Google Cloud IAM
Guide to Google Cloud IAM covering resource hierarchy, role types, IAM Conditions, Workload Identity Federation, and least privilege enforcement.
Continue your mission
Guide to Google Cloud IAM covering resource hierarchy, role types, IAM Conditions, Workload Identity Federation, and least privilege enforcement.
# Google Cloud IAM
Google Cloud IAM (Identity and Access Management) is the unified access control system for Google Cloud Platform resources. It determines who (identity) has what access (role) for which resource, using a hierarchical model that flows from organization to folder to project to individual resources.
IAM exists because cloud environments require granular permission management across distributed teams, applications, and infrastructure components. Unlike traditional on-premises environments where access control often relies on network segmentation, cloud platforms expose services through APIs that can be called from anywhere. This creates the need for a centralized system that can authenticate identities, authorize specific actions, and audit access decisions at scale.
Google Cloud IAM fits into the broader GCP ecosystem as the foundational security service. Every other Google Cloud service integrates with IAM for access control. When a developer calls the Cloud Storage API, when a virtual machine accesses a database, when a CI/CD pipeline deploys code, IAM evaluates the request against configured policies. This centralization allows security teams to establish consistent access controls across the entire cloud environment rather than managing permissions service by service.
The system's hierarchical design reflects how organizations actually structure cloud resources. An enterprise might have multiple divisions (folders), each running several applications (projects), each containing numerous services and data stores (resources). IAM policies can be set at any level of this hierarchy, with permissions inherited downward unless explicitly restricted. This inheritance model enables broad policy statements at high levels while allowing specific restrictions at lower levels.
Google Cloud IAM operates on a simple conceptual model: policies bind identities to roles on resources. However, the implementation details reveal significant complexity that security practitioners must understand to deploy IAM effectively.
The resource hierarchy forms the foundation of IAM's inheritance model. At the top sits the organization node, typically tied to a company's Google Workspace or Cloud Identity domain. Below the organization are folders, which can be nested to reflect business unit structures. Projects sit within folders and contain the actual cloud resources: virtual machines, storage buckets, databases, and services. Policies applied at higher levels automatically flow down to everything beneath them unless explicitly overridden.
IAM principals represent the entities requesting access to resources. Google accounts are individual user identities, typically employees with company email addresses. Service accounts represent applications, workloads, and automated systems. These non-human identities can be created within projects and granted only the permissions needed for specific functions. Google Groups aggregate individual users for easier permission management. Workforce identity federation extends IAM to external identity providers, allowing companies to use their existing Active Directory or LDAP systems instead of creating duplicate Google accounts.
The role system defines what actions principals can perform. Basic roles (Owner, Editor, Viewer) provide broad permission sets that were useful in Google Cloud's early days but are now considered security anti-patterns. Owner grants full control including IAM policy modification. Editor allows resource modification but not permission changes. Viewer provides read-only access. These roles are overly permissive for production environments.
Predefined roles offer service-specific permissions aligned with common job functions. For example, Cloud SQL Admin can create and configure database instances but cannot modify IAM policies. Compute Instance Admin can manage virtual machines but cannot access the data stored on them. Google maintains hundreds of predefined roles that cover most operational scenarios.
Custom roles enable precise permission engineering. Organizations can create roles that contain exactly the permissions needed for specific functions. A deployment role might include compute.instances.start and compute.instances.stop but not compute.instances.delete. Custom roles require deeper IAM knowledge but provide the most security value.
IAM Conditions add attribute-based access control using Common Expression Language (CEL). Conditions can restrict access based on time (business hours only), resource attributes (specific project labels), request context (IP address ranges), or resource names (production databases only). For example, a developer might have Editor access to development projects during business hours but only Viewer access to production resources.
Service account management represents a critical security boundary. Service accounts should use short-lived, automatically rotating credentials rather than static JSON keys. Workload Identity Federation enables GCP services to impersonate service accounts without possessing permanent credentials. External workloads (AWS instances, on-premises systems, GitHub Actions) can authenticate to Google Cloud using their native identity systems.
Organization Policy Service provides constraint-based governance across the resource hierarchy. Policies can require specific resource locations (data residency), disable risky services (serial port access), or mandate security configurations (OS Login requirement). These constraints apply regardless of IAM permissions, creating hard boundaries that individual project owners cannot override.
IAM Recommender continuously analyzes access patterns and suggests permission reductions. The service tracks which permissions are actually used and flags roles that grant unused access. Security teams can implement these recommendations to reduce attack surface without impacting operations.
Policy Analyzer provides tools for understanding complex permission inheritance. Given the hierarchical model and role composition, determining whether a specific principal can perform a particular action requires tracing through multiple policy layers. Policy Analyzer automates this analysis. Policy Troubleshooter helps debug access denials by showing which policies were evaluated and why access was denied.
Google Cloud IAM failures cascade through cloud environments with devastating effect. The hierarchical inheritance model amplifies misconfigurations: a single overprivileged role assigned at the organization level grants excessive permissions to every project, folder, and resource beneath it. Unlike traditional network-based security models where breaches require lateral movement through multiple systems, cloud IAM mistakes can grant immediate access to an organization's entire cloud infrastructure.
Service account compromise represents the most common attack vector in Google Cloud environments. Many organizations create service accounts with broad Editor or Owner roles for simplicity, then distribute static JSON credentials across multiple systems. When these credentials are exposed through code repositories, container images, or compromised systems, attackers gain persistent access with extensive permissions. The 2019 Capital One breach followed this pattern: a misconfigured web application firewall allowed an attacker to access AWS credentials that had excessive IAM permissions.
The business impact of IAM failures extends beyond data breaches. Overprivileged accounts enable resource manipulation that can cause operational outages, data corruption, or unexpected cloud billing. An automated system with unnecessary deletion permissions might remove critical resources during a configuration error. A developer with production database access might accidentally modify customer data. A compromised account with compute permissions might launch cryptocurrency mining instances that generate millions in unexpected charges.
Common misconceptions about Google Cloud IAM create additional risk. Many organizations assume that basic roles (Owner, Editor, Viewer) are appropriate for production use because they appear simple and are prominently featured in Google's documentation. In reality, these roles grant far more access than most users need. The Editor role, commonly assigned to developers, includes permissions to modify IAM policies, delete production resources, and access sensitive data across all services.
Another misconception involves service account security. Teams often treat service account keys like traditional API credentials that can be safely embedded in applications or stored in configuration management systems. However, service account keys provide persistent access that cannot be easily revoked or rotated. Google's security model assumes service accounts will use metadata-based authentication or Workload Identity Federation, not static credentials.
The shared responsibility model creates additional complexity. While Google secures the underlying infrastructure and provides IAM capabilities, customers remain responsible for configuring policies appropriately. Google cannot prevent an organization from assigning Owner roles to every employee or storing service account keys in public repositories. This responsibility gap means that sophisticated security features are often deployed with insecure configurations.
Regulatory compliance adds another dimension to IAM importance. Financial services, healthcare, and government organizations must demonstrate access controls that support audit requirements, data residency rules, and segregation of duties. Google Cloud IAM provides the technical capabilities to meet these requirements, but implementation requires deep understanding of both the business requirements and the platform's capabilities.
CDA maps Google Cloud IAM to the Identity Access and Trust (IAT) domain within the Precision Defense Model. IAT recognizes that identity-based security controls form the primary defense perimeter in cloud environments where traditional network boundaries have dissolved. Google Cloud IAM represents a critical control plane that requires active management rather than configuration-and-forget deployment.
CDA's approach to Google Cloud IAM implementation centers on Zero Possession Architecture principles. "Trust nothing. Possess nothing. Verify everything." This methodology directly challenges conventional IAM deployment patterns that rely on persistent credentials and assumed-secure identities.
The "possess nothing" principle eliminates service account key usage across client environments. CDA mandates Workload Identity Federation for all external systems that need Google Cloud access. On-premises workloads authenticate using existing identity systems rather than storing Google Cloud credentials. Container workloads use metadata service authentication. CI/CD pipelines authenticate through OIDC tokens rather than embedded service account keys. This approach removes the credential management burden while eliminating a primary attack vector.
"Trust nothing" applies to both identity verification and permission assignment. CDA implements continuous authentication through IAM Conditions that evaluate device state, network location, and request patterns for every access attempt. Geographic restrictions prevent access from unexpected locations. Time-based conditions enforce business hour limitations for sensitive operations. Resource-specific conditions ensure that broad roles cannot be used across project boundaries.
"Verify everything" manifests through comprehensive IAM monitoring and analysis. CDA deployments include automated policy analysis that identifies permission drift, unused roles, and policy violations. IAM Recommender suggestions are automatically evaluated and implemented where appropriate. Access logs feed into security information and event management (SIEM) systems for behavioral analysis and anomaly detection.
CDA's methodology differs from conventional Google Cloud IAM approaches in several key ways. Most organizations treat IAM as a provisioning problem: create accounts, assign roles, and move on to other concerns. CDA treats IAM as an ongoing security operation that requires continuous optimization, monitoring, and adjustment.
Where conventional approaches use basic roles for simplicity, CDA mandates custom role engineering that provides exactly the permissions needed for specific functions. Where conventional approaches assign long-lived permissions, CDA implements time-bounded access through IAM Conditions and just-in-time elevation workflows. Where conventional approaches focus on user convenience, CDA prioritizes security boundary enforcement even when it requires additional operational complexity.
Organization Policy Service deployment represents a core CDA capability. Rather than relying on individual project owners to implement security controls correctly, CDA establishes organization-wide constraints that cannot be circumvented. These policies enforce data residency requirements, disable risky service features, and mandate security configurations across all projects and folders.
CDA's service account strategy eliminates the concept of persistent, widely-distributed credentials. Every service account is scoped to specific functions and bound to specific resources. Cross-project access requires explicit federation rather than shared credentials. This approach increases implementation complexity but dramatically reduces the attack surface and blast radius of potential compromises.
• Google Cloud IAM's hierarchical inheritance model amplifies both security benefits and risks, making organization-level policy decisions critical to overall security posture.
• Service account credentials represent the highest-risk component of IAM implementations; Workload Identity Federation should replace static keys in all production environments.
• Basic roles (Owner, Editor, Viewer) provide excessive permissions for most use cases; custom roles engineered for specific functions dramatically improve security outcomes.
• IAM Conditions enable attribute-based access control that can restrict permissions by time, location, resource tags, and request context, providing fine-grained security controls.
• Organization Policy Service creates enforceable constraints across the entire resource hierarchy, preventing individual project owners from circumventing security requirements.
• Google Cloud Security Fundamentals • Workload Identity Federation • Cloud Service Account Security • Organization Policy Management • Zero Trust Access Controls
• NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations • NIST Special Publication 800-207: Zero Trust Architecture • Center for Internet Security (CIS) Google Cloud Platform Foundation Benchmark v1.3.0 • MITRE ATT&CK Framework: Cloud Service Dashboard (T1538) • Google Cloud Security Best Practices: Identity and Access Management
CDA Theater missions that address topics covered in this article.
Cryptographic technique that encrypts data while preserving its original format and length, enabling protection without breaking legacy system compatibility.
Guide to HTTP/2 security covering binary framing, HPACK compression attacks, rapid reset vulnerability, stream multiplexing risks, and mitigation strategies.
Explanation of Certificate Transparency framework, covering log servers, Signed Certificate Timestamps, monitoring capabilities, and detection of fraudulent certificates.
Written by CDA Editorial
Found an issue? Help improve this article.