IAM and service accounts
IAM in Google Cloud answers the question "who can do what on which resource." The model is consistent across the entire hierarchy, and a special role is played by service accounts — they are what ZEUS uses for read-only access.
Three elements: member, role, resource
An IAM policy is a set of bindings that connect:
- member — who (a user, group, service account, domain),
- role — a set of permissions,
- resource — where (organization/folder/project/resource).
# Grant the Viewer role to a user on the project
gcloud projects add-iam-policy-binding zeus-prod-4471 \
--member="user:jan@professnet.pl" \
--role="roles/viewer"
# Inspect the project's IAM policy
gcloud projects get-iam-policy zeus-prod-4471
Types of roles
| Role type | Example | Note |
|---|---|---|
| Basic | roles/owner, roles/editor, roles/viewer | too broad — avoid in prod |
| Predefined | roles/compute.viewer | narrow, per service — preferred |
| Custom | your own set of permissions | when predefined ones don't fit |
Tip: basic roles (editor, owner) grant a huge scope of permissions across the whole project. ZEUS flags their misuse as a finding — least privilege means predefined or custom roles.
Service accounts
A service account is an identity for applications and automation (not for people). It is identified by an address like name@project.iam.gserviceaccount.com. It can take on roles just like a user.
gcloud iam service-accounts create zeus-reader \
--display-name="ZEUS read-only connector"
gcloud projects add-iam-policy-binding zeus-prod-4471 \
--member="serviceAccount:zeus-reader@zeus-prod-4471.iam.gserviceaccount.com" \
--role="roles/viewer"
Service account keys — the risk
A service account can have a JSON key (a long-term secret). This is the biggest source of incidents in GCP — leaked service account keys grant persistent access. That is why Google (and ZEUS) recommend Workload Identity instead of keys:
# Number of keys on the service account (the fewer the better; ideally zero)
gcloud iam service-accounts keys list \
--iam-account=zeus-reader@zeus-prod-4471.iam.gserviceaccount.com
How ZEUS sees it
ZEUS reads the complete IAM policies (at every level of the hierarchy) and all service accounts. It pays particular attention to three things: the use of basic roles, service accounts with excessive permissions, and the existence of JSON keys — because those are the makings of a serious incident. ZEUS itself authenticates without a key, through Workload Identity Federation (details in lesson 06), setting an example of good practice.
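A sketch of two of the checks described above (basic-role bindings and user-managed JSON keys), as an added example and not ZEUS's own code. The JSON samples are constructed in the shape of the output of the two gcloud commands shown earlier with `--format=json`; `ci-runner` and `ops@professnet.pl` are made up, the key ids are placeholders, and `keyType` is the IAM API's `ServiceAccountKey` field.

```python
import json

# Basic (primitive) roles; the lesson says to prefer predefined or custom roles.
BASIC_ROLES = {"roles/owner": "HIGH", "roles/editor": "HIGH", "roles/viewer": "MEDIUM"}

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json`.
# Only zeus-reader and jan@professnet.pl come from the lesson; ci-runner and
# ops@professnet.pl are made up for this example.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:jan@professnet.pl",
                 "serviceAccount:ci-runner@zeus-prod-4471.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:zeus-reader@zeus-prod-4471.iam.gserviceaccount.com"]},
    {"role": "roles/compute.viewer", "members": ["group:ops@professnet.pl"]}
  ]
}""")

# Constructed sample shaped like `gcloud iam service-accounts keys list --format=json`.
# keyType is the IAM API's ServiceAccountKey field; key ids are placeholders.
SA = "projects/zeus-prod-4471/serviceAccounts/ci-runner@zeus-prod-4471.iam.gserviceaccount.com"
SAMPLE_KEYS = json.loads(f"""[
  {{"name": "{SA}/keys/KEYID-PLACEHOLDER-1", "keyType": "USER_MANAGED", "disabled": false}},
  {{"name": "{SA}/keys/KEYID-PLACEHOLDER-2", "keyType": "SYSTEM_MANAGED", "disabled": false}}
]""")


def basic_role_findings(policy):
    """Return (severity, member, role) for every member bound to a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in BASIC_ROLES:
            for member in binding.get("members", []):
                findings.append((BASIC_ROLES[role], member, role))
    return sorted(findings)


def user_managed_key_findings(keys):
    """Return names of active user-managed keys (the downloadable JSON kind).
    SYSTEM_MANAGED keys are rotated by Google and their private half never leaves GCP."""
    return [k["name"] for k in keys
            if k.get("keyType") == "USER_MANAGED" and not k.get("disabled", False)]


if __name__ == "__main__":
    for sev, member, role in basic_role_findings(SAMPLE_POLICY):
        print(f"[{sev}] basic role {role} bound to {member}")
    for name in user_managed_key_findings(SAMPLE_KEYS):
        print(f"[HIGH] user-managed key present: {name}")
```

Feeding the script real output from the two gcloud commands above instead of the constructed samples is the only change needed to run it against a project.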
In the next lesson: Compute Engine and Cloud Storage.