1. Overview
    1. Default original role is held by the project creator
    2. Add users as project members or bind to a resource
    3. Use service accounts to authenticate applications
    4. Member can be a Google Account, Google Group, service account, or Workspace domain
    5. Roles include predefined, primitive, and custom roles
    6. For SSH access, add SSH keys to project or instance
  2. Roles
    1. Contains permissions suitable for a specific task
    2. IAM policy assigns IAM roles to members
    3. Controls who has what permission on which resources
    4. IAM checks that each API request has permission to access the resource
    5. Permissions are granted by setting policies
    6. Legacy roles are viewer, editor, owner
    7. Use custom roles to limit instance access to APIs
    8. Limit access of default service account with access scopes
    9. Give each instance or set of instances a unique identity
    10. Managed instance groups use a service account identity to manage instances
    11. Use broader owner, editor, or viewer roles to grant permission to perform these operations
    12. Use predefined roles whenever possible
    13. Where IAM is not supported, use primitive roles
    14. If predefined or primitive roles do not meet the requirements, create custom roles
  3. Policies
    1. Grant access by attaching IAM policies to resources
    2. Attach policies to resources or at project level
    3. Enables application of principle of least privilege
    4. Project level policies are inherited by child resources
    5. Policy is union of the policy at resource and parent
    6. Organization resource is the supernode in the resource hierarchy
    7. Projects created by domain members belong to the Organization resource
    8. Organization policies can restrict configurations across the resource hierarchy
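Policy inheritance (items 3.4 and 3.5) decides what a member can actually do on a leaf resource. The following is an added example, not Google's code: it models a three-level hierarchy (organization > project > instance), computes the effective policy as the union of the bindings on the resource and on every ancestor, and reports which members hold a primitive role so they can be narrowed to predefined roles. The role-to-permission sets and the hierarchy are constructed for illustration and cover only a handful of the real permissions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of permissions per role; real roles carry many more.
ROLE_PERMISSIONS = {
    "roles/viewer": {
        "compute.instances.get", "compute.instances.list", "logging.logEntries.list",
    },
    "roles/editor": {
        "compute.instances.get", "compute.instances.list", "logging.logEntries.list",
        "compute.instances.create", "compute.instances.delete",
    },
    "roles/owner": {
        "compute.instances.get", "compute.instances.list", "logging.logEntries.list",
        "compute.instances.create", "compute.instances.delete",
        "resourcemanager.projects.setIamPolicy",
    },
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.setMetadata",
    },
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}
PRIMITIVE_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}


@dataclass
class Resource:
    """A node in the resource hierarchy with its own IAM policy (role -> members)."""
    name: str
    parent: Optional["Resource"] = None
    bindings: dict = field(default_factory=dict)

    def bind(self, role: str, member: str) -> "Resource":
        self.bindings.setdefault(role, set()).add(member)
        return self


def effective_bindings(resource: Resource) -> dict:
    """Union of the policy on the resource and the policies of all its ancestors.
    Bindings flow downward only: a binding on an instance never reaches its project."""
    merged: dict = {}
    node = resource
    while node is not None:
        for role, members in node.bindings.items():
            merged.setdefault(role, set()).update(members)
        node = node.parent
    return merged


def roles_of(member: str, resource: Resource) -> set:
    return {r for r, ms in effective_bindings(resource).items() if member in ms}


def permissions_of(member: str, resource: Resource) -> set:
    perms: set = set()
    for role in roles_of(member, resource):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def can(member: str, resource: Resource, permission: str) -> bool:
    """Would IAM admit an API request by member for permission on resource?"""
    return permission in permissions_of(member, resource)


def primitive_grants(resource: Resource) -> set:
    """(member, role) pairs holding a primitive role anywhere up the chain;
    these are the candidates for replacement by a narrower predefined role."""
    return {
        (m, role)
        for role, members in effective_bindings(resource).items()
        if role in PRIMITIVE_ROLES
        for m in members
    }


# Constructed hierarchy: org-level auditors, a project editor, an instance admin.
org = Resource("organizations/EXAMPLE-ORG").bind("roles/viewer", "group:auditors@example.com")
project = Resource("projects/example-project", parent=org).bind("roles/editor", "user:alice@example.com")
instance = Resource(
    "projects/example-project/zones/us-central1-a/instances/web-1", parent=project
).bind("roles/compute.instanceAdmin.v1", "user:bob@example.com")

if __name__ == "__main__":
    for member in ("group:auditors@example.com", "user:alice@example.com", "user:bob@example.com"):
        print(member, sorted(roles_of(member, instance)))
    print("primitive grants on instance:", sorted(primitive_grants(instance)))
```

The walk up `parent` links is the whole inheritance rule: the auditors group, bound only at the organization, can read the instance, while Bob's instance-level admin binding grants him nothing at the project level.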
  4. Instances
    1. Add public key to project or instance for SSH access
    2. Avoids adding a user as a project member
    3. compute.instanceAdmin role grants access via SSH
    4. Instance must not be set up to run as a service account
    5. iam.serviceAccountUser role needed to run as a SA
    6. Project owner or editor can SSH to VM instances
    7. Grant SA specific IAM roles to authenticate to GCP APIs
    8. A service account has no user credentials
    9. It is ideal for server-to-server interactions
    10. A public key is added to the project metadata when an instance is accessed via the browser or gcloud
  5. Audit logs
    1. Retain, query, process, and alert on events
    2. Used for forensic analysis and real-time alerting
    3. Used to catalog how services are used and by whom
    4. Google Cloud Platform logs admin activity by default
    5. Data access events can be optionally logged
    6. All console activities are logged
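Items 5.1 to 5.5 describe what Cloud Audit Logs record; the following added example, not Google's code, shows the detection side. It constructs a few log entries in the exported JSON shape of a Cloud Audit Log (the `logName` suffix distinguishes the default admin-activity log from the optional data-access log, and `protoPayload.methodName` names the API call), then separates the two log types and flags the sensitive administrative calls a defender would alert on: IAM policy changes, service-account key creation and instance or project metadata changes, which is where SSH keys from section 4 land. The project id, principals and timestamps are constructed placeholders.

```python
import json
from collections import Counter

PROJECT = "projects/example-project"  # constructed project id

# Admin-activity methods worth an alert, keyed by the API method name.
SENSITIVE_METHODS = {
    "SetIamPolicy": "IAM policy changed",
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
    "v1.compute.instances.setMetadata": "instance metadata (e.g. SSH keys) changed",
    "v1.compute.projects.setCommonInstanceMetadata": "project metadata (e.g. SSH keys) changed",
}


def _entry(log_type, service, method, principal, resource, ts):
    """Build one constructed audit log line in the exported Cloud Logging JSON shape."""
    return json.dumps({
        "logName": f"{PROJECT}/logs/cloudaudit.googleapis.com%2F{log_type}",
        "timestamp": ts,
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource,
        },
    })


# Constructed sample: three admin-activity events and one data-access event.
LOG_LINES = [
    _entry("activity", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "alice@example.com", PROJECT, "2024-01-01T10:00:00Z"),
    _entry("activity", "compute.googleapis.com", "v1.compute.instances.setMetadata",
           "bob@example.com", f"{PROJECT}/zones/us-central1-a/instances/web-1",
           "2024-01-01T10:05:00Z"),
    _entry("data_access", "storage.googleapis.com", "storage.objects.get",
           "app-sa@example-project.iam.gserviceaccount.com",
           f"{PROJECT}/buckets/example-bucket/objects/report.csv", "2024-01-01T10:06:00Z"),
    _entry("activity", "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey",
           "alice@example.com",
           f"{PROJECT}/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com",
           "2024-01-01T10:07:00Z"),
]


def parse_entries(lines):
    """Parse exported log lines, keeping only Cloud Audit Log payloads."""
    entries = []
    for line in lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("@type") == "type.googleapis.com/google.cloud.audit.AuditLog":
            entries.append(entry)
    return entries


def log_type(entry):
    """'activity' for admin activity, 'data_access' for data access, else the raw suffix."""
    return entry["logName"].rsplit("cloudaudit.googleapis.com%2F", 1)[-1]


def count_by_type(entries):
    return Counter(log_type(e) for e in entries)


def activity_by_principal(entries):
    """Who did what: (principal, method) counts, the basis for 'how services are used and by whom'."""
    return Counter(
        (e["protoPayload"]["authenticationInfo"]["principalEmail"], e["protoPayload"]["methodName"])
        for e in entries
    )


def find_alerts(entries):
    """Sensitive admin-activity calls, oldest first, as (timestamp, principal, reason, resource)."""
    hits = []
    for e in entries:
        p = e["protoPayload"]
        reason = SENSITIVE_METHODS.get(p["methodName"])
        if log_type(e) == "activity" and reason:
            hits.append((e["timestamp"], p["authenticationInfo"]["principalEmail"],
                         reason, p["resourceName"]))
    return sorted(hits)


if __name__ == "__main__":
    entries = parse_entries(LOG_LINES)
    print(count_by_type(entries))
    for alert in find_alerts(entries):
        print("ALERT", *alert)
```

Note that the data-access read by the service account only appears because data-access logging was enabled for that service (item 5.5); with the default configuration the same query would see the three admin-activity events alone.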