GCP - Granting Users Access to a GCP Project
To grant access to a GCP project or project resources, Google has some great documentation.
We suggest that you use Google Groups to make logical groups for GCP Identity & Access Management (IAM) permissions. See UW-Madison Google Workspace - Getting Started with Google Groups for a getting started with google groups (note: you want to use the "create a group" link in that KB article, not "log in to google groups")
With GCP IAM, users can be granted access with much granularity, from overall project and resource access, to individual resources within the projects. In addition to using the Google Console, IAM controls can be added using the GCP Command Line Interface, and other methods.
By default, each GCP account will be set up with a single Google Group that will match [account name]@g-groups.wisc.edu. For projects that are low- or medium-risk, this group will map to the "owner" role in GCP. For projects handling high-risk data, the default group will have the Editor role, which limits some IAM permissions. Please refer to the GCP documentation about basic roles for more information.
When the account is first provisioned, the account Owner, Technical Contact, Financial Contact & Security Contact provided when you requested your account will all be in that google group as Owners or Editors(GCP - Requesting a GCP Project ). For users who should not have complete access to the account, we recommend setting up additional groups, following "least privilege" security best practices.
Please contact the UW-Cloud Team with any Identity and Access Management questions, we'd be happy to help!
If you have any questions, feedback or ideas please Contact Us
Commonly Referenced Docs:
UW Madison Public Cloud Team Events Online Learning Classes for Cloud Vendors What Data Elements are allowed in the Public Cloud