Table of Contents
hide
Identity & Access Management – IAM
- administrators authorize who can take what action on which resources
- IAM Member (Principal) can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, a Google Workspace or Cloud Identity domain, or a workforce/workload identity that can access a resource.
- IAM Role is a collection of permissions granted to authenticated members.
- supports 3 kinds of roles
- Basic roles (formerly called Primitive roles) – broad level of access (Owner, Editor, Viewer)
- Predefined roles – finer-grained granular access control
- Custom roles – tailored permissions when predefined roles don’t meet the needs.
- Best practice is to use Predefined over basic roles
- IAM Policy binds one or more members to a role.
- IAM policy can be set at any level in the resource hierarchy: organization level, folder level, the project level, or the resource level.
- IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
- Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
- Service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
- Access Scopes are the legacy method of specifying permissions for the instance for default service accounts
- Best practice is to set the full
cloud-platformaccess scope on the instance, then securely limit the service account’s access using IAM roles. - Delegate responsibility with groups (instead of individual users) and service accounts (for server-to-server interactions)
IAM Conditions
- IAM Conditions allow granting resource access to identities (members) only if configured conditions are met.
- Conditions are specified in role bindings of a resource’s IAM policy.
- Conditions support attributes like date/time, resource type, resource name, IP address, and more.
- Useful for temporary access, restricting access to specific resources, or limiting access based on device attributes.
IAM Deny Policies
- IAM Deny Policies (GA) allow defining deny rules that prevent certain principals from using certain permissions, regardless of the roles they’re granted.
- Deny policies act as guardrails and take precedence over allow policies.
- Can be attached at the organization, folder, or project level.
- Useful for centralizing management of administrative privileges and building defense in depth with Organization Policies.
- Deny policies use the IAM v2 permission format (
SERVICE_FQDN/RESOURCE.ACTION).
Workload Identity Federation
- Workload Identity Federation allows external workloads (AWS, Azure, on-premises) to access Google Cloud resources without using service account keys.
- Eliminates the maintenance and security burden associated with service account keys.
- Uses identity pools and providers to map external identities to Google Cloud IAM.
- Supports OIDC and SAML 2.0 protocols.
- Recommended for GKE workloads — Workload Identity Federation for GKE enables pods to authenticate to Google Cloud services directly.
Privileged Access Manager (PAM)
- Privileged Access Manager (PAM) is a Google Cloud native, managed solution for just-in-time temporary privilege elevation.
- Enables on-demand, time-bound access to sensitive resources instead of always-on privileges.
- Supports approval workflows — requesters can seek approval from designated approvers before access is granted.
- Requesters can schedule grant requests up to seven days in advance (e.g., for maintenance windows or on-call shifts).
- Provides audit logs to track who had access to what and when.
- IAM recommender can remediate excessive permissions for Google groups by transitioning to PAM entitlements (Preview, 2026).
Principal Access Boundary Policies
- Principal Access Boundary (PAB) Policies restrict which resources a principal is eligible to access.
- By default, principals are eligible to access any Google Cloud resource (if they have the permission).
- PAB policies define rules specifying which resources a set of principals can access — any resource not included is blocked.
- Works alongside allow policies and deny policies for defense in depth.
- Managed at the organization level with the Principal Access Boundary Admin role.
Agent Identity (GA – April 2026)
- Agent Identity provides a first-class, strongly attested, cryptographic identity for AI agents — distinct from human identities or generic service accounts.
- Based on the SPIFFE standard, tied to the lifecycle of the resource hosting the agent.
- Enables agents to securely authenticate to MCP servers, cloud resources, endpoints, and other agents.
- Supports acting on the agent’s own behalf or on behalf of an end user.
- More secure than service accounts as the identity is per-agent and lifecycle-managed.
- Agent Identity auth manager (Preview) helps authenticate agents to third-party services using OAuth or API keys.
Cloud Identity
- Cloud Identity is an Identity as a Service (IDaaS) solution that helps centrally manage the users and groups.
- configured to federate identities between Google and other identity providers, such as Active Directory and Microsoft Entra ID (formerly Azure Active Directory)
- Cloud Identity and Google Workspace support Security Assertion Markup Language (SAML) 2.0 for single sign-on with authentication performed by an external identity provider (IdP)
- With SAML, Cloud Identity or Google Workspace acts as a service provider that trusts the SAML IdP to verify a user’s identity on its behalf.
- Google Cloud Directory Sync – GCDS implements the synchronization process between external IdP
Workforce Identity Federation
- Workforce Identity Federation extends Google Cloud’s identity capabilities to support syncless, attribute-based single sign-on for human users.
- Eliminates the need to synchronize user identities from an external IdP to Google-managed identities (no GCDS needed).
- Supports multiple identity protocols: OpenID Connect (OIDC) and SAML 2.0.
- Supports multiple IdPs per identity pool including Okta, Ping Identity, ADFS, and Microsoft Entra ID.
- Over 95% of Google Cloud products now support Workforce Identity Federation.
- Provides fine-grained, user-level access control without requiring users to have Google Accounts.
Cloud Billing
- Google Cloud Billing defines billing accounts linked to Google Cloud Projects to determine who pays for a given set of Google Cloud resources.
- To move the project to a different billing account, you must be a billing administrator and the project owner.
- To link a project to a billing account, you must be a Billing Account Administrator or Billing Account User on the billing account OR Project Billing Manager on the project
- Cloud Billing budgets can be created to monitor all of the Google Cloud charges in one place and configure alerts
- supports BigQuery export with detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a specified BigQuery dataset
- Google Cloud billing data is not added retroactively to BigQuery, so the data before export is enabled will not be visible.
FinOps Hub
- FinOps Hub centralizes all cost optimization activities in one place, highlighting inefficiencies and providing actionable recommendations.
- Uses Cloud Billing to retrieve cost data and various Google Cloud cost recommenders for optimization and utilization metrics.
- FinOps Hub 2.0 (announced at Cloud Next 2025) focuses on bringing utilization insights on resources to the forefront to identify potential waste.
- Enables collaboration between business professionals and development teams to drive cost optimization.
Cost Anomaly Detection (GA – 2025)
- Cost Anomaly Detection uses AI to identify spending patterns based on historical and seasonal trends, forecasting expected daily spend per project.
- Continuously monitors actual spend every hour and detects deviations.
- Anomaly alerts are enabled by default for every customer across all projects.
- Supports customizable thresholds for cost impact amount and percent of deviation.
- Provides automated alerts/notifications and allows feedback to improve accuracy.
CUD Analysis (GA – June 2026)
- CUD Analysis provides a unified interface to examine both spend-based and resource-based Committed Use Discounts (CUDs).
- Helps understand savings, track how effectively commitments are used, and download data for offline analysis.
- Supports the new spend-based CUD model with direct discounted pricing (replacing the previous credit-based model).
AI Cost Summary Agent (Preview – April 2026)
- AI Cost Summary Agent analyzes AI costs and provides insights into AI-related spend.
- Focuses on spending related to Gemini usage, including Gemini API and Vertex AI.
- Available as a widget on the Billing Overview page.
Spend Caps (Private Preview – 2026)
- Spend Caps allow administrators to set budget limits at the project level that are automatically enforced.
- If a project reaches the limit, Google Cloud issues a warning and then pauses API traffic.
- Addresses the limitation of budgets which only alert but don’t enforce spending limits.