
GCP · Identity · IAM

GCP IAM Basics

Starter LAB for Google Cloud IAM principals, policy bindings, service accounts, Workspace identity, and workload identity federation concepts.

Status Starter
Cloud GCP
Domain Identity
Future Track Workspace

Overview

This starter lab introduces Google Cloud IAM as the authorization layer for projects, resources, service accounts, and federated identities.

Starter · Identity-first · Workspace-ready · No live mutation

Concept Deep Dives

Expand these concepts when introducing Google Cloud IAM, Workspace identity, and workload federation.

What is Google Cloud IAM?

Google Cloud IAM controls who can do what on which Google Cloud resources. It uses principals, roles, permissions, policies, and resource hierarchy to evaluate access.

What is a service account?

A service account is a machine identity used by applications and workloads. Over-permissioned service accounts can become major privilege-escalation anchors.

What is Workspace identity?

Workspace identity connects users, groups, and organizational identity to Google services. It can become the foundation for future GCP Workspace and enterprise access labs.

What is Workload Identity Federation?

Workload Identity Federation allows external workloads to access Google Cloud without long-lived service account keys. It is a core pattern for safer cloud-to-cloud and CI/CD identity integration.

Core Concepts

Principals

Users, groups, service accounts, workload identities, and Google-managed identities.

Policy Bindings

Bindings that connect principals to roles on resources.

Service Accounts

Machine identities that can become privilege-escalation anchors if over-permissioned.

Workspace Identity

Enterprise identity foundation for future GCP Workspace labs.
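The binding and service-account risk points above can be checked mechanically. The following is an added example, not part of this lab's own material: it walks an IAM policy in the shape returned by getIamPolicy (a bindings list of role, members and optional condition) and flags service accounts holding basic or impersonation-capable roles and any public principals. The role sets, the sample policy, the project id and the addresses are constructed assumptions for illustration.

```python
import json

# Role sets are an assumption for this example, not an official Google Cloud
# classification: basic roles grant broad project access, and the two IAM
# roles below let a principal act as (impersonate) another service account.
BASIC_ROLES = {"roles/owner", "roles/editor"}
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                       "roles/iam.serviceAccountUser"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy):
    """Return (member, role, reason) findings for one IAM policy document.

    `policy` uses the getIamPolicy shape: a "bindings" list whose entries
    carry a "role", a "members" list and, optionally, a "condition".
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # A condition narrows when the binding applies; keep the finding but flag it.
        suffix = " (conditional)" if "condition" in binding else ""
        for member in binding.get("members", []):
            is_sa = member.startswith("serviceAccount:")
            if member in PUBLIC_PRINCIPALS:
                findings.append((member, role, "public principal" + suffix))
            elif is_sa and role in BASIC_ROLES:
                findings.append((member, role, "service account holds basic role" + suffix))
            elif is_sa and role in IMPERSONATION_ROLES:
                findings.append((member, role, "service account can impersonate" + suffix))
    return findings


# Constructed sample policy; the project id and addresses are placeholders.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner",
   "members": ["user:alice@example.com",
               "serviceAccount:ci-builder@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:deploy@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "business-hours",
                 "expression": "request.time.getHours('UTC') < 18"}},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
]}
""")

for member, role, reason in audit_policy(SAMPLE_POLICY):
    print(f"{reason}: {member} -> {role}")
```

On the sample policy the auditor reports three findings: the CI service account as project owner, the deploy service account's conditional impersonation grant, and the public object-viewer binding.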

Learning Outcomes

  • Understand Google Cloud IAM principals and bindings
  • Explain service account identity risk
  • Prepare for GCP Workspace and workload identity federation labs

Future Expansion

This starter lane remains reserved for GCP Workspace identity, Workload Identity Federation, service account impersonation, and organization-level IAM governance labs.

GCP is intentionally retained as a future Principal LAB track.

Governance Boundary

  • Does not mutate GCP resources
  • Does not execute remediation
  • Does not claim Shield or Aegis linkage until explicitly mapped

Source Artifacts

metadata.json: Lab identity and starter metadata
index.html: Rendered starter lab page