How to Manage IAM Policies with the Google Cloud CLI
Manage IAM policies in Google Cloud with ease using the CLI. Learn how to add and remove IAM policies to control access to your resources.
An allow policy, also called an Identity and Access Management (IAM) policy, is the collection of role bindings attached to a resource. Every Google Cloud resource that supports IAM has an allow policy attached to enforce access control; each role binding in it connects one or more principals to a role. Allow policies are inherited down the resource hierarchy, so a binding on an organization, folder, or project also applies to every resource beneath it.
In this guide, we’ll explain how to view, add, update, and remove these IAM policy bindings with the Google Cloud CLI. First, let’s cover the basics of principals and roles.
IAM policies define and enforce which roles are granted to which principals. Below is a listing of all principal types:
Any principal attempting to access a Google Cloud resource is checked against that resource's allow policy (including bindings inherited from its parents) to determine whether the action is allowed. Access is denied unless some binding grants the principal a role that contains the specific permission the action requires.
IAM roles are sets of permissions that define how a principal can interact with a resource. For all resources, there are basic roles: Viewer (read-only), Editor (read/write), and Owner (read/write plus administration, including managing IAM). Basic roles are very broad, spanning every service on the resource, and are a poor fit for least privilege; prefer the predefined roles that Google Cloud maintains for each service, or custom roles that your organization creates and tailors to its specific needs.
We recently wrote a guide on how you can assign roles to users using the Google Cloud CLI.
Now that we’ve covered the basics on principals and roles, we’ll show you how to use the Google Cloud CLI to add, update, and remove the policy bindings that attach a role to a principal on a resource.
If you want to see the current allow policy on a resource before changing it, run the resource type's get-iam-policy command (for example, gcloud projects get-iam-policy for a project). Use --format=json to save the full policy, including its etag, to a file if you plan to edit it.
Once you’ve confirmed that the binding you want does not already exist, run add-iam-policy-binding to add it. The command performs the read-modify-write for you: it appends the member to the binding for the given role (creating the binding if needed) and leaves every other binding untouched, so rerunning it is safe. If the role already has a binding with a condition, you must pass --condition to select that binding.
To make broader changes, such as several bindings at once, download the policy with get-iam-policy, edit the file, and upload it with set-iam-policy. Be careful: set-iam-policy replaces the entire policy with the file's contents, so any binding you leave out of the file is removed. Keep the etag from the downloaded policy in the file so the server rejects the update if someone else changed the policy in the meantime, instead of silently overwriting their change.
To revoke access, remove the member from the binding with remove-iam-policy-binding, which takes the same resource, --member, and --role arguments as add-iam-policy-binding. Removing the last member from a binding drops that binding from the policy.
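The get, edit, set and remove steps above are easy to get wrong in the middle step, where a hand-edited file is handed to set-iam-policy. The following Python is an added example, not code from the original page or from Blink, showing the edit step done safely: it adds and removes members idempotently, never merges into a conditional binding it was not asked for, and checks the etag and policy version before the file is uploaded. The policy document, its etag, and all principal and project names are constructed for the example; the gcloud commands in the docstring are the real commands that surround this step.

```python
"""Safe edit step for a Google Cloud allow policy (constructed offline example).

Fits between these real gcloud commands:
    gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json
    python3 edit_policy.py        # in practice, load policy.json instead of SAMPLE_POLICY
    gcloud projects set-iam-policy PROJECT_ID policy.json
"""
import copy
import json

# Constructed sample in the shape returned by `get-iam-policy --format=json`.
# The etag is a placeholder; real etags are opaque, server-generated strings.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXexample==",
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {
            "role": "roles/storage.objectViewer",
            "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
            "condition": {
                "title": "expires_2025",
                "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")',
            },
        },
    ],
}

BASIC_ROLES = ("roles/owner", "roles/editor", "roles/viewer")


def find_binding(policy, role, condition=None):
    """Return the binding for `role` whose condition matches exactly, else None.

    A conditional and an unconditional binding on the same role are distinct
    bindings, so a member is never merged into one the caller did not name.
    """
    for binding in policy.get("bindings", []):
        if binding["role"] == role and binding.get("condition") == condition:
            return binding
    return None


def has_binding(policy, role, member, condition=None):
    binding = find_binding(policy, role, condition)
    return binding is not None and member in binding["members"]


def add_binding(policy, role, member, condition=None):
    """Return a copy of `policy` with `member` granted `role` (idempotent)."""
    new = copy.deepcopy(policy)
    binding = find_binding(new, role, condition)
    if binding is None:
        binding = {"role": role, "members": []}
        if condition is not None:
            binding["condition"] = condition
        new.setdefault("bindings", []).append(binding)
    if member not in binding["members"]:
        binding["members"].append(member)
    return new


def remove_binding(policy, role, member, condition=None):
    """Return a copy of `policy` with `member` removed from `role`.

    A binding left with no members is dropped, as remove-iam-policy-binding does.
    """
    new = copy.deepcopy(policy)
    binding = find_binding(new, role, condition)
    if binding is not None and member in binding["members"]:
        binding["members"].remove(member)
        if not binding["members"]:
            new["bindings"].remove(binding)
    return new


def check_before_set(original, edited):
    """Problems to fix before handing the file to set-iam-policy (empty list = ok).

    - the etag must match the downloaded policy so a concurrent change is
      rejected by the server instead of silently overwritten
    - version must be 3 if any binding carries a condition
    - a basic role in the policy is a least-privilege smell worth a warning
    """
    problems = []
    if edited.get("etag") != original.get("etag"):
        problems.append("etag changed or missing: re-run get-iam-policy and redo the edit")
    bindings = edited.get("bindings", [])
    if any("condition" in b for b in bindings) and edited.get("version", 1) < 3:
        problems.append("bindings carry conditions but policy version is below 3")
    for b in bindings:
        if b["role"] in BASIC_ROLES:
            problems.append(f"basic role {b['role']} granted; prefer a predefined role")
    return problems


if __name__ == "__main__":
    edited = add_binding(SAMPLE_POLICY, "roles/logging.viewer", "group:sre@example.com")
    edited = remove_binding(edited, "roles/viewer", "user:alice@example.com")
    for problem in check_before_set(SAMPLE_POLICY, edited):
        print("WARNING:", problem)
    print(json.dumps(edited, indent=2))  # this is what goes into policy.json
```

The functions return new policy objects rather than mutating the downloaded one so that the original can still be compared against the edited copy, which is what lets check_before_set catch a dropped or altered etag. Conditional bindings are matched only when the caller passes the identical condition, mirroring the --condition requirement of the gcloud commands.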
When you need to make IAM changes, looking up the specific commands for each of these actions is time-consuming and requires context-switching.
With Blink, you can run an automation like this one to update IAM policies and manage your resources at scale in GCP.
When this automation runs, it executes the following actions:
It’s a simple automation, and you can customize it however you like. For example, you could ensure that when a certain type of GCP resource is created, a GCP IAM policy is updated accordingly to reference it.
In Blink, you can either use one of the 5K automations in the Blink Library or create automations from scratch to meet your team’s unique needs using the hundreds of drag-and-drop actions available from a wide range of tools.
Get started with Blink today to see how easy automation can be.
Blink is secure, decentralized, and cloud-native. Get modern cloud and security operations today.