Identity and access management

IAM allows you to define users and roles and helps control user access to GCP resources. GCP offers Cloud IAM, which allows you to grant granular access to users for specific GCP resources based on the least privilege security principle.

Cloud IAM is made up of members to whom access is granted. The following diagram shows the different kinds of member types and also roles, which are collections of permissions. When a member is authenticated and makes a request, Cloud IAM uses roles to assess whether that member is allowed to perform an operation on a resource:

Let's briefly talk about different types of member accounts:

  • Google Account: Any person who interacts with GCP over a Gmail or custom domain account is represented by a Google account. This person can be a developer, an administrator, or an end user with access to GCP.
  • Service Account: A service account is an account that is associated with an application. Code that runs on your GCP account runs under a service account. Multiple service accounts can be created and associated to different parts of your application. Service accounts help create granular access and permissions.
  • Google Group: A Google group is a collection of Google accounts and service accounts. Google groups make it easier to apply an access policy to a collection of users. Groups also make it easy to add and remove members.
  • G Suite Domain: Google offers organizations a G Suite account, which provides email, calendar, docs, drive, and other enterprise services. A G Suite domain represents a virtual group of all Google accounts created in an organization's G Suite account. If your organization's name is XYZ, the G Suite domain typically represents your own domain, and every user created in this domain gets a new Google account inside this virtual group. For example, a user's email address will take the form <username>@<your domain>. G Suite domains are primarily for grouping and permission management, and are not used to establish identity.
  • Cloud Identity Domain: The primary difference between a Cloud Identity domain and a G Suite domain is that users in a Cloud Identity domain do not have access to G Suite applications and features.

Let's briefly describe the roles and permissions involved in the authorization process:

  • Roles: A role is a collection of permissions that determines what operations are allowed on a resource. Roles are granted to users, and all permissions that the role contains are applied to that user. You cannot assign individual permissions directly to a user; access is always granted through roles. Permissions are represented in the form <service>.<resource>.<verb>, for example, compute.instances.delete. Remember that a resource here is a GCP resource such as a project, a Compute Engine instance, a Cloud Storage bucket, and so on.

GCP offers primitive roles, namely the owner, editor, and viewer roles. There are also predefined roles that give finer-grained access. Finally, you can create custom roles whose permission sets are tailored to your organization's needs.

  • IAM policy: An IAM policy is a collection of statements that define the type of access a user gets. A policy is attached to a resource and governs access to that resource. An IAM policy can be set at any level of the resource hierarchy: the organization level, the folder level, the project level, or the individual resource level. Policies are inherited from parents, so if you set a policy at the organization level, all projects in the organization inherit that policy, and it is in turn inherited by all resources in those projects.
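As an added illustration (this code is not from the book), here is a small Python model of how an IAM check walks the resource hierarchy and combines the bindings it finds at each level; the organization, folder, project, instance, members, group membership and role-to-permission map below are all constructed for the example and are not real GCP definitions.

```python
# Constructed model of Cloud IAM policy evaluation with inheritance.
# Policies use the same JSON shape as `gcloud ... get-iam-policy`:
# {"bindings": [{"role": "...", "members": ["user:...", "group:...", ...]}]}

# Illustrative role expansions only; real predefined roles contain many more permissions.
ROLE_PERMISSIONS = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list",
                     "storage.objects.get"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get",
                                       "compute.instances.list",
                                       "compute.instances.delete"},
}

# Constructed hierarchy: resource -> parent (None marks the organization root).
HIERARCHY = {
    "organizations/123": None,
    "folders/456": "organizations/123",
    "projects/demo-project": "folders/456",
    "projects/demo-project/instances/web-1": "projects/demo-project",
}

# Constructed policies attached at the organization and project levels.
POLICIES = {
    "organizations/123": {"bindings": [
        {"role": "roles/viewer", "members": ["domain:example.com"]}]},
    "projects/demo-project": {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["group:ops@example.com",
                     "serviceAccount:deploy@demo-project.iam.gserviceaccount.com"]}]},
}

# Constructed group membership (in GCP this comes from Google Groups / Cloud Identity).
GROUPS = {"group:ops@example.com": {"user:alice@example.com"}}

def principals_for(member: str) -> set[str]:
    """Identities a member can be matched as: itself, its groups, and (for
    Google accounts) the G Suite / Cloud Identity domain of its email."""
    ids = {member}
    ids |= {g for g, users in GROUPS.items() if member in users}
    if member.startswith("user:") and "@" in member:
        ids.add("domain:" + member.split("@", 1)[1])
    return ids

def effective_permissions(member: str, resource: str) -> set[str]:
    """Union of the permissions granted by every matching binding on the
    resource and on each of its ancestors (policy inheritance)."""
    perms: set[str] = set()
    ids = principals_for(member)
    node = resource
    while node is not None:
        for binding in POLICIES.get(node, {}).get("bindings", []):
            if ids & set(binding["members"]):
                perms |= ROLE_PERMISSIONS.get(binding["role"], set())
        node = HIERARCHY.get(node)  # walk up towards the organization
    return perms

def is_allowed(member: str, permission: str, resource: str) -> bool:
    """True if the member holds the permission on the resource or inherits it."""
    return permission in effective_permissions(member, resource)
```

Note that the domain binding set once at the organization is what lets every user in example.com read instances in every project below it, which is why a broad role at the top of the hierarchy deserves particular scrutiny.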

Let's explore the IAM page using the GCP console and familiarize ourselves with it:

  1. In the GCP Console, you will find the IAM & admin section on the left-hand side of the screen.
  2. Click on IAM. You will see a list of members with the roles assigned to them.
  3. Click on ROLES to see the roles that are currently assigned to members. The members here are Google accounts and service accounts that were created when we accessed different services across GCP.
  4. To add a team member, simply click ADD, enter the team member account, and assign it a role.

The account name has to be either a Google account email, a Google group, a service account, or a G Suite domain:

  5. Next, click on the Select a role dropdown and pick a role. These are predefined roles, but you can create custom roles by clicking the Roles tab in the left-hand navigation. Remember, you can assign more than one role, but the most restrictive role takes precedence.
