12/20/2022, 2:44 PM
Hello folks, I was wondering what's the most idiomatic way to manage IAM groups in GCP. In the best of worlds, I'd be able to create a group, add a few members (mostly real users, not service accounts) and then create either an IAMMembership or an IAMBinding resource to explicitly grant the permissions required to use some cloud resources (e.g., database access). I looked into
, but am not quite sure this is the best way to go. Any thoughts? Many thanks,


12/27/2022, 1:18 PM
Actually, Cloud Identity is the best option; you can use it for free for up to 50 users. Basically you will need to create an organization on GCP in order to do that (you just need a valid domain). If you use another identity provider like AD or Okta, you could just sync it with Google Cloud Identity. Cloud Identity will also let you manage the groups. Just a reminder that Google has a clear separation between authentication and authorization: authentication is handled by Google Cloud Identity and authorization by IAM. So you will probably need to use two packages: cloudidentity and the IAM methods that are present at the resource, project, folder and organization level. For example:
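The split the reply describes, written out as an added example that is not part of the thread: the group and its members are created on the Cloud Identity side, and a project-level IAM resource then grants a role to that group's email address. The thread does not say which IaC tool is in use, so this is written as Terraform HCL with the google provider (an assumption); Pulumi's gcp provider exposes the same pairs of resources (cloudidentity.Group / GroupMembership and projects.IAMMember / IAMBinding, the latter two being what the question calls IAMMembership and IAMBinding). The customer ID `customers/C0xxxxxxx`, the domain `example.com`, the project ID and the user addresses are placeholders to replace with your own.

```hcl
# Added example, not from the thread or from any project. Terraform + google provider
# is assumed; every name, domain, customer ID and project ID below is a placeholder.

variable "project_id" {
  type    = string
  default = "my-project-id" # assumed placeholder
}

locals {
  db_group_email = "db-users@example.com" # assumed domain
}

# Authentication side: the group is a Cloud Identity object under the
# organization's customer ID (shown in the Admin console; the value is a placeholder).
resource "google_cloud_identity_group" "db_users" {
  display_name = "Database users"
  parent       = "customers/C0xxxxxxx"

  group_key {
    id = local.db_group_email
  }

  # Required label for a Google Group; without it the group cannot be created
  # as a discussion-forum group and used as an IAM principal.
  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

# Real users rather than service accounts, as the question asks. Each address
# becomes one membership with the plain MEMBER role (not MANAGER or OWNER).
resource "google_cloud_identity_group_membership" "db_users" {
  for_each = toset(["alice@example.com", "bob@example.com"]) # assumed members

  group = google_cloud_identity_group.db_users.id

  preferred_member_key {
    id = each.value
  }

  roles {
    name = "MEMBER"
  }
}

# Authorization side: IAM on the project. The principal is the group's email,
# so whoever Cloud Identity currently lists in the group gets the role, and
# removing a user from the group is enough to revoke it.
#
# google_project_iam_member is ADDITIVE: it grants this one role to this one
# member and leaves any other members of the role alone. Prefer it when other
# tooling or teams also manage bindings on the same role.
resource "google_project_iam_member" "db_users_cloudsql_client" {
  project = var.project_id
  role    = "roles/cloudsql.client"
  member  = "group:${local.db_group_email}"

  # The group must exist before IAM will accept it as a principal.
  depends_on = [google_cloud_identity_group_membership.db_users]
}

# google_project_iam_binding is AUTHORITATIVE for the role: on apply it replaces
# the role's member list with exactly what is listed here and removes anyone
# else, including members added in the console. Use it only when this code is
# meant to be the single source of truth for that role, and never together with
# an additive google_project_iam_member on the same role, or the two will undo
# each other on every apply. Shown commented out so the example applies cleanly.
#
# resource "google_project_iam_binding" "db_users_cloudsql_client" {
#   project = var.project_id
#   role    = "roles/cloudsql.client"
#   members = ["group:${local.db_group_email}"]
#
#   depends_on = [google_cloud_identity_group_membership.db_users]
# }
```

The Cloud Identity resources need the identity running Terraform to be a Groups Admin (or hold an equivalent admin role) in the Cloud Identity customer, which is separate from the project-level IAM permission needed for the binding; if only the first half fails, that is usually why. After `terraform apply`, `gcloud projects get-iam-policy my-project-id` should list `group:db-users@example.com` under `roles/cloudsql.client`, and `gcloud identity groups memberships list --group-email=db-users@example.com` should show the two users.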