Google Cloud IAM supports several member types that can be authorized to access Google Cloud resources. The following member types can be added to Google Cloud IAM to authorize access to your Google Cloud Platform services.

Google IAM Member Types:

  • Google account – individual (me@example.com)
  • Google group – (team@example.com)
  • G Suite domain – (@example.com)
  • Cloud Identity domain – same as G Suite domain without Google services
  • Service account – JSON or P12 file for program access

Useful commands:

List current project: gcloud config list project

List all projects: gcloud projects list

List service accounts: gcloud iam service-accounts list

Listing IAM members is less direct. A project's IAM policy is a set of bindings; each binding pairs a role with the members that hold it. This command dumps the whole policy, bindings included: gcloud projects get-iam-policy development-123456.

For several gcloud commands such as add-iam-policy-binding you must prefix the member identifier with the type such as: user:, group:, serviceAccount: and domain:.

For example: john@example.com is specified as user:john@example.com.

Google Account

A Google Account is a username and password that can log in to Google applications and Google services. Any email address that is associated with a Google account can be an identity.

The following gcloud command will add the user john@example.com to IAM and assign the role roles/iam.serviceAccountUser.

After this command (takes about 60 seconds to take effect) the user can list and get details for the project’s service accounts. Change the project development-123456 to match your project.

This command will remove the role from the user.

Note: You can replace “projects” in the previous commands with “organizations” for organization level commands and inheritance. I will discuss organizations in a future article.

Google Accounts Signup

Google Group

A Google Group is a G Suite group that includes one or more Google Account members. Every member of the group receives the same access to Google Cloud services as the group itself.

The following gcloud command will add the G Suite group storage-admins@example.com to IAM and assign the role roles/storage.admin. Everyone in this group will have full control of buckets and objects.

Google Groups

Google G Suite Domain

A Google G Suite Domain represents all users in a G Suite domain name. This is also called a Google Apps domain, after the former name of G Suite.

Google Apps

Google Cloud Identity Domain

Google Cloud Identity is the authentication system from Google G Suite. Cloud Identity manages users, devices, and apps without providing Google services.

Cloud Identity

Service Account

A Service Account is a special type of Google account that belongs to your application or virtual machine, instead of to an individual user. Service Account credentials are typically stored in JSON files, but can also be obtained through other methods such as the Compute Engine metadata server.

The following gcloud command will add the service account sa-storage-admin@example.com to IAM and assign the role roles/storage.admin. This service account will have full control of buckets and objects.

Understanding Service Accounts

allUsers

The special identifier allUsers is an identifier that represents anyone who is on the internet, including authenticated and unauthenticated users. Note that some GCP APIs require authentication of any user accessing the service, and in those cases, allUsers will only imply authorization for all authenticated users.

Note: allUsers is a group, so this requires the group: type identifier.

Warning: I do not recommend using this member type. There is no security.

allAuthenticatedUsers

The special identifier allAuthenticatedUsers represents anyone who is authenticated with a Google account or a service account. Users who are not authenticated, such as anonymous visitors, are not included.

Note: allAuthenticatedUsers is a group, so this requires the group: type identifier.

Warning: I do not recommend using this member type. There is no security.
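The get-iam-policy output described earlier is organized role → members, which makes "what can this member do?" hard to read off, and it is also where a grant to allUsers or allAuthenticatedUsers would show up. The following Python is an added example, not code from the original article: it inverts a constructed sample of `gcloud projects get-iam-policy development-123456 --format=json` output into a member → roles view and flags the two public identifiers. The policy contents, member names and etag are made up for the example.

```python
import json
from collections import defaultdict

# Constructed sample of `gcloud projects get-iam-policy ... --format=json`
# output. Members and etag are invented for this example. Note that the
# special identifiers allUsers / allAuthenticatedUsers appear in policy
# output without a type prefix.
SAMPLE_POLICY = """
{
  "bindings": [
    {"role": "roles/iam.serviceAccountUser",
     "members": ["user:john@example.com"]},
    {"role": "roles/storage.admin",
     "members": ["group:storage-admins@example.com",
                 "serviceAccount:sa-storage-admin@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers", "domain:example.com"]}
  ],
  "etag": "BwWExampleEtag=",
  "version": 1
}
"""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def member_type(member):
    """Return the member type prefix (user, group, serviceAccount, domain)
    or the special identifier itself for allUsers/allAuthenticatedUsers."""
    if member in PUBLIC_MEMBERS:
        return member
    prefix, sep, _ = member.partition(":")
    return prefix if sep else "unknown"


def roles_by_member(policy_json):
    """Invert role -> members bindings into member -> sorted list of roles."""
    policy = json.loads(policy_json)
    result = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            result[member].add(binding["role"])
    return {m: sorted(r) for m, r in result.items()}


def public_bindings(policy_json):
    """Return sorted (member, role) pairs granted to a public identifier."""
    return sorted((m, role) for m, roles in roles_by_member(policy_json).items()
                  if m in PUBLIC_MEMBERS for role in roles)


if __name__ == "__main__":
    for member, roles in sorted(roles_by_member(SAMPLE_POLICY).items()):
        print(f"{member_type(member):15} {member:45} {', '.join(roles)}")
    for member, role in public_bindings(SAMPLE_POLICY):
        print(f"WARNING: {role} is granted to {member}")
```

Against a real project, pipe the JSON from gcloud into `roles_by_member` instead of the constructed sample.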