Google Cloud Identity Services Cheat Sheet

Identity & Access Management – IAM

  • administrators authorize who can take what action on which resources
  • IAM Member (Principal) can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, a Google Workspace or Cloud Identity domain, or a workforce/workload identity that can access a resource.
  • IAM Role is a collection of permissions granted to authenticated members.
  • supports 3 kinds of roles
    • Basic roles (formerly called Primitive roles) – broad level of access (Owner, Editor, Viewer)
    • Predefined roles – finer-grained granular access control
    • Custom roles – tailored permissions when predefined roles don’t meet the needs.
  • Best practice is to use Predefined over basic roles
  • IAM Policy binds one or more members to a role.
  • IAM policy can be set at any level in the resource hierarchy: organization level, folder level, the project level, or the resource level.
  • IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
  • Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
  • Service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
  • Access Scopes are the legacy method of specifying permissions for the instance for default service accounts
  • Best practice is to set the full cloud-platform access scope on the instance, then securely limit the service account’s access using IAM roles.
  • Delegate responsibility with groups (instead of individual users) and service accounts (for server-to-server interactions)

IAM Conditions

  • IAM Conditions allow granting resource access to identities (members) only if configured conditions are met.
  • Conditions are specified in role bindings of a resource’s IAM policy.
  • Conditions support attributes like date/time, resource type, resource name, IP address, and more.
  • Useful for temporary access, restricting access to specific resources, or limiting access based on device attributes.

IAM Deny Policies

  • IAM Deny Policies (GA) allow defining deny rules that prevent certain principals from using certain permissions, regardless of the roles they’re granted.
  • Deny policies act as guardrails and take precedence over allow policies.
  • Can be attached at the organization, folder, or project level.
  • Useful for centralizing management of administrative privileges and building defense in depth with Organization Policies.
  • Deny policies use the IAM v2 permission format (SERVICE_FQDN/RESOURCE.ACTION).

Workload Identity Federation

  • Workload Identity Federation allows external workloads (AWS, Azure, on-premises) to access Google Cloud resources without using service account keys.
  • Eliminates the maintenance and security burden associated with service account keys.
  • Uses identity pools and providers to map external identities to Google Cloud IAM.
  • Supports OIDC and SAML 2.0 protocols.
  • Recommended for GKE workloads — Workload Identity Federation for GKE enables pods to authenticate to Google Cloud services directly.

Privileged Access Manager (PAM)

  • Privileged Access Manager (PAM) is a Google Cloud native, managed solution for just-in-time temporary privilege elevation.
  • Enables on-demand, time-bound access to sensitive resources instead of always-on privileges.
  • Supports approval workflows — requesters can seek approval from designated approvers before access is granted.
  • Requesters can schedule grant requests up to seven days in advance (e.g., for maintenance windows or on-call shifts).
  • Provides audit logs to track who had access to what and when.
  • IAM recommender can remediate excessive permissions for Google groups by transitioning to PAM entitlements (Preview, 2026).

Principal Access Boundary Policies

  • Principal Access Boundary (PAB) Policies restrict which resources a principal is eligible to access.
  • By default, principals are eligible to access any Google Cloud resource (if they have the permission).
  • PAB policies define rules specifying which resources a set of principals can access — any resource not included is blocked.
  • Works alongside allow policies and deny policies for defense in depth.
  • Managed at the organization level with the Principal Access Boundary Admin role.

Agent Identity (GA – April 2026)

  • Agent Identity provides a first-class, strongly attested, cryptographic identity for AI agents — distinct from human identities or generic service accounts.
  • Based on the SPIFFE standard, tied to the lifecycle of the resource hosting the agent.
  • Enables agents to securely authenticate to MCP servers, cloud resources, endpoints, and other agents.
  • Supports acting on the agent’s own behalf or on behalf of an end user.
  • More secure than service accounts as the identity is per-agent and lifecycle-managed.
  • Agent Identity auth manager (Preview) helps authenticate agents to third-party services using OAuth or API keys.

Cloud Identity

  • Cloud Identity is an Identity as a Service (IDaaS) solution that helps centrally manage the users and groups.
  • configured to federate identities between Google and other identity providers, such as Active Directory and Microsoft Entra ID (formerly Azure Active Directory)
  • Cloud Identity and Google Workspace support Security Assertion Markup Language (SAML) 2.0 for single sign-on with authentication performed by an external identity provider (IdP)
  • With SAML, Cloud Identity or Google Workspace acts as a service provider that trusts the SAML IdP to verify a user’s identity on its behalf.
  • Google Cloud Directory Sync – GCDS implements the synchronization process between external IdP

Workforce Identity Federation

  • Workforce Identity Federation extends Google Cloud’s identity capabilities to support syncless, attribute-based single sign-on for human users.
  • Eliminates the need to synchronize user identities from an external IdP to Google-managed identities (no GCDS needed).
  • Supports multiple identity protocols: OpenID Connect (OIDC) and SAML 2.0.
  • Supports multiple IdPs per identity pool including Okta, Ping Identity, ADFS, and Microsoft Entra ID.
  • Over 95% of Google Cloud products now support Workforce Identity Federation.
  • Provides fine-grained, user-level access control without requiring users to have Google Accounts.

Cloud Billing

  • Google Cloud Billing defines billing accounts linked to Google Cloud Projects to determine who pays for a given set of Google Cloud resources.
  • To move the project to a different billing account, you must be a billing administrator and the project owner.
  • To link a project to a billing account, you must be a Billing Account Administrator or Billing Account User on the billing account OR Project Billing Manager on the project
  • Cloud Billing budgets can be created to monitor all of the Google Cloud charges in one place and configure alerts
  • supports BigQuery export with detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a specified BigQuery dataset
  • Google Cloud billing data is not added retroactively to BigQuery, so the data before export is enabled will not be visible.

FinOps Hub

  • FinOps Hub centralizes all cost optimization activities in one place, highlighting inefficiencies and providing actionable recommendations.
  • Uses Cloud Billing to retrieve cost data and various Google Cloud cost recommenders for optimization and utilization metrics.
  • FinOps Hub 2.0 (announced at Cloud Next 2025) focuses on bringing utilization insights on resources to the forefront to identify potential waste.
  • Enables collaboration between business professionals and development teams to drive cost optimization.

Cost Anomaly Detection (GA – 2025)

  • Cost Anomaly Detection uses AI to identify spending patterns based on historical and seasonal trends, forecasting expected daily spend per project.
  • Continuously monitors actual spend every hour and detects deviations.
  • Anomaly alerts are enabled by default for every customer across all projects.
  • Supports customizable thresholds for cost impact amount and percent of deviation.
  • Provides automated alerts/notifications and allows feedback to improve accuracy.

CUD Analysis (GA – June 2026)

  • CUD Analysis provides a unified interface to examine both spend-based and resource-based Committed Use Discounts (CUDs).
  • Helps understand savings, track how effectively commitments are used, and download data for offline analysis.
  • Supports the new spend-based CUD model with direct discounted pricing (replacing the previous credit-based model).

AI Cost Summary Agent (Preview – April 2026)

  • AI Cost Summary Agent analyzes AI costs and provides insights into AI-related spend.
  • Focuses on spending related to Gemini usage, including Gemini API and Vertex AI.
  • Available as a widget on the Billing Overview page.

Spend Caps (Private Preview – 2026)

  • Spend Caps allow administrators to set budget limits at the project level that are automatically enforced.
  • If a project reaches the limit, Google Cloud issues a warning and then pauses API traffic.
  • Addresses the limitation of budgets which only alert but don’t enforce spending limits.

Related Posts