
IAM, principals and resources in GCP

In Google Cloud Platform (GCP), the concepts of principals and resources are central to understanding its Identity and Access Management (IAM) system. Here's a detailed explanation of these concepts:

Principals

A principal is an entity that can interact with Google Cloud resources. Principals are authenticated entities that make requests to access resources in GCP. There are several types of principals in GCP:

  1. Google Accounts:

    • Individual user accounts, such as a personal Gmail account (e.g., [email protected]).
    • Managed Google accounts from Google Workspace or Cloud Identity domains.
  2. Service Accounts:

    • Special accounts used by applications or virtual machines to make authorized API calls.
    • Example: [email protected].
  3. Google Groups:

    • Collections of Google accounts or service accounts.
    • Useful for managing access for multiple users.
    • Example: [email protected].
  4. Cloud Identity or Google Workspace Accounts:

  5. All Users:

    • Represents anyone on the internet.
    • Usually used in public resources.
    • Represented by allUsers.
  6. All Authenticated Users:

    • Any user authenticated with a Google Account or a service account, including accounts outside your own organization.
    • Represented by allAuthenticatedUsers.

Resources

Resources are the specific GCP services and objects that you can interact with. Everything you create or use in Google Cloud is considered a resource. Resources can be organized hierarchically in GCP:

  1. Organization:

    • The root node of the resource hierarchy.
    • Represents your company or organization.
  2. Folders:

    • Containers for organizing projects and other folders.
    • Useful for grouping projects by department, team, or other criteria.
  3. Projects:

    • The basic unit of organization in GCP.
    • Contains resources such as VMs, databases, and storage buckets.
    • Each project has a unique ID and serves as the basis for enabling and using Google Cloud services.
  4. Other Resources:

    • Specific GCP services and objects within a project, such as Compute Engine instances, Cloud Storage buckets, BigQuery datasets, etc.

IAM (Identity and Access Management)

IAM is the system that manages access to GCP resources. It defines who (principal) has what type of access (role) to which resource.

Roles

Roles are collections of permissions. They determine what actions a principal can perform on a resource. There are three types of roles in GCP:

  1. Primitive Roles (now called basic roles):

    • Broad roles that existed before IAM and bundle many permissions across all services.
    • Include Owner, Editor, and Viewer (roles/owner, roles/editor, roles/viewer).
  2. Predefined Roles:

    • Fine-grained roles created and managed by Google.
    • Designed to provide granular access to specific Google Cloud services.
  3. Custom Roles:

    • Roles that you create to fit the specific needs of your organization.
    • Allow for precise control over which permissions are included.

Example Scenario

Let's consider an example scenario where you have a project with a BigQuery dataset and you want to grant a data analyst read access to this dataset.

  1. Resource: The BigQuery dataset.
  2. Principal: The data analyst's Google account (e.g., [email protected]).
  3. Role: The predefined roles/bigquery.dataViewer role, which grants read access to BigQuery datasets.

Steps to Grant Access:

  1. Navigate to the IAM & Admin section of the GCP Console.
  2. Select the Project where the dataset is located.
  3. Add the Principal: Click on "Add" to add a new member.
  4. Enter the Principal's Email: [email protected].
  5. Assign the Role: Select BigQuery Data Viewer from the list of predefined roles.
  6. Save: Click "Save" to apply the changes.
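The same grant, modelled offline as an added example (not code from the original post): the policy below is a constructed sample in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, the principal and project are hypothetical, and the binding is made at project level rather than on the dataset itself. Alongside the grant, `risky_bindings` shows the review a defender would run on such a policy: flagging basic roles and the public principals `allUsers` / `allAuthenticatedUsers` described above.

```python
"""Offline model of a GCP IAM policy: the JSON that
`gcloud projects get-iam-policy PROJECT --format=json` returns, a list of
bindings that each pair one role with the principals (members) holding it."""
import copy

# Constructed sample policy for a hypothetical project (not a real project).
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["group:analysts@example.com"]},
    ],
}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def add_binding(policy, role, member):
    """Return a copy of policy granting member the role, as the console
    steps in the scenario do. Idempotent; other members are preserved."""
    new_policy = copy.deepcopy(policy)
    for binding in new_policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


def members_with_role(policy, role):
    """Every principal the policy grants the given role."""
    return [m for b in policy["bindings"] if b["role"] == role
            for m in b["members"]]


def risky_bindings(policy):
    """Bindings a reviewer should look at: basic (primitive) roles bundle
    broad permissions, and allUsers / allAuthenticatedUsers are public."""
    findings = []
    for binding in policy["bindings"]:
        for member in binding["members"]:
            if binding["role"] in BASIC_ROLES:
                findings.append((binding["role"], member, "basic role"))
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member, "public principal"))
    return findings
```

Running `risky_bindings(SAMPLE_POLICY)` reports the Owner grant and the `allUsers` grant, while the analyst's Data Viewer binding passes.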
Published on: Jul 10, 2024, 10:11 PM  