IAM & Service Accounts
Grant least-privilege access in GCP with members, roles, and service accounts.
GCP IAM answers “who can do what on which resource”. A policy binds:
- Member — a user, group, or service account
- Role — a set of permissions
- on a resource at some level of the hierarchy
Roles come in three types: basic (Owner/Editor/Viewer; each spans thousands of permissions across every service, so avoid them in production), predefined (granular, per-service roles maintained by Google), and custom (a permission set you assemble yourself when no predefined role is narrow enough). A service account is a non-human identity for apps and VMs. Attach it to the resource (a VM, a Cloud Run service, a GKE workload) and the runtime obtains short-lived credentials from the metadata server, so there is no long-lived secret to leak or rotate. Download a JSON key file only when nothing else works, and then treat that file as a credential that never expires on its own.
```bash
# Grant a predefined role to a user on a project.
# The binding is member + role + resource (here the project).
gcloud projects add-iam-policy-binding my-project \
  --member="user:alex@example.com" \
  --role="roles/storage.objectViewer"

# Create a service account and attach it to a VM (no key file).
# Creating the SA grants it nothing; bind roles to it with
# add-iam-policy-binding as above. The cloud-platform scope is the
# usual choice: access is then governed by the SA's IAM roles, not by
# narrower legacy OAuth scopes.
gcloud iam service-accounts create app-sa
gcloud compute instances create app-vm \
  --service-account=app-sa@my-project.iam.gserviceaccount.com \
  --scopes=cloud-platform
```
- Explain the three types of GCP IAM roles and when to use each.
- Grant a user a predefined read-only storage role on a project.
- Describe why an attached service account beats a downloaded key file.
- Identify the least-privileged role for "can view all resources, change none".
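To turn the guidance above into a check you can run, here is an added example (not part of the page's own commands) that audits a project IAM policy for the two anti-patterns this page warns about: basic roles in use, especially on service accounts, and public members (`allUsers`, `allAuthenticatedUsers`). It reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints; the embedded policy is constructed for the example and does not describe a real project.

```python
"""Audit a GCP project IAM policy for least-privilege violations.

Input is the JSON form of a policy, as printed by
    gcloud projects get-iam-policy my-project --format=json
Only the standard library is used, so it runs offline.
"""
import json
import sys

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy for demonstration (not captured from a real
# project). It mixes one acceptable binding with several bad ones.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alex@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:app-sa@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:alex@example.com", "allUsers"]},
        {"role": "roles/viewer",
         "members": ["group:auditors@example.com"]},
    ],
})


def member_type(member):
    """Return the principal type prefix ('user', 'group', 'serviceAccount', ...)."""
    # Members like 'allUsers' carry no prefix; everything else is 'type:id'.
    return member.split(":", 1)[0] if ":" in member else member


def audit_policy(policy_json):
    """Return a list of (check, role, member) tuples for every binding
    that violates the least-privilege guidance."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                # Anyone on the internet (or any Google account) holds this role.
                findings.append(("public-member", role, member))
            elif role in BASIC_ROLES and member_type(member) == "serviceAccount":
                # A workload with Owner/Editor/Viewer: one compromised app
                # equals project-wide access.
                findings.append(("basic-role-on-service-account", role, member))
            elif role in BASIC_ROLES:
                # Human or group holding a basic role: replace with
                # predefined roles scoped to what they actually do.
                findings.append(("basic-role", role, member))
    return findings


def format_report(findings):
    """Render findings as one line each, sorted for stable output."""
    return "\n".join(f"{check:32} {role:32} {member}"
                     for check, role, member in sorted(findings))


if __name__ == "__main__":
    # Pipe a real policy in, or fall back to the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    report = format_report(audit_policy(raw))
    print(report or "no findings")
```

Usage: `gcloud projects get-iam-policy my-project --format=json | python3 audit_iam.py`. The `public-member` check fires even for narrow predefined roles such as `roles/storage.objectViewer`, because the problem there is the principal, not the role; the basic-role checks fire regardless of principal, with a separate label for service accounts since those are the bindings an attacker who lands on the workload inherits.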
Cheat Sheet
| Concept | Detail |
|---|---|
| Policy binding | member + role + resource |
| Basic roles | Owner/Editor/Viewer (broad) |
| Predefined roles | Granular per-service |
| Custom roles | Tailored permission sets |
| Service account | Non-human identity |
| Attached SA | Auto credentials, no key file |
| Workload Identity | Federate without keys |
Common Interview Questions
What is a service account in GCP?
A non-human identity used by applications and VMs to authenticate to Google Cloud APIs. Best practice is to attach it to the resource so the runtime fetches short-lived credentials from the metadata server automatically, avoiding exported key files that never expire and are easy to leak.
What are the three types of IAM roles?
Basic (Owner/Editor/Viewer — broad, avoid in production), predefined (granular, service-specific), and custom (your own tailored permission sets).