Eduarn – Online & Offline Training with Free LMS for Python, AI, Cloud & More

Tuesday, April 14, 2026

What is Google IAM

 

What is Google IAM?

Google Cloud Platform IAM (Identity and Access Management) is a service that helps you:

πŸ‘‰ Control who can access your cloud resources and what they can do

🧠 Simple Definition (Easy to Remember)

πŸ‘‰ IAM = Who + What + Where

  • Who → User / Service
  • What → Permissions (read, write, delete)
  • Where → Resource (VM, storage, database)

🎯 Why IAM is Important

Without IAM:

  • Anyone could access your resources ❌

With IAM:

  • Secure access control ✅
  • Limited permissions ✅
  • Better management ✅

🧩 Core Components

1️⃣ Members (Who)

  • User (email)
  • Group
  • Service Account (used by apps)

2️⃣ Roles (What they can do)

Types:

  • Viewer (read only)
  • Editor (modify)
  • Owner (full access)

3️⃣ Resources (Where)

  • Project
  • VM
  • Storage bucket

πŸ”— How IAM Works

πŸ‘‰ Member → Role → Resource

Example:

user@gmail.com → Viewer → Project

πŸš€ Step-by-Step: How to Use IAM

Step 1: Open IAM

  1. Go to Google Cloud Console
  2. Navigate:
    πŸ‘‰ IAM & Admin → IAM

Step 2: Add a User

  1. Click Grant Access
  2. Enter email (user)
  3. Select role (e.g., Viewer)
  4. Click Save

Step 3: Assign Role

Choose based on need:

  • Viewer → read only
  • Editor → edit resources
  • Admin → full control

Step 4: Create Service Account (for apps)

  1. Go to:
    πŸ‘‰ IAM & Admin → Service Accounts
  2. Click Create Service Account
  3. Assign role
  4. Save

Step 5: Test Access

  • Login as user
  • Check what they can access

🧠 Real-Life Example

Scenario:

You have:

  • Developer
  • Manager

Setup:

  • Developer → Editor
  • Manager → Viewer

πŸ‘‰ Developer can make changes
πŸ‘‰ Manager can only view

⚠️ Best Practices

✔ Give minimum access (least privilege)
✔ Avoid giving “Owner” role
✔ Use service accounts for apps
✔ Regularly review access

🧠 Easy Analogy

πŸ‘‰ IAM is like a building security system:

  • Members = People
  • Roles = Access cards
  • Resources = Rooms

✅ One-Line Summary

πŸ‘‰ Google IAM controls who can access what resources and what actions they can perform in the cloud.

 

πŸ” Required Permission (Simple Answer)

πŸ‘‰ The key permission is:

resourcemanager.projects.setIamPolicy

This allows a user to:

  • Add users
  • Remove users
  • Change roles

🎯 Recommended Roles

✅ 1. Project IAM Admin (Best Practice)

Role:
πŸ‘‰ roles/resourcemanager.projectIamAdmin

✔ Can:

  • Add/remove users
  • Assign roles
  • Manage IAM policies

❌ Cannot:

  • Modify billing
  • Access all resources like Owner

πŸ‘‰ This is the most recommended role

⚠️ 2. Owner (Full Access)

Role:
πŸ‘‰ roles/owner

✔ Can:

  • Do everything (including IAM)

❌ Risk:

  • Too much access (not recommended for security)

πŸ›‘ 3. Editor / Viewer

  • Editor ❌ cannot manage IAM
  • Viewer ❌ read-only

🧠 Simple Explanation

πŸ‘‰ To create users, a person must have:
permission to change IAM policies

🏒 Real-World Recommendation

Use:

πŸ‘‰ Project IAM Admin

Because:

  • Secure
  • Limited access
  • Follows best practices

πŸ“Œ Example

If you assign:

user1@gmail.com → Project IAM Admin

πŸ‘‰ That user can:

  • Add new users
  • Assign roles
  • Manage access

⚠️ Important Security Tip

✔ Always follow least privilege principle
✔ Avoid giving Owner role unless necessary

✅ One-Line Answer

πŸ‘‰ To allow a user to create/manage other users, assign Project IAM Admin role (roles/resourcemanager.projectIamAdmin).

 

at

No comments:

Post a Comment