IAM policies are the mechanism by which roles are granted to members on resources. Understanding how policies work — including inheritance, the additive model, and deny policies — is essential for designing secure access control.
An IAM policy is a JSON document attached to a resource. It contains an array of bindings, each mapping members to a role:
```json
{
  "version": 3,
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "user:alice@example.com",
        "group:analysts@example.com"
      ]
    },
    {
      "role": "roles/storage.admin",
      "members": [
        "serviceAccount:storage-sa@my-project.iam.gserviceaccount.com"
      ],
      "condition": {
        "title": "Expires in 90 days",
        "expression": "request.time < timestamp('2025-06-01T00:00:00Z')"
      }
    }
  ],
  "etag": "BwXmq..."
}
```
| Field | Purpose |
|---|---|
| `version` | Policy schema version (use 3 for conditions support) |
| `bindings` | Array of role-to-member mappings |
| `role` | The IAM role being granted |
| `members` | Array of identities receiving the role |
| `condition` | Optional — restricts when the binding is active |
| `etag` | Concurrency control — prevents overwriting concurrent changes |
```bash
# View project IAM policy
gcloud projects get-iam-policy my-project
```
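To show how the fields above work together, here is an added example (not part of this course) that processes a policy document of the shape returned by `get-iam-policy`: it lists the roles a member effectively holds under the additive model, treats a binding with an expiry condition as inactive once the timestamp has passed, and refuses a read-modify-write whose `etag` no longer matches. The sample policy is constructed inline, and evaluating only the `request.time < timestamp(...)` condition form is a simplification of this example, not of IAM.

```python
import copy
import re
from datetime import datetime

# Constructed sample policy with the same shape as the document shown above.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com", "group:analysts@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:storage-sa@my-project.iam.gserviceaccount.com"],
         "condition": {"title": "Expires in 90 days",
                       "expression": "request.time < timestamp('2025-06-01T00:00:00Z')"}},
    ],
    "etag": "BwXmq...",
}

# The only condition form this example evaluates: an absolute expiry time.
EXPIRY_RE = re.compile(r"request\.time\s*<\s*timestamp\('([^']+)'\)")

def parse_ts(iso):  # RFC 3339 timestamp such as 2025-06-01T00:00:00Z
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def binding_active(binding, now_iso):
    """Expiry conditions are active only before their timestamp; unconditional
    bindings and expressions not evaluable offline count as active (never under-report)."""
    cond = binding.get("condition")
    m = cond and EXPIRY_RE.fullmatch(cond["expression"].strip())
    return not m or parse_ts(now_iso) < parse_ts(m.group(1))

def effective_roles(policy, member, now_iso):
    """Roles the member holds through active bindings. IAM is additive: every
    matching binding contributes and none overrides another."""
    return sorted({b["role"] for b in policy["bindings"]
                   if member in b["members"] and binding_active(b, now_iso)})

def add_binding(policy, expected_etag, role, member):
    """Read-modify-write guard: refuse the change when the etag no longer matches
    the one read earlier, mirroring the concurrency check the IAM API performs."""
    if policy["etag"] != expected_etag:
        raise RuntimeError("policy changed since it was read; re-fetch and retry")
    updated = copy.deepcopy(policy)
    for b in updated["bindings"]:
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated
```

Group membership is not expanded here, so a member reached only through `group:analysts@example.com` is reported as holding nothing; resolving groups requires a directory lookup that this offline example does not perform.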