Google Cloud IAM (Identity and Access Management) is the permission control foundation of GCP. This article walks through the role system, resource hierarchy, Service Accounts, Workload Identity Federation, IAM Conditions, and Organization Policy in a structured way.
| Level | Description |
|---|---|
| Organization | Company-wide root, linked to Cloud Identity / Workspace |
| Folder | Per business unit / environment (Prod / Dev); up to 10 levels deep |
| Project | Base unit of resources and billing |
| Resource | Individual resources (Bucket, VM, Dataset, etc.) |
Higher-level policies are inherited downward (union semantics).
| Type | Example | Use Case |
|---|---|---|
| Basic (formerly Primitive) | roles/owner / editor / viewer | Not recommended for production; dev use only |
| Predefined | roles/storage.objectViewer, etc. | Production standard, fine-grained per service |
| Custom | Organization-defined | When Predefined roles are insufficient |
A mechanism where Google Cloud trusts external IdPs (AWS / Azure / Okta / GitHub Actions / Kubernetes). It lets you call GCP APIs without SA keys, dramatically improving CI/CD security.
Attribute-Based Access Control for permissions. Example:
{
"role": "roles/storage.objectAdmin",
"members": ["user:[email protected]"],
"condition": {
"title": "Only specific bucket and during business hours",
"expression": "resource.name.startsWith('projects/_/buckets/prod-data') && request.time.getHours('Asia/Tokyo') >= 9 && request.time.getHours('Asia/Tokyo') < 18"
}
}What is the difference between Primitive, Predefined, and Custom roles?
Primitive roles (Owner / Editor / Viewer) are coarse-grained and not recommended for production. Predefined roles are fine-grained per service (e.g. roles/storage.objectViewer). Custom roles are organization-defined. Production should standardize on Predefined or Custom.
How does the IAM policy hierarchy work?
Organization -> Folder -> Project -> Resource. Lower levels inherit policies from higher levels. Org-level policies propagate to every project underneath.
What are the best practices for Service Accounts?
1) Do not use default Service Accounts, 2) do not download keys (use Workload Identity), 3) apply least privilege, 4) track activity via audit logs, 5) use SA Impersonation for temporary privilege borrowing.
What is Workload Identity Federation?
A mechanism that trusts external IdPs (AWS / Azure / Okta / GitHub Actions, etc.) so you can call GCP APIs without SA keys. It is becoming standard in CI/CD pipelines.
What can IAM Conditions do?
Attribute-based access control. Examples: allow only on weekdays between 9-17, restrict to specific resource names, or allow only from specific IPs. Combined with Access Levels (Context-Aware Access) for stronger control.
What is the difference between Organization Policy and IAM Policy?
IAM defines who can do what. Organization Policy defines what the organization permits or forbids overall (e.g. ban external IPs on VMs, restrict allowed regions). Combine both for governance.
What is Privileged Access Manager (PAM)?
A feature released in 2024. It provides a request/approval workflow for time-limited access to privileged roles, enabling Just-in-Time access for emergencies.
What is the difference between Cloud Identity and Google Workspace?
Cloud Identity = identity platform only (Free / Premium). Workspace = identity plus the Gmail / Drive / Meet SaaS suite. For GCP-only use, Cloud Identity Free is enough.
Related Articles: IAM and Security
Terraform on GCP 完全ガイド|IaC・Provider・Workload Identity・GitHub Actions (2026)
Google Cloud で Terraform を使う IaC 完全ガイド。Google Cloud Provider / Beta、State 管理 (gcs バックエンド)、Workload Identity Federation、Module 設計、GitHub Actions CI、Infracost、Config Connector を 2026 年最新版で網羅。
GitHub Actions + GCP CI/CD 完全ガイド|Workload Identity・Cloud Run/GKE デプロイ (2026)
GitHub Actions で GCP CI/CD を構築する完全ガイド。Workload Identity Federation、setup-gcloud、Cloud Run / GKE デプロイ、Cloud Build 連携、Reusable Workflow、Self-hosted Runner、Secrets 管理を 2026 年最新版で網羅。
GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM
Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。
GCP Professional Cloud Security Engineer (PCSE) 完全ガイド|IAM・KMS・BeyondCorp・SCC
Google Cloud Professional Cloud Security Engineer の試験範囲、IAM / Cloud KMS / VPC Service Controls / BeyondCorp / Security Command Center、AWS SCS・Azure SC-100 比較を詳解。
Google Cloud is a trademark of Google LLC. For the latest information, see the official IAM documentation.
Practice with certification-focused question sets
See GCP Exam PrepNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Google Cloud Certification Roadmap (2026)
Choose your GCP certification path — Foundational, Associate...
CDL Cloud Digital Leader: Complete Exam Guide (2026)
Pass the Cloud Digital Leader exam — cloud business value, G...
GAIL Generative AI Leader: Complete Exam Guide (2026)
Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...
Vertex AI Fundamentals for GCP Certs (2026)
Vertex AI basics every cert candidate needs — Workbench, Pip...
Associate Cloud Engineer (ACE): Complete Guide (2026)
Pass the Associate Cloud Engineer exam — Console, gcloud, pr...