100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cloud

Google Cloud IAM

By Google Cloud

IntermediateService10.5K learners

Google Cloud IAM (Identity and Access Management) is Google Cloud Platform's service for controlling who has what access to which resources, using roles that bundle permissions and policy bindings that grant those roles to specific members.

Definition

Google Cloud IAM (Identity and Access Management) is Google Cloud Platform's service for controlling who has what access to which resources, using roles that bundle permissions and policy bindings that grant those roles to specific members.

Overview

Google Cloud IAM governs access across Google Cloud, following a model built around three core concepts: members (users, groups, service accounts, or domains), roles (collections of permissions), and policy bindings that grant a role to a member on a specific resource. Google Cloud's resource hierarchy — organization, folders, projects, and individual resources — means IAM policies can be applied at different levels and are inherited downward, so a policy set at the organization level applies to every project beneath it unless overridden. Google Cloud IAM distinguishes between three types of roles: basic roles (broad, legacy roles like Owner, Editor, and Viewer that predate fine-grained IAM and are generally discouraged for production use), predefined roles (curated by Google for specific services, offering more targeted permissions), and custom roles (organizations can define their own precise permission sets). Service accounts are a particularly important IAM concept, functioning as non-human identities that applications and services use to authenticate to other Google Cloud APIs, similar in purpose to IAM roles in AWS or managed identities in Azure. Because permissions can be granted at any level of the resource hierarchy, understanding how bindings inherit and combine across organization, folder, and project levels is central to designing a secure, least-privilege Google Cloud environment, a topic commonly covered in Cloud Security training.

Key Features

  • Resource-hierarchy-aware access control (organization, folder, project, resource)
  • Basic, predefined, and custom roles for different levels of permission granularity
  • Policy bindings that grant roles to members on specific resources
  • Service accounts as non-human identities for application-to-API authentication
  • Policy inheritance down the resource hierarchy with override capability
  • Conditional IAM bindings based on attributes like time or resource type
  • Audit logging of IAM policy changes and access decisions
  • Integration with Google Workspace and external identity providers

Use Cases

Granting least-privilege access to engineers across GCP projects
Assigning service accounts to applications for secure API access
Applying consistent access policies across an entire organization via hierarchy
Creating custom roles for permissions not covered by predefined roles
Auditing who has access to sensitive resources and why
Enforcing conditional access rules based on context like time or resource attributes

Frequently Asked Questions

From the Blog