Updating and Managing User Permissions with the Google Cloud CLI

There are many ways to use the Google Cloud CLI tool to script common activities. In this guide, we show how to assign roles to a new user and add them to a group.

Patrick Londa
Author
Jun 16, 2022
 • 
5
 min read
Share this post

Google Cloud uses an Identity and Access Management (IAM) system to provide access to resources within the environment. With IAM roles and groups, you can provide users with granular access to resources while using the principle of least privilege to prevent anyone from gaining unnecessary permissions. 

In this guide, we’ll cover the basics of roles and groups, and how you can use the Google Cloud CLI to make updates to each.

Understanding IAM Roles in Google Cloud

IAM doesn’t grant permissions to individual users to access resources. Instead, users get assigned to a role. Roles contain permissions that allow users to perform specific actions on resources within Google Cloud. The three types of roles available within IAM include:

  • Basic roles: Include viewer, editor, and owner roles existing before IAM
  • Predefined roles: Google Cloud managed roles that provide granular access to specific services
  • Custom roles: Provide granular access based on a user-specific permissions list

You can define and adjust roles using IAM policies. In a future post, we’ll explain how to make those updates. In this guide, we’ll assume you already have some roles set up, and we’ll show how to assign roles to users directly and through groups.

gcp logo
Blink Automation: Assign Role to IAM Users in GCP with Matching Conditions
Blink + GCP
Get Started

Assigning a Role to a New IAM User

Before creating a new IAM user, that person must have an existing Google email address. Once a user has created a Google account, you can grant them permissions by assigning them to a role using the following syntax within the GCloud CLI:

gcloud [resourcetype] add-iam-policy-binding [resource_id] \ 
-member=[principal/useraccount] -role=[role_id] \ condition=[condition]

Below are definitions for the parameters in the above command:

  • Resourcetype: Identifies the resource for which you want to manage access, like a project
  • Resource_id: The Google Cloud folder, project, or organization ID
  • Principal: The identifier for the member. A user would be identified in a format like user: new-user@test.com. You can find all available values for the principal parameter here.
  • Role_id: Identifier for the role you wish to grant to a user
  • Condition: An optional condition to add to a role binding

Here’s an example of adding a user to a project as a config editor:

Gcloud projects add-iam-policy-binding big-project -member=user:
new-user@test.com -roles=roles/accessapproval.configEditor

Below is an example of the syntax to use if you wish to remove that role from a user:

gcloud projects remove-iam-policy-binding big-project \  
--member=user:new-user@test.com --role= roles/accessapproval.configEditor

Understanding IAM Groups in Google Cloud

While you can assign roles to individual users, groups are a way for Admins to extend standard roles and access to resources to a team or project group. Every member of a Google group inherits its IAM roles.

For example, if an “editor” role for a certain scope of resources is granted to a group, then any user who is added to that group will assume that role of “editor” and have editor permissions for those resources.

Blink Automation: Add IAM Users with Matching Conditions to a Group in GCP
Blink + GCP
Try This Automation

Adding a User to a Google Cloud Group

You can add members to an existing Google Cloud Group using the “add” command within the GCloud CLI:

gcloud identity groups memberships add --group-email=[GRP_EMAIL] 
--member-email=[MBR_EMAIL]

The below flags are required:

  • --group-email: Identifies the email address for the group to which you wish to add the new member
  • --member-email: Identifies the email address of the member you wish to add to a group

You can also add the following optional flags:

  • --expiration: Sets an expiration period for the new user’s membership3/333-
  • --roles: Lists the roles to associate with a member within a group

Inversely, you can remove members from groups using the “delete” command:

gcloud identity groups memberships delete --group-email=[GRP_EMAIL] 
--member-email=[MBR_EMAIL]

Simplify Permission Updates with Blink

Most likely, as your organization grows, changing and updating permissions and policies will take up more time. Instead of having to look up the specific command for each of these actions, you could use a low-code tool like Blink to handle tasks like this in a couple clicks.

Get started with Blink today to see how easy automation can be.

Automate your security operations everywhere.

Blink is secure, decentralized, and cloud-native. 
Get modern cloud and security operations today.

Get a Demo