Workspace

• Because Workspace offers more features than Cloud Identity, it is also more costly per license.

Cloud Identity

Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups

Cloud Identity offers a free edition and a premium edition.

Free edition

By default, the free edition of Cloud Identity provides 50 user licenses. And the free license can be applied by request with no

• Sign Up

Principal

A principal can be a

• Google Account (for end users)
• a service account (for applications and compute workloads)
  • Use service account for instance principal purpose
  • WARN: consider access scope impact on permission validation
• a Google group
• a Google Workspace account or Cloud Identity domain that can access a resource.

principal identifier is typically an email address.

Group

Group is a member group. This feature requires an organization

• Permissions to create, view, edit, and delete groups, are managed by Google Workspace, not IAM.
• Managed in organization layer, not project layer

User

User can be a Principal in IAM or Member of Group

• Invitation will be sent to Principal as email.
• There is no direct way to fetch all users within an org
  • https://medium.com/gdgcloudsantiago/how-to-track-active-users-in-google-cloud-platform-gcp-2b65b9191e8

Role

• A role is a collection of permissions.
• Permissions determine what operations are allowed on a resource.

Policy

• The allow policy is a collection of role bindings that bind one or more principals to individual roles.
• define who (principal) has what type of access (role) on a resource, you need to create an allow policy and attach it to the resource

Access scope

• It is considered as legacy
• It has effect if you have enabled the related API on the project
• The default scope is not best practise, use Allow full access to all Cloud APIs as best practise
• The default scope includes
  • Read-only access to Cloud Storage
  • Write access to write Compute Engine logs:
  • Write access to publish metric data to your Google Cloud projects:
  • Read-only access to Service Management features required for Google Cloud Endpoints(Alpha):
  • Read/write access to Service Control features required for Google Cloud Endpoints(Alpha):
  • Write access to Cloud Trace allows an application running on a VM to write trace data to a project.