IAM policy bindings
In Google Cloud, access is managed through IAM policy bindings. An IAM policy is attached to a particular resource (remember, a resource could be a service account). An IAM policy contains a collection of role bindings, each of which associates a role with one or more principals.
Recall that a principal could be one or more of the following:
- A Google account (a Gmail account is a form of Google account)
- A service account
- A Google group
- A Google Workspace account
- A Cloud Identity domain
- All authenticated users
- All users
IAM policy bindings (sometimes simply called bindings) associate a role with principals, both on the resource that the policy is attached to and on all of that resource's descendants (for example, a policy attached to a folder applies to all the resources underneath that folder).
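The inheritance rule above can be checked mechanically. The following is an added example, not code from the original page: it walks a constructed resource hierarchy, collects every binding that applies to a resource (its own plus inherited ones), and flags grants to the two public principals. The resource names, policies and function names are hypothetical, and IAM conditions and deny policies are ignored.

```python
# Constructed sample data: a small resource hierarchy and the allow policy
# attached at each level, in the {"bindings": [...]} shape of an IAM policy.
PARENT = {  # child -> parent (hypothetical resource names)
    "projects/demo-app": "folders/eng",
    "folders/eng": "organizations/example",
    "organizations/example": None,
}
POLICIES = {
    "organizations/example": {"bindings": [
        {"role": "roles/viewer", "members": ["domain:example.com"]},
    ]},
    "folders/eng": {"bindings": [
        {"role": "roles/editor", "members": ["group:eng@example.com"]},
    ]},
    "projects/demo-app": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers",
                     "serviceAccount:app@demo-app.iam.gserviceaccount.com"]},
    ]},
}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def effective_bindings(resource):
    """Return (role, member, source) for every binding that applies to
    `resource`: its own policy plus those inherited from each ancestor."""
    result = []
    node = resource
    while node is not None:
        for binding in POLICIES.get(node, {}).get("bindings", []):
            for member in binding["members"]:
                result.append((binding["role"], member, node))
        node = PARENT.get(node)  # move up one level; None ends the walk
    return result


def public_grants(resource):
    """Effective bindings that grant a role to anyone on the internet
    (allUsers) or to any signed-in Google identity (allAuthenticatedUsers)."""
    return [b for b in effective_bindings(resource) if b[1] in PUBLIC]


if __name__ == "__main__":
    for role, member, source in effective_bindings("projects/demo-app"):
        flag = "  <-- public" if member in PUBLIC else ""
        print(f"{role:28} {member:52} from {source}{flag}")
```

The `source` column shows where a grant must be removed: an inherited binding cannot be revoked on the child resource, only on the ancestor whose policy contains it.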
Policy structure
IAM policies consist of role definitions and additional details. A role binding determines the resources that can...