
IAM Roles and Permissions

Explore how IAM roles and permissions govern access to Google Cloud resources in this lesson. Understand the differences between primitive, predefined, and custom roles, and learn how to assign permissions correctly to manage security. This knowledge is essential for controlling access and avoiding common permission errors in your projects.

IAM is an important topic on the GCP Associate Cloud Engineer Exam. You should know which role to assign for which task, because most access problems come down to wrong permissions. This lesson is therefore crucial for learning how to control IAM with confidence.

As you read in the last lesson, IAM controls who can do what on which resource. So, let’s break this sentence down into IAM components.

  • Who: Members
  • Can do what: Permissions and Roles
  • On which resource: Services

Let’s look at each component in detail.

Permissions

Permissions are the building blocks of IAM. A permission defines what can be done on which resource. The format of a permission is service.resource.verb. For example, the compute.instances.stop permission allows stopping a VM; a user who doesn’t have this permission is unable to stop instances.

We cannot create new permissions. All the required permissions are created by Google Cloud and are specific to each resource.

Roles

A role is a group of permissions you can assign to members/users. You can create a “role” and add “permissions” to it or copy an existing “role” and adjust its “permissions.”

IAM has three types of roles.

  1. Primitive roles
  2. Predefined roles
  3. Custom roles

Let’s see each of them in brief.

Primitive roles

Primitive roles are roles historically available in the Google Cloud Console. These roles are the owner, editor, and viewer.

Caution: Basic roles (the primitive roles listed above) include thousands of permissions across all Google Cloud services. In production environments, do not grant the “basic roles” unless there is no alternative. Instead, grant the “predefined roles” or the “custom roles” that meet your needs.

Predefined roles

Google Cloud has already created predefined roles for the most frequently used job functions in an organization. These roles are specific to individual services and resources. Consider Compute Admin. This role is defined as compute.instanceAdmin and has multiple permissions bundled inside it.

Predefined roles allow us to follow the most important principle of GCP, the "principle of least privilege."

This principle states that a user should be given only the required permission, and no extra permission should be given.

Custom roles

If predefined roles don’t satisfy your requirements, you can create custom roles by combining more than one permission or by modifying predefined roles.

One thing to note is that custom roles cannot be applied at the folder level.

Custom roles are a great way to grant permissions for a newly created or unconventional job function in an organization. However, these roles need to be managed by the organization or by whoever holds this responsibility.

Keep in mind that GCP does not maintain custom roles for you: keeping their permission lists correct and up to date is your responsibility.
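As an added example (not part of this lesson or any Google tool), the script below audits a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` exports: it classifies each binding as basic, predefined or custom, flags basic-role grants that violate least privilege, and splits a permission string into its service.resource.verb parts. The policy contents, members and the custom role name `vmStopper` are constructed for illustration.

```python
import json

# Basic ("primitive") roles the lesson warns against granting in production.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (members, project and role names are made up).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:bob@example.com"]},
        {"role": "projects/example/roles/vmStopper", "members": ["group:ops@example.com"]},
    ],
    "etag": "BwXexample=",
    "version": 1,
})


def classify_role(role: str) -> str:
    """Return 'basic', 'custom' or 'predefined' for an IAM role name."""
    if role in BASIC_ROLES:
        return "basic"
    # Custom roles live under projects/<id>/roles/<name> or organizations/<id>/roles/<name>.
    if "/roles/" in role:
        return "custom"
    return "predefined"


def parse_permission(permission: str) -> dict:
    """Split a permission such as compute.instances.stop into service, resource and verb."""
    parts = permission.split(".")
    if len(parts) < 3:
        raise ValueError(f"not a service.resource.verb permission: {permission}")
    return {"service": parts[0], "resource": ".".join(parts[1:-1]), "verb": parts[-1]}


def find_basic_role_bindings(policy_json: str) -> list:
    """Return (role, member) pairs where a basic role is granted."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        if classify_role(binding["role"]) == "basic":
            for member in binding.get("members", []):
                findings.append((binding["role"], member))
    return findings


if __name__ == "__main__":
    for role, member in find_basic_role_bindings(SAMPLE_POLICY):
        print(f"{role} granted to {member}: replace with a predefined or custom role")
```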

This is enough about roles and permissions. In the next lesson, you will learn about IAM roles and types of members.