Understanding GCP IAM between multiple projects

0 votes
We use GCP at my company and have numerous projects there. I'm currently attempting to organize the IAM roles across all of the projects; however, some of the IAM settings are unclear to me. Are the two projects fully independent entities with distinct IAM roles and permissions, or is there any overlap that could make it possible for a change in one project to have an impact on the other project?
Nov 4 in GCP by Ashwini
• 2,760 points
40 views

1 answer to this question.

0 votes

Roles set on one project cannot be easily changed on another project. You need to take a few factors into account, though.

While individual projects may have their own access control policies, access can also be managed at levels above and beyond projects. The four resource locations where you can control access are as follows:

  • A company's level. The organizational resource speaks for your business. All resources inside the organization inherit any IAM roles provided at this level.
  • The folder level. Projects, other folders, or a combination of both can be found in folders. Projects or other folders included within the parent folder will inherit any roles provided at the top folder level.
  • Project scale. Within your business, a trust boundary is represented by projects. Services that are part of the same project are assumed to be trustworthy. For instance, Cloud Storage buckets located inside the same project can be accessed by App Engine instances. Resources within a project inherit IAM roles that have been granted at the project level.
  • Level of resources. Genomics Datasets, Pub/Sub topics, and Compute Engine instances are additional resources that enable lower-level roles in addition to the current Cloud Storage and BigQuery ACL systems, allowing you to grant certain users access to a single resource inside a project.

Individual access, access through a service account, organization-wide access, and membership in Google Groups are all options. This means that you could unintentionally add or remove someone from numerous roles in various projects when you add or delete them from the organization or a Google group.

Additionally, anyone in that member group can alter permissions if they have been allocated a role that allows them to change IAM roles. They might alter the regulations in a way that you don't want.
answered Nov 7 by Tejashwini
• 2,860 points
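
The inheritance and group-membership points in the answer above, as an added example that is not part of the original answer. The hierarchy, project names, groups and users are constructed, and the model assumes allow bindings only (no IAM conditions, deny policies or nested groups).

```python
# Constructed sample data; every org, folder, project, group and user is hypothetical.
PARENT = {  # child -> parent in the resource hierarchy
    "folders/eng": "organizations/example",
    "projects/app-prod": "folders/eng",
    "projects/app-dev": "folders/eng",
    "projects/finance": "organizations/example",
}
BINDINGS = {  # node -> {role: members} as set directly on that node
    "organizations/example": {"roles/viewer": {"group:all-staff@example.com"}},
    "folders/eng": {"roles/editor": {"group:eng@example.com"}},
    "projects/app-prod": {"roles/resourcemanager.projectIamAdmin": {"user:alice@example.com"}},
    "projects/finance": {"roles/owner": {"user:carol@example.com"}},
}
GROUPS = {  # group -> direct members
    "group:all-staff@example.com": {"user:alice@example.com", "user:bob@example.com",
                                    "user:carol@example.com"},
    "group:eng@example.com": {"user:alice@example.com", "user:bob@example.com"},
}

def ancestors(node):
    """Yield the node itself, then each parent up to the organization."""
    while node:
        yield node
        node = PARENT.get(node)

def effective_roles(project, user):
    """Roles a user holds on a project, with where each one comes from.
    Inheritance is additive: bindings on every ancestor apply to the project."""
    roles = {}
    for node in ancestors(project):
        for role, members in BINDINGS.get(node, {}).items():
            for m in sorted(members):
                if m == user or user in GROUPS.get(m, ()):
                    roles.setdefault(role, []).append((node, m))
    return roles

def blast_radius(group):
    """Projects on which membership in `group` grants a role, directly or inherited."""
    hit = {}
    for project in (n for n in PARENT if n.startswith("projects/")):
        for node in ancestors(project):
            for role, members in BINDINGS.get(node, {}).items():
                if group in members:
                    hit.setdefault(project, set()).add(role)
    return hit

if __name__ == "__main__":
    print(effective_roles("projects/app-dev", "user:bob@example.com"))
    print(blast_radius("group:eng@example.com"))
```

Here `projects/app-dev` has no bindings of its own, yet adding a user to `group:eng@example.com` makes them an editor there and on `projects/app-prod` through the folder binding.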
