Chapter Eight

Identity & Access on GCP

The GCP-native heart of the book: the resource hierarchy and the inheritance that flows down it, the three kinds of role, the three IAM resource types that look alike and one of which can lock you out, service accounts and impersonation, conditions, org policies, and the three unrelated systems that all call themselves "tags."

8 topics

This is the chapter where Terraform stops being cloud-neutral and GCP's own model takes over. Identity and access on Google Cloud is not AWS IAM with the names changed — it is a tree of organization, folders, projects, and resources, with policies that inherit downward and add up rather than gate at an account boundary. Coming from AWS, this is the part you have to unlearn before you can learn.

Every example here is anchored to one running org — hatch.io, with its platform/, apps/, and data/ folders and its hatch-app-prod and hatch-data-prod projects — and every grant goes to a group, never to a named person. Eight topics: the hierarchy and inheritance, the three kinds of role, the three IAM resource types and the lockout one of them causes, service accounts and their keys, impersonation and actAs chains, IAM conditions, org policies as code, and the three "tag" systems that are constantly confused.

Topics in This Chapter

Topic 48
The Resource Hierarchy & IAM Inheritance
Organization, folders, projects, resources — and the additive inheritance that means a role granted high in the tree applies everywhere beneath it. The model AWS engineers get wrong first.
ConceptIAM
Topic 49
Roles — Primitive, Predefined, Custom
The three kinds of role, why owner/editor/viewer have no place in production, predefined as the default, and when a custom role is justified — project-scoped or org-wide.
IAMRoles
Topic 50
IAM Bindings: member vs binding vs policy
The most expensive footgun in GCP Terraform: three resource types with near-identical names and wildly different authority. One is additive and safe; one silently removes members; one can lock you out of a project.
IAMFootgun
Topic 51
Service Accounts and Keys
The identity for non-human workloads — both a principal you grant roles to and a resource with its own policy. The over-privileged default SAs, and why downloadable keys are a last resort.
IAMIdentity
Topic 52
Impersonation and actAs Chains
Deploy-time identity versus run-time identity, the actAs permission that lets a deployer hand a workload a service account, and why serviceAccountUser is not serviceAccountTokenCreator.
IAMIdentity
Topic 53
IAM Conditions
CEL expressions that constrain a binding to a time, a resource name, or a type — and the trap that a condition on an unsupported permission silently grants unconditionally.
IAMCEL
Topic 54
Org Policies as Code
The other half of governance: IAM controls who can act, an org policy controls what can be created at all — guardrails that inherit down the tree and that even an org owner cannot click past.
GovernanceGuardrails
Topic 55
Labels, Tags, and Network Tags
Three unrelated systems that all sound like "tags": labels for billing, Resource Manager tags for IAM conditions and org policies, and network tags for firewall rules. Not interchangeable.
MetadataComparison