Intermediate | Lesson 6 of 12

Security and IAM

Master GCP IAM roles, service accounts, and identity controls to secure access to your resources.

Simple Explanation (ELI5)

IAM (Identity and Access Management) controls who can do what in GCP. Identities are users (your team), service accounts (for apps), or groups. Roles define permissions (like read, write, delete). You assign roles to identities on resources. Principle of least privilege: give people only the minimum permissions they need.

Why IAM Matters

Technical Explanation

1. IAM Roles

Roles are bundles of permissions. Basic roles (Owner, Editor, Viewer) are broad and apply project-wide. Predefined roles are service-specific. Custom roles allow fine-grained control.

bash
# Grant a user the Editor role on a project
gcloud projects add-iam-policy-binding my-project \
  --member=user:alice@example.com \
  --role=roles/editor

# Grant compute.instanceAdmin on a specific instance
gcloud compute instances add-iam-policy-binding my-vm \
  --member=user:bob@example.com \
  --role=roles/compute.instanceAdmin \
  --zone=us-central1-a

# Remove a role
gcloud projects remove-iam-policy-binding my-project \
  --member=user:alice@example.com \
  --role=roles/editor
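The gcloud commands above edit the project's IAM policy, which is a JSON document of role-to-members bindings (the same shape `gcloud projects get-iam-policy my-project --format=json` prints). The following is an added example, not code from the lesson: it models that document, implements add/remove binding in the way the commands above do, and adds a least-privilege review that lists every grant of a basic role. The sample policy and the "etag" value are constructed; the member and role names match the lesson's examples.

```python
"""Model of a GCP IAM policy document and a basic-role review.

Added example. Assumes the documented policy JSON shape:
{"bindings": [{"role": ..., "members": [...]}], "etag": ..., "version": ...}.
The sample policy below is constructed, not exported from a real project.
"""
import copy
import json

# Constructed sample: what a small project's policy might look like.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:founder@example.com"]},
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:data-team@example.com"]},
    ],
    "etag": "BwXconstructed=",  # constructed placeholder, not a real etag
    "version": 1,
}

# Broad project-wide roles the lesson says to avoid.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def add_binding(policy, member, role):
    """Return a copy of the policy with `member` granted `role`
    (the effect of `gcloud projects add-iam-policy-binding`).
    Idempotent: adding an existing grant changes nothing."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        # Only merge into unconditional bindings; conditional ones are separate.
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, member, role):
    """Return a copy with `member` removed from `role`
    (the effect of `gcloud projects remove-iam-policy-binding`).
    Bindings left with no members are dropped, as gcloud does."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def roles_for(policy, member):
    """All roles a member holds directly in this policy."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def basic_role_grants(policy):
    """Least-privilege review: every (member, role) pair that uses a basic role."""
    return sorted(
        (m, b["role"])
        for b in policy["bindings"]
        if b["role"] in BASIC_ROLES
        for m in b["members"]
    )


if __name__ == "__main__":
    p = add_binding(SAMPLE_POLICY, "user:bob@example.com", "roles/compute.instanceAdmin")
    p = remove_binding(p, "user:alice@example.com", "roles/editor")
    print(json.dumps(p, indent=2))
    for member, role in basic_role_grants(p):
        print(f"review: {member} holds basic role {role}")
```

Run it against a real export by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; the review function then gives you the list of Owner/Editor/Viewer grants to replace with predefined roles. The same add/remove logic applies to a service account's own policy, which is where the Workload Identity binding in section 3 lives.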

2. Service Accounts

Google-managed accounts for applications and workloads. Unlike humans, service accounts don't have passwords. They authenticate using keys or Workload Identity. Perfect for apps, CI/CD pipelines, and automation.

bash
# Create a service account
gcloud iam service-accounts create my-app-sa \
  --display-name="Service account for my-app"

# Grant the service account a role
gcloud projects add-iam-policy-binding my-project \
  --member=serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com \
  --role=roles/storage.objectAdmin

# Create and download a key (use for local dev only)
gcloud iam service-accounts keys create ~/key.json \
  --iam-account=my-app-sa@my-project.iam.gserviceaccount.com

# List keys for a service account
gcloud iam service-accounts keys list \
  --iam-account=my-app-sa@my-project.iam.gserviceaccount.com

# Delete a key
gcloud iam service-accounts keys delete KEY_ID \
  --iam-account=my-app-sa@my-project.iam.gserviceaccount.com

3. Workload Identity (Kubernetes)

Pods in GKE authenticate as service accounts without storing keys. Each pod's identity maps to a Kubernetes service account, which is bound to a GCP service account and receives short-lived tokens for it. This is the modern, secure way to deploy apps.

bash
# Enable Workload Identity on cluster (at cluster creation time)
gcloud container clusters create my-cluster \
  --workload-pool=my-project.svc.id.goog

# Create Kubernetes service account
kubectl create serviceaccount my-ksa -n default

# Create GCP service account
gcloud iam service-accounts create my-gcp-sa

# Bind Kubernetes SA to GCP SA
gcloud iam service-accounts add-iam-policy-binding my-gcp-sa@my-project.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:my-project.svc.id.goog[default/my-ksa]"

# Annotate the Kubernetes service account with the GCP service account it maps to
kubectl annotate serviceaccount my-ksa \
  --namespace default \
  iam.gke.io/gcp-service-account=my-gcp-sa@my-project.iam.gserviceaccount.com

4. Audit & Logging

Cloud Audit Logs capture who did what, when, and from where. Admin Activity logs (all API calls) are free. Data Access logs (read/write to resources) and System Events are optional and chargeable. Always enable audit logs in production.

bash
# Grant a service account read access to logs (roles/logging.viewer).
# Note: this does not turn on audit logging. Admin Activity logs are always on;
# Data Access logs are enabled through the project's IAM audit config
# (the "auditConfigs" section of `gcloud projects get-iam-policy my-project`).
gcloud projects add-iam-policy-binding my-project \
  --member=serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com \
  --role=roles/logging.viewer

# Query logs for GCE instances (add logName:"cloudaudit.googleapis.com" to the
# filter to restrict the result to audit logs)
gcloud logging read 'resource.type="gce_instance"' --limit 10 --format json

# Filter for IAM policy changes
gcloud logging read 'protoPayload.methodName:"SetIamPolicy"' --limit 5
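The SetIamPolicy query above returns one audit log entry per policy change; each entry records who made the change (`protoPayload.authenticationInfo.principalEmail`) and, in `protoPayload.serviceData.policyDelta.bindingDeltas`, each role grant or removal. The following is an added example, not part of the lesson, that reviews such entries for the two things the best-practices list warns about: grants of broad roles and grants to identities outside your own domain. The log entries, the trusted domain and the "high-risk" role list are constructed assumptions for the example; adjust them to your organization.

```python
"""Review SetIamPolicy audit log entries for risky grants.

Added example. Assumes the Cloud Audit Log entry shape printed by
`gcloud logging read 'protoPayload.methodName:"SetIamPolicy"' --format=json`:
protoPayload.methodName, protoPayload.authenticationInfo.principalEmail and
protoPayload.serviceData.policyDelta.bindingDeltas[] (action, role, member).
All entries below are constructed, not real log data.
"""

# Constructed sample entries (trimmed to the fields this review uses).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-03-20T10:00:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner",
                           "member": "user:contractor@outside-example.net"}]}}}},
    {"timestamp": "2024-03-20T10:05:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/storage.objectViewer",
                           "member": "group:data-team@example.com"}]}}}},
    {"timestamp": "2024-03-20T10:10:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "REMOVE", "role": "roles/editor",
                           "member": "user:alice@example.com"}]}}}},
    {"timestamp": "2024-03-20T10:15:00Z",
     "protoPayload": {"methodName": "v1.compute.instances.insert",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
]

# Assumptions for this example: your own identity domain, and roles that
# warrant a second look whenever they are granted.
TRUSTED_DOMAINS = {"example.com"}
HIGH_RISK_ROLES = {"roles/owner", "roles/editor",
                   "roles/iam.securityAdmin", "roles/iam.serviceAccountKeyAdmin"}


def binding_deltas(entry):
    """The role changes recorded in one entry; empty for non-IAM entries."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    return payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])


def member_domain(member):
    """'user:alice@example.com' -> 'example.com'.
    Returns None for allUsers / allAuthenticatedUsers, which have no domain."""
    if ":" not in member:
        return None
    ident = member.split(":", 1)[1]
    return ident.rsplit("@", 1)[-1] if "@" in ident else None


def risky_grants(entries, trusted=TRUSTED_DOMAINS, high_risk=HIGH_RISK_ROLES):
    """Findings as (timestamp, actor, member, role, reason) for every ADD delta
    that grants a high-risk role or grants anything to a non-trusted member."""
    findings = []
    for entry in entries:
        actor = entry.get("protoPayload", {}).get("authenticationInfo", {}).get("principalEmail", "?")
        for delta in binding_deltas(entry):
            if delta.get("action") != "ADD":
                continue
            reasons = []
            if delta["role"] in high_risk:
                reasons.append("high-risk role")
            domain = member_domain(delta["member"])
            if domain is None or domain not in trusted:
                reasons.append("external or public member")
            if reasons:
                findings.append((entry["timestamp"], actor, delta["member"],
                                 delta["role"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, actor, member, role, reason in risky_grants(SAMPLE_ENTRIES):
        print(f"{ts} {actor} granted {role} to {member} ({reason})")
```

Feed it real data with `json.load` on the output of the `gcloud logging read ... --format json` command above; removals and non-IAM entries are ignored, so the output is only the grants worth reviewing (and the incident steps in the scenario questions below start from exactly this list).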

IAM Best Practices

Golden Rules
  • Principle of Least Privilege: Always grant the minimal role needed. Start with Viewer, escalate only if necessary.
  • Use Groups for Teams: Manage access via Google Groups, not individual users. Add/remove people without touching IAM policies.
  • Service Accounts for Apps: Never use personal credentials in code. Use service accounts with narrow roles.
  • Rotate Keys: Service account keys should be rotated monthly. Prefer Workload Identity over keys.
  • Audit Everything: Enable Cloud Audit Logs. Review access regularly.
  • Custom Roles Rarely: Use predefined roles. Custom roles are powerful but complex; document them thoroughly.

GCP vs AWS vs Azure IAM

| Aspect | GCP (IAM) | AWS (IAM) | Azure (RBAC) |
|---|---|---|---|
| Identity Type | Users, Service Accounts, Groups | Users, Roles, Federated | Users, Service Principals, Managed Identities |
| Role Model | Predefined + Custom Roles (100+ predefined) | Predefined + Inline Policies | Predefined Roles (100+) |
| Audit Logging | Cloud Audit Logs (Admin Activity free) | CloudTrail (free, logs to S3) | Azure Monitor Logs (logs to storage/workspace) |
| Container Auth | Workload Identity (native, short-lived tokens) | IRSA (IAM Roles for Service Accounts) | Managed Identities for AKS |
| Ease of Use | Simple UI, predefined roles cover most cases | Powerful but verbose policies | Familiar if coming from AD |

Interview Questions

Beginner

What does IAM stand for and why do we need it?

Identity and Access Management. It controls who (identity) can do what (permission) on which resources. Without IAM, anyone in the project could delete production databases.

What is the difference between a role and a permission?

A permission is a single action (e.g., compute.instances.create). A role bundles related permissions. You assign roles to identities; you don't directly assign permissions.

What is a service account?

A non-human GCP account for applications and workloads. Apps authenticate using service account keys or Workload Identity. No password; designed for automation.

What is the principle of least privilege?

Give identities only the minimum permissions they need to do their job. If an account is compromised, the attacker can only do what that account is permitted to do.

What are basic roles in GCP?

Owner (full control), Editor (create/modify/delete), Viewer (read-only). They apply project-wide. Avoid using them; prefer specific predefined roles.

Intermediate

How does IAM policy inheritance work in GCP?

Organization > Folders > Projects > Resources. A role granted at the project level applies to all resources in that project. More specific policies at the resource level override project-level policies.

What is the difference between a service account key and Workload Identity?

Service account keys are static credentials stored in files (high risk). Workload Identity uses short-lived tokens; a pod authenticates as a Kubernetes SA, which is bound to a GCP service account. Workload Identity is more secure and easier to manage.

How do you use Google Groups for IAM?

Create a Google Group (data-team@company.com). Assign roles to the group. Add/remove users by managing group membership. Much easier to scale than managing individual user IAM bindings.

What is Cloud Audit Logs and what does it capture?

GCP's logging service for IAM and resource changes. Admin Activity logs (free) capture all API calls. Data Access logs (optional) capture reads/writes to resources. Essential for compliance and security incident response.

What should I do if a service account key is compromised?

Immediately delete the compromised key. Create a new key. Review Cloud Audit Logs to see what was accessed. If the account had sensitive permissions, assume data was accessed and investigate further.

Scenario-based

You have 5 data engineers and 3 platform engineers. How do you structure IAM?

Create two Google Groups: data-team@company.com and platform-team@company.com. Assign roles to groups: data-team gets storage.admin + bigquery.admin; platform-team gets all roles. Add/remove people by updating group membership. Centralized, scalable, auditable.

Your app needs to read files from Cloud Storage and write logs to Cloud Logging. How do you set it up?

Create a service account (my-app-sa). Grant it storage.objectViewer (read-only on buckets) and logging.logWriter. Deploy the app; if using GKE, use Workload Identity. The app authenticates as the service account automatically.

You accidentally granted Owner role to an external contractor. What do you do?

1. Immediately remove the Owner role.
2. Review Cloud Audit Logs for the last 24 hours to see what they accessed.
3. If suspicious activity is found, rotate all service account keys in the project and reset database passwords.
4. Investigate the incident.

How do you rotate service account keys?

1. Create a new key. Wait for the new key to be active in your app.
2. Delete the old key.
3. Keep this on a schedule (monthly or quarterly). For Workload Identity, this happens automatically (tokens are short-lived).
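The key commands in section 2 and the rotation steps above are usually run on a schedule, which means first deciding which keys are old enough to replace. The following is an added example, not part of the lesson, that does that decision step: it reads the JSON that `gcloud iam service-accounts keys list --iam-account=... --format=json` prints (fields `name`, `keyType`, `validAfterTime`, `validBeforeTime`), selects user-managed keys older than the rotation window, and produces the create-then-delete command sequence in the lesson's order. The key entries and IDs are constructed; the script only prints commands and runs nothing.

```python
"""Find user-managed service account keys due for rotation.

Added example. Assumes the JSON shape of
`gcloud iam service-accounts keys list --iam-account=SA --format=json`:
each entry has "name" (ending in the key ID), "keyType" (USER_MANAGED or
SYSTEM_MANAGED), and RFC 3339 "validAfterTime" / "validBeforeTime".
The entries below are constructed, not from a real project.
"""
from datetime import datetime, timedelta, timezone

SA = "my-app-sa@my-project.iam.gserviceaccount.com"
KEY_PREFIX = f"projects/my-project/serviceAccounts/{SA}/keys/"

# Constructed sample output; key IDs are placeholders.
SAMPLE_KEYS = [
    {"name": KEY_PREFIX + "aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": KEY_PREFIX + "bbbb2222", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    # Google-managed key: rotated by Google, never deleted by us.
    {"name": KEY_PREFIX + "cccc3333", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-03-15T00:00:00Z", "validBeforeTime": "2024-03-29T00:00:00Z"},
]


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps gcloud prints."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(name):
    """Last path segment of the key resource name, as passed to `keys delete`."""
    return name.rsplit("/", 1)[-1]


def keys_due_for_rotation(keys, now, max_age_days=30):
    """IDs of USER_MANAGED keys created more than max_age_days before `now`.
    SYSTEM_MANAGED keys are skipped: they are rotated by Google."""
    cutoff = now - timedelta(days=max_age_days)
    due = [key_id(k["name"]) for k in keys
           if k.get("keyType") == "USER_MANAGED" and parse_ts(k["validAfterTime"]) < cutoff]
    return sorted(due)


def rotation_plan(keys, now, max_age_days=30):
    """Commands in the lesson's order: create the new key, deploy it, then
    delete each old key. Returns the list; nothing is executed."""
    plan = [f"gcloud iam service-accounts keys create ./new-key.json --iam-account={SA}",
            "# deploy new-key.json to the app and confirm it authenticates before continuing"]
    for kid in keys_due_for_rotation(keys, now, max_age_days):
        plan.append(f"gcloud iam service-accounts keys delete {kid} --iam-account={SA}")
    return plan


if __name__ == "__main__":
    for line in rotation_plan(SAMPLE_KEYS, datetime.now(timezone.utc)):
        print(line)
```

With a monthly window only keys older than 30 days appear in the delete list, so a key created last week survives; `keys list` output for a real account drops in unchanged in place of `SAMPLE_KEYS`.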

Real-world Scenarios

Scenario 1: Multi-team Project Structure

Your startup has data, backend, and mobile teams. Each team needs different permissions:

Solution: Create three service accounts (or Google Groups for humans). Assign each the minimal roles needed. Each team's CI/CD pipeline uses its own service account. Audit logs show which team deployed what.

Scenario 2: Production vs Staging Access

You don't want engineers to delete production databases by mistake. Use separate projects: my-app-prod and my-app-staging. Grant engineers Editor on staging only. For production, require approval before access (using Cloud IAM Conditions or manual approval process).

Scenario 3: Contractor with Limited Access

A contractor needs to audit Cloud Storage buckets but can't delete anything. Grant storage.objectViewer role on the specific bucket only. When the contract ends, delete the IAM binding. Audit logs will show exactly what they accessed.

Summary

IAM is foundational to GCP security. Master these concepts: