Google Cloud Identity and Access Management Concepts: Difference between revisions

From NovaOrdis Knowledge Base

Revision as of 22:58, 24 August 2021

External

Internal

Overview

IAM allows granting granular access to Google Cloud resources. It supports the security principle of least privilege, which states that nobody should have more permission than they actually need. IAM manages access control by defining who (the identity) has what access (the role) for which resource. Permissions to access resources are not granted directly to end users; instead, permissions are grouped into roles, and roles are granted to authenticated members. The association between roles and the members they are granted to is defined in an IAM Policy. IAM policies are attached to resources. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.

Identity Concepts

Member

Authenticated Member

Google Account

Service Account

Access Management Concepts

Resource

Google Cloud Platform Concepts | Resources

Role

Role Binding

A role binding is the association between a role and the members it is granted to. A single binding names one role and lists one or more members. Role bindings are listed in IAM policies.

IAM Policy

An IAM Policy is attached to a resource. The policy contains role bindings. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.
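The following is an added example, not part of the NovaOrdis page, that models the concepts described in the Overview, Role Binding and IAM Policy sections above: a policy document attached to a resource, the role bindings inside it, and the check IAM performs when a member attempts an action. The policy document shape (version, etag, bindings with role and members) follows the JSON that gcloud get-iam-policy returns; the member identities, project name, etag value and the small role-to-permission table are constructed sample data, not real predefined role contents.

```python
"""Toy model of a Google Cloud IAM policy and the access check it drives.

Added example (not from the NovaOrdis page). The policy schema matches the
JSON that `gcloud projects get-iam-policy` returns; everything else
(ROLE_PERMISSIONS, SAMPLE_POLICY_JSON, the identities in it) is constructed
sample data to keep the example self-contained.
"""
import json

# Constructed sample: a few permissions per role. Real predefined roles
# (roles/viewer, roles/editor, ...) carry many more permissions than this.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list"},
    "roles/editor": {"storage.objects.get", "storage.objects.list",
                     "storage.objects.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

# Constructed sample policy, as it would be attached to a project resource.
# Each entry of "bindings" is one role binding: one role, a list of members.
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwXYZ123abc=",
  "bindings": [
    {"role": "roles/viewer",
     "members": ["user:alice@example.com", "group:auditors@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@my-project.iam.gserviceaccount.com"]}
  ]
}
"""


def parse_policy(text):
    """Parse a policy document and reject bindings missing role or members."""
    policy = json.loads(text)
    for binding in policy.get("bindings", []):
        if "role" not in binding or "members" not in binding:
            raise ValueError("malformed binding: %r" % (binding,))
    return policy


def roles_for_member(policy, member):
    """Every role the policy binds to this exact member identity.
    Group expansion (user X is in group:auditors@...) is done by IAM,
    not by the policy document, and is not modelled here."""
    return {b["role"] for b in policy["bindings"] if member in b["members"]}


def permissions_for_member(policy, member):
    """Union of the permissions carried by the member's bound roles."""
    perms = set()
    for role in roles_for_member(policy, member):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(policy, member, permission):
    """The check IAM makes when `member` acts on the resource the policy is
    attached to: permitted only if some binding grants the member a role
    that carries `permission`. A role unknown to the table grants nothing."""
    return permission in permissions_for_member(policy, member)


def add_binding(policy, role, member):
    """Same effect as `gcloud projects add-iam-policy-binding`: extend the
    existing binding for `role`, or create a new one. Returns the policy."""
    for binding in policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy


def excess_permissions(policy, member, needed):
    """Least-privilege check: permissions the member holds beyond `needed`."""
    return permissions_for_member(policy, member) - set(needed)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_JSON)
    print(is_allowed(policy, "user:alice@example.com", "storage.objects.get"))
    add_binding(policy, "roles/editor", "user:bob@example.com")
    print(excess_permissions(policy, "user:bob@example.com",
                             ["storage.objects.get"]))
```

The design point worth noticing is that the check never consults the member directly for permissions: it walks the resource's bindings, collects roles, and only then expands roles to permissions. That is why granting roles/editor to a member who only needs storage.objects.get shows up as excess in excess_permissions, which is the kind of least-privilege review the Overview calls for.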