Google Cloud

GCP IAM Complete Guide: Roles, Service Accounts, Workload Identity, and Conditions

2026-05-24
NicheeLab Editorial Team

Google Cloud IAM (Identity and Access Management) is the permission control foundation of GCP. This article walks through the role system, resource hierarchy, Service Accounts, Workload Identity Federation, IAM Conditions, and Organization Policy in a structured way.

Resource Hierarchy

LevelDescription
OrganizationCompany-wide root, linked to Cloud Identity / Workspace
FolderPer business unit / environment (Prod / Dev); up to 10 levels deep
ProjectBase unit of resources and billing
ResourceIndividual resources (Bucket, VM, Dataset, etc.)

Higher-level policies are inherited downward (union semantics).

Role System

TypeExampleUse Case
Basic (formerly Primitive)roles/owner / editor / viewerNot recommended for production; dev use only
Predefinedroles/storage.objectViewer, etc.Production standard, fine-grained per service
CustomOrganization-definedWhen Predefined roles are insufficient

Types of Identity

  • Google Account: Individual user (user:[email protected])
  • Service Account: For apps / VMs / Functions (serviceAccount:[email protected])
  • Google Group: Bundle of users (group:[email protected])
  • Cloud Identity Domain: Entire domain (domain:example.com)
  • allUsers / allAuthenticatedUsers: Public access (used for public Buckets, etc.)
  • Workload Identity Pool: External IdP mapping

Service Account Best Practices

  1. Do not use default Service Accounts: Create dedicated SAs
  2. Do not download keys: Use Workload Identity / Workload Identity Federation
  3. Least privilege: Grant only the Predefined roles you need
  4. SA Impersonation: Temporarily borrow another SA's permissions (gcloud auth print-access-token --impersonate-service-account)
  5. Audit logs: Track SA operations via Cloud Audit Logs
  6. Key rotation: When you must use keys, rotate them within 90 days

Workload Identity Federation

A mechanism where Google Cloud trusts external IdPs (AWS / Azure / Okta / GitHub Actions / Kubernetes). It lets you call GCP APIs without SA keys, dramatically improving CI/CD security.

  • Create a Workload Identity Pool
  • Configure a Provider (AWS / OIDC / SAML)
  • Attribute Mapping (translate subject / claim into a GCP principal)
  • Grant impersonate permission to the Service Account

IAM Conditions

Attribute-Based Access Control for permissions. Example:

{
  "role": "roles/storage.objectAdmin",
  "members": ["user:[email protected]"],
  "condition": {
    "title": "Only specific bucket and during business hours",
    "expression": "resource.name.startsWith('projects/_/buckets/prod-data') && request.time.getHours('Asia/Tokyo') >= 9 && request.time.getHours('Asia/Tokyo') < 18"
  }
}

Organization Policy

  • constraints/compute.vmExternalIpAccess: Restrict VMs with external IPs
  • constraints/iam.disableServiceAccountKeyCreation: Forbid SA key creation
  • constraints/gcp.resourceLocations: Restrict allowed regions
  • constraints/iam.allowedPolicyMemberDomains: Allow only trusted domains (Domain Restricted Sharing)
  • constraints/storage.uniformBucketLevelAccess: Enforce IAM only, not ACLs

Privileged Access Manager (PAM)

  • Released in 2024; provides Just-in-Time access
  • Request -> approve -> time-bound grant workflow for privileged roles
  • Operate emergency break-glass access safely
  • Track who approved what and when via audit logs

Auditing and Monitoring

  • Cloud Audit Logs: Admin Activity (always on), Data Access, System Event, Policy Denied
  • IAM Recommender: ML-based excessive-permission suggestions (trims roles unused for 90 days)
  • Policy Troubleshooter: Analyzes why a user can or cannot perform X
  • Policy Analyzer: Search across the org for who can access what

Common Exam Traps

  • Basic roles are not recommended for production: roles/editor grants nearly every permission except ML and billing
  • Service Accounts are both Identity and Resource: Granting Token Creator to another SA enables impersonation
  • Conditions require API support: Not every API supports them; verify before relying on them
  • Organization Policy takes precedence over IAM: Deny policies override IAM Allow

What is the difference between Primitive, Predefined, and Custom roles?

Primitive roles (Owner / Editor / Viewer) are coarse-grained and not recommended for production. Predefined roles are fine-grained per service (e.g. roles/storage.objectViewer). Custom roles are organization-defined. Production should standardize on Predefined or Custom.

How does the IAM policy hierarchy work?

Organization -> Folder -> Project -> Resource. Lower levels inherit policies from higher levels. Org-level policies propagate to every project underneath.

What are the best practices for Service Accounts?

1) Do not use default Service Accounts, 2) do not download keys (use Workload Identity), 3) apply least privilege, 4) track activity via audit logs, 5) use SA Impersonation for temporary privilege borrowing.

What is Workload Identity Federation?

A mechanism that trusts external IdPs (AWS / Azure / Okta / GitHub Actions, etc.) so you can call GCP APIs without SA keys. It is becoming standard in CI/CD pipelines.

What can IAM Conditions do?

Attribute-based access control. Examples: allow only on weekdays between 9-17, restrict to specific resource names, or allow only from specific IPs. Combined with Access Levels (Context-Aware Access) for stronger control.

What is the difference between Organization Policy and IAM Policy?

IAM defines who can do what. Organization Policy defines what the organization permits or forbids overall (e.g. ban external IPs on VMs, restrict allowed regions). Combine both for governance.

What is Privileged Access Manager (PAM)?

A feature released in 2024. It provides a request/approval workflow for time-limited access to privileged roles, enabling Just-in-Time access for emergencies.

What is the difference between Cloud Identity and Google Workspace?

Cloud Identity = identity platform only (Free / Premium). Workspace = identity plus the Gmail / Drive / Meet SaaS suite. For GCP-only use, Cloud Identity Free is enough.

Related Articles: IAM and Security

Terraform on GCP 完全ガイド|IaC・Provider・Workload Identity・GitHub Actions (2026)

Google Cloud で Terraform を使う IaC 完全ガイド。Google Cloud Provider / Beta、State 管理 (gcs バックエンド)、Workload Identity Federation、Module 設計、GitHub Actions CI、Infracost、Config Connector を 2026 年最新版で網羅。

GitHub Actions + GCP CI/CD 完全ガイド|Workload Identity・Cloud Run/GKE デプロイ (2026)

GitHub Actions で GCP CI/CD を構築する完全ガイド。Workload Identity Federation、setup-gcloud、Cloud Run / GKE デプロイ、Cloud Build 連携、Reusable Workflow、Self-hosted Runner、Secrets 管理を 2026 年最新版で網羅。

GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM

Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。

GCP Professional Cloud Security Engineer (PCSE) 完全ガイド|IAM・KMS・BeyondCorp・SCC

Google Cloud Professional Cloud Security Engineer の試験範囲、IAM / Cloud KMS / VPC Service Controls / BeyondCorp / Security Command Center、AWS SCS・Azure SC-100 比較を詳解。

Google Cloud is a trademark of Google LLC. For the latest information, see the official IAM documentation.

Check what you learned with practice questions

Practice with certification-focused question sets

See GCP Exam Prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Google Cloud

Google Cloud Certification Roadmap (2026)

Choose your GCP certification path — Foundational, Associate...

Google Cloud

CDL Cloud Digital Leader: Complete Exam Guide (2026)

Pass the Cloud Digital Leader exam — cloud business value, G...

Google Cloud

GAIL Generative AI Leader: Complete Exam Guide (2026)

Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...

Google Cloud

Vertex AI Fundamentals for GCP Certs (2026)

Vertex AI basics every cert candidate needs — Workbench, Pip...

Google Cloud

Associate Cloud Engineer (ACE): Complete Guide (2026)

Pass the Associate Cloud Engineer exam — Console, gcloud, pr...

Browse all Google Cloud articles (103)
© 2026 NicheeLab All rights reserved.