Identity and Access Management Fundamentals and IAM Role Types

IAM Is Everywhere

In Google Cloud, almost every action is checked by Identity and Access Management (IAM). If you understand IAM, you can both secure environments and answer many exam questions confidently.

Core Definition

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource. This 3-part idea is the core of this module.

Three Parts of IAM

• Who: the identity (user, group, service account)
• What access: the role (set of permissions)
• Which resource: the project, bucket, VM, dataset, etc.

Exam-Oriented Thinking

For a scenario like "developer needs read-only access to Cloud Storage", think: identity type, role type (basic, predefined, custom), and resource level (project vs bucket).

Connection to Observability

Earlier, you saw logging and monitoring roles such as `logs.viewer`. These are IAM roles. Misconfigured IAM is a common reason logs or metrics seem to "disappear".

Principals vs Resources

IAM connects principals (identities) to resources. Principals are who acts; resources are what they act on (projects, buckets, VMs, etc.).

Common Identity Types

• Google account (user)
• Google group
• service account
• Domain (all users in `@company.com`)
• Special: `allUsers`, `allAuthenticatedUsers`

Service Accounts

A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.

Resource Hierarchy

Resources form a tree: Organization → Folder(s) → Project → child resources (buckets, VMs, datasets, etc.). IAM policies can attach at each level.

IAM Binding Example

Example binding: give `devs@example.com` the `roles/storage.objectViewer` role on project `analytics-prod`. Principal = group, Role = viewer, Resource = project.

Permissions vs Roles

Permissions are low-level abilities like `storage.objects.get`. Roles are named collections of permissions, such as `roles/storage.objectViewer`.

How IAM Grants Access

IAM does not grant permissions directly. It grants roles to principals on resources. The role determines which permissions they effectively get.

Multiple Roles and Union

A principal can have several roles on a resource. Their effective permissions are the union of all permissions from all those roles (including inherited ones).

Role Naming Patterns

Common pattern: `roles/product.roleName`, like `roles/logging.viewer` or `roles/compute.admin`. Some cross-product roles exist, like `roles/viewer`.

Exam Expectations

You should match English descriptions ("view logs only") to appropriate roles, and prefer roles that give only the needed permissions.

Three IAM Role Types

Google Cloud defines three IAM role types: basic, predefined, custom. Knowing when to use each is critical for both security and the exam.

Basic Roles

Basic roles: `roles/viewer`, `roles/editor`, `roles/owner`. They span almost all services in a project and are very broad, often too permissive.

Predefined Roles

Predefined roles are created by Google for specific products and tasks, like `roles/storage.objectViewer` or `roles/logging.logWriter`. They are the usual choice for least privilege.

Custom Roles

Custom roles are built by your org from individual permissions when predefined roles are not precise enough. They can be defined at org or project level.

Exam-Friendly Rule of Thumb

Default to predefined roles for real workloads, avoid basic roles in production, and reach for custom roles only when predefined options cannot meet strict requirements.

Scenario 1: Intern Read-Only

Need: intern can view all resources in one project, no changes. A single basic `roles/viewer` on that project is simple and acceptable in non-production.

Scenario 2: Cloud Run + Logs + Bucket

Need: a Cloud Run service account writes logs and reads one bucket. Use predefined roles: `roles/logging.logWriter` on project and `roles/storage.objectViewer` on that bucket.

Avoid Overly Broad Roles

Do not give `roles/editor` to that service account. It would grant many write permissions across services, violating least privilege.

Scenario 3: Start/Stop Only

Need: a team can only start/stop Compute Engine VMs. Predefined instance admin roles allow too much. Build a custom role with just start/stop permissions.

Pattern to Remember

Pattern: basic roles for broad, low-risk read-only; predefined roles for most real workloads; custom roles for strict, unusual requirements.

What Is an IAM Policy?

An IAM policy is attached to a resource and contains bindings. Each binding pairs a role with a list of member identities.

Binding Structure

Binding: `{ role: roles/storage.objectViewer, members: [user:alice@example.com, group:devs@example.com] }`.

Evaluation Steps

On access: find the resource, gather its policy and ancestor policies, expand groups, union all permissions from roles, then check if the requested permission is present.

Deny-by-Default

If no binding grants the needed permission, the request is denied. There is no simple "deny overrides allow" feature in standard IAM for this exam.

Union of Roles

A principal may get roles from multiple bindings and levels. Their effective permissions are the union, which explains why removing one role may not remove access.

Hierarchy Overview

Hierarchy: Organization → Folder(s) → Project → child resources (buckets, VMs, datasets, etc.). IAM policies can attach at any level.

Inheritance Rule

A role granted at a higher level (org, folder, project) is inherited by all descendant resources unless you change the higher-level policy.

Org-Level Example

Grant `roles/logging.viewer` to `security-team` at the organization. They can view logs in all projects in that org automatically.

Project-Level Example

Give `roles/bigquery.dataViewer` to `data-analysts` at a project. They can read datasets and tables in that project without per-dataset IAM.

Design Implications

Higher-level bindings are powerful but risky. For least privilege, bind roles as close as practical to the resource, and always consider inheritance.

Core IAM Recap

IAM defines who (identity) has what access (role) for which resource. Principals get roles on resources; policies live on resources and inherit down the hierarchy.

Role Types Recap

Three IAM role types: basic, predefined, custom. Prefer predefined for least privilege, use basic sparingly, and custom only when necessary.

Troubleshooting Mindset

If access is surprising, check ancestor policies and group memberships. Remember deny-by-default and union of all granted roles.

Exam Patterns

Watch for questions that overuse roles/editor or roles/owner, or that hide higher-level grants. Always pick the least-privilege role that satisfies the requirement.

Your Next Moves

Continue with Skarp’s IAM diagnostic and mock exams. Missed items will appear in your spaced review queue so IAM reasoning becomes automatic.