
Managing IAM Policies with the Google Cloud CLI

IAM policies are a critical aspect of managing access to your resources in Google Cloud. In this guide, we'll show how you can add and remove IAM policies using the Google Cloud CLI.


An allow policy, or Identity and Access Management (IAM) policy, is a collection of statements defining access to resources. Every Google Cloud resource has an allow policy attached to enforce access control, listing the role bindings that connect a principal to a role. 

In this guide, we’ll explain how to add and update these IAM policies with the Google Cloud CLI. First, let’s cover the basics of principals and roles.

Understanding Principals and Roles

Principals

IAM policies define and enforce which roles are granted to which principals. Below is a list of all principal types:

  • Google account: Represents a developer, administrator, or any other individual who needs to interact with Google Cloud
  • Service account: Represents a compute workload or an application rather than an individual user
  • Google group: Represents a named collection of Google accounts and service accounts. Each group has a unique email address associated with it, and every member of the group inherits the group's IAM roles. Admins can grant roles to groups instead of granting IAM permissions to individual users.
  • Google Workspace account: Represents all the Google accounts within a virtual group. Accounts within a Google Workspace account receive access to Google Workspace features and applications.
  • Cloud Identity domain: Represents a virtual group of Google accounts that do not receive access to Google Workspace features and applications
  • Authenticated users: Represents all service accounts and users on the internet who have authenticated with a Google account
  • All users: Represents any user on the internet

Any principal attempting to access a Google Cloud resource is checked against that resource's allow policy to determine whether the action is permitted. The principal needs the right role (as defined in the policy) to act on the resource.

Roles

IAM roles are sets of permissions that define how a principal can interact with a resource. For all resources, there are basic roles like “Viewer” (read-only), “Editor” (read/write), and “Owner” (read/write/admin). Beyond that, there are predefined roles that Google Cloud maintains, and custom roles that your organization can create and tailor to your specific needs. You can read more about roles here.

We recently wrote a guide on how you can assign roles to users using the Google CLI. 

Now that we’ve covered the basics on principals and roles, we’ll show you how to add IAM policies using the Google Cloud CLI that attach roles and principal permissions to a resource.

Viewing Existing IAM Policies on a Resource

If you wish to see the current allow policy on a resource before adding a new binding, issue the “get-iam-policy” command via the gcloud CLI:

gcloud [resourcetype] get-iam-policy [resource_id] --format=[format] > [path]
  • [resourcetype]: The type of resource whose policy you want to read
  • [resource_id]: The ID of the Google Cloud project, organization, or folder
  • [format]: The output format for the policy, either json or yaml
  • [path]: The file path the policy is written to

Adding IAM Policies to a Resource

Once you’ve confirmed that the binding you want does not already exist in the allow policy, issue the "add-iam-policy-binding" command through the CLI to add it:

gcloud [resourcetype] add-iam-policy-binding [resource_id] --member=[principal] --role=[roleid] --condition=[condition]
  • [principal]: The identifier of the principal (member) to grant the role to
  • [roleid]: The ID of the role you wish to grant
  • [condition]: An optional condition to attach to the role binding

If you later need to update the policy you have added, use the "set-iam-policy" command.

Removing IAM Policies from a Resource

You can revoke IAM policies using the following command:

gcloud [resourcetype] remove-iam-policy-binding [resource_id] --member=[principal] --role=[roleid]
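The three commands above (read the policy, add a binding, remove a binding) fit naturally into one small wrapper script. The following is an added example and not code from the original post: it checks the current policy with get-iam-policy before calling add-iam-policy-binding, so re-running it never creates a duplicate member entry, and it refuses to bind the two public principals (allUsers and allAuthenticatedUsers) unless ALLOW_PUBLIC=1 is set. It assumes gcloud is installed and authenticated, that the resource type is a gcloud command group that supports these IAM verbs (for example projects), and that an optional condition is passed in gcloud's expression=...,title=... form; the project ID and principals in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: idempotent grant/revoke of one
# role binding using the gcloud commands described above.
# Assumptions: gcloud is installed and authenticated, and RESOURCE_TYPE is a
# gcloud command group that supports the get-/add-/remove-iam-policy verbs
# (for example "projects"). Resource IDs and principals in the usage are constructed.
set -eu

# Return 0 if MEMBER already holds ROLE on RESOURCE, 1 otherwise.
# gcloud's own --flatten/--filter do the matching, so the policy is never
# parsed by hand. The check ignores conditions: a conditional binding for
# the same member and role also counts as "exists".
binding_exists() {
  local rtype="$1" resource="$2" member="$3" role="$4" found
  found=$(gcloud "$rtype" get-iam-policy "$resource" \
            --flatten="bindings[].members" \
            --filter="bindings.role=${role} AND bindings.members=${member}" \
            --format="value(bindings.members)") \
    || { echo "get-iam-policy failed for ${rtype}/${resource}" >&2; exit 3; }
  [ -n "$found" ]
}

# The two principals that open a resource to everyone on the internet.
# Other principals look like user:EMAIL, serviceAccount:EMAIL, group:EMAIL or domain:DOMAIN.
is_public_principal() {
  case "$1" in
    allUsers|allAuthenticatedUsers) return 0 ;;
    *) return 1 ;;
  esac
}

# Grant ROLE to MEMBER. Prints one word for the caller's log:
#   refused - public principal and ALLOW_PUBLIC=1 was not set (returns 1)
#   exists  - binding already present, add-iam-policy-binding not called
#   added   - add-iam-policy-binding was run
# Optional 5th argument: a condition in gcloud's form "expression=<CEL>,title=<title>".
grant_binding() {
  local rtype="$1" resource="$2" member="$3" role="$4" condition="${5:-}"
  if is_public_principal "$member" && [ "${ALLOW_PUBLIC:-0}" != "1" ]; then
    echo "refusing to grant ${role} to ${member}; set ALLOW_PUBLIC=1 to override" >&2
    echo refused
    return 1
  fi
  if binding_exists "$rtype" "$resource" "$member" "$role"; then
    echo exists
    return 0
  fi
  if [ -n "$condition" ]; then
    gcloud "$rtype" add-iam-policy-binding "$resource" \
      --member="$member" --role="$role" --condition="$condition" >/dev/null
  else
    gcloud "$rtype" add-iam-policy-binding "$resource" \
      --member="$member" --role="$role" >/dev/null
  fi
  echo added
}

# Revoke ROLE from MEMBER; prints "absent" when there was nothing to remove.
revoke_binding() {
  local rtype="$1" resource="$2" member="$3" role="$4"
  if ! binding_exists "$rtype" "$resource" "$member" "$role"; then
    echo absent
    return 0
  fi
  gcloud "$rtype" remove-iam-policy-binding "$resource" \
    --member="$member" --role="$role" >/dev/null
  echo removed
}

# Usage: ./iam-binding.sh grant|revoke RESOURCE_TYPE RESOURCE MEMBER ROLE [CONDITION]
# e.g.   ./iam-binding.sh grant projects demo-project-123 user:alice@example.com roles/viewer
main() {
  case "${1:-}" in
    grant)  shift; grant_binding "$@" ;;
    revoke) shift; revoke_binding "$@" ;;
    *) echo "usage: $0 grant|revoke RESOURCE_TYPE RESOURCE MEMBER ROLE [CONDITION]" >&2; return 2 ;;
  esac
}

# Dispatch only when arguments were given, so the file can be sourced for testing.
if [ $# -gt 0 ]; then
  main "$@"
fi
```

The existence check matters most when the script runs from automation that may be retried: add-iam-policy-binding is tolerant of repeats for plain bindings, but checking first keeps the script's own log honest about what actually changed. If you instead edit the policy with set-iam-policy, remember that it replaces the whole policy document, so always fetch the current policy with get-iam-policy, edit that file, and set it back in one step; the etag in the fetched policy makes gcloud reject the write if someone else changed the policy in between.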

Making IAM Policy Updates with Blink

Instead of having to look up the specific command for each of these actions when the need arises, CloudOps automation tools like Blink let you keep your policies up to date in a few clicks with a low-code/no-code UI.

Get started and create your free Blink account today.
