Google Cloud IAM
Google Cloud IAM is the access-control system that decides which users and service accounts can touch which GCP resources through APIs. It forms the baseline security boundary for cloud operations before network paths and runtime code enter the picture.
As cloud resources grow, controlling who can access what becomes difficult. If developers have more permissions than they need, they might accidentally delete production data. Poorly managed service accounts can lead to security breaches.
On-premises, access was restricted via firewalls and network segmentation. In the cloud, resources are exposed via APIs, demanding more granular permission management. Role-Based Access Control (RBAC) became the foundation of cloud security.
IAM works through policies that bind roles to principals (users, service accounts, groups). A role is a bundle of permissions, and roles are inherited down the hierarchy: Organization > Folder > Project > Resource. A role granted at a higher level automatically applies to all resources below.
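The inheritance rule above, worked through in a small resolver (an added example, not Google's code or API): the hierarchy, the allow policies and the abbreviated role-to-permission table are all constructed for illustration, and real roles bundle many more permissions than shown.

```python
"""Toy resolver for GCP IAM allow-policy inheritance (constructed example).
Each resource holds bindings {role -> members}; a role is a permission bundle;
a principal's effective roles are collected from the resource up to the root."""

# Constructed hierarchy: child -> parent, None at the organization root.
PARENT = {
    "organizations/example-org": None,
    "folders/prod": "organizations/example-org",
    "projects/prod-api": "folders/prod",
    "projects/prod-api/buckets/customer-data": "projects/prod-api",
}

# Constructed, abbreviated role definitions (real roles contain far more).
ROLES = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}

# Constructed allow policies: one binding list per resource that has one.
POLICIES = {
    "organizations/example-org": [
        {"role": "roles/viewer", "members": {"group:sec-auditors@example.com"}}],
    "projects/prod-api": [
        {"role": "roles/storage.objectAdmin",
         "members": {"serviceAccount:ingest@prod-api.iam.gserviceaccount.com"}}],
    "projects/prod-api/buckets/customer-data": [
        {"role": "roles/storage.objectViewer", "members": {"user:dev@example.com"}}],
}

def effective_roles(member, resource):
    """Roles bound to `member` on `resource` or any ancestor.  Grants are
    additive: a child policy can add roles but never narrow a parent's grant."""
    roles, node = set(), resource
    while node is not None:
        for binding in POLICIES.get(node, []):
            if member in binding["members"]:
                roles.add(binding["role"])
        node = PARENT[node]
    return roles

def has_permission(member, permission, resource):
    """True if any effective role bundles `permission`."""
    return any(permission in ROLES[r] for r in effective_roles(member, resource))

def principals_with(permission, resource):
    """Audit helper: every member who can exercise `permission` on `resource`,
    including those who only got it through an ancestor-level binding."""
    members, node = set(), resource
    while node is not None:
        for b in POLICIES.get(node, []):
            if permission in ROLES[b["role"]]:
                members |= b["members"]
        node = PARENT[node]
    return members
```

Note that a binding on the bucket gives `user:dev@example.com` nothing on the parent project, while the org-level `roles/viewer` reaches every bucket beneath it; `principals_with` is the question to ask when reviewing who can delete production data.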
IAM controls access to GCP resources, while Firestore Security Rules control client access to Firestore documents. IAM is server/infrastructure-level permission management; Security Rules handle app-user-level data access control. They complement each other — IAM governs service account access to Firestore, and Security Rules govern end-user access to documents.
IAM is used in every GCP project. It matters most when teams grow, when production environments need isolation from development, or when application-to-application authentication is set up with service accounts. IAM alone does not cover network-level security or data encryption; those need separate controls.