GCP: Identity and Access Management


Identity and Access Management (IAM) lets administrators authorize who can take action on specific resources. An IAM policy has a "who" part, a "can do what" part, and an "on which resource" part.

"Who" part: The "who" part names the member or members the policy applies to. A member can be a Google account, a Google group, a service account, a Google Workspace (formerly G Suite) domain, or a Cloud Identity domain. Two special members also exist, allUsers and allAuthenticatedUsers; a binding that names either of them makes the role public, so they deserve a dedicated check when you review a policy.

"Can do what" part: The "can do what" part is defined by an IAM role. An IAM role is a collection of permissions. Most of the time, doing anything meaningful takes more than one permission. For example, to manage instances in a project you need permissions to create, delete, start, stop, and change an instance. Grouping those permissions into a role makes them easier to manage.

There are three kinds of roles in Cloud IAM.

  • Basic roles (called primitive roles in older documentation) are broad. You apply them to a GCP project and they affect all resources in that project. These are the owner, editor, and viewer roles. If you're a viewer on a given resource, you can examine it but not change its state. If you're an editor, you can do everything a viewer can do, plus change its state. If you are an owner, you can do everything an editor can do, plus manage roles and permissions on the resource. The owner role on a project also lets you do one more thing: set up billing. Often a company wants someone to control the billing for a project without the right to change the resources in it, and that is what the billing administrator role is for. Be careful: if several people work together on a project that contains sensitive data, basic roles are almost certainly too coarse, and an editor or owner binding on a service account hands that whole surface to anything that can obtain the account's credentials.
  • Predefined roles: GCP IAM also provides finer-grained roles. Each GCP service offers its own set of predefined roles. For example, Compute Engine offers a set of predefined roles, and you can apply them to Compute Engine resources in a given project, a given folder, or an entire organization.
  • Custom roles: These let you create your own roles from permissions you select, at the organization or project level. The caveat is maintenance: a custom role is not updated when a service adds new permissions, so you own keeping it current.

"On which resource" part: This is the resource the policy is attached to. Policies are inherited down the resource hierarchy (organization, then folder, then project, then the individual resource), so a role granted on a folder applies to every project inside it, and the effective policy on a resource is the union of its own policy and the policies of everything above it. A policy set lower in the hierarchy cannot take away a role granted higher up, which is why a review has to look at the parent levels as well as the project.
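The three parts above are what a real IAM policy document contains: a list of bindings, each pairing one role with the members who hold it, attached to a resource. The script below is an added example written for this page, not code from the original article or from Google. It audits a constructed policy for the coarse bindings the text warns about (basic roles, and the public members allUsers and allAuthenticatedUsers) and inverts it into a member-to-roles view. The sample policy, project name, e-mail addresses and etag are made up; the document shape is the one `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
"""Audit a GCP IAM policy document for basic roles and public members.

Added example for this page. SAMPLE_POLICY below is constructed for
illustration; the addresses, project id and etag are not real.
"""
import json
from collections import defaultdict

# Basic roles (the article's "primitive roles"): coarse and project-wide.
BASIC_ROLES = {
    "roles/owner": "high",
    "roles/editor": "high",
    "roles/viewer": "medium",
}
# Special members that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXyz123abc=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "group:platform-admins@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["user:bob@example.com", "domain:example.com"]},
    ],
})


def parse_policy(text):
    """Load a policy JSON document and check each binding has role and members."""
    policy = json.loads(text)
    for binding in policy.get("bindings", []):
        if "role" not in binding or "members" not in binding:
            raise ValueError("binding missing 'role' or 'members': %r" % binding)
    return policy


def roles_by_member(policy):
    """Invert the bindings: member -> sorted list of roles granted on this resource."""
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            out[member].add(binding["role"])
    return {member: sorted(roles) for member, roles in out.items()}


def audit_policy(policy):
    """Return findings for basic-role bindings and public members, worst first."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append({"severity": "critical", "role": role, "member": member,
                                 "reason": "role is granted to %s (public)" % member})
            if role in BASIC_ROLES:
                findings.append({"severity": BASIC_ROLES[role], "role": role,
                                 "member": member,
                                 "reason": "basic role applies to every resource in the project"})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]],
                                           f["role"], f["member"]))


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for member, roles in sorted(roles_by_member(policy).items()):
        print("%-70s %s" % (member, ", ".join(roles)))
    print()
    for f in audit_policy(policy):
        print("[%s] %s -> %s: %s" % (f["severity"], f["role"], f["member"], f["reason"]))
```

Point the parser at the output of `gcloud projects get-iam-policy PROJECT --format=json` to run it against a real project; remember that the result only shows the policy on that one resource, so repeat it for the parent folder and organization to see the inherited bindings.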

By Shekhar Pandey