Also read Programmatic Identities on Google Cloud vs AWS

Policies in AWS

A policy definition by itself contains very little in AWS. It names the type of resource (NOT an actual resource instance) and the type of action that is allowed on that resource type, optionally restricted by a condition. This is defined via a statement as shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "service-prefix:action-name",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}
      }
    }
  ]
}

Such a standalone policy is called a Managed Policy. On its own it grants nothing; it takes effect only once it is attached to an identity or to a resource.
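To make the "statement" structure above concrete, here is a small evaluator written for this page (it is an added example, not AWS's own policy engine or any SDK call). It keeps the page's statement shape and fills the placeholder action with a constructed one, "s3:Get*", plus a constructed explicit Deny statement and bucket ARNs. It implements only what the page shows: Allow/Deny effects, "*" wildcards on Action and Resource, and the DateGreaterThan / DateLessThan operators on aws:CurrentTime. Note that nothing in the evaluation names a principal: who the policy applies to is decided by attachment, not by the document.

```python
"""Minimal evaluator for the AWS managed-policy statement shape shown above.

Added example, not AWS's evaluation engine: supports Allow/Deny, '*'/'?'
wildcards on Action and Resource, and the DateGreaterThan / DateLessThan
condition operators on the aws:CurrentTime key. Explicit Deny beats Allow,
and no matching statement means implicit deny, as in AWS.
"""
import fnmatch
import json
from datetime import datetime

# Constructed sample policy: the page's statement with the placeholder action
# replaced by a hypothetical "s3:Get*", plus a constructed explicit Deny.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:Get*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
        "DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::secret-bucket/*"
    }
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _parse_time(text):
    """aws:CurrentTime values are ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _condition_holds(condition, request_time):
    """Every operator/key pair in the Condition block must hold."""
    for operator, clauses in (condition or {}).items():
        for key, bound in clauses.items():
            if key != "aws:CurrentTime":
                raise ValueError(f"unsupported condition key: {key}")
            bound_time = _parse_time(bound)
            if operator == "DateGreaterThan":
                ok = request_time > bound_time
            elif operator == "DateLessThan":
                ok = request_time < bound_time
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, request_time_iso):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request.

    Actions are matched case-insensitively (as AWS does); resource ARNs are
    matched case-sensitively. A matching Deny ends evaluation immediately.
    """
    request_time = _parse_time(request_time_iso)
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                         for pattern in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pattern)
                           for pattern in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if not _condition_holds(stmt.get("Condition"), request_time):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICY, "s3:GetObject",
                   "arn:aws:s3:::public-bucket/report.csv", "2020-05-01T00:00:00Z"))
```

Running the block with the constructed policy shows the three outcomes a practitioner cares about: the same GetObject call is allowed inside the date window, implicitly denied outside it, and explicitly denied on the secret bucket regardless of the window.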

Policies in GCP

A binding is a mapping between a ROLE and a set of users (identities). A policy is the JSON file that holds one or more such bindings.

There are four key points to note:

  1. You can define MULTIPLE bindings within the same JSON file.
  2. There is no TYING to an actual resource at this point. All you are doing is defining potential bindings for a potential resource.
  3. The actual resource tie-in, i.e. applying this policy to a resource, happens later.
  4. The actual resource attachment can be done via the Console or via gcloud.

e.g. a sample JSON definition. Note that there are no actual RESOURCES in here yet, just roles and the users (identities) bound to them:

{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:[email protected]",
        "group:[email protected]",
        "domain:google.com",
        "serviceAccount:[email protected]"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": [
        "user:[email protected]"
      ],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
      }
    }
  ],
  "etag": "BwWWja0YfJA=",
  "version": 3
}

The Actual Tying of a Resource to a Policy

To actually tie this policy to a resource, use either the Console (described here) or the gcloud command shown below:

gcloud projects add-iam-policy-binding my-project-name --member='user:groupemail@blahblah' --role='roles/editor'

The Hierarchical Distinction in GCP

The one thing that is a potential source of confusion for GCP beginners is the hierarchical nature of resources in GCP. A policy applied at a higher-level resource (organization, folder, project) is automatically inherited by every resource below it. If the lower-level resource has an additional policy of its own, the UNION of the two is the effective policy.
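The three GCP points above (a policy is just a list of bindings with no resource in it; attaching it to a resource is a separate step, which is what the gcloud add-iam-policy-binding command does to the policy document; and the effective policy on a resource is the UNION of its own bindings and everything inherited from its ancestors) can be shown in one small model. The following is an added example written for this page, not Google's code or the Resource Manager API: the organization/folder/project ids, member addresses and etags are constructed placeholders, group and domain members are not expanded, and the condition evaluator handles only the request.time < timestamp('...') expression shape shown on the page rather than general CEL.

```python
"""Effective GCP IAM policy across the resource hierarchy (added example).

Models three things from the page: a policy is bindings-only (no resource
inside), attachment to a resource is a separate step, and the effective
policy on a resource is the UNION of bindings along its ancestor chain.
Not Google's code; ids, members and etags below are constructed.
"""
import copy
import re
from datetime import datetime

# Constructed sample hierarchy: organization -> folder -> project.
ORG_POLICY = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:admins@example.com"]},
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["user:contractor@example.com"],
         "condition": {
             "title": "expirable access",
             "description": "Does not grant access after Sep 2020",
             "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')",
         }},
    ],
    "etag": "PLACEHOLDER-ETAG", "version": 3,
}
FOLDER_POLICY = {"bindings": [], "etag": "PLACEHOLDER-ETAG", "version": 3}
PROJECT_POLICY = {
    "bindings": [{"role": "roles/viewer", "members": ["user:dev@example.com"]}],
    "etag": "PLACEHOLDER-ETAG", "version": 3,
}

# Resource -> (its attached policy, its parent). The policy document itself
# never names the resource; this table is where the tying happens.
HIERARCHY = {
    "organizations/123456": (ORG_POLICY, None),
    "folders/789": (FOLDER_POLICY, "organizations/123456"),
    "projects/my-project-name": (PROJECT_POLICY, "folders/789"),
}

# Only the expiry-style expression used on the page is supported, not full CEL.
_TIME_EXPR = re.compile(r"^request\.time < timestamp\('([^']+)'\)$")


def _parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def condition_holds(condition, request_time_iso):
    """Evaluate a binding's condition; an unconditional binding always holds."""
    if condition is None:
        return True
    match = _TIME_EXPR.match(condition["expression"])
    if not match:
        raise ValueError(f"unsupported expression: {condition['expression']}")
    return _parse_time(request_time_iso) < _parse_time(match.group(1))


def add_iam_policy_binding(hierarchy, resource, member, role):
    """Return a copy of `hierarchy` with `member` added to `resource`'s
    unconditional binding for `role` (creating the binding if absent).

    This mirrors what `gcloud projects add-iam-policy-binding` does to the
    policy document; the real command's etag-guarded read-modify-write
    against the API is omitted here.
    """
    updated = copy.deepcopy(hierarchy)
    policy, _parent = updated[resource]
    for binding in policy["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        policy["bindings"].append({"role": role, "members": [member]})
    return updated


def effective_roles(hierarchy, resource, member, request_time_iso):
    """Sorted union of roles `member` holds on `resource` via its own policy
    and every ancestor's policy. Members are matched literally (no group or
    domain expansion)."""
    roles = set()
    node = resource
    while node is not None:
        policy, parent = hierarchy[node]
        for binding in policy["bindings"]:
            if member in binding["members"] and condition_holds(
                    binding.get("condition"), request_time_iso):
                roles.add(binding["role"])
        node = parent
    return sorted(roles)


if __name__ == "__main__":
    after = add_iam_policy_binding(HIERARCHY, "projects/my-project-name",
                                   "user:dev@example.com", "roles/editor")
    print(effective_roles(after, "projects/my-project-name",
                          "user:dev@example.com", "2021-01-01T00:00:00Z"))
```

Walking the chain from the project upward is what makes the inheritance visible: the organization admin group gets its role on the project without any project-level binding, the contractor's conditional viewer role disappears once the timestamp passes, and a project-only binding never shows up when the organization itself is queried.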

Policy Troubleshooting and Policy Auditing