Cloud IAM answers one question: who can do what on which resource.
who (identity) – the user, identified by a user ID or email address
what (action) – the permission, e.g. create, update, delete
which (resource) – e.g. a Cloud Storage bucket or a BigQuery dataset
In simple words: a user or employee (who) is given permission to create a storage bucket or delete a storage bucket (what) in Cloud Storage (which).
An employee given the Storage Object Creator role (roles/storage.objectCreator) can create objects in a Cloud Storage bucket. That role does not let them view, overwrite or delete objects; it grants only what an uploader needs, which is the least-privilege idea behind IAM.
A real-life example: a waiter can collect an order from the kitchen and deliver it to the table.
In this example:
who – the waiter. what (action) – he can deliver food from the kitchen to the customer's table. His access to the kitchen is limited: he can only collect and deliver the food, he cannot prepare food inside the kitchen.
which – the kitchen is the resource. He can access it only to collect the food for delivery, not to cook there.
IAM – Identity

- Google Account : a plain Google email account, e.g. user@gmail.com or employee@workmail.com. In an IAM policy it appears as a member of the form user:user@gmail.com.
- Google Groups : a number of users collected into one group, i.e. a set of email addresses put into one group so the same level of access can be granted to all of them at once. E.g. a group of developers and a group of DevOps engineers can each be given a different set of roles. Granting to groups instead of individuals also makes access easier to audit and to revoke (remove the user from the group). Member form: group:developers@example.com.
- Cloud Identity Account : a user account managed by your organization through Cloud Identity, for staff who do not need a Google Workspace subscription. Also a user: member in a policy.
- Google Workspace account : a user account managed by your organization's Google Workspace domain, e.g. employee@company.com. Also a user: member in a policy.
- Service Account : used when two services need to talk to each other with no human involved. If a Compute Engine VM needs to access a Cloud Storage bucket, the VM runs as a service account and that service account is granted the role on the bucket. Member form: serviceAccount:name@project.iam.gserviceaccount.com. Prefer attaching the service account to the workload over downloading a JSON key: a downloaded key is a long-lived credential that must be stored and rotated.
Roles & Permissions
Roles are collections of permissions. A permission is a single action on a resource type, written service.resource.verb (e.g. storage.objects.create). You never grant a permission directly; you grant a role that bundles permissions, to a member, on a resource, and the member gets the union of the permissions of all roles bound to it. Grant the narrowest role that covers what the member actually needs.
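To make the "who can do what on which resource" model and the identity types above concrete, here is a small evaluator for an IAM policy on one bucket. This is an added example, not Google's code: the policy document follows the JSON shape that the `get-iam-policy` commands return (a list of bindings, each a role and its members), but the role-to-permission table is only an illustrative subset of the real predefined roles, and the group memberships, bucket policy, project name and email addresses are constructed for the demo.

```python
"""Toy evaluator for the Cloud IAM model: who (member) can do what
(permission) on which resource (the thing the policy is attached to).

Added example; not Google's code. Role contents below are an illustrative
subset (assumption: verify the real list with
`gcloud iam roles describe roles/storage.objectCreator`).
"""
import json

# Illustrative subset of the permissions in each predefined role.
ROLE_PERMISSIONS = {
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.get", "storage.objects.list",
        "storage.objects.update", "storage.objects.delete",
    },
}

# Constructed group membership (in GCP this lives in Google Groups / Cloud Identity).
GROUP_MEMBERS = {
    "group:developers@example.com": {"user:alice@example.com", "user:bob@example.com"},
    "group:devops@example.com": {"user:carol@example.com"},
}

# Constructed IAM policy on one bucket, in the JSON shape GCP returns.
BUCKET_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXyz123",
  "bindings": [
    {"role": "roles/storage.objectCreator",
     "members": ["group:developers@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["user:bob@example.com",
                 "serviceAccount:vm-uploader@my-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["group:devops@example.com"]}
  ]
}
""")


def expand_member(member: str) -> set[str]:
    """Every concrete principal a binding member stands for (a group -> its users)."""
    if member.startswith("group:"):
        return set(GROUP_MEMBERS.get(member, set()))
    return {member}


def roles_for(policy: dict, principal: str) -> set[str]:
    """All roles bound to `principal`, directly or through a group it belongs to."""
    roles = set()
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            if principal in expand_member(member):
                roles.add(binding["role"])
    return roles


def permissions_for(policy: dict, principal: str) -> set[str]:
    """Union of the permissions of every role held (a role is a permission set)."""
    perms: set[str] = set()
    for role in roles_for(policy, principal):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can(policy: dict, principal: str, permission: str) -> bool:
    """who (principal) can do what (permission) on which (the policy's resource)."""
    return permission in permissions_for(policy, principal)


def principals_with(policy: dict, permission: str) -> set[str]:
    """Audit helper: every concrete principal in the policy that holds `permission`."""
    principals: set[str] = set()
    for binding in policy.get("bindings", []):
        for member in binding["members"]:
            principals |= expand_member(member)
    return {p for p in principals if can(policy, p, permission)}


if __name__ == "__main__":
    # alice is an Object Creator through her group: she can upload but not delete.
    print(can(BUCKET_POLICY, "user:alice@example.com", "storage.objects.create"))
    print(can(BUCKET_POLICY, "user:alice@example.com", "storage.objects.delete"))
    # Who in this policy could delete objects? Only the devops group members.
    print(sorted(principals_with(BUCKET_POLICY, "storage.objects.delete")))
```

The `can` check is the waiter test from the analogy above: the creator role lets alice bring objects into the bucket but not remove them, and `principals_with` is the question a reviewer asks of a real policy before approving it: who, after expanding groups, ends up able to delete.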
