Identity & Access Management
Cloud Platform Fundamentals
Chapter 6 · Identity & Access Management
Chapter 5 covered where traffic can go. This chapter covers who can do what, once they're already in — a genuinely different security layer, and per Chapter 1's shared responsibility model, IAM configuration sits squarely on the customer's side of the line, regardless of which service model (IaaS/PaaS/SaaS) is in use.
IAM's Core Building Blocks
- Users — individual identities, typically representing a specific person.
- Groups — collections of users that share the same set of permissions.
- Roles — an identity assumed temporarily, often by a service or application rather than a person (its own dedicated section below).
- Policies — documents (typically JSON) defining what actions are allowed or denied, on which resources.
Terminology diverges more here than in most of Chapter 2's mapping table: AWS uses IAM users/groups/roles/policies fairly directly; Azure uses Entra ID (formerly Azure AD) for users/groups, with separate Azure RBAC role assignments layered on top; GCP uses "members" (its umbrella term for any identity) combined with "roles," which in GCP specifically means a bundle of permissions assigned to a member — a subtly different use of the word "role" than AWS's assumable-identity meaning, worth keeping straight.
Roles — Why They're a Cloud-Native Concept
A role has no permanent credentials of its own — it's assumed temporarily, generating short-lived credentials that expire automatically. This solves a real, extremely common problem: an application running on a VM that needs to read from a storage bucket (Chapter 4) doesn't need a permanent access key embedded anywhere in its code or configuration at all — it can simply assume a role with exactly the permissions it needs, for exactly as long as it needs them.
pipelines1-5 ("a committed credential is compromised forever") and crypto1-11's key management chapter. Using a role instead of a static credential removes this risk entirely: there's no long-lived secret sitting in code for anyone to accidentally expose in the first place.
Roles are also used for cross-account access — letting a trusted identity in one account temporarily assume a role in another, without needing separate permanent credentials for every account involved.
The Principle of Least Privilege
This is exactly this site's own dbsec1-3 lesson, applied directly to cloud IAM: one identity per purpose, granular grants scoped to specific resources, and avoiding broad "allow everything" policies. The "just grant AdministratorAccess, it's easier" anti-pattern is genuinely common in practice, and genuinely risky — it turns any single compromised credential into a compromise of the entire account, rather than one narrow slice of it.
Real policy scoping goes further than just which actions are allowed — resource-level restrictions (access to this specific storage bucket, not every bucket in the account) and condition keys (restricting a grant by source IP address, time of day, or similar context) both narrow a policy's real-world blast radius considerably.
Authentication vs. Authorization in Cloud IAM
This site's own bc1-1 distinction applies directly: authentication is proving who you are (username and password, MFA, federated login); authorization is what that already-verified identity is actually allowed to do, determined by the policies attached to it.
This is a genuinely useful support-triage distinction — a "permission denied" or "access denied" error is an authorization problem, not a login problem, even though confused end users very commonly describe the two identically ("I'm logged in but I can't do X"). Recognizing that "logged in fine, action denied" almost always points at a missing or misconfigured policy — not a broken login — saves real troubleshooting time.
Multi-Factor Authentication (MFA)
Revisiting bc1-6's MFA coverage specifically for cloud console access: TOTP apps, hardware keys, and push notifications all apply here exactly as described there. One practice worth calling out as close to non-negotiable across every provider: enable MFA on the root/owner account specifically, since that account typically has unrestricted privileges that can't be scoped down by ordinary IAM policies the way a regular user's access can.
Federated Identity & Single Sign-On (SSO)
Rather than creating a separate cloud-native user account for every employee, organizations commonly federate identity from an existing corporate identity provider (Active Directory, Okta, or similar) via SAML or OIDC — so employees log in with their existing corporate credentials, and access is centrally managed from one place. Genuinely common in real enterprise environments; this course doesn't go deep on the protocol mechanics, but it's worth knowing the concept exists and why organizations reach for it.
A Support-Relevant IAM Troubleshooting Pattern
Facing an "access denied" error, the first question is exactly the AuthN-vs-AuthZ split above: can the user log in at all (authentication), or are they logged in fine but blocked from a specific action (authorization)? If it's authorization, the next question is: what policy is actually attached to this identity, and does it explicitly allow this specific action on this specific resource?
Hands-On Exercises
A user reports: "I'm logged in fine, but I get 'access denied' trying to do X." Is this an authentication or authorization problem, and what should be checked next?
📄 View solutionExplain why using an IAM role (rather than embedding a permanent access key directly in application code) is the correct pattern for an application that needs to read from a storage bucket, and connect this to the real-world risk of hardcoded credentials.
📄 View solutionA user has a policy granting them broad access to a service, but a separate, attached policy explicitly denies access to one specific resource within that service. What happens when they try to access that resource, and why?
📄 View solutionChapter 6 Quick Reference
- Users/groups/roles/policies — terminology diverges more here than most of Ch.2's map, especially GCP's "role" meaning
- Roles are temporary, assumable identities with no permanent credentials — the correct pattern instead of hardcoded access keys (
pipelines1-5,crypto1-11) - Least privilege —
dbsec1-3's lesson applied to cloud IAM; resource-level scoping and condition keys narrow blast radius - AuthN vs. AuthZ (
bc1-1) — "logged in but denied" is almost always an authorization problem, not a login problem - MFA on the root/owner account is close to non-negotiable — that account typically can't be scoped down by IAM policies at all
- Federated identity/SSO — centralizing access via an existing corporate identity provider (SAML/OIDC)
- An explicit deny always wins — policies aren't purely additive; one deny anywhere overrides an allow elsewhere
- Next chapter: Databases in the Cloud — managed relational and NoSQL options across providers