Identity and Access Management (IAM) enables administrators to control the usage of resources: administrators decide who can take which actions on which resources. IAM is one of the most important aspects and features of Google Cloud.


The working of IAM can be described by three Ws (3Ws):

  • Who: the person, group or service account that is given access.
  • What: the actions (permissions, grouped into roles) that are allowed.
  • Which: the resource, or part of the resource hierarchy, the access applies to.

These 3Ws define the responsibilities under IAM. IAM has various policies that let resources be used in an efficient manner, and it lets administrators choose who can take action on specific resources. An IAM policy lets us define who can do what on which resource.


The who part lets us choose the person to whom we want to give responsibility, or which persons we want to include in our Google Cloud project.



Permissions are grouped together into an IAM role, and the IAM role defines the what part. After defining who, we define the type of actions these persons can perform, for example which person can update a project. The what part lets us assign various types of tasks and responsibilities to the people selected at the who stage, for example starting, stopping or deleting a VM instance.



Which defines the resources, and the actions authorized on those resources, for the Who. When the administrator gives a group account, a user account or a service account permissions in the form of an IAM role on a particular part of the resource hierarchy, the resulting policy applies to the element the administrator chose, and it also applies to every element below it in the hierarchy.

IAM Roles

There are three types of IAM roles.


Primitive Roles

Primitive roles apply to all the Google Cloud services in a project, so they have a wide reach. When a primitive role is applied to a Google Cloud Platform (GCP) project, the change is reflected in every segment and part of that project.

  • Primitive roles offer fixed levels of access, and each level has its own responsibilities and capabilities. The roles are Owner, Editor and Viewer.
  • The viewer of a resource can examine and understand it, but cannot modify it.
  • The editor can perform every task of the viewer, and in addition can modify the resource.
  • The owner can perform every task of the editor, and in addition can manage the permissions of the resource and manage the billing.
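The following is an added example, not code from the original post: a small Python model of how an IAM policy answers "who can do what on which resource". It covers the three points made above: the who part (users, groups and service accounts), the nesting of the primitive roles (Owner contains Editor, which contains Viewer), and the way a binding made high in the resource hierarchy flows down to everything below it but never upwards. The hierarchy, the members and the group memberships are constructed sample values; the role contents are abbreviated for illustration (real roles hold many more permissions), although the permission and role names used are real Google Cloud ones.

```python
# Added example: a toy evaluator for IAM bindings in a resource hierarchy.
# Everything below is constructed sample data; role contents are abbreviated.

# Primitive roles as permission sets: each level contains the one below it.
VIEWER_PERMS = {"compute.instances.get", "compute.instances.list"}
EDITOR_PERMS = VIEWER_PERMS | {"compute.instances.start", "compute.instances.stop"}
OWNER_PERMS = EDITOR_PERMS | {"resourcemanager.projects.setIamPolicy"}

ROLES = {
    "roles/viewer": VIEWER_PERMS,
    "roles/editor": EDITOR_PERMS,
    "roles/owner": OWNER_PERMS,
    # A predefined role scoped to one service (abbreviated contents).
    "roles/compute.instanceAdmin": EDITOR_PERMS | {
        "compute.instances.create", "compute.instances.delete",
    },
}

# Constructed hierarchy: organization -> folder -> project -> VM instance.
# Each resource maps to its parent; the organization has none.
PARENT = {
    "organizations/123456": None,
    "folders/789": "organizations/123456",
    "projects/demo-project": "folders/789",
    "projects/demo-project/instances/web-1": "projects/demo-project",
}

# Constructed group membership (the "who" part can be a group).
GROUPS = {
    "group:auditors@example.com": {"user:bob@example.com"},
}

# Constructed bindings: resource -> list of {role, members}.
POLICIES = {
    "organizations/123456": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "projects/demo-project": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/compute.instanceAdmin",
         "members": ["serviceAccount:ops@demo-project.iam.gserviceaccount.com"]},
    ],
}


def identities_of(member):
    """The member itself plus every group it belongs to."""
    return {member} | {g for g, users in GROUPS.items() if member in users}


def effective_permissions(member, resource):
    """Union of permissions from bindings on the resource and all its ancestors.

    Walking upward through PARENT is what makes a binding set on the
    organization apply to the instance three levels below it.
    """
    idents = identities_of(member)
    perms = set()
    node = resource
    while node is not None:
        for binding in POLICIES.get(node, []):
            if idents & set(binding["members"]):
                perms |= ROLES[binding["role"]]
        node = PARENT[node]
    return perms


def is_allowed(member, permission, resource):
    """True if the member holds the permission on the resource."""
    return permission in effective_permissions(member, resource)


if __name__ == "__main__":
    vm = "projects/demo-project/instances/web-1"
    for who, what in [("user:bob@example.com", "compute.instances.get"),
                      ("user:bob@example.com", "compute.instances.stop"),
                      ("user:alice@example.com", "compute.instances.stop")]:
        print(who, what, is_allowed(who, what, vm))
```

Note how bob, who appears only in a group bound at the organization, can view the instance but not stop it, while alice's Editor binding on the project does not grant her anything on the folder above it.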

Predefined Roles

Predefined roles are applicable to a particular Google Cloud Platform (GCP) service in the project.


Examples of the fine-grained permissions a predefined role can contain include:
-Reading the configurations
-Changing the configurations
-Starting the configurations
-Stopping the configurations

Custom Roles

An Identity and Access Management (IAM) custom role lets a user define a precise set of permissions.

What if we require something even finer-grained than a predefined role? We can make use of custom roles for this purpose. Many organizations opt for a model in which each person in the organization is given the minimum amount of privilege needed to do his or her task. Some important points about custom roles are:

-The permissions defined under a custom role have to be managed by the user who defines it.
-Custom roles can be applied only at the project or organization level, not at the folder level.
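As an added example (not code from the original post), the Python below builds a least-privilege custom role from the permissions a task actually needs and checks the two points just listed: it shows how much a broad predefined role would grant beyond the task, and it refuses to place a custom role under a folder. The permission names are real Compute Engine permission names, but the contents of the predefined role are abbreviated for illustration, and the project and role ids are constructed. The returned dictionary follows the field names of the IAM `Role` resource (`title`, `description`, `stage`, `includedPermissions`), which is also the layout accepted by `gcloud iam roles create --file`.

```python
# Added example: deriving a minimal custom role and validating where it may live.

# Abbreviated, illustrative contents of a broad predefined role.
INSTANCE_ADMIN_PERMS = {
    "compute.instances.get", "compute.instances.list",
    "compute.instances.start", "compute.instances.stop",
    "compute.instances.create", "compute.instances.delete",
    "compute.instances.setMetadata",
}

# What an "operator who restarts VMs" task actually needs (constructed).
RESTART_TASK_PERMS = [
    "compute.instances.get", "compute.instances.list",
    "compute.instances.start", "compute.instances.stop",
]


def excess_permissions(needed, broad_role):
    """Permissions the broad role grants that the task does not need."""
    return broad_role - set(needed)


def missing_permissions(needed, role):
    """Permissions the task needs that the role does not contain."""
    return set(needed) - role


def custom_role(role_id, parent, title, permissions, description=""):
    """Return a custom role definition for the given parent.

    Custom roles exist only under a project or an organization, so any other
    parent (a folder, for example) is rejected before anything is built.
    """
    if not (parent.startswith("projects/") or parent.startswith("organizations/")):
        raise ValueError(
            f"custom roles cannot be created under {parent!r}; "
            "use a project or an organization"
        )
    return {
        "name": f"{parent}/roles/{role_id}",
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": sorted(set(permissions)),
    }


def restart_operator_role(parent="projects/demo-project"):
    """Least-privilege role for the restart task, built from RESTART_TASK_PERMS."""
    return custom_role(
        "vmRestarter", parent, "VM Restarter", RESTART_TASK_PERMS,
        description="Start, stop and inspect instances; no create/delete.",
    )


if __name__ == "__main__":
    role = restart_operator_role()
    print(role["name"], role["includedPermissions"])
    print("granted by instanceAdmin but not needed:",
          sorted(excess_permissions(RESTART_TASK_PERMS, INSTANCE_ADMIN_PERMS)))
    try:
        restart_operator_role("folders/789")
    except ValueError as err:
        print("rejected:", err)
```

The difference printed by `excess_permissions` is the concrete argument for a custom role: the broad predefined role would also let the operator create, delete and change metadata on instances, none of which the task requires.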



Sometimes a user may want to give permissions to a Compute Engine instance instead of to a person. For this, GCP provides service accounts. Service accounts are named with an email address, but instead of passwords they use cryptographic keys to access resources.

Service Account and Identity and Access Management (IAM)

The administrator can give different groups of Virtual Machines (VMs) different identities within a project. This makes it easier to manage the permissions of each group individually, and the permissions can be changed without recreating the VMs.


Managing GCP Services

Commonly, GCP users log into the GCP console with a Gmail account and use Google Groups to bring together the people performing the same role. This approach has a disadvantage: it does not let an organization manage the identities of its team centrally. For instance, if someone leaves the organization, there is no centralized way to remove that person's access to the organization's GCP resources immediately.


GCP customers who are also G Suite customers can define GCP policies in terms of G Suite users and groups. This way, the administrator can disable the account of a person who has left the organization and, using the Google Cloud Admin Console, remove them from Google Groups.
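The offboarding gap described above can be checked for from the IAM side as well. The Python below is an added example, not from the original post: it reads a project policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, compares the `user:` members against the accounts still active in the organization's directory, and flags bindings that reference a departed user or an account outside the managed domain (a personal Gmail address, for instance). It then produces a cleaned policy with those members removed, which is the document an administrator would apply back. The policy, the active-user list and the domain are constructed sample values.

```python
# Added example: finding and removing stale user bindings in an IAM policy.
import json

# Constructed sample policy in the layout of `gcloud projects get-iam-policy`.
POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",  "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["user:carol@gmail.com",
                                         "user:bob@example.com",
                                         "group:devs@example.com"]},
    {"role": "roles/viewer", "members": ["user:dave@example.com",
                                         "serviceAccount:ops@demo-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 1
}
"""

# Constructed: accounts the directory (G Suite / Cloud Identity) still lists as active.
ACTIVE_USERS = {"alice@example.com", "dave@example.com"}
MANAGED_DOMAIN = "example.com"


def audit_user_bindings(policy_json, active_users, managed_domain):
    """Return (member, role, reason) for every user binding that should not exist.

    Groups and service accounts are skipped on purpose: group membership is
    audited in the directory, and service accounts are not people.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy["bindings"]:
        for member in binding["members"]:
            kind, _, ident = member.partition(":")
            if kind != "user":
                continue
            domain = ident.rsplit("@", 1)[-1].lower()
            if domain != managed_domain:
                findings.append((member, binding["role"], "account outside managed domain"))
            elif ident not in active_users:
                findings.append((member, binding["role"], "departed user still bound"))
    return findings


def strip_members(policy_json, members_to_remove):
    """Return the policy as a JSON string with the given members removed.

    Bindings left with no members are dropped entirely; the etag is kept so
    the result can be applied with the usual read-modify-write check.
    """
    policy = json.loads(policy_json)
    cleaned = []
    for binding in policy["bindings"]:
        kept = [m for m in binding["members"] if m not in members_to_remove]
        if kept:
            cleaned.append({**binding, "members": kept})
    policy["bindings"] = cleaned
    return json.dumps(policy, indent=2)


def remediate(policy_json, active_users, managed_domain):
    """Audit the policy and return (findings, cleaned_policy_json)."""
    findings = audit_user_bindings(policy_json, active_users, managed_domain)
    stale = {member for member, _, _ in findings}
    return findings, strip_members(policy_json, stale)


if __name__ == "__main__":
    found, cleaned = remediate(POLICY_JSON, ACTIVE_USERS, MANAGED_DOMAIN)
    for member, role, reason in found:
        print(f"{member:45} {role:15} {reason}")
    print(cleaned)
```

In practice the active-user set would come from the directory (the same source Cloud Identity or Directory Sync maintains), so the check runs off the single place where a leaver is disabled rather than relying on someone remembering every project the person was granted access to.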

Cloud Identity

The same administrative services and capabilities are also available to GCP customers who are not G Suite users, through Cloud Identity. Cloud Identity lets a customer manage users and groups through the Google Admin Console, but the customer does not need to pay for G Suite collaboration products such as Gmail, Docs, Drive, and Calendar. Cloud Identity is available in a free and a premium edition.


With the help of Google Cloud Directory Sync, administrators can manage GCP resources using the usernames and passwords they already use. Google Cloud Directory Sync synchronizes the users and groups of your existing Active Directory or LDAP system with the users and groups in your Cloud Identity domain.

Hence, Identity and Access Management constitutes the most crucial part of a Google Cloud project. One should have a deep understanding of IAM before allocating resources to the persons one has chosen. Indeed, you are the one who decides everything in Google Cloud, which is one more reason to switch to this amazing product of the amazing company, 'Google'!

Written By : Mitali Bhalla
