IAM & Admin
- By default, all Google Cloud projects come with a single user: the original project creator.
- No other users have access to the project, until a user is added as a project member or is bound to a specific resource.
- Service accounts can be used to authenticate apps instead of using user credentials.
- To give users the ability to create and manage Compute Engine resources, add users as project members and grant permissions using Cloud Identity and Access Management roles.
- A team member can be an individual user with a valid Google Account, a Google Group, a service account, or a G Suite domain.
- When a team member is added to a project or to a resource, the roles to grant them are specified.
- Cloud IAM provides predefined, primitive, and custom roles.
- Resources inherit the policies of their parent resources in the Google Cloud resource hierarchy.
- The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.
- To give a user SSH access to VM instances and prevent access to all APIs, add the user's SSH keys to the project or instance instead of adding the user to the project and granting them wide ranging permissions.