When working with Google Cloud, controlling who can access what is critical. That’s where Identity and Access Management (IAM) policies come in.
Let’s break it down step-by-step in an easy way 👇
🧩 What is a Google Cloud IAM Policy?
An IAM Policy is like a set of access rules attached to a Google Cloud resource (like a Project, VM, or Bucket).
It decides who (identity) can do what (role/permission) on which resource.
🏗️ How IAM Policies Work (The Hierarchy)
Google Cloud resources are organized hierarchically like this:
```
Organization
├── Folder
│   └── Project
│       └── Cloud Resource (VM, Bucket, etc.)
```
You can attach an IAM Policy at any of these levels:
- Organization level
- Folder level
- Project level
- Resource level (for some services like Storage, Compute Engine)
✅ Key Concept:
Policies are inherited down the hierarchy.
That means:
If you give someone a role at the organization level, they’ll automatically have that access for all folders, projects, and resources inside it.
🧠 Example of Policy Inheritance
Imagine your company structure like this:
```
Company (Organization)
└── Department B (Folder)
    └── Team B (Folder)
        └── Product 1 (Project)
            └── Development VM (Resource)
```
If you set a policy at each level, the effective IAM policy for the “Development VM” is a combination (union) of all the policies above it:
Effective Policy = Company Policy + Department B Policy + Team B Policy + Product 1 Policy
So if the company allows viewer access and the project gives editor access,
the final (effective) permissions include both viewer and editor.
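To make the union rule concrete, here is an added example (not code from the original post) that walks the hierarchy above and computes the effective policy of the Development VM. The policies are constructed in the JSON shape `gcloud ... get-iam-policy --format=json` prints; every resource name and principal is made up. It also answers the two questions inheritance makes tricky in practice: at which level a grant actually lives (revoking at the wrong level changes nothing) and where broad basic roles are being inherited from.

```python
"""Computing the effective IAM policy of a resource from the hierarchy.

Added example, not code from the original post. Policies are constructed in
the JSON shape `gcloud ... get-iam-policy --format=json` prints; every
resource name and principal below is made up.
"""
from collections import defaultdict

# Constructed sample policies, one per node of the hierarchy in the post
# (Company > Department B > Team B > Product 1 > Development VM).
POLICIES = {
    "organizations/company": {
        "bindings": [
            {"role": "roles/viewer",
             "members": ["user:dev@example.com", "user:tester@example.com"]},
        ]
    },
    "folders/department-b": {
        "bindings": [
            {"role": "roles/compute.viewer", "members": ["group:dept-b@example.com"]},
        ]
    },
    "folders/team-b": {"bindings": []},
    "projects/product-1": {
        "bindings": [
            {"role": "roles/editor", "members": ["user:dev@example.com"]},
        ]
    },
    "compute/development-vm": {
        "bindings": [
            {"role": "roles/compute.instanceAdmin.v1",
             "members": ["user:tester@example.com"]},
        ]
    },
}

# Parent of each node; the organization is the root.
PARENT = {
    "compute/development-vm": "projects/product-1",
    "projects/product-1": "folders/team-b",
    "folders/team-b": "folders/department-b",
    "folders/department-b": "organizations/company",
    "organizations/company": None,
}

# Basic roles are broad; granting them high in the tree is the classic
# inheritance mistake, so the audit below flags them together with the level.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def ancestry(resource):
    """The resource followed by its ancestors, ending at the organization."""
    chain = []
    node = resource
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def effective_policy(resource):
    """Union of the bindings on the resource and on every ancestor, as
    {member: set(roles)}. Group membership is not expanded here."""
    grants = defaultdict(set)
    for node in ancestry(resource):
        for binding in POLICIES[node].get("bindings", []):
            for member in binding["members"]:
                grants[member].add(binding["role"])
    return dict(grants)


def where_granted(resource, member, role):
    """Every level at which `member` holds `role` for this resource. Revoking
    at one level leaves the inherited copies in place, so check all of them."""
    return [node for node in ancestry(resource)
            for b in POLICIES[node].get("bindings", [])
            if b["role"] == role and member in b["members"]]


def basic_role_grants(resource):
    """(level, role, member) triples where a basic role reaches the resource;
    a starting point for tightening to predefined roles."""
    return [(node, b["role"], m)
            for node in ancestry(resource)
            for b in POLICIES[node].get("bindings", [])
            if b["role"] in BASIC_ROLES
            for m in b["members"]]


if __name__ == "__main__":
    for member, roles in sorted(effective_policy("compute/development-vm").items()):
        print(member, sorted(roles))
    print(basic_role_grants("compute/development-vm"))
```

Running it shows `user:dev@example.com` ending up with both `roles/viewer` (from the organization) and `roles/editor` (from the project), which is exactly the union described above. Group expansion and IAM Conditions are deliberately out of scope; the real effective view for a principal is what the Policy Analyzer or Policy Troubleshooter computes.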
🎯 What’s Inside an IAM Policy?
An IAM Policy is a collection of Role Bindings.
A binding simply connects:
👤 One or more Members (Principals)
🎭 To a Role
📦 On a specific Resource
Example Binding (in YAML format)
```yaml
bindings:
  - members:
      - user:devops.engineer@gmail.com
    role: roles/compute.admin
```
This means the user devops.engineer@gmail.com has the Compute Admin role on that resource.
🧰 IAM Policy Commands (gcloud CLI)
You can add, view, or remove IAM policies using the gcloud command-line tool.
Let’s use an example project: gcplearn9
🔹 Add a Policy Binding
```bash
gcloud projects add-iam-policy-binding gcplearn9 \
  --member="user:gcpuser08@gmail.com" \
  --role="roles/storage.admin"
```
➡️ This gives gcpuser08@gmail.com the Storage Admin role on the gcplearn9 project.
🔹 View (Get) IAM Policy
```bash
gcloud projects get-iam-policy gcplearn9
```
➡️ This shows all current members and roles for that project.
🔹 Remove a Policy Binding
```bash
gcloud projects remove-iam-policy-binding gcplearn9 \
  --member="user:gcpuser08@gmail.com" \
  --role="roles/storage.admin"
```
➡️ This removes that user’s Storage Admin access from the project.
🔹 Replace or Set a New IAM Policy
```bash
gcloud projects set-iam-policy gcplearn9 policy.yaml
```
➡️ This replaces the entire IAM policy with the contents of policy.yaml, so any binding that is not listed in the file is removed.
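The four commands above are all variations on one read-modify-write cycle against the policy document, and the difference between `add-iam-policy-binding` (merge one member into one binding) and `set-iam-policy` (replace everything) is easiest to see in code. The following added example, not from the original post, simulates that cycle in memory: the policy server is a dictionary, the etag scheme is a stand-in for the opaque etag Google Cloud returns, and all members and project names are constructed.

```python
"""Read-modify-write of a project IAM policy (added example, not from the
original post). Mirrors what `gcloud projects add-iam-policy-binding` and
`remove-iam-policy-binding` do to the policy document, and what
`set-iam-policy` does with a file: the whole policy is replaced.
The server is simulated in memory; the etag scheme is a stand-in for the
opaque etag GCP returns; every member and project name is constructed."""
import copy
import hashlib
import json

# Constructed: current policy of the example project plus its etag, in the
# JSON shape `gcloud projects get-iam-policy --format=json` prints.
SERVER = {
    "etag": "etag-0",
    "policy": {
        "bindings": [
            {"role": "roles/owner", "members": ["user:admin@example.com"]},
            {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
        ]
    },
}


class StaleEtagError(Exception):
    """The policy being written was read before a newer version was saved."""


def get_policy(server=SERVER):
    """Like get-iam-policy: returns the policy together with its etag."""
    policy = copy.deepcopy(server["policy"])
    policy["etag"] = server["etag"]
    return policy


def set_policy(policy, server=SERVER):
    """Like set-iam-policy: replaces the ENTIRE policy. Bindings absent from
    `policy` are dropped, which is why you diff before writing. A stale etag
    is rejected so two concurrent editors cannot silently overwrite each other."""
    if policy.get("etag") != server["etag"]:
        raise StaleEtagError("policy changed since it was read; re-read and retry")
    body = {k: v for k, v in policy.items() if k != "etag"}
    server["policy"] = copy.deepcopy(body)
    # Simulated etag: a digest of the stored policy (the real one is opaque).
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    server["etag"] = digest[:12]
    return get_policy(server)


def add_binding(policy, member, role):
    """Like add-iam-policy-binding: merge into the unconditional binding for
    `role` if one exists, otherwise create it. Returns a new policy."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, member, role):
    """Like remove-iam-policy-binding: drop `member` from the binding for
    `role`, and drop the binding once it has no members. Returns a new policy."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new.get("bindings", []):
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
        if b["members"]:
            kept.append(b)
    new["bindings"] = kept
    return new


def grants(policy):
    """Flatten a policy into (member, role) pairs for comparison."""
    return {(m, b["role"]) for b in policy.get("bindings", []) for m in b["members"]}


def diff_policies(old, new):
    """What set_policy(new) would change relative to old: review this before
    replacing a policy from a file."""
    return {"added": sorted(grants(new) - grants(old)),
            "removed": sorted(grants(old) - grants(new))}


def grant_storage_admin(member, server=SERVER):
    """The sequence behind add-iam-policy-binding: read, modify, write."""
    current = get_policy(server)
    updated = add_binding(current, member, "roles/storage.admin")
    return set_policy(updated, server)


if __name__ == "__main__":
    before = get_policy()
    after = grant_storage_admin("user:gcpuser08@example.com")
    print(json.dumps(diff_policies(before, after), indent=2))
```

The `diff_policies` step is the part worth keeping in mind when using `set-iam-policy` with a hand-edited file: if the file was exported a while ago, the "removed" list will show every binding someone added in the meantime, and the stale etag check is what stops that file from overwriting them.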
🧭 Quick Recap
| Concept | Description | Example |
|---|---|---|
| IAM Policy | Collection of bindings (who → what → where) | Storage bucket policy |
| Binding | Connects members to roles | user → roles/viewer |
| Inheritance | Policy at a higher level applies to all children | Org → Project → Resource |
| Commands | Manage IAM via CLI | add-iam-policy-binding, get-iam-policy, etc. |
🚀 Real-World Example
You can imagine this like giving permissions in an office:
- Organization Policy: CEO has full access everywhere
- Folder Policy: IT Department has access to infrastructure projects
- Project Policy: Developers can manage Compute Engine
- Resource Policy: Tester has access to one VM
Every layer builds on top of the previous one — that’s IAM Policy inheritance in action!
🏁 Summary
- IAM Policies define access control on Google Cloud resources.
- They consist of role bindings (members + roles).
- Policies can be inherited from higher-level resources.
- Use gcloud commands to view, add, or remove policies.
- Always follow the principle of least privilege — give only what’s needed!
🌟 Thanks for reading! If this post added value, a like ❤️, follow, or share would encourage me to keep creating more content.
— Latchu | Senior DevOps & Cloud Engineer
☁️ AWS | GCP | ☸️ Kubernetes | 🔐 Security | ⚡ Automation
📌 Sharing hands-on guides, best practices & real-world cloud solutions