Managing IAM Policies with the Google Cloud CLI

IAM policies are a critical aspect of managing access to your resources in Google Cloud. In this guide, we'll show how you can add and remove IAM policies using the Google Cloud CLI.

Patrick Londa
Jun 16, 2022
 min read
Share this post

An allow policy, or Identity and Access Management (IAM) policy, is a collection of statements defining access to resources. Every Google Cloud resource has an allow policy attached to enforce access control, listing the role bindings that connect a principal to a role. 

In this guide, we’ll explain how to add and update these IAM policies with the Google Cloud CLI. First, let’s cover the basics of principles and roles.

Understanding Principals and Roles


IAM policies define and enforce which roles are provided to different principals. Below is a listing of all principal types:

  • Google account: Represents an account for a developer, administrator, or any other user needing to interact with Google Cloud
  • Service account: Represents an account for a compute workload or an application versus an individual user
  • Google group: Represents a named collection of Google and service accounts. Each contains a unique email address connected to the group. Every member of a Google group inherits its IAM roles. Admins can use groups to manage user roles instead of granting IAM permissions to individual users.
  • Google workspace account: Represents all the Google accounts within a virtual group. Accounts within a Google workspace account receive access to Google workspace features and applications.
  • Cloud Identity domain: Represents a virtual group of Google accounts that do not receive access to Google workspace features and applications
  • Authenticated users: Represents an identifier for all internet service accounts and users with a Google account authentication
  • All users: Represents an identifier for any internet user

Any principal attempting to access a Google Cloud resource gets checked against the allow policy for a resource to determine the validity of the action. The principal needs the right role (as defined in the policy) to act on the resource.


IAM roles are sets of permissions that define how a principal can interact with a resource. For all resources, there are basic roles like “Viewer” (read-only), “Editor” (read/write), and “Owner” (read/write/admin). Beyond that, there are predefined roles that Google Cloud maintains, and custom roles that your organization can create and tailor to your specific needs. You can read more about roles here.

We recently wrote a guide on how you can assign roles to users using the Google CLI. 

Now that we’ve covered the basics on principals and roles, we’ll show you how to add IAM policies using the Google Cloud CLI that attach roles and principal permissions to a resource.

Blink Automation: Update IAM Policy for GCP Resources and Send Email Confirmation
Blink + GCP
Try This Automation

Viewing Existing IAM Policies on a Resource

If you wish to see the current allow policies on a resource before adding a new one, issue the “get-iam-policy” command via the GCloud CLI:

Gcloud [resourcetype] get-iam-policy [resource_id] -format=[format]>[path]
  • Resourcetype: Resource you wish to access
  • Resourceid: ID for Google Cloud project, organization ID, or folder
  • Format: The format for the policy, either JSON or YAML
  • Path: Outpath for the policy

Adding IAM Policies to a Resource

Once you’ve confirmed that your desired allowed policy does not exist, issue the "add-iam-policy-binding" command through the CLI to add a new one:

Gcloud [resourcetype] add-iam-policy-binding [resource_id] 
-member=[principal] -role[roleid] \ --condition=[condition]
  • Principal: An identifier for your principal or member
  • Roleid: Name of the role ID you wish to grant
  • Condition: Optional condition to add to a role binding

If you want to make updates to the policy you have added, you can use the "set-iam-policy" command to issue updates.

Removing IAM Policies from a Resource

You can revoke IAM policies using the following command:

Gcloud [resourcetype] remove-iam-policy-binding [resourceid] 
- member=[principal] -role=[roleid]

Making IAM Policy Updates with Blink

When you need to make IAM changes, looking up the specific commands for each of these actions is time-consuming and requires context-switching.

With Blink, you can run automation like this one to update IAM policies and manage your resources at scale in GCP.

Blink Automation: Update IAM Policy with GCP and Send Results via Email Input Parameters
Blink Automation: Update IAM Policy with GCP and Send Results via Email Input Parameters

When this automation runs, it executes the following actions:

  1. Updates a specified IAM policy with GCP.
  2. Sends a confirmation via Slack.

It’s a simple automation, and you can customize it however you like. For example, you could ensure that when a certain type of GCP resource is created, a GCP IAM policy is updated accordingly to reference it.

In Blink, you can either use one of the 5K automations in the Blink Library or create automations from scratch to meet your team’s unique needs using the hundreds of drag-and-drop actions available from a wide range of tools.

Get started with Blink today to see how easy automation can be.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native. 
Get modern cloud and security operations today.

Get a Demo