Updating and Managing User Permissions with the Google Cloud CLI
Google Cloud uses an Identity and Access Management (IAM) system to provide access to resources within the environment. With IAM roles and groups, you can provide users with granular access to resources while using the principle of least privilege to prevent anyone from gaining unnecessary permissions.
In this guide, we’ll cover the basics of roles and groups, and how you can use the Google Cloud CLI to make updates to each.
Understanding IAM Roles in Google Cloud
IAM doesn’t attach permissions directly to individual users. Instead, permissions are bundled into roles, and you grant a role to a principal (a user, group, or service account) on a resource; the principal can then perform the actions that the role’s permissions allow. The three types of roles available within IAM are:
- Basic roles: The Viewer, Editor, and Owner roles that predate IAM. They are very broad, so they rarely fit where least privilege matters
- Predefined roles: Google-managed roles that provide granular access to specific services
- Custom roles: Roles you define from your own list of permissions, for cases no predefined role fits
Roles are granted by adding bindings to an IAM policy on the project, folder, or organization. In a future post, we’ll explain how to create and adjust custom roles. In this guide, we’ll assume the roles you need already exist, and we’ll show how to grant them to users directly and through groups.
Assigning a Role to a New IAM User
Before you can grant access to a new user, that person must have an existing Google account (a Google Workspace or Gmail address). Once the account exists, you grant permissions by binding a role to that user with the add-iam-policy-binding command in the gcloud CLI. The parameters of that command are:
- Resource type: The kind of resource whose policy you are editing, such as a project, folder, or organization
- Resource_id: The ID of that Google Cloud folder, project, or organization
- Principal: The identifier of the member, prefixed with its type, for example user:new-user@test.com. Other principal types include group:, serviceAccount:, and domain:; the full list is in the gcloud reference for the --member flag
- Role_id: The identifier of the role you wish to grant, such as roles/viewer or a predefined or custom role ID
- Condition: An optional IAM condition attached to the binding (for example, an expiry time), so the role only applies while the condition is true
For example, you might grant a user a config editor role on a project, and later remove that binding with the matching remove command. Removal must name the same principal and role as the grant, and if the binding carried a condition, the same condition as well.
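The grant, verify, and revoke steps described above, as an added shell example that is not part of the original post. The project ID, principal, and role (roles/storage.objectViewer) are assumed values for illustration; the script prints each gcloud command by default so you can review an IAM change before running it with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): grant, verify, and revoke a
# project-level IAM role binding with gcloud. Project, principal, and role
# are assumed values; override them through the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-demo-project}"        # assumed project ID
PRINCIPAL="${PRINCIPAL:-user:new-user@test.com}"   # principal from the post
ROLE="${ROLE:-roles/storage.objectViewer}"         # assumed predefined role
# Optional IAM condition, e.g.
#   CONDITION='expression=request.time < timestamp("2030-01-01T00:00:00Z"),title=temporary-access'
# A time-bound binding is a simple least-privilege control for short-lived access.
CONDITION="${CONDITION:-}"

# Every gcloud call goes through here. DRY_RUN=1 (the default) only prints
# the command line; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
run_gcloud() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "gcloud $*"
  else
    gcloud "$@"
  fi
}

# Grant: gcloud RESOURCETYPE add-iam-policy-binding RESOURCE_ID --member=PRINCIPAL --role=ROLE_ID
grant_role() {
  set -- projects add-iam-policy-binding "$PROJECT_ID" --member="$PRINCIPAL" --role="$ROLE"
  if [ -n "$CONDITION" ]; then
    set -- "$@" --condition="$CONDITION"
  fi
  run_gcloud "$@"
}

# Verify: flatten the policy to one row per member and keep only this
# principal's roles, so you can see exactly what the user now holds.
show_roles() {
  run_gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$PRINCIPAL" \
    --format="table(bindings.role)"
}

# Revoke: the same member and role must be given. A conditional binding is
# only matched when the same --condition is supplied (or --all, which removes
# every binding for this member and role regardless of condition).
revoke_role() {
  set -- projects remove-iam-policy-binding "$PROJECT_ID" --member="$PRINCIPAL" --role="$ROLE"
  if [ -n "$CONDITION" ]; then
    set -- "$@" --condition="$CONDITION"
  fi
  run_gcloud "$@"
}

grant_role
show_roles
revoke_role
```

Run it once with the default dry run to check the commands, then with DRY_RUN=0 to apply them; the show_roles step is the check a reviewer wants after any grant, because a typo in the role or principal will silently create a binding you did not intend.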
Understanding IAM Groups in Google Cloud
While you can bind roles to individual users, groups let administrators grant the same roles to a whole team or project group at once. Every member of a Google group inherits the IAM roles granted to that group.
For example, if an “editor” role on a certain set of resources is granted to a group, then any user added to that group immediately holds editor permissions on those resources, and loses them again when removed from the group.
Adding a User to a Google Cloud Group
You can add members to an existing Google group using the memberships “add” command in the gcloud CLI (the group itself must already exist):
The following flags are required:
- --group-email: The email address of the group to which you wish to add the new member
- --member-email: The email address of the member you wish to add to the group
You can also add the following optional flags:
- --expiration: Sets an expiration for the new user’s membership, after which it is removed automatically
- --roles: Lists the roles the member holds within the group itself (for example, MEMBER or MANAGER); this is separate from the IAM roles the group grants
Conversely, you can remove members from groups using the “delete” command with the same --group-email and --member-email flags.
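The add, list, and delete steps above, as an added shell example that is not part of the original post. The group and member addresses are assumed values; the membership is given an expiration so that temporary access cleans itself up, and the script prints the gcloud commands by default (DRY_RUN=0 executes them). The exact accepted format of the --expiration value is the one documented in the gcloud reference; a relative duration is assumed here.

```shell
#!/bin/sh
# Added example (not from the original post): add a member to a Google group
# with a time-limited membership, list the group's members, then remove the
# member. Group and member addresses are assumed values.
set -eu

GROUP_EMAIL="${GROUP_EMAIL:-cloud-editors@test.com}"   # assumed group
MEMBER_EMAIL="${MEMBER_EMAIL:-new-user@test.com}"      # assumed member
# Membership lifetime. A relative duration is assumed here; check the
# --expiration value format in the gcloud reference for your SDK version.
EXPIRATION="${EXPIRATION:-7d}"
# Role inside the group: MEMBER is the default; MANAGER and OWNER can
# administer the group, so hand those out as sparingly as IAM roles.
GROUP_ROLES="${GROUP_ROLES:-MEMBER}"

# DRY_RUN=1 (the default) prints each command line; DRY_RUN=0 executes it.
DRY_RUN="${DRY_RUN:-1}"
run_gcloud() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "gcloud $*"
  else
    gcloud "$@"
  fi
}

# Add the member. Because the group already carries IAM roles, the member
# gains those roles on every bound resource the moment this succeeds.
add_member() {
  run_gcloud identity groups memberships add \
    --group-email="$GROUP_EMAIL" \
    --member-email="$MEMBER_EMAIL" \
    --expiration="$EXPIRATION" \
    --roles="$GROUP_ROLES"
}

# List current members with their in-group roles so the change can be reviewed.
list_members() {
  run_gcloud identity groups memberships list \
    --group-email="$GROUP_EMAIL" \
    --format="table(preferredMemberKey.id,roles[].name)"
}

# Remove the member before the expiration if access is no longer needed.
remove_member() {
  run_gcloud identity groups memberships delete \
    --group-email="$GROUP_EMAIL" \
    --member-email="$MEMBER_EMAIL"
}

add_member
list_members
remove_member
```

Expiring memberships are the cleaner way to time-box access through a group: the revocation happens even if nobody remembers to run the delete command, which is the usual failure mode of manually managed group access.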
Simplify Permission Updates with Blink
As your organization grows, changing and updating permissions and policies will most likely take up more of your time. Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to handle tasks like this in a couple of clicks.
Get started and create your free Blink account today.