
Google Cloud IAM Tutorial

Introduction to IAM

Identity and Access Management (IAM) in Google Cloud is a critical component for managing access to resources. IAM enables you to control who (users) has what access (roles) to which resources. By using IAM, you can enforce the principle of least privilege, ensuring users have the minimum level of access necessary to perform their jobs.

IAM Concepts

Understanding the core concepts of IAM is essential for implementing effective security policies. The key concepts include:

  • Members: Entities that interact with Google Cloud resources. Members can be Google accounts, service accounts, Google groups, or domains.
  • Roles: A collection of permissions. Roles define what actions a member can perform.
  • Policies: Bindings of members to roles. Policies define who has what role.
  • Permissions: Specific actions that can be performed on resources. Permissions are assigned to roles.

Getting Started with IAM

To start using IAM, you need to have a Google Cloud account and a project. Follow these steps to set up IAM:

Step 1: Create a Project

Go to the Google Cloud Console and create a new project.

gcloud projects create my-new-project --name="My New Project"

Step 2: Enable Billing

Enable billing for your project to utilize Google Cloud resources.

gcloud beta billing projects link my-new-project --billing-account=XXXXXX-XXXXXX-XXXXXX

Managing IAM Roles and Policies

Roles and policies are fundamental to IAM. Follow these steps to manage them:

Step 1: Assigning a Role to a Member

To assign a role to a member, use the following command:

gcloud projects add-iam-policy-binding my-new-project --member='user:email@example.com' --role='roles/editor'

Step 2: Viewing IAM Policies

To view the IAM policies of your project, use the following command:

gcloud projects get-iam-policy my-new-project

{
  "bindings": [
    {
      "members": [
        "user:email@example.com"
      ],
      "role": "roles/editor"
    }
  ]
}

Step 3: Removing a Member from a Role

To remove a member from a role, use the following command:

gcloud projects remove-iam-policy-binding my-new-project --member='user:email@example.com' --role='roles/editor'

Custom Roles

While predefined roles cover many use cases, custom roles can be created for specific needs. Follow these steps to create a custom role:

Step 1: Define a Custom Role

Create a JSON file to define the custom role:

{
  "title": "Custom Role",
  "description": "A custom role with specific permissions",
  "stage": "GA",
  "includedPermissions": [
    "resourcemanager.projects.get",
    "resourcemanager.projects.list"
  ]
}

Step 2: Create the Custom Role

Use the following command to create the custom role:

gcloud iam roles create customRole --project=my-new-project --file=custom-role.json

Step 3: Assign the Custom Role

Use the following command to assign the custom role to a member:

gcloud projects add-iam-policy-binding my-new-project --member='user:email@example.com' --role='projects/my-new-project/roles/customRole'

Service Accounts

Service accounts are special accounts used by applications or virtual machines (VMs) to access Google Cloud services. Follow these steps to manage service accounts:

Step 1: Create a Service Account

Use the following command to create a service account:

gcloud iam service-accounts create my-service-account --display-name="My Service Account"

Step 2: Assign Roles to the Service Account

Assign roles to the service account using the following command:

gcloud projects add-iam-policy-binding my-new-project --member='serviceAccount:my-service-account@my-new-project.iam.gserviceaccount.com' --role='roles/editor'

Step 3: Create and Download Service Account Keys

Create a key for the service account and download it using the following command:

gcloud iam service-accounts keys create ~/key.json --iam-account=my-service-account@my-new-project.iam.gserviceaccount.com

Best Practices

Following IAM best practices helps ensure the security and manageability of your Google Cloud environment. Some best practices include:

  • Follow the principle of least privilege by granting only the permissions necessary for a member to perform their tasks.
  • Regularly review and audit IAM policies and roles.
  • Use service accounts for automated processes and applications instead of user accounts.
  • Organize your resources with projects, folders, and organizations to simplify policy management.
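The review step above can be automated against the policy JSON that Step 2 of "Managing IAM Roles and Policies" showed. The following script is an added example, not part of this tutorial; the policy it inspects is constructed sample data in the same shape as the `gcloud projects get-iam-policy` output, and the role and member names are the ones used in this tutorial.

```python
"""Audit a Google Cloud IAM project policy (the JSON printed by
`gcloud projects get-iam-policy`) for bindings that violate least privilege.
Added example, not part of the original tutorial; SAMPLE_POLICY is
constructed sample data, not the output of a real project."""
import json

# Basic roles grant broad permissions across every service in the project;
# they are the first thing to flag when reviewing bindings.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Bindings to these principals make the resource public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policy: one basic-role binding, one public binding,
# and one custom-role binding that should pass the review.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:email@example.com",
                     "serviceAccount:my-service-account@my-new-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "projects/my-new-project/roles/customRole",
         "members": ["group:auditors@example.com"]},
    ],
    "etag": "BwXconstructedEtag=",  # constructed placeholder value
    "version": 1,
})


def audit_policy(policy_json: str) -> list[str]:
    """Return one finding per (member, role) pair that needs review.

    Public principals are reported first for a binding, then any member
    holding a basic role; custom and predefined roles produce no finding.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {member} holds {role}")
            elif role in BASIC_ROLES:
                kind = member.split(":", 1)[0]  # user, group, serviceAccount, ...
                findings.append(f"BASIC_ROLE: {kind} {member} holds {role}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

To run it against a real project, feed `audit_policy` the output of `gcloud projects get-iam-policy my-new-project --format=json`.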

Conclusion

Google Cloud IAM is a powerful tool for managing access to your cloud resources. By understanding and implementing IAM concepts, roles, policies, and best practices, you can ensure that your Google Cloud environment is secure and well-managed.