under public/ prefix"
export CONDITION_EXPR="resource.name.startsWith('projects/_/buckets/$BUCKET_NAME/objects/public/')"

2) Apply the IAM policy binding to the bucket:

gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/storage.objectViewer" \
  --condition="expression=$CONDITION_EXPR,title=$CONDITION_TITLE,description=$CONDITION_DESC"

Expected outcome: IAM policy binding added with a condition.

Verification (inspect bucket IAM policy):

gcloud storage buckets get-iam-policy "gs://$BUCKET_NAME"

Look for a binding like: – role: roles/storage.objectViewer – member: your service account – condition: title/expression shown

Common pitfall: If the condition expression is invalid or unsupported for the resource type, the command will fail. If it fails, verify the correct condition attributes for Cloud Storage in official docs: – https://cloud.google.com/iam/docs/conditions-overview (and Cloud Storage IAM conditions docs—verify)

---

Step 5: Allow your user to impersonate the service account (no keys)

To test the service account’s access without creating keys, grant your user permission to impersonate it.

1) Identify your user email:

export USER_EMAIL="$(gcloud config get-value account)"
echo "$USER_EMAIL"

2) Grant roles/iam.serviceAccountTokenCreator on the service account to your user:

gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
  --member="user:$USER_EMAIL" \
  --role="roles/iam.serviceAccountTokenCreator"

Expected outcome: You can now impersonate the service account and obtain short-lived tokens.

Verification:

gcloud iam service-accounts get-iam-policy "$SA_EMAIL"

---

Step 6: Test access (allowed vs denied) using impersonation

Now you will attempt to read objects as the service account identity.

1) Confirm you can list objects (listing may or may not be permitted depending on the exact permissions and how you test; object read is the main goal here). Start with reading the public object:

gcloud storage cat "gs://$BUCKET_NAME/public/public.txt" \
  --impersonate-service-account="$SA_EMAIL"

Expected outcome: Output should be:

public file

2) Try to read the private object:

gcloud storage cat "gs://$BUCKET_NAME/private/private.txt" \
  --impersonate-service-account="$SA_EMAIL"

Expected outcome: Access is denied (a 403 error), because the IAM condition restricts access to public/.

This is the key result: same role, same bucket, but conditional restriction reduces access scope.

---

Step 7 (Optional): Review audit visibility in Cloud Logging

IAM itself doesn’t “store logs,” but Google Cloud services generate Cloud Audit Logs for administrative actions, and can generate Data Access logs depending on configuration.

1) In Google Cloud Console: – Go to Logging → Logs Explorer – Set resource type to Cloud Storage Bucket – Filter by bucket name and recent time window

2) Look for: – Admin Activity logs for IAM policy changes (bucket policy updates). – Data Access logs for object reads (may require enabling Data Access logs and may have billing implications—verify current Logging/Audit Logs behavior and pricing before enabling broadly).

Docs: – Audit logs: https://cloud.google.com/logging/docs/audit – Logging pricing: https://cloud.google.com/logging/pricing

Expected outcome: You should be able to find entries for the bucket IAM policy change. Object read events might not appear unless Data Access logs are enabled for Cloud Storage and routed/retained appropriately.

---

Validation

Use this checklist:

• Bucket exists:

gcloud storage buckets describe "gs://$BUCKET_NAME"

• IAM policy includes a conditional binding:

gcloud storage buckets get-iam-policy "gs://$BUCKET_NAME"

• Impersonation works:

gcloud storage cat "gs://$BUCKET_NAME/public/public.txt" --impersonate-service-account="$SA_EMAIL"

• Private object read is denied:

gcloud storage cat "gs://$BUCKET_NAME/private/private.txt" --impersonate-service-account="$SA_EMAIL"

---

Troubleshooting

Issue: 403 when reading public object – Confirm the condition expression matches the correct resource.name format. – Confirm the binding is on the bucket and the bucket uses uniform bucket-level access. – Confirm you are impersonating the correct service account email. – IAM policy propagation can take short time; retry after 1–2 minutes.

Issue: Cannot impersonate service account – Ensure you granted roles/iam.serviceAccountTokenCreator on the service account to your user. – Confirm you’re using the same account in gcloud config get-value account.

Issue: Condition fails to apply or command rejects expression – Not all condition attributes work for all resource types and permissions. – Verify Cloud Storage IAM Conditions documentation and examples in official docs (do not guess condition keys in production).

Issue: You still can read private object – Check if you (your user) also has broad roles (like Storage Admin) on the bucket/project and you forgot to impersonate. – Make sure the command includes --impersonate-service-account. – Check for other bindings granting the service account broader access (project-level Storage roles could override your expectation).

---

Cleanup

To avoid ongoing costs, delete the bucket and remove IAM bindings.

1) Delete bucket contents and bucket:

gcloud storage rm --recursive "gs://$BUCKET_NAME"

2) Delete the service account:

gcloud iam service-accounts delete "$SA_EMAIL"

Expected outcome: No lab resources remain.

---

11. Best Practices

Architecture best practices

• Design access around the resource hierarchy:
• Org/folder for baseline governance
• Project for team/environment boundaries
• Resource-level IAM for sensitive assets
• Separate projects for prod vs non-prod; avoid shared IAM across them except for central security/auditing.
• Use dedicated “security logging” projects for centralized logs and sinks.

IAM/security best practices

• Prefer Google Groups (or managed groups via Cloud Identity/Workspace) over individual users in policies.
• Prefer predefined roles over basic roles; treat Owner/Editor as break-glass or temporary.
• Use service account impersonation and Workload Identity Federation instead of long-lived JSON keys.
• Minimize who can:
• set IAM policies (resourcemanager.projectIamAdmin),
• create service account keys,
• grant roles/iam.serviceAccountTokenCreator.
• Use IAM Conditions for:
• prefix-restricted object access
• time-bounded access
• environment restrictions where supported (verify condition attributes per service)

Cost best practices

• Turn on Data Access logs only where needed (sensitive datasets/buckets) and plan log routing/retention.
• Use log sinks and exclusions carefully; do not exclude critical admin/audit logs.
• Regularly review unused privileged roles; remove or downscope.

Performance best practices

• IAM evaluation overhead is handled by Google; you don’t tune performance directly.
• Operationally, reduce policy complexity:
• fewer bindings
• group-based access
• avoid excessive custom roles where predefined roles suffice

Reliability best practices

• Implement break-glass access with tight controls:
• separate accounts
• MFA enforcement (via identity provider policies)
• monitored usage and periodic validation
• Avoid embedding service account keys in workloads; keys become an operational reliability risk (rotation, accidental leaks).

Operations best practices

• Use Policy Intelligence tools to troubleshoot access issues rather than trial-and-error changes.
• Monitor:
• IAM policy changes
• service account key creation
• suspicious token creation / impersonation usage
• Establish a lightweight access request and review process (ticketing + approvals).

Governance/tagging/naming best practices

• Standardize names:
• grp-gcp-prod-deployers@
• sa-prod-myservice-runtime@...
• proj-prod-app1, proj-dev-app1
• Use labels/tags on projects and resources for ownership and cost allocation (IAM doesn’t require labels, but operations do).
• Maintain an IAM “role catalog” and group-to-role mapping documentation.

---

12. Security Considerations

Identity and access model

• Authentication: Google identities, service accounts, federated identities.
• Authorization: IAM policies, roles, conditions; optionally deny policies.
• Use least privilege and separation of duties:
• Avoid granting broad roles that include IAM admin permissions to people who only deploy apps.
• Separate security/audit duties from development duties.

Encryption

IAM is not an encryption service. It controls who can access encryption keys and encrypted data: – Use IAM to control access to Cloud KMS keys and Secret Manager secrets. – Combine IAM with CMEK/CSEK strategies where required (verify per service).

Network exposure

• IAM does not replace network controls:
• Protect workloads with VPC firewalls, private access patterns, and VPC Service Controls (where applicable).
• Use IAP/BeyondCorp patterns for admin access to internal web apps.

Secrets handling

• Avoid service account keys when possible.
• If keys are unavoidable:
• restrict who can create keys,
• rotate and inventory keys,
• monitor key creation events,
• store keys in Secret Manager (not in repos).
• Prefer Workload Identity Federation or metadata-based credentials (Compute/GKE/Cloud Run).

Audit/logging

• Ensure Admin Activity logs are retained and monitored.
• Consider enabling Data Access logs for sensitive resources and routing them to a central project (with budget awareness).
• Build detections for:
• granting roles/owner, roles/editor
• changes to IAM policy at org/folder/project
• new service account key creation
• unusual impersonation activity

Compliance considerations

IAM supports compliance by enabling: – least privilege – audit trails – separation of duties – centralized policy control

But compliance typically also requires: – change management – incident response – data retention – encryption controls – identity lifecycle policies (offboarding, MFA)

Common security mistakes

• Using basic roles (Owner/Editor) broadly.
• Assigning permissions directly to users instead of groups.
• Distributing service account keys to developers or CI systems.
• Over-granting service account impersonation permissions.
• Forgetting inheritance (org/folder policies granting access you didn’t expect).
• Enabling broad Data Access logs without a cost/retention plan.

Secure deployment recommendations

• Establish an access model:
• groups per job function
• minimal admin roles
• environment separation
• Adopt keyless identity for CI/CD and external workloads.
• Use conditions for sensitive access boundaries where supported.
• Centralize audit logs and periodically review IAM policies.

---

13. Limitations and Gotchas

Known limitations (practical)

• Policy complexity and readability: Large organizations can accumulate complex, inherited IAM policies.
• Propagation delay: IAM changes may take a short time to fully apply.
• Custom role maintenance: Custom roles can become outdated as services evolve.
• Conditions support varies: Not every service/permission supports the same condition attributes.
• Deny policy scope/behavior: Deny policies have specific semantics; verify applicability carefully before relying on them for critical controls.

Quotas and limits (do not guess exact numbers)

IAM has documented quotas such as: – number of service accounts per project – policy size limits – number of role bindings / members – number of custom roles

Check: – https://cloud.google.com/iam/quotas

Regional constraints

• IAM is global, but resource-level behavior depends on the service (e.g., Storage location, BigQuery dataset location). Authorization is consistent, but auditing and data residency concerns are service-specific.

Pricing surprises

• Data Access logging volume can generate unexpected Logging costs.
• Log exports to BigQuery/SIEM can increase cost quickly.

Compatibility issues

• Some legacy access models exist (e.g., ACLs in Storage) but recommended mode is IAM with uniform bucket-level access. Migrating from ACLs requires planning.
• Kubernetes RBAC is separate from Google Cloud IAM (though they can integrate). Don’t assume a GKE RBAC grant equals Google Cloud resource access.

Operational gotchas

• Granting roles/iam.serviceAccountTokenCreator too broadly effectively allows acting as powerful service accounts.
• A project-level Storage role grant can unintentionally override a carefully scoped bucket-level plan (because it grants on all buckets in the project).
• Don’t test access as yourself when you intend to test a service account—use impersonation explicitly.

Migration challenges

• Moving from basic roles to predefined/custom roles requires inventory, impact analysis, and phased rollout.
• Reorganizing hierarchy (folders/projects) changes policy inheritance—plan and validate.

---

14. Comparison with Alternatives

IAM is the authorization layer for Google Cloud resources, but it’s often used alongside other identity and policy products.

Comparison table

Option	Best For	Strengths	Weaknesses	When to Choose
Identity and Access Management (IAM) (Google Cloud)	Authorizing access to Google Cloud resources	Native, hierarchical, role-based, integrates with service accounts and audit logs	Can be complex at scale; conditions/deny nuances; not a full IdP	Always for Google Cloud resource authorization
Cloud Identity / Google Workspace	Managing workforce identities, groups, lifecycle, SSO	Central identity lifecycle, groups, MFA policies (via IdP features)	Not a replacement for resource authorization	Use with IAM to manage users/groups at scale
Identity Platform (Google Cloud)	Customer identity (CIAM) for apps	App sign-in, federation, user management	Separate product; not for Google Cloud admin authorization	When you need end-user login for applications
Identity-Aware Proxy (IAP) / BeyondCorp	Zero-trust access to web apps/admin consoles	Strong app-layer access control	Not a general-purpose cloud resource RBAC	When securing HTTP(S) app access beyond network perimeter
Organization Policy Service	Enforcing resource configuration constraints	Prevents insecure configs (e.g., public IP, external sharing)	Not “who can do what”; complementary	When you need guardrails beyond IAM
AWS IAM (AWS)	AWS resource authorization	Deep AWS integration, mature policy language	Different model/semantics; not for GCP	Choose when operating on AWS
Azure RBAC + Microsoft Entra ID	Azure resource authorization and identity	Strong enterprise identity and RBAC	Different scope and terms; not for GCP	Choose when operating on Azure
Keycloak + OPA (self-managed)	Custom authZ/authN patterns in self-hosted apps	Full control, portable	Operational burden; not integrated with GCP resource authorization	For app-level auth needs, not replacing GCP IAM

---

15. Real-World Example

Enterprise example (regulated environment)

• Problem: A financial services company runs 200+ projects across prod/non-prod. Auditors require immutable audit trails, strict separation of duties, and least-privilege access across compute and data.
• Proposed architecture:
• Organization and folder structure: prod/, nonprod/, security/, shared/
• Folder-level IAM:
  • Security team: read-only security review roles across org
  • Central platform team: limited admin roles for provisioning
• Project-level IAM:
  • Developer groups get only developer roles in non-prod
  • Production deploy group gets narrow deploy permissions
• Sensitive resources (KMS keys, secrets, data buckets) use resource-level IAM + conditions
• Central logging project with aggregated sinks for audit logs
• Keyless CI/CD via Workload Identity Federation and service account impersonation
• Why IAM was chosen: It is the native authorization system for all Google Cloud services and supports hierarchical governance and auditing.
• Expected outcomes:
• Reduced overprivilege (fewer editors/owners)
• Faster audits via centralized, consistent access controls
• Lower incident risk from leaked keys (keyless patterns)

Startup/small-team example

• Problem: A startup runs a single production project and needs to ship quickly while preventing accidental deletion and limiting access to customer data.
• Proposed architecture:
• Two projects: dev and prod
• Groups:
  • eng-dev@ has developer access in dev
  • eng-prod-deploy@ can deploy to prod
  • founders retain break-glass owner access with MFA
• Service accounts per app component; least privilege to Storage/DB/Secrets
• Use impersonation for deployments, avoid service account keys
• Why IAM was chosen: Minimal setup, integrates with every Google Cloud service, and scales as the startup grows.
• Expected outcomes:
• Fewer production outages caused by accidental permission misuse
• Cleaner onboarding/offboarding via group membership changes
• Security baseline without slowing development too much

---

16. FAQ

1) Is Identity and Access Management (IAM) the same as authentication?
No. Authentication verifies who you are. IAM handles authorization—what you can do on Google Cloud resources after you authenticate.

2) What’s the difference between a role and a permission?
A permission is a specific allowed action (e.g., storage.objects.get). A role is a bundle of permissions you grant to principals.

3) Should I use basic roles like Owner/Editor/Viewer?
Avoid them in production when possible. They are broad and can violate least privilege. Prefer predefined roles.

4) What is the best way to manage IAM for many users?
Use groups (from Cloud Identity/Workspace) and grant roles to groups rather than individual users.

5) What are IAM Conditions used for?
To add context constraints to role bindings (for example, restrict to a time window or a resource name prefix). Verify supported attributes per service.

6) Do IAM changes apply instantly?
Often quickly, but not always instantly. Expect short propagation delays and validate access after changes.

7) What’s a service account and when should I use it?
A service account is an identity for workloads. Use it for apps, automation, and services instead of using human accounts.

8) Should I create service account keys for CI/CD?
Prefer not to. Use Workload Identity Federation or service account impersonation to avoid long-lived keys.

9) What does “service account impersonation” mean?
A principal can act as a service account using short-lived tokens, controlled by IAM permissions—no key files required.

10) Why can someone access a resource even though I didn’t grant them access on that resource?
They may have access via inheritance from the project/folder/org, or via membership in a group. Check effective IAM across hierarchy.

11) How do I debug an “access denied” error?
Use Policy Troubleshooter/Analyzer (Policy Intelligence) when applicable, and check: – principal identity – resource IAM policy – inherited policies – condition expressions – deny policies (if used)

12) Can I restrict access by IP address using IAM Conditions?
IAM Conditions support certain request/resource attributes; IP-based restrictions are not universally supported. For IP controls, consider network-layer solutions or IAP/BeyondCorp patterns. Verify current capabilities in official docs.

13) What’s the difference between Cloud Identity and IAM?
Cloud Identity manages identities and groups. IAM grants permissions to access Google Cloud resources.

14) Can IAM prevent public access to a bucket?
IAM can control who has access, but also use Cloud Storage features like uniform bucket-level access and public access prevention (Storage-specific). For org-wide controls, also consider Organization Policy constraints.

15) What should I log for IAM governance?
At minimum: – IAM policy changes (Admin Activity logs) – service account key creation – high-privilege role grants For sensitive data, consider Data Access logs with a cost plan.

16) When should I use custom roles?
Only when predefined roles don’t meet least-privilege needs. Custom roles require maintenance and testing.

17) Does IAM replace application-level authorization?
No. IAM controls access to Google Cloud resources/APIs. Your application still needs its own authorization logic for end users.

---

17. Top Online Resources to Learn Identity and Access Management (IAM)

Resource Type	Name	Why It Is Useful
Official documentation	IAM Overview	Core concepts: principals, roles, policies, hierarchy. https://cloud.google.com/iam/docs/overview
Official documentation	Understanding roles	Explains basic vs predefined vs custom roles. https://cloud.google.com/iam/docs/understanding-roles
Official documentation	Managing IAM policies	Practical policy operations and inheritance. https://cloud.google.com/iam/docs/manage-access-to-resources
Official documentation	IAM Conditions overview	How to write and apply conditional role bindings. https://cloud.google.com/iam/docs/conditions-overview
Official documentation	Service accounts	Best practices and lifecycle. https://cloud.google.com/iam/docs/service-accounts
Official documentation	Service account impersonation	Keyless admin/CI patterns. https://cloud.google.com/iam/docs/impersonating-service-accounts
Official documentation	Workload Identity Federation	Keyless external workload auth. https://cloud.google.com/iam/docs/workload-identity-federation
Official documentation	IAM Deny overview	Explicit deny model (verify current scope and status). https://cloud.google.com/iam/docs/deny-overview
Official documentation	Policy Intelligence overview	Troubleshooting and analysis tools. https://cloud.google.com/iam/docs/policy-intelligence-overview
Official documentation	Cloud Audit Logs	Audit logging model and log types. https://cloud.google.com/logging/docs/audit
Official pricing	IAM pricing	Confirms IAM pricing approach (often no additional charge). https://cloud.google.com/iam/pricing
Official pricing	Cloud Logging pricing	Key indirect cost driver for IAM governance. https://cloud.google.com/logging/pricing
Official tool	Google Cloud Pricing Calculator	Model logging/export and other costs. https://cloud.google.com/products/calculator
Official videos	Google Cloud Tech YouTube channel	Many IAM and security walkthroughs. https://www.youtube.com/@GoogleCloudTech
Official samples	GoogleCloudPlatform GitHub	Official SDK/API examples (search IAM repos). https://github.com/GoogleCloudPlatform

---

18. Training and Certification Providers

Institute	Suitable Audience	Likely Learning Focus	Mode	Website URL
DevOpsSchool.com	DevOps engineers, SREs, cloud engineers	Google Cloud Security fundamentals, IAM operationalization, CI/CD identity patterns	check website	https://www.devopsschool.com/
ScmGalaxy.com	Beginners to intermediate engineers	DevOps and cloud basics that support IAM usage and governance	check website	https://www.scmgalaxy.com/
CLoudOpsNow.in	Cloud operations and platform teams	Cloud operations practices; may include IAM governance patterns	check website	https://www.cloudopsnow.in/
SreSchool.com	SREs, reliability engineers	Production operations, reliability practices that intersect with IAM and auditability	check website	https://www.sreschool.com/
AiOpsSchool.com	Ops teams exploring AIOps	Monitoring/operations learning; may touch IAM for operational controls	check website	https://www.aiopsschool.com/

---

19. Top Trainers

Platform/Site	Likely Specialization	Suitable Audience	Website URL
RajeshKumar.xyz	DevOps/cloud training content (verify current offerings)	Beginners to intermediate	https://rajeshkumar.xyz/
devopstrainer.in	DevOps training platform (verify course catalog)	DevOps engineers, SREs	https://www.devopstrainer.in/
devopsfreelancer.com	Freelance DevOps guidance/training (verify services)	Teams needing hands-on help	https://www.devopsfreelancer.com/
devopssupport.in	DevOps support/training style resources (verify scope)	Ops/DevOps practitioners	https://www.devopssupport.in/

---

20. Top Consulting Companies

Company	Likely Service Area	Where They May Help	Consulting Use Case Examples	Website URL
cotocus.com	Cloud/DevOps consulting (verify offerings)	IAM design, landing zone security, automation	IAM role redesign; service account and CI/CD hardening; audit logging architecture	https://cotocus.com/
DevOpsSchool.com	DevOps and cloud consulting/training	IAM governance rollout, DevSecOps enablement	Group/role model design; IaC for IAM; operational runbooks and access review processes	https://www.devopsschool.com/
DEVOPSCONSULTING.IN	DevOps consulting (verify offerings)	Security posture improvements, automation	Reduce overprivilege; implement keyless pipelines; logging and monitoring integration	https://www.devopsconsulting.in/

---

21. Career and Learning Roadmap

What to learn before IAM

• Google Cloud fundamentals:
• projects, folders, organizations
• billing accounts
• basic networking concepts (VPC, firewalls)
• Identity basics:
• users vs groups
• MFA and account security hygiene
• Command-line basics with gcloud

What to learn after IAM

• Cloud Logging and Cloud Audit Logs (central security operations)
• Service account patterns:
• impersonation
• Workload Identity Federation
• Organization Policy Service (guardrails)
• Secret Manager and Cloud KMS (securing secrets and encryption keys)
• Security Command Center (security posture and findings)
• VPC Service Controls (data exfiltration controls)
• CI/CD security (Cloud Build or third-party pipelines)

Job roles that use IAM

• Cloud engineer / cloud administrator
• DevOps engineer
• Site Reliability Engineer (SRE)
• Platform engineer
• Security engineer / cloud security engineer
• Cloud architect
• Compliance/audit-focused technical roles

Certification path (Google Cloud)

Google Cloud certifications change over time; verify the current set in official docs. IAM commonly appears in: – Associate-level cloud certifications – Professional Cloud Security Engineer – Professional Cloud Architect

Start here (official): https://cloud.google.com/learn/certification

Project ideas for practice

1. Build a multi-project layout with folders for prod/dev and implement inheritance.
2. Implement keyless GitHub Actions → Workload Identity Federation → deploy to Cloud Run.
3. Create a “break-glass” access model with monitoring and strict process controls.
4. Implement central logging project with sinks and retention policies.
5. Replace basic roles in a sample environment with predefined roles and validate workloads.

---

22. Glossary

• IAM (Identity and Access Management): Google Cloud’s system for authorizing access to resources using policies and roles.
• Principal: The identity that requests access (user, group, service account, domain, federated identity).
• Permission: A specific allowed action on a resource (e.g., resourcemanager.projects.get).
• Role: A named collection of permissions. Can be basic, predefined, or custom.
• Basic roles: Legacy broad roles (Owner, Editor, Viewer).
• Predefined roles: Google-managed roles designed for specific services and job functions.
• Custom role: A role you define with a specific set of permissions (project- or org-scoped).
• IAM Policy: A set of bindings attached to a resource that define who can do what.
• Binding: A policy entry connecting principals to a role, optionally with a condition.
• Resource hierarchy: Organization → folders → projects → resources; determines policy inheritance.
• IAM Conditions: Conditional expressions (CEL) that constrain when a binding applies.
• CEL (Common Expression Language): Expression language used in IAM Conditions.
• Service account: A workload identity used by applications and automation.
• Impersonation: Acting as a service account using short-lived credentials without key files.
• Workload Identity Federation: Keyless authentication for external workloads using identity federation.
• Workforce identity federation: Federation for human workforce identities from external IdPs (verify current product scope in official docs).
• Cloud Audit Logs: Logs that record administrative actions and (optionally) data access events.
• Admin Activity logs: Audit logs for administrative actions; important for IAM governance.
• Data Access logs: Audit logs for reading/writing data; can be high-volume.
• Deny policy: An explicit deny rule that can block permissions even if an allow exists (verify current scope/status).
• Least privilege: Granting only the minimum permissions required for a task.

---

23. Summary

Identity and Access Management (IAM) is Google Cloud’s built-in authorization system for controlling access to cloud resources using principals, roles, and policies across the organization/folder/project hierarchy. It matters because it is the foundation of Google Cloud Security: every environment needs least-privilege access, separation of duties, and auditability.

Cost-wise, IAM itself typically has no standalone charge, but IAM-driven governance depends heavily on Cloud Logging and audit log strategy—especially Data Access logs and exports. Security-wise, the biggest wins come from using predefined roles, group-based bindings, conditional access where appropriate, and keyless workload identities (impersonation and Workload Identity Federation) instead of service account keys.

Use Identity and Access Management (IAM) whenever you run workloads or store data on Google Cloud—particularly in production and multi-team environments. Next, deepen your skills by studying IAM Conditions, service account impersonation, Workload Identity Federation, and Cloud Audit Logs using the official documentation links provided above.