Separation of duties and Identity and Access Management roles
This page describes how to configure different projects with different
IAM roles to establish separation of duties among individuals or
teams for typical activities associated with using Binary Authorization.
Activities and associated IAM roles
In Google Cloud, separation of duties is accomplished by assigning
IAM roles to accounts in different projects. These accounts
include service accounts, used by GKE and
Binary Authorization, and user accounts, accessed by people.
By providing different organizational roles with specific IAM
roles, you can enforce the principle of least privilege,
ensuring that the user and service accounts in your organization have only the
roles essential to performing their intended functions.
To see the underlying permissions for each IAM role, see Understanding roles.
The following table describes typical Binary Authorization activities. Separation of
duties is achieved by using separate Google Cloud projects. Each project is
granted only the minimum IAM roles required to accomplish the
activity and its associated tasks.
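As an added example (not from this page or from Google Cloud's own tooling), the following Python audit reads exported IAM policies for several projects and flags any principal that holds roles for more than one duty across those projects. The duty-to-role mapping, the project names and the member identities are assumptions constructed for the sample.

```python
"""Audit exported IAM policies for separation-of-duties conflicts."""
import json
from collections import defaultdict

# Assumed mapping of duties to the IAM roles that enable them (not from the page).
DUTY_ROLES = {
    "policy_admin": {"roles/binaryauthorization.policyEditor"},
    "attestation_signer": {"roles/containeranalysis.notes.attacher"},
    "deploy_verifier": {
        "roles/binaryauthorization.attestorsVerifier",
        "roles/containeranalysis.notes.occurrences.viewer",
    },
}
# Constructed sample: one exported policy per project, shaped like the
# output of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICIES = {
    "policy-proj": json.dumps({"bindings": [
        {"role": "roles/binaryauthorization.policyEditor",
         "members": ["group:platform-admins@example.com",
                     "user:alice@example.com"]},
    ]}),
    "attestor-proj": json.dumps({"bindings": [
        {"role": "roles/containeranalysis.notes.attacher",
         "members": ["serviceAccount:signer@attestor-proj.iam.gserviceaccount.com",
                     "user:alice@example.com"]},  # alice also edits the policy
        {"role": "roles/binaryauthorization.attestorsVerifier",
         "members": ["serviceAccount:binauthz-agent@deployer-proj.iam.gserviceaccount.com"]},
    ]}),
}

def duties_by_member(policies):
    """Map each member to {duty: {projects where granted}} across all policies."""
    result = defaultdict(lambda: defaultdict(set))
    for project, raw in policies.items():
        for binding in json.loads(raw).get("bindings", []):
            for duty, roles in DUTY_ROLES.items():
                if binding["role"] in roles:
                    for member in binding["members"]:
                        result[member][duty].add(project)
    return result

def find_conflicts(policies):
    """Return (member, sorted duties) for members holding more than one duty."""
    return sorted((member, sorted(duties))
                  for member, duties in duties_by_member(policies).items()
                  if len(duties) > 1)

if __name__ == "__main__":
    for member, duties in find_conflicts(SAMPLE_POLICIES):
        print(f"{member}: {', '.join(duties)}")
```

Run it against real exports by replacing SAMPLE_POLICIES with the JSON returned for each of your projects; a member listed in the output can both change the deployment policy and produce attestations, which defeats the separation this page describes.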
For an end-to-end tutorial describing this scenario, see Multi-project setup.
Last updated 2025-11-11 UTC.