Also read: Terraform and GCP Roles

Introduction - Granting access to Resources in GCP

In GCP, it is important to distinguish between container (parent) resources, that is organizations, folders and projects, which hold other resources, and individual resources such as a single storage bucket or a single compute instance.

When a user asks for access to a resource, first clarify whether they need access to this SINGLE resource (e.g. one storage bucket or one compute instance) OR to MULTIPLE resources (e.g. ALL storage buckets within a project).

If the former (an individual resource), grant the role on that resource only: for example, the Storage Admin role (roles/storage.admin) on one particular Cloud Storage bucket, or roles/compute.instanceAdmin on one specific Compute Engine instance. Even at that scope, pick the narrowest role that covers the task: Storage Admin on a bucket includes storage.buckets.setIamPolicy, so the user can then re-share that bucket with anyone they like.

If the latter (an entire set of resources in a project), grant the role at the project level.

The role's permissions are then inherited by every resource within that project, including resources created after the binding was made.

To grant access to all Cloud Storage buckets in a project, bind roles/storage.admin on the project instead of on each individual bucket. Note what inheritance carries: the role, not blanket access. A project-level Storage Admin binding covers every bucket in the project, but it grants nothing on the Compute Engine instances in the same project, because the role contains no compute.* permissions. Only a role that itself contains compute permissions, such as the basic Editor role, reaches the instances as well.
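The inheritance rule above can be checked offline. The following is an added example, not code from the article or from Google: it models how IAM evaluates a principal's access as the union of the bindings on a resource and on its ancestors, so a bucket-level binding and a project-level binding can be compared side by side. The ROLE_PERMISSIONS table is a hand-picked subset of each real role (the real roles carry far more permissions), and the project id, bucket names, instance name and principals are constructed sample data in the JSON shape that `gcloud projects get-iam-policy` and `gcloud storage buckets get-iam-policy` return.

```python
"""Model Cloud IAM policy inheritance for one principal, offline.

Added example, not from the article or from Google.  ROLE_PERMISSIONS is a
partial subset of the real roles; POLICIES is constructed sample data.
"""
from typing import Dict, List, Set

# Partial role -> permission table (assumption: only what this example needs).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.admin": {
        "storage.buckets.get", "storage.buckets.setIamPolicy",
        "storage.objects.get", "storage.objects.create", "storage.objects.delete",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/compute.instanceAdmin": {
        "compute.instances.get", "compute.instances.start", "compute.instances.stop",
    },
    # Basic role: spans most services, which is why it defeats least privilege.
    "roles/editor": {
        "resourcemanager.projects.get", "storage.buckets.get",
        "storage.objects.get", "storage.objects.create",
        "compute.instances.get", "compute.instances.start",
    },
}

# Constructed sample data.  Resource names follow projects/<id>[/<collection>/<name>];
# a child inherits its project's policy (folders/organizations are omitted here).
PROJECT = "projects/demo-project"
LOGS_BUCKET = PROJECT + "/buckets/demo-logs"
WEB_BUCKET = PROJECT + "/buckets/demo-web"
VM = PROJECT + "/instances/demo-vm"

POLICIES: Dict[str, dict] = {
    PROJECT: {"bindings": [
        # alice: Storage Admin on the PROJECT -> inherited by every bucket in it
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
        # carol: basic Editor on the project -> reaches buckets AND instances
        {"role": "roles/editor", "members": ["user:carol@example.com"]},
    ]},
    LOGS_BUCKET: {"bindings": [
        # bob: read-only on ONE bucket only
        {"role": "roles/storage.objectViewer", "members": ["user:bob@example.com"]},
    ]},
}


def ancestors(resource: str) -> List[str]:
    """Return the resource's policy chain, parent first (project, then bucket)."""
    parts = resource.split("/")
    if len(parts) % 2 or parts[0] != "projects":
        raise ValueError(f"unsupported resource name: {resource}")
    return ["/".join(parts[:i]) for i in range(2, len(parts) + 1, 2)]


def roles_in_policy(principal: str, policy: dict) -> Set[str]:
    """Roles `principal` holds in one policy.  Conditional bindings are skipped:
    evaluating them needs request attributes this offline model does not have."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if "condition" not in b and principal in b.get("members", [])
    }


def effective_permissions(principal: str, resource: str) -> Set[str]:
    """Union of permissions granted on the resource and on each ancestor.
    Inheritance is additive only: a child policy can never remove a parent grant."""
    perms: Set[str] = set()
    for node in ancestors(resource):
        for role in roles_in_policy(principal, POLICIES.get(node, {})):
            if role not in ROLE_PERMISSIONS:
                raise KeyError(f"role {role} is missing from ROLE_PERMISSIONS")
            perms |= ROLE_PERMISSIONS[role]
    return perms


def allowed(principal: str, permission: str, resource: str) -> bool:
    """True if the principal ends up holding `permission` on `resource`."""
    return permission in effective_permissions(principal, resource)


if __name__ == "__main__":
    checks = [
        ("user:alice@example.com", "storage.objects.get", WEB_BUCKET),  # True: inherited
        ("user:alice@example.com", "compute.instances.start", VM),      # False: no compute perms
        ("user:bob@example.com", "storage.objects.get", LOGS_BUCKET),   # True: bucket-level
        ("user:bob@example.com", "storage.objects.get", WEB_BUCKET),    # False: other bucket
        ("user:carol@example.com", "compute.instances.start", VM),      # True: Editor
    ]
    for who, perm, res in checks:
        print(f"{who:24} {perm:24} on {res}: {allowed(who, perm, res)}")
```

The real bindings behind the sample would be made with `gcloud projects add-iam-policy-binding demo-project --member=user:alice@example.com --role=roles/storage.admin` (project level) and `gcloud storage buckets add-iam-policy-binding gs://demo-logs --member=user:bob@example.com --role=roles/storage.objectViewer` (bucket level); the model shows why the first reaches every bucket and the second only one, and why neither reaches the instance.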

The PROJECT Resource

Projects can be confusing in GCP, as can GCP IAM.

  • A Project is a resource, and one of the resource types that supports IAM policies.
  • IAM policies can be attached only to certain resource types (projects are among them; so are the buckets and instances discussed above).
  • Every resource belongs to a service.

So which SERVICE does the PROJECT resource belong to?

It is the Cloud Resource Manager service (API name cloudresourcemanager.googleapis.com; its permissions carry the resourcemanager prefix).

Why does this matter?

Permissions, not policies, are what is named at the service level: a permission is spelled service.resource.verb, and a role (spelled roles/service.roleName) bundles permissions. Hence the permissions that govern a project resource itself carry the resourcemanager prefix, for example:

  • resourcemanager.projects.get (read the project's metadata)
  • resourcemanager.projects.getIamPolicy (read who has access to the project)
  • resourcemanager.projects.setIamPolicy (change who has access; whoever holds this can grant themselves any other role on the project, so treat it as Owner-equivalent when reviewing bindings)

Summary - and Least Privilege Principle (Use Predefined, Granular Roles)

To grant a human user access at the project level, you can use the basic roles (formerly called primitive roles) and make them Project Owner, Editor or Viewer. Granting Owner is a special case: the Cloud Console's invitation flow is required to grant Owner to a principal outside the project's organization, or on a project that has no organization, because gcloud and the API refuse those grants.

However, to follow the least privilege principle, grant granular, predefined roles that match the task instead of basic roles. For the Resource Manager permissions above that means, for example, roles/browser for someone who only needs to see the project in listings, or roles/resourcemanager.projectIamAdmin for someone who must manage the project's IAM policy (the "ResourceManager.projects" scope). Granular does not automatically mean safe: roles/resourcemanager.projectIamAdmin carries resourcemanager.projects.setIamPolicy and is therefore Owner-equivalent in practice, so bind it to a small admin group rather than to individual users.
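A practical check for the two points above (basic roles on the project, and who holds resourcemanager.projects.setIamPolicy) is to lint the project policy you already have. The block below is an added example, not code from the article or from Google: it reads a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints and reports bindings that deserve review. SAMPLE_POLICY is constructed data for a hypothetical project, and the two role sets are deliberately short lists (an assumption for the example), not the full role catalogue.

```python
"""Lint a project IAM policy for bindings that break least privilege.

Added example, not from the article or from Google.  SAMPLE_POLICY is
constructed data; BASIC_ROLES and POLICY_ADMIN_ROLES are partial lists.
"""
import json
from typing import Dict, List

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that carry resourcemanager.projects.setIamPolicy: a holder can rewrite
# the project policy and so grant themselves anything else (partial list).
POLICY_ADMIN_ROLES = {"roles/owner", "roles/resourcemanager.projectIamAdmin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["user:bob@example.com",
                 "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["group:cloud-admins@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/browser",
     "members": ["user:carol@example.com"]}
  ],
  "etag": "BwXyZ123",
  "version": 1
}
""")


def _finding(severity: str, member: str, role: str, issue: str) -> Dict[str, str]:
    return {"severity": severity, "member": member, "role": role, "issue": issue}


def audit_policy(policy: dict) -> List[Dict[str, str]]:
    """Return one finding per (member, role) pair that deserves review, worst first."""
    findings: List[Dict[str, str]] = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # A condition narrows the grant but does not remove the concern; flag it.
        suffix = " (conditional binding)" if "condition" in binding else ""
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(_finding("HIGH", member, role,
                                         "granted to a public principal" + suffix))
            if role in POLICY_ADMIN_ROLES:
                findings.append(_finding("HIGH", member, role,
                                         "can rewrite the project IAM policy "
                                         "(resourcemanager.projects.setIamPolicy)" + suffix))
            elif role in BASIC_ROLES:
                findings.append(_finding("MEDIUM", member, role,
                                         "basic role; replace with predefined roles "
                                         "scoped to the task" + suffix))
            if member.startswith("serviceAccount:") and role in BASIC_ROLES | POLICY_ADMIN_ROLES:
                findings.append(_finding("MEDIUM", member, role,
                                         "service account with a broad role; every key "
                                         "and impersonator of it inherits the grant"))
    order = {"HIGH": 0, "MEDIUM": 1}
    findings.sort(key=lambda f: (order[f["severity"]], f["member"]))
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['severity']:6} {f['member']:55} {f['role']:45} {f['issue']}")
```

Run against a real policy with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and `audit_policy(json.load(open("policy.json")))`. In the sample, carol's roles/browser binding produces no finding, which is the shape of a least-privilege grant; the Owner and projectIamAdmin bindings rank highest because both can change the policy itself.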