- Building Google Cloud Platform Solutions
- Ted Hunter Steven Porter Legorie Rajan PS
- 2021-07-02 12:24:31
How IAM works
Cloud Identity and Access Management (IAM) is a platform-wide access control system that provides granular control over all GCP resources. As it's commonly phrased, IAM specifies WHO can do WHAT to WHICH THING.
- WHO: IAM is composed of policies that apply to one or more actors. An actor is any entity that can take action on a Google Cloud resource, which includes both users and service accounts. Cloud IAM also supports policies that apply to groups of actors, and a group can be defined at the project level or at the organization level to span multiple projects.
- WHAT: Policies apply to specific actions an actor can take, which is where the concept of permissions comes from. Because the types of actions are controlled individually, a policy can specify that an actor may view a given resource type but may not create, modify, or delete resources of that type.
- WHICH THING: Virtually everything in GCP can be thought of as a resource, including projects, service accounts, APIs, IAM policies, and billing accounts. Treating everything as a resource is what makes IAM so powerful: for example, an IAM policy can grant control over a billing account to specific users, which makes it possible to delegate responsibilities in meaningful ways.
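As an added example (not from the book), here is a small Python model of those three dimensions: members and groups (WHO), roles as bundles of permissions (WHAT), and a resource hierarchy (WHICH THING) in which bindings on an organization or project are inherited by the resources beneath them. The role permission sets, the group, and the resource names are constructed for illustration; real roles carry many more permissions and real policies are read from the API.

```python
from dataclasses import dataclass, field

# WHAT: a role is a named bundle of permissions (constructed subset of the real roles).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}

# WHO: constructed group membership; members inherit the bindings of their groups.
GROUP_MEMBERS = {
    "group:analysts@example.com": {
        "user:alice@example.com",
        "serviceAccount:etl@demo-project.iam.gserviceaccount.com",
    },
}

@dataclass
class Resource:
    """WHICH THING: a node in the org -> project -> resource hierarchy."""
    name: str
    parent: "Resource | None" = None
    bindings: list = field(default_factory=list)  # [(role, member), ...]

def principals_for(member: str) -> set[str]:
    """Expand a member into itself plus every group that contains it."""
    return {member} | {g for g, ms in GROUP_MEMBERS.items() if member in ms}

def has_permission(member: str, permission: str, resource: Resource) -> bool:
    """True if any binding on the resource or one of its ancestors grants the
    permission to the member directly or through a group. Bindings flow down
    the hierarchy, never up: a grant on a bucket says nothing about the project."""
    who = principals_for(member)
    node = resource
    while node is not None:
        for role, bound_member in node.bindings:
            if bound_member in who and permission in ROLE_PERMISSIONS.get(role, ()):
                return True
        node = node.parent
    return False

# Constructed hierarchy and policy bindings (ids are placeholders).
org = Resource("organizations/123456789")
project = Resource("projects/demo-project", parent=org)
bucket = Resource("projects/_/buckets/demo-bucket", parent=project)
project.bindings.append(("roles/storage.objectViewer", "group:analysts@example.com"))
bucket.bindings.append(("roles/storage.objectAdmin", "user:bob@example.com"))
```

Alice reads objects in the bucket through her group's project-level binding but cannot delete them, while Bob's admin binding on the bucket grants nothing at the project level.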