Why it matters

IAM is the top control plane for security. Getting it right prevents most breach patterns. GCP's hierarchical model is often cleaner than AWS's for organizations that map to it well.

Advertisement

The architecture

Principals are users (Google accounts), groups, service accounts, and workload identities. Service accounts are especially important — they're the identity of running code.

Roles are collections of permissions. Predefined roles (roles/storage.admin, roles/compute.viewer) cover common cases. Custom roles let you define your own permission bundles.

GCP IAM modelPrincipalsusers + SAs + groupsRolespredefined + customResourceswith policy attachedPolicies attach to resources; roles bundle permissions; principals are granted roles
IAM triangle.
Advertisement

How it works end to end

IAM policies attach to resources. A policy is a set of bindings: (role, principal) pairs. Policies are inherited: a role granted at the folder level applies to every project in the folder and every resource in those projects.

Conditional bindings add context: time-of-day restrictions, resource-tag restrictions, IP-address restrictions.

Workload Identity Federation lets external identities (AWS, Azure, on-prem) assume GCP service accounts without service account keys.