Google Cloud · Cloudintermediate

GCP IAM Policy Binding

A Google Cloud IAM policy binding JSON granting a role to members, with an etag for safe concurrent updates — the shape returned by getIamPolicy.

gcpiamsecuritypolicybinding

Preview

{
  "version": 3,
  "etag": "BwWWja0YfJA=",
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "group:[email protected]",
        "serviceAccount:[email protected]"
      ]
    },
    {
      "role": "roles/storage.objectAdmin",
      "members": [
        "user:[email protected]"
      ],
      "condition": {
        "title": "only-prod-bucket",
        "expression": "resource.name.startsWith('projects/_/buckets/prod-assets')"
      }
    }
  ]
}

AI actions

Documentation

Purpose

Grant IAM roles to members on a GCP resource, as consumed by setIamPolicy / gcloud.

When to use

Managing access on a project, bucket, or service via the IAM API or Terraform.

Required fields

  • bindings — role-to-members mappings
  • role — the IAM role, e.g. roles/storage.objectViewer
  • members — the identities granted the role

Optional fields

  • etag — concurrency token from getIamPolicy
  • version — policy schema version (3 for conditions)
  • condition — CEL expression scoping a binding

Best practices

  • Always read-modify-write with the returned etag to avoid clobbering.
  • Prefer predefined roles over primitive owner/editor/viewer.
  • Use conditions to time-box or resource-scope access.

Security considerations

  • allUsers / allAuthenticatedUsers make a resource public — avoid unless intended.
  • Grant roles to groups, not individuals, for manageable access.
  • Audit bindings with the Policy Analyzer regularly.