Google Cloud IAM
Status: Final
Google Cloud IAM controls access to all GCP resources. Unlike AWS where there is a clear IAM/STS separation, GCP IAM is unified — the same policy model covers all resource types.
Core Concepts
| Concept | Description |
|---|---|
| Principal | Who: Google Account, Service Account, Google Group, Workspace domain |
| Role | Collection of permissions (primitive, predefined, custom) |
| Policy Binding | Attaches a role to a principal on a resource |
| Resource Hierarchy | Organization → Folder → Project → Resource |
Permissions granted at a higher level inherit downward.
Role Types
| Type | Examples | Notes |
|---|---|---|
| Primitive (legacy) | Owner, Editor, Viewer | Overly broad; avoid |
| Predefined | roles/storage.objectAdmin, roles/compute.instanceAdmin | Granular per-service |
| Custom | User-defined | Fine-grained but complex |
Owner on a project = full control including IAM changes = equivalent to root.
Service Accounts
Service accounts are the primary non-human identity in GCP:
- Each project gets a default service account (often over-permissioned)
- Long-term key files (*.json) can be created; these are persistent credentials
- IMDS: http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token is accessible from any GCE VM
Workload Identity Federation
Lets external identities (GitHub Actions, AWS roles, Kubernetes service accounts) impersonate GCP service accounts via OIDC/SAML federation, without service account key files.
Attack surface: a compromised external OIDC provider, or trust conditions that are too permissive (e.g., any sub claim accepted).
Attack Surface
| Attack | Primitive |
|---|---|
| SSRF → IMDS token | http://metadata.google.internal/... → short-lived access token |
| Service account key exfil | .json key file found in repo/storage → persistent API access |
| iam.serviceAccountTokenCreator role | Generate tokens for any service account |
| iam.roles.update | Escalate by updating existing role permissions |
| Default service account auto-binding | Compute Engine default SA has Editor role by default in older projects |
Telemetry
Cloud Audit Logs: cloudaudit.googleapis.com/activity — all IAM changes, service account key creation, permission grants.
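Detection logic for the activity log above, as an added example (not part of this note and not Google's code): it triages newline-delimited JSON exports of cloudaudit.googleapis.com/activity for the primitives in the Attack Surface table, i.e. Owner/Editor/tokenCreator grants, service account key creation, and custom role updates. The three log entries, the project name and the principal e-mails are constructed; the field layout (protoPayload.methodName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas) follows the activity log, and the bindingDeltas location is an assumption for SetIamPolicy entries.

```python
import json

# Roles this note treats as root-equivalent or as escalation primitives
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountTokenCreator"}

# Admin Activity methods that mint persistent credentials or mutate roles
HIGH_RISK_METHODS = {
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
    "google.iam.admin.v1.UpdateRole": "custom role permissions changed",
}


def triage_entry(entry):
    """Return findings (strings) for one activity-log entry given as a dict."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "?")
    resource = payload.get("resourceName", "?")
    findings = []
    if method in HIGH_RISK_METHODS:
        findings.append(f"{HIGH_RISK_METHODS[method]} on {resource} by {actor}")
    if method.endswith("SetIamPolicy"):
        # Binding changes are recorded as ADD/REMOVE deltas under policyDelta (assumed location)
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("role") in HIGH_RISK_ROLES:
                findings.append(f"{delta['role']} granted to {delta.get('member')} on {resource} by {actor}")
    return findings


def triage(log_lines):
    """Run triage over a newline-delimited JSON export of the activity log."""
    findings = []
    for line in log_lines:
        findings.extend(triage_entry(json.loads(line)))
    return findings


# Constructed sample entries: layout follows the activity log, all values are invented
SAMPLE_LOG = [
    '{"logName":"projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","resourceName":"projects/demo-project","authenticationInfo":{"principalEmail":"alice@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:mallory@example.com"}]}}}}',
    '{"logName":"projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","resourceName":"projects/demo-project/serviceAccounts/app-sa@demo-project.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"bob@example.com"}}}',
    '{"logName":"projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","resourceName":"projects/demo-project","authenticationInfo":{"principalEmail":"alice@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/viewer","member":"user:carol@example.com"}]}}}}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("ALERT:", finding)
```

The viewer grant in the third entry is deliberately ignored so the output shows only the two events worth paging on.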
Cross-Links
| Topic | Link |
|---|---|
| GWS Overview | gws-overview |
| AWS IAM Overview | aws-iam-overview |