Google Cloud · Cloudintermediate
GCP IAM Policy Binding
A Google Cloud IAM policy binding JSON granting a role to members, with an etag for safe concurrent updates — the shape returned by getIamPolicy.
gcpiamsecuritypolicybinding
Preview
{
"version": 3,
"etag": "BwWWja0YfJA=",
"bindings": [
{
"role": "roles/storage.objectViewer",
"members": [
"group:[email protected]",
"serviceAccount:[email protected]"
]
},
{
"role": "roles/storage.objectAdmin",
"members": [
"user:[email protected]"
],
"condition": {
"title": "only-prod-bucket",
"expression": "resource.name.startsWith('projects/_/buckets/prod-assets')"
}
}
]
}AI actions
Documentation
Purpose
Grant IAM roles to members on a GCP resource, as consumed by setIamPolicy / gcloud.
When to use
Managing access on a project, bucket, or service via the IAM API or Terraform.
Required fields
- bindings — role-to-members mappings
- role — the IAM role, e.g. roles/storage.objectViewer
- members — the identities granted the role
Optional fields
- etag — concurrency token from getIamPolicy
- version — policy schema version (3 for conditions)
- condition — CEL expression scoping a binding
Best practices
- Always read-modify-write with the returned etag to avoid clobbering.
- Prefer predefined roles over primitive owner/editor/viewer.
- Use conditions to time-box or resource-scope access.
Security considerations
- allUsers / allAuthenticatedUsers make a resource public — avoid unless intended.
- Grant roles to groups, not individuals, for manageable access.
- Audit bindings with the Policy Analyzer regularly.