Google Cloud Platform
GCP Identity and Access Management (IAM)
Overview
WHO can do WHAT to which RESOURCE
WHO:
- Can be a service account: PROJECT_ID@appspot.gserviceaccount.com
WHAT (roles):
- Primitive (owner, editor, viewer) (also billing administrator). Broadest roles.
- Predefined: apply to specific services (e.g. BigQuery).
- Custom. Note: cannot be used at a folder level, only at organization or project level. Finest-grained roles.
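
An added example, not part of the original notes: it reads an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, labels each binding's role as primitive, predefined or custom from its name, and lists the members holding a primitive role. The policy, project and member names are constructed, and treating only owner, editor and viewer as primitive is an assumption of this example.

```python
import json

# Constructed sample policy (not from the original notes), in the JSON shape
# printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
  {"role": "roles/bigquery.dataViewer", "members": ["user:analyst@example.com"]},
  {"role": "projects/example-project/roles/logReader",
   "members": ["group:ops@example.com"]},
  {"role": "roles/owner", "members": ["user:admin@example.com"]}
]}
""")

# Assumption: only these three names are treated as primitive roles here.
PRIMITIVE = {"roles/owner", "roles/editor", "roles/viewer"}


def role_kind(role):
    """Classify a role name as primitive, predefined or custom."""
    if role in PRIMITIVE:
        return "primitive"
    if role.startswith("roles/"):
        return "predefined"
    # Custom role names are scoped to a project or an organization, never a folder.
    parts = role.split("/")
    if len(parts) == 4 and parts[0] in ("projects", "organizations") and parts[2] == "roles":
        return "custom"
    return "unknown"


def audit(policy):
    """Return one (who, what, kind) row per member of every binding."""
    rows = []
    for binding in policy.get("bindings", []):
        kind = role_kind(binding["role"])
        rows.extend((m, binding["role"], kind) for m in binding.get("members", []))
    return rows


def broad_grants(policy):
    """Members holding a primitive role: candidates for a narrower role."""
    return sorted({who for who, _, kind in audit(policy) if kind == "primitive"})


if __name__ == "__main__":
    for who, what, kind in audit(SAMPLE_POLICY):
        print(f"{kind:10} {what:42} {who}")
    print("review:", broad_grants(SAMPLE_POLICY))
```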