IAM in Google Cloud Platform

From Luis Gallego Hurtado - Not Another IT guy
Jump to: navigation, search

It allows you to create accounts with limited access to project:

  • Accounts for Users
  • Accounts for Processes: services, automated processes, etc.

Important Roles

  • Compute Engine Services Engine
  • Kubernetes Engine Services Engine

Service Accounts

Service accounts are created to allow applications, deployed in VMs to access Google Cloud resources. They are used based on secure token.

Types of service accounts

  1. Created by users.
  2. Built-in for VMs and Google App Engine.
  3. Used by Google API internally.

Assign a service account to a VM

  1. Create a key for your service account.
  2. Copy the key into a file into your VM.
  3. gcloud auth activate-service-account <service-account-name> --key-file <path-to-file>


The IAM policy controls access to the resource for which is defined, as well as any descendants of that resource that inherit the policy.

  • An IAM policy is a collection of role bindings and metadata. It binds principals (user account, service account, Google group, or domain) to roles.
  • If parent's policy is less restrictive, more restrictive policy apply.
  • You can create Audit on policy changes.