Google Cloud Identity and Access Management Concepts
Overview
IAM lets you grant granular access to Google Cloud resources. It supports the security principle of least privilege, which states that nobody should have more permission than they actually need. IAM manages access control by defining who (the identity) has what access (the role) for which resource. Permissions to access resources are not granted directly to end users, but to roles. Roles are granted to authenticated members. The association between which roles are granted to which members is defined in an IAM policy. IAM policies are attached to resources. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.
Identity Concepts
Member
A member can be a Google account, a service account, a Google group, a Google Workspace or a Cloud Identity domain.
Google Account
A Google Account represents a developer, an administrator, or any other person who interacts with Google Cloud. The identity of the member in this case is the email address that's associated with a Google account.
Service Account
The identity of the member in this case is the email address that's associated with the service account.
Google Group
The identity of the member in this case is the email address that's associated with the Google group.
Google Workspace
The identity of the member in this case is the domain name that's associated with the Google Workspace.
Cloud Identity Domain
The identity of the member in this case is the domain name that's associated with the Cloud Identity domain.
Authenticated Member
Access Management Concepts
Resource
Role
Role Binding
A role binding is the association between a member and a role. Role bindings are listed in IAM policies.
IAM Policy
An IAM Policy is attached to a resource. The policy contains role bindings. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.
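The role binding and IAM policy concepts above, as an added worked example that is not part of the original page or of Google's own implementation: a small model of how a policy attached to a resource is evaluated at access time. The policy dictionary uses the real IAM policy JSON shape (a list of bindings, each mapping one role to a list of members), but the role-to-permission map, the group membership table and every identity and project name are constructed for illustration.

```python
# Constructed: the permissions each role carries. Real predefined roles such as
# roles/storage.objectViewer carry more permissions than are listed here.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
}

# Constructed group membership. In Google Cloud the group's members live in
# Google Workspace / Cloud Identity, not inside the IAM policy itself.
GROUP_MEMBERS = {
    "group:analysts@example.com": {"user:alice@example.com", "user:bob@example.com"},
}

# Constructed IAM policy in the real policy shape, as if attached to one bucket.
# Each binding is one role bound to a list of members.
BUCKET_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXconstructed=",  # placeholder etag, not a real value
}


def roles_for(policy, member):
    """Roles the policy binds to this member, directly or via a group binding."""
    roles = set()
    for binding in policy["bindings"]:
        for bound in binding["members"]:
            if bound == member or member in GROUP_MEMBERS.get(bound, set()):
                roles.add(binding["role"])
    return roles


def permissions_for(policy, member):
    """Permissions reach a member only through the roles bound to it."""
    perms = set()
    for role in roles_for(policy, member):
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def is_allowed(policy, member, permission):
    """The access-time check: is the required permission granted by any binding?"""
    return permission in permissions_for(policy, member)
```

Because the check walks the bindings of the resource's own policy, an identity with no binding (directly or through a group) gets nothing, and a viewer-only group member cannot delete objects even though another binding on the same resource grants that permission to a service account.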