GCP is the Google Cloud Platform, Google's public cloud offering.
You can create a free account at https://cloud.google.com to use Google Cloud services.
Once you have logged in at the link above and created a project, you will see the dashboard below.
There are many options in the left sidebar. One of them is IAM, i.e. Identity and Access Management.
In layman's terms, IAM controls which users (and service accounts) can access which resources, and what they are allowed to do with them. Access is granted by binding a member to a role on a resource; a role is simply a named bundle of permissions.
Suppose we have two users, Username1 and Username2.
From our own GCP account we want to give Username1 and Username2 different levels of access.
From the main account's GCP dashboard, go to Navigation Menu ==> IAM & Admin ==> IAM
and click the +ADD option.
You will see the screen below.
Under Project you should see the Browser, Editor, Owner and Viewer roles. Owner, Editor and Viewer are the basic roles (formerly called primitive roles) in Google Cloud; Browser is a predefined role (roles/browser) that the console lists alongside them. All four set permissions at the project level, so they apply to every resource inside the project.
Permissions:
Viewer: permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
Editor: all Viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
Owner: all Editor permissions, plus permissions for the following actions:
- Manage roles and permissions for a project and all resources within the project.
- Set up billing for a project.
Browser: read access to browse the hierarchy for a project, including the folder, organization and Cloud IAM policy. This role does not include permission to view resources in the project.
Now, under 'New members', enter Username1 and, under Roles, select Project and give Username1 the Editor, Owner and Viewer roles.
Then give Username2 only the Viewer role.
(Owner already contains every Editor and Viewer permission, so the extra two bindings on Username1 are redundant; they do no harm, but Owner alone would give exactly the same access.)
See the last two users in the image below. One has Editor, Owner and Viewer access and the other has Viewer access only.
NOW sign out and log in as Username1. You will be able to see the +ADD option on the IAM screen, because Username1 has Editor, Owner and Viewer access to the project. It is the Owner role that matters here: changing the IAM policy requires the resourcemanager.projects.setIamPolicy permission, which Editor and Viewer do not carry.
But when you log in as Username2, the +ADD option is disabled (as shown in the image below), because Username2 has only Viewer access to the project. Viewer can read the IAM policy, which is why the page still renders, but cannot change it.
Now switch back to Username1 and create a Storage bucket, then upload a sample file to that bucket.
Navigation Menu ==> Storage ==> Browser
Give the Storage bucket a globally unique name.
Upload any sample file using the Upload Files option.
Now switch to Username2 and try to view the bucket. Username2 is able to view the bucket and its contents, because the project-level Viewer role includes read-only Storage permissions (listing buckets and objects).
Now switch back to Username1 and delete Username2's Viewer access using the same IAM screen.
Click the 'Pencil' (edit) icon next to Username2.
Click the 'Trash' icon to delete the Viewer role from Username2, then save.
Now switch to Username2 and try again to view the Storage bucket. Username2 will notice that the bucket can no longer be viewed, because Username2 no longer has any role on the project. (IAM changes can take a short while to propagate, so refresh the page if the old access appears to linger.)
Now give Username2 a narrower, resource-specific level of access (rather than project-wide Viewer access) from the Username1 console, using the same IAM panel and the +ADD option. Under 'New members', enter Username2 and select:
Role ==> Cloud Storage ==> Storage Object Viewer
After granting only Storage Object Viewer, Username2 has read access to objects in Cloud Storage only (not to all resources in the project). Note that this role carries storage.objects.get and storage.objects.list but not storage.buckets.list, so Username2 will not see the bucket listed in the Storage browser and must refer to the bucket by name instead; that is why the next step uses Cloud Shell.
Now log in as Username2 and click the Activate Cloud Shell icon (on the top menu bar, on the right-hand side). A terminal will open.
In Username2's Cloud Shell terminal, run the command below, which lists the contents of the bucket by name.
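The whole walkthrough can be replayed without the console, which makes the IAM mechanics easier to see. The example below is added here and is not code from the original page or from Google: it models a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, applies the same add/remove operations the +ADD button and the pencil/trash icons perform (a read-modify-write of the bindings list, which is also what `gcloud projects add-iam-policy-binding` and `gcloud projects remove-iam-policy-binding` do), and checks which actions each user can take. The role-to-permission table is a hand-picked subset of the real roles, enough to explain each step; the user e-mail addresses, project id and etag are invented placeholders.

```python
"""Model of the project-level IAM changes in the walkthrough (added example)."""
import copy

# Subset of the real permissions in each role (assumption: only the
# permissions needed to explain the walkthrough are listed).
VIEWER = {
    "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy",  # can open the IAM page
    "storage.buckets.list", "storage.buckets.get",
    "storage.objects.list", "storage.objects.get",
}
EDITOR = VIEWER | {"storage.buckets.create", "storage.objects.create",
                   "storage.objects.delete"}
OWNER = EDITOR | {"resourcemanager.projects.setIamPolicy"}  # the +ADD button
BROWSER = {
    "resourcemanager.projects.get", "resourcemanager.projects.list",
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.folders.get", "resourcemanager.folders.list",
    "resourcemanager.organizations.get",
}
STORAGE_OBJECT_VIEWER = {"storage.objects.get", "storage.objects.list"}

ROLE_PERMISSIONS = {
    "roles/viewer": VIEWER,
    "roles/editor": EDITOR,
    "roles/owner": OWNER,
    "roles/browser": BROWSER,
    "roles/storage.objectViewer": STORAGE_OBJECT_VIEWER,
}


def add_binding(policy, member, role):
    """Return a copy of policy with member granted role.

    Find the binding for the role, append the member if absent, and create
    the binding if the role is not yet bound. Idempotent, like the API.
    """
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, member, role):
    """Return a copy of policy with member removed from role."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    # A binding left with no members is dropped, as the API does.
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def roles_of(policy, member):
    """Set of roles bound to member at project level."""
    return {b["role"] for b in policy["bindings"] if member in b["members"]}


def can(policy, member, permission):
    """True if any role bound to member carries permission.

    Roles missing from ROLE_PERMISSIONS grant nothing here (assumption).
    """
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in roles_of(policy, member))


def walkthrough():
    """Replay the page's steps; return the observations and the final policy."""
    u1 = "user:username1@example.com"  # placeholder identities
    u2 = "user:username2@example.com"
    # Constructed starting policy: only the project creator is Owner.
    policy = {"version": 1, "etag": "BwXyZ0placeholder",
              "bindings": [{"role": "roles/owner",
                            "members": ["user:admin@example.com"]}]}
    r = {}
    # Step 1: Username1 gets Editor, Owner and Viewer; Username2 gets Viewer.
    for role in ("roles/editor", "roles/owner", "roles/viewer"):
        policy = add_binding(policy, u1, role)
    policy = add_binding(policy, u2, "roles/viewer")
    r["u1_sees_add_button"] = can(policy, u1, "resourcemanager.projects.setIamPolicy")
    r["u2_sees_add_button"] = can(policy, u2, "resourcemanager.projects.setIamPolicy")
    r["u2_sees_bucket_with_viewer"] = can(policy, u2, "storage.buckets.list")
    # Step 2: the trash icon removes Username2's Viewer role.
    policy = remove_binding(policy, u2, "roles/viewer")
    r["u2_sees_bucket_after_removal"] = can(policy, u2, "storage.buckets.list")
    r["u2_roles_after_removal"] = roles_of(policy, u2)
    # Step 3: Username2 gets only Storage Object Viewer.
    policy = add_binding(policy, u2, "roles/storage.objectViewer")
    r["u2_can_list_objects"] = can(policy, u2, "storage.objects.list")  # gsutil ls gs://bucket
    r["u2_sees_bucket_list"] = can(policy, u2, "storage.buckets.list")  # Storage browser
    r["u2_can_read_iam"] = can(policy, u2, "resourcemanager.projects.getIamPolicy")
    # Owner already contains everything Editor and Viewer grant.
    r["owner_superset"] = OWNER >= (EDITOR | VIEWER)
    return r, policy
```

In the real project the same three steps are `gcloud projects add-iam-policy-binding PROJECT_ID --member=user:EMAIL --role=roles/viewer`, `gcloud projects remove-iam-policy-binding PROJECT_ID --member=user:EMAIL --role=roles/viewer`, and a final `add-iam-policy-binding` with `--role=roles/storage.objectViewer`; the listing Username2 runs in Cloud Shell is `gsutil ls gs://BUCKET_NAME` (bucket name required, because the role cannot list buckets). The model shows why each console observation happens: the +ADD button follows resourcemanager.projects.setIamPolicy (Owner only), the bucket disappearing follows the loss of storage.buckets.list, and Storage Object Viewer restores object reads without restoring either of the others.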
Resources:
https://googlecourses.qwiklabs.com
Qwiklabs - Google Courses - GSP064
You can read more and practise the same steps on Qwiklabs (if you don't want to create your own Google Cloud account). Qwiklabs is inexpensive and lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.