Identity and Access Management (IAM)
Security is the foundation of any public cloud platform. In GCP, access control is built on Cloud IAM.
IAM answers three questions: who (the identity) has what access (the role) to which resource.
Service Accounts
Where a regular developer account represents a human working with infrastructure, a Service Account represents a machine (an application or workload) and is granted permissions in the same way.
You attach a service account to a virtual machine or a serverless trigger. Any application running there then authenticates as that service account and operates with exactly the permissions granted to it.
IAM Roles
Roles determine which API permissions an identity is granted.
- Basic Roles: legacy roles (Owner, Editor, Viewer) that grant extremely broad permissions across the entire parent project. Granting Basic Roles in production environments is strongly discouraged.
- Predefined Roles: Google-maintained roles scoped to a single service with a narrow set of permissions (e.g. Storage Object Creator).
- Custom Roles: roles assembled by the developer from individual API permissions, so they contain only what the workload needs.
Principle of Least Privilege: never grant an entity (human or Service Account) more permissions than it strictly requires.
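To make the role categories and the least-privilege rule concrete, here is an added audit script (not part of the original page and not Google's own tooling). It takes a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, classifies each binding's role as basic, predefined or custom, and reports every principal (the "who") that holds a Basic Role (the "what") on the project (the "which"), flagging service accounts separately because those bindings are inherited by every workload running as that account. The sample policy, project id and principal names are constructed placeholders; the role ids `roles/owner`, `roles/editor`, `roles/viewer` and `roles/storage.objectCreator` are the real identifiers behind the role names used above.

```python
"""Audit a GCP project IAM policy for Basic Role bindings.

Added example, not from the original page. Assumes the policy is the JSON
document produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json
from typing import Dict, List

# The three Basic (primitive) roles. They apply to the whole project and
# should not appear in a production policy.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy; project id and principals are placeholders.
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwX-example-etag",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:app-vm@my-project.iam.gserviceaccount.com",
                 "user:bob@example.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:uploader@my-project.iam.gserviceaccount.com"]},
    {"role": "projects/my-project/roles/logReader",
     "members": ["serviceAccount:app-vm@my-project.iam.gserviceaccount.com"]}
  ]
}
"""


def classify_role(role: str) -> str:
    """Return 'basic', 'custom' or 'predefined' for an IAM role id.

    Custom roles live under a project or organization
    (projects/PROJECT_ID/roles/ROLE_ID, organizations/ORG_ID/roles/ROLE_ID);
    everything else under roles/ is a Google-maintained predefined role.
    """
    if role in BASIC_ROLES:
        return "basic"
    if role.startswith(("projects/", "organizations/")):
        return "custom"
    return "predefined"


def find_basic_role_bindings(policy: Dict) -> List[Dict[str, object]]:
    """One finding per (member, Basic Role) pair in the policy.

    Each finding records who (member) holds what (role); the resource is
    the project the policy was fetched from.
    """
    findings: List[Dict[str, object]] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if classify_role(role) != "basic":
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                # Service-account bindings are inherited by every workload
                # that runs as that account, so they deserve extra scrutiny.
                "is_service_account": member.startswith("serviceAccount:"),
            })
    return findings


def roles_by_member(policy: Dict) -> Dict[str, List[str]]:
    """Map each principal to the sorted list of roles it holds."""
    result: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result.setdefault(member, []).append(binding["role"])
    return {m: sorted(roles) for m, roles in result.items()}


def audit_policy_json(policy_json: str) -> List[Dict[str, object]]:
    """Parse a policy document and return its Basic Role findings."""
    return find_basic_role_bindings(json.loads(policy_json))


if __name__ == "__main__":
    for finding in audit_policy_json(SAMPLE_POLICY_JSON):
        kind = "service account" if finding["is_service_account"] else "user"
        print(f"{kind:15} {finding['member']} holds {finding['role']}")
```

Run against a real project with `gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json` and feed the file to `audit_policy_json`. Each finding is a candidate for replacement with a predefined or custom role that covers only the permissions the principal actually uses; the `roles_by_member` view helps spot principals that already hold a narrow role alongside a Basic one, where the Basic binding can usually just be removed.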