Google Cloud Identity and Access Management (IAM)

Last updated on June 26, 2023

Google Cloud IAM Cheat Sheet

  • Create and manage permissions for your Google Cloud resources with Identity and Access Management (IAM).
  • Provides a unified view of your organization’s security policy, with built-in auditing to ease compliance.

Features

  • Lets you authorize who can take specific actions on resources, giving you central control over and visibility into your Google Cloud services.
  • Permissions are represented in the form service.resource.verb.
  • Can map job functions into groups and roles.
  • With IAM, users only get access to what they need to get the job done.
  • Cloud IAM enables you to grant access to cloud resources at fine-grained levels, well beyond project-level access.
  • You can leverage Cloud Identity to easily create or sync user accounts across applications and projects.
  • IAM lets you set policies at the following levels of the resource hierarchy:
    • Organization level
      • The organization resource represents your company.
      • IAM roles granted at this level are inherited by all resources under the organization.
    • Folder level
      • Folders can contain projects, other folders, or a combination of both.
      • Roles granted at the highest folder level will be inherited by projects or other folders that are contained in that parent folder.
    • Project level
      • Projects represent a trust boundary within your company.
      • Services within the same project have a default level of trust. For example, App Engine instances can access Cloud Storage buckets within the same project.
      • IAM roles granted at the project level are inherited by resources within that project.
    • Resource level
      • Grant certain users permission to a single resource within a project.

Roles

  • A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources.
  • You don’t directly grant users permissions in IAM. Instead, you grant them roles, which bundle one or more permissions.
  • To make permissions available to members, including users, groups, and service accounts, you grant roles to the members.
  • There are three types of roles in Google Cloud IAM:
    • Basic Roles
      • Include the Owner, Editor, and Viewer roles, which existed before IAM was introduced.
    • Predefined Roles
      • Provide granular access to a specific service and are defined and maintained by Google Cloud.
      • Prevent unwanted access to other resources.
      • Google is responsible for updating and adding permissions as necessary.
    • Custom Roles
      • Provide granular access according to a user-defined list of permissions.
      • You can create a custom IAM role with one or more permissions and then grant that custom role to users or groups.
      • Custom roles are not maintained by Google.
  • You can grant multiple roles to a user or a group.

Service Accounts

  • A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
  • Applications use service accounts to make authorized API calls, authorized as either:
    • the service account itself, or
    • Google Workspace or Cloud Identity users, through domain-wide delegation
  • A service account is identified by its email address, which is unique to the account.
    • service-account-name@project-id.iam.gserviceaccount.com
  • Each service account is associated with two sets of public/private RSA key pairs, which are used to authenticate to Google.
  • Types of service accounts:
    • User-managed service accounts
    • Default service accounts
      • Google creates a user-managed service account in your project when you use certain Google Cloud services. These accounts are called default service accounts.
      • The default service accounts help you get started with Google Cloud services quickly.
  • In addition to being an identity, a service account is also a resource with IAM policies attached to it, which means you can define who can use the account and who can perform specific actions on it.

Policy

  • A policy is a collection of bindings, audit configuration, and metadata.
  • A binding associates (or binds) one or more members with a single role and any context-specific conditions that change how and when the role is granted.
  • Each binding includes the following fields:
    • A member, known as an identity or principal, can be a:
      • User Account
      • Service Account
      • Google group
      • Domain
    • A role, which is a named collection of permissions that grant access to perform actions on Google Cloud resources.
    • A condition, which is a logical expression that further constrains the role binding based on attributes about the request, such as its origin, the target resource, and more.
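As an added example (not code from the original cheat sheet), the Python below resolves the roles a member effectively holds on a project by walking the hierarchy described above (project, then folder, then organization) over policies in the JSON shape that `gcloud projects get-iam-policy --format=json` returns, and flags basic-role grants for least-privilege review. The policies, resource names, members and the parent map are constructed sample data.

```python
from collections import defaultdict

# Constructed sample policies (not real data), one per hierarchy level, in the
# JSON shape that `gcloud projects get-iam-policy --format=json` (and the folder
# and organization equivalents) returns.
POLICIES = {
    "organizations/123456789012": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:cloud-admins@example.com"]}]},
    "folders/finance": {"bindings": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]}]},
    "projects/finance-project": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:report-gen@finance-project.iam.gserviceaccount.com"],
         "condition": {"title": "expires-2024",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}}]},
}
# Child -> parent links, constructed to match POLICIES.
PARENTS = {"projects/finance-project": "folders/finance",
           "folders/finance": "organizations/123456789012"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def ancestry(resource, parents=PARENTS):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource:
        yield resource
        resource = parents.get(resource)

def effective_roles(resource, policies=POLICIES, parents=PARENTS):
    """Map each member to the roles it holds on `resource`, including roles
    inherited from the folder and organization levels. A conditional binding is
    tagged with its condition title so it is not read as an unconditional grant."""
    roles = defaultdict(set)
    for level in ancestry(resource, parents):
        for binding in policies.get(level, {}).get("bindings", []):
            cond = binding.get("condition")
            tag = binding["role"] + (f" [if {cond['title']}]" if cond else "")
            for member in binding["members"]:
                roles[member].add(tag)
    return dict(roles)

def basic_role_grants(resource, policies=POLICIES, parents=PARENTS):
    """Return (member, role, level) for every Owner/Editor/Viewer grant that
    applies to `resource`; these coarse roles work against least privilege."""
    return [(member, b["role"], level)
            for level in ancestry(resource, parents)
            for b in policies.get(level, {}).get("bindings", [])
            if b["role"] in BASIC_ROLES for member in b["members"]]
```

Inherited grants (the folder-level Viewer here) are the ones most often missed in a project-only review, which is why the walk starts at the project and climbs to the organization.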

Groups

  • Groups help you manage your users at scale. They are a simple way to attach roles to users with the same job functions.
  • Each member of a Google group inherits the Identity and Access Management (IAM) roles granted to that group.
  • A user can belong to multiple groups.

Best Practices

  • Enforce least privilege at all times.
  • Mirror your Google Cloud resource hierarchy structure to your organization structure.
  • Set policies at the organization level and at the project level rather than at the resource level.
  • It is easier and better to manage members in a Google group than to update an IAM policy.
  • In deciding how to use a service account, use the following flow-chart to guide you in your decision-making process.

  • Rotate your service account keys using the IAM service account API.
  • For production workloads, it’s best practice to use user-managed service accounts instead of the default service accounts.
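The key-rotation practice above can be checked mechanically. This added example (not from the original cheat sheet) parses output in the shape of `gcloud iam service-accounts keys list --iam-account=<email> --format=json` and reports user-managed keys older than a rotation interval; the key records, the 90-day interval and the account name are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample (not real keys) in the shape of
# `gcloud iam service-accounts keys list --iam-account=<email> --format=json`;
# field names follow the ServiceAccountKey API resource.
KEYS_JSON = """[
  {"name": "projects/finance-project/serviceAccounts/report-gen@finance-project.iam.gserviceaccount.com/keys/a1b2c3",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-01-15T10:20:30Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/finance-project/serviceAccounts/report-gen@finance-project.iam.gserviceaccount.com/keys/d4e5f6",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-06-01T08:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/finance-project/serviceAccounts/report-gen@finance-project.iam.gserviceaccount.com/keys/0a0b0c",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-06-10T00:00:00Z", "validBeforeTime": "2023-06-24T00:00:00Z"}
]"""

def parse_time(rfc3339):
    """Parse the RFC 3339 UTC timestamps the IAM API emits into aware datetimes."""
    return datetime.strptime(rfc3339, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stale_keys(keys_json, now_rfc3339, max_days=90):
    """Return (key_id, age_in_days) for every user-managed key older than
    `max_days` as of `now_rfc3339`. Google-managed (SYSTEM_MANAGED) keys are
    rotated by Google and are skipped; only keys you created need your rotation.
    The 90-day interval is an assumed policy value, not one the page states."""
    now = parse_time(now_rfc3339)
    stale = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age_days = (now - parse_time(key["validAfterTime"])).days
        if age_days > max_days:
            stale.append((key["name"].rsplit("/", 1)[-1], age_days))
    return stale

if __name__ == "__main__":
    # Constructed "now": the cheat sheet's last-updated date.
    for key_id, days in stale_keys(KEYS_JSON, "2023-06-26T00:00:00Z"):
        print(f"key {key_id} is {days} days old; rotate it")
```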

Validate Your Knowledge

Question 1

Your company wants to review the IAM users and roles assigned on a specific Google Cloud project named finance-project.

What should you do to fulfill this requirement?

  1. Set up the Cloud SDK to run the gcloud iam roles list command and review the output.
  2. Use the Cloud Shell to run the gcloud iam service-accounts list command and then review the output.
  3. Using the Cloud Console, navigate to the finance-project, and go to the IAM section. Under the ‘Permissions’ tab, review the Members and Roles section.
  4. Using the Cloud Console, navigate to the finance-project, and go to the Roles section. From there, review the Roles and Status of the project.

Correct Answer: 3

Member – A member can be a Google Account (for end-users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain that can access a resource. The identity of a member is an email address associated with a user, service account, or Google group; or a domain name associated with Google Workspace or Cloud Identity domains.

Role – A role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a member, you grant all the permissions that the role contains.

https://media.tutorialsdojo.com/google_cloud_iam_storage_admin.PNG

As seen in the image above, you can view the users and roles assigned by navigating to the IAM section of Cloud Console.

Hence, the correct answer is: Using the Cloud Console, navigate to the finance-project, and go to the IAM section. Under the ‘Permissions’ tab, review the Members and Roles section.

The option that says: Set up the Cloud SDK to run the gcloud iam roles list command and then review the output is incorrect because this just gives you a list of roles that you can use. This option does not give you a list of users and roles.

The option that says: Use the Cloud Shell to run the gcloud iam service-accounts list and then review the output is incorrect because this will only list the service accounts created. It does not include a list of end-users.

The option that says: Using the Cloud Console, navigate to the finance-project, and go to the Roles section. From there, review the Roles and Status of the project is incorrect because this only allows you to review the roles but not the users.

References:

https://cloud.google.com/iam/docs/overview#concepts_related_identity
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/granting-changing-revoking-access

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

Question 2

Your company is having its yearly business audit. Your external auditor needs to review the Data Access and Access Transparency audit logs of your Google Cloud Platform account. Your company also wants to keep a copy of these logs as a reference for the next audit. You want to follow Google-recommended practices on granting Cloud IAM roles.

What should you do?

  1. Grant the external auditor the roles/logging.privateLogViewer IAM role. Create a log sink and export the logs to Cloud Storage.
  2. Grant the external auditor the roles/logging.viewer IAM role. Create a log sink and export the logs to Cloud Storage.
  3. Grant the external auditor a custom role that has logging.logs.list and logging.logServices.list permissions. Create a log sink and export the logs to BigQuery.
  4. Grant the external auditor the Project Viewer IAM role. Create a log sink and export the logs to BigQuery.

Correct Answer: 1

Cloud Audit Logs provide consolidated audit logs by tracking and logging all administrative activities within your GCP account. These audit logs can be exported to Cloud Storage, BigQuery, Pub/Sub, or to another Cloud project.

Audit logs provide the following logs:

  • Admin Activity audit logs
  • Data Access audit logs
  • System Event audit logs
  • Policy Denied audit logs

Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.

To view the Data Access audit logs, one must have the Logging/Private Logs Viewer or Project/Owner IAM role. The following IAM roles apply to Cloud Logging:

Logs Viewer (roles/logging.viewer) – gives you read-only access to all features of Logging, except Access Transparency logs and Data Access audit logs.

Private Logs Viewer (roles/logging.privateLogViewer) – includes roles/logging.viewer, plus the ability to read Access Transparency logs and Data Access audit logs.

Access Transparency logs record the actions that Google personnel take when accessing your content. Access Transparency logs give you different information than Cloud Audit Logs. Cloud Audit Logs record the actions that members in your Google Cloud organization have taken in your Google Cloud resources, whereas Access Transparency logs record the actions taken by Google personnel.

Hence the correct answer is: Grant the external auditor the roles/logging.privateLogViewer IAM Role. Create a log sink and export the logs to Cloud Storage.

The option that says: Grant the external auditor the IAM role roles/logging.viewer. Create a log sink and export the logs to Cloud Storage is incorrect. Although the roles/logging.viewer IAM role grants read-only access to all features of Cloud Logging, it still doesn’t give you access to the Access Transparency logs and Data Access audit logs.

The option that says: Grant the external auditor a custom role that has the logging.logs.list and logging.logServices.list permissions. Create a log sink and export the logs to BigQuery is incorrect because the logging.logs.list and logging.logServices.list permissions do not allow you to view the Data Access audit logs or the Access Transparency logs.

The option that says: Grant the external auditor the Project Viewer IAM role. Create a log sink and export the logs to BigQuery is incorrect because the Project Viewer IAM role has the same set of logging permissions as roles/logging.viewer. It doesn’t give you access to Admin Activity logs or the Data Access audit logs. BigQuery is not an ideal export destination because the logs will only be stored for a minimum of 1 year. It is more practical to export and store these logs on Cloud Storage instead.

References:

https://cloud.google.com/logging/docs/audit/configure-data-access
https://cloud.google.com/logging/docs/access-control
https://cloud.google.com/logging/docs/export

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.

Google Cloud IAM Cheat Sheet References:

https://cloud.google.com/iam/docs/concepts
https://cloud.google.com/iam/docs/resource-hierarchy-access-control#best_practices

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.