This lesson consolidates IAM best practices across all the topics covered in this course. Following these practices will help you build a secure, manageable, and auditable GCP environment.
The most important principle in IAM: grant only the minimum permissions needed for the task.
| Action | Detail |
|---|---|
| Use predefined roles | They are scoped to specific services and tasks |
| Create custom roles | When predefined roles grant too many permissions |
| Avoid basic roles | roles/editor and roles/owner grant thousands of unnecessary permissions |
| Use IAM Recommender | Identifies permissions that have not been used and suggests downgrades |
| Use IAM Conditions | Grant time-limited or context-aware access |
| Review regularly | Audit access quarterly and revoke unused permissions |
```bash
# Check IAM Recommender for a project
gcloud recommender recommendations list \
  --project=my-project \
  --location=global \
  --recommender=google.iam.policy.Recommender
```
Never assign roles to individual users when managing more than a handful of people:
```text
BAD:
roles/storage.admin → user:alice@co.com
roles/storage.admin → user:bob@co.com
roles/storage.admin → user:carol@co.com
(Must update IAM for every joiner/leaver)
```
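As an added example that is not part of the course, the script below audits an exported project policy (the JSON shape produced by `gcloud projects get-iam-policy my-project --format=json`) for the two anti-patterns above: basic roles, and the same role bound to several individual users instead of a group. The embedded policy is constructed sample data, and the user-count threshold is an assumed value.

```python
"""Flag basic-role bindings and per-user sprawl in a GCP project IAM policy."""
import json

# Basic (primitive) roles: broad permissions across every service in the project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy, shaped like the output of
# `gcloud projects get-iam-policy my-project --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@co.com"]},
        {"role": "roles/storage.admin",
         "members": ["user:alice@co.com", "user:bob@co.com", "user:carol@co.com"]},
        {"role": "roles/storage.objectViewer", "members": ["group:analysts@co.com"]},
        {"role": "roles/owner",
         "members": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyz",
    "version": 1,
})


def audit_policy(policy_json, max_direct_users=2):
    """Return findings as (severity, role, members, reason) tuples.

    max_direct_users is an assumed threshold: more than this many user: members
    on one role suggests the binding should target a group instead.
    """
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])
        # Anti-pattern 1: basic roles, regardless of who holds them.
        if role in BASIC_ROLES:
            for member in members:
                findings.append(("HIGH", role, member,
                                 "basic role; replace with a predefined or custom role"))
        # Anti-pattern 2: many individual users bound directly to one role.
        users = [m for m in members if m.startswith("user:")]
        if len(users) > max_direct_users:
            findings.append(("MEDIUM", role, ",".join(users),
                             f"{len(users)} users bound directly; bind a group instead"))
    return findings


if __name__ == "__main__":
    for severity, role, who, reason in audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] {role} -> {who}: {reason}")
```

Pipe a real export in with `gcloud projects get-iam-policy my-project --format=json` and pass its contents to `audit_policy` to review a live project.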