Identity and Access Management

An IAM defines 3 things:

• who
• can do what
• on which resource

who

The "who" part can be defined either by:

• Google account
• Google group
• Service account
• an entire G Suite or cloud identity domain

can do what

Defined by an IAM role.

An IAM role is a collection of permissions.

Three types of roles

1. Primitive
2. Predefined
3. Custom

Primitive roles

Primitive are broad. You apply them to a project and they affect all resources in that project.

Primitive roles:

• Owner
• Editor
• Viewer
• Billing administrator

Careful: if you have several people working together on a project that contains sensitive data, primitive roles are probably not enough. IAM provides a finer-grained types of roles.

GCP services offer their own sets of predefines roles, and they define where those roles can be applied.

Predefined roles

There was an example talking about the "InstanceAdmin" role, but it was really quick.

Custom roles

Allows more even control to achieve the "least privilege" principle.

Cautions:

1. You have to decide to use custom roles (some companies prefer to stick with the predefined roles).
2. Custom roles can only be used at the project or organization levels.

Service Account

When you want to give permissions to a machine instead of a user.