Cloud IAM policy Google Professional Data Engineer GCP

  • Used to grant roles to users by creating a Cloud IAM policy.
  • A policy is a collection of statements defining who has what type of access.
  • It is attached to a resource.
  • It is used to enforce access control whenever that resource is accessed.
  • It is represented by the Cloud IAM Policy object.
  • A Cloud IAM Policy object consists of a list of bindings.
  • A binding binds a list of members to a role.
    • role: the role you want to grant to the members, specified as roles/service.roleName.
    • members: a list of one or more identities, each identified by a type prefix such as serviceAccount: for a service account.

Cloud IAM and policy APIs

  • Cloud IAM provides a set of methods to create and manage access control policies.
  • These policies are applicable to GCP resources.
  • The methods are exposed by the services that support Cloud IAM.
  • The Cloud IAM methods are:
    • setIamPolicy(): Sets policies on resources.
    • getIamPolicy(): Gets a policy that was previously set.
    • testIamPermissions(): Tests whether the caller has the specified permissions for a resource.


Resource hierarchy

  • Resources are organized hierarchically:
    • The organization is the root node in the hierarchy.
    • Folders are children of the organization.
    • Projects are children of the organization, or of a folder.
    • Resources for each service are descendants of projects.
  • Each resource has exactly one parent.
  • You can set a Cloud IAM policy at any level in the resource hierarchy.
  • Resources inherit the policies of the parent resource.
  • A policy set at the organization level is automatically inherited by its child projects; the effective policy for a resource is the union of the policy set on that resource and the policies inherited from all of its ancestors.
  • This policy inheritance is transitive.
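The following Python script is an added illustration of the two ideas above (the binding structure of a Policy object, and the union of policies down the resource hierarchy); it is not code from Google or from the Cloud IAM client library. It works on plain dicts in the same JSON shape the Cloud IAM API returns, so it runs offline: the organization/folder/project policies, the parent map, and the role-to-permission table are all constructed sample data (real predefined roles carry many more permissions). `add_member` shows the read-modify-write step a caller performs between getIamPolicy() and setIamPolicy(), and `has_permission` mimics a testIamPermissions()-style check against the effective, inherited bindings.

```python
"""Model of a Cloud IAM Policy object and of policy inheritance through the
resource hierarchy.  Added example using plain dicts in the API's JSON shape
(a "bindings" list of {"role", "members"}); not the google-cloud library."""
from copy import deepcopy

# Constructed sample policies, one per level of a constructed hierarchy.
ORG_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
]}
FOLDER_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:etl@my-project.iam.gserviceaccount.com"]},
]}
POLICIES = {
    "organizations/1": ORG_POLICY,
    "folders/2": FOLDER_POLICY,
    "projects/my-project": PROJECT_POLICY,
}
# Constructed hierarchy: each resource has exactly one parent (root -> None).
PARENT = {
    "organizations/1": None,
    "folders/2": "organizations/1",
    "projects/my-project": "folders/2",
}
# Hypothetical, deliberately small role -> permission table for the check.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list"},
    "roles/editor": {"storage.objects.get", "storage.objects.list",
                     "storage.objects.create"},
}
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:",
                   "allUsers", "allAuthenticatedUsers")


def validate_policy(policy):
    """Return a list of problems (empty means OK): every binding must name a
    roles/... role and every member must carry an identity-type prefix."""
    problems = []
    for b in policy.get("bindings", []):
        if not b.get("role", "").startswith("roles/"):
            problems.append(f"bad role {b.get('role')!r}")
        for m in b.get("members", []):
            if not m.startswith(MEMBER_PREFIXES):
                problems.append(f"unprefixed member {m!r}")
    return problems


def add_member(policy, role, member):
    """Read-modify-write step between getIamPolicy() and setIamPolicy():
    add `member` to the binding for `role`, creating the binding if absent.
    Returns a new policy and leaves the input untouched."""
    new = deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def effective_bindings(resource, policies):
    """Union of the policy on `resource` with every ancestor's policy
    (inheritance is transitive), as {role: set(members)}."""
    merged = {}
    node = resource
    while node is not None:
        for b in policies.get(node, {}).get("bindings", []):
            merged.setdefault(b["role"], set()).update(b["members"])
        node = PARENT[node]
    return merged


def has_permission(member, permission, resource, policies):
    """testIamPermissions()-style check over the effective bindings."""
    for role, members in effective_bindings(resource, policies).items():
        if member in members and permission in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


if __name__ == "__main__":
    for role, members in sorted(effective_bindings("projects/my-project", POLICIES).items()):
        print(role, sorted(members))
    # Auditors only hold roles/viewer (granted at the org), so no create:
    print(has_permission("group:auditors@example.com", "storage.objects.create",
                         "projects/my-project", POLICIES))
```

Two points worth noticing when running it: the project inherits alice's roles/editor grant from the folder even though the project policy never mentions her, and that same grant does not flow upward, so a check against organizations/1 for alice fails. Inherited grants cannot be revoked at a lower level, which is why a wide binding at the organization or folder level deserves the most scrutiny.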