To integrate Google Cloud API Gateway with Google Cloud IAM to authenticate and

authorize users and roles, you need to follow several steps. Here’s a comprehensive
guide:

### Step 1: Set Up Google Cloud API Gateway

1. **Create an API Config:**

First, define your API and its configuration in an OpenAPI specification

(Swagger). Save this as `openapi.yaml`.

```yaml
openapi: 3.0.0
info:
title: My API
description: My API description
version: 1.0.0
paths:
/my-endpoint:
get:
description: My endpoint description
operationId: getMyEndpoint
responses:
'200':
description: A successful response
```

2. **Deploy the API Config:**

```bash
gcloud api-gateway api-configs create my-config \
--api=my-api --openapi-spec=openapi.yaml --project=my-project
```

3. **Create the API Gateway:**

```bash
gcloud api-gateway gateways create my-gateway \
--api=my-api --api-config=my-config --location=us-central1 --project=my-
project
```

### Step 2: Enable IAM Roles for API Gateway

1. **Create a Service Account:**

```bash
gcloud iam service-accounts create my-api-gateway-sa \
--display-name="API Gateway Service Account"
```

2. **Assign Roles to the Service Account:**

Grant necessary IAM roles to the service account.

```bash
gcloud projects add-iam-policy-binding my-project \
--member="serviceAccount:my-api-gateway-sa@my-
project.iam.gserviceaccount.com" \
 --role="roles/cloudfunctions.invoker" \
--role="roles/run.invoker"
```

### Step 3: Configure IAM Authentication in API Gateway

1. **Update your OpenAPI Specification:**

Update your `openapi.yaml` to include security definitions for using IAM for
authentication.

```yaml
openapi: 3.0.0
info:
title: My API
description: My API description
version: 1.0.0
paths:
/my-endpoint:
get:
description: My endpoint description
operationId: getMyEndpoint
responses:
'200':
description: A successful response
security:
- google_id_token: []
components:
securitySchemes:
google_id_token:
type: http
scheme: bearer
bearerFormat: JWT
x-google-issuer: "https://securetoken.google.com/my-project"
x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
x-google-audiences: "my-client-id"
```

Replace `my-project` with your project ID and `my-client-id` with your OAuth
client ID.

2. **Deploy the Updated API Config:**

```bash
gcloud api-gateway api-configs create my-config-v2 \
--api=my-api --openapi-spec=openapi.yaml --project=my-project
```

```bash
gcloud api-gateway gateways update my-gateway \
--api=my-api --api-config=my-config-v2 --location=us-central1 --project=my-
project
```

### Step 4: Implement Authorization Logic

Your backend services (e.g., Cloud Functions, Cloud Run) should verify the incoming
JWT token and enforce role-based access control (RBAC). Here’s an example using
Cloud Functions in Java:
1. **Create a Cloud Function:**

```bash
gcloud functions deploy my-function \
--runtime java11 --trigger-http --allow-unauthenticated --entry-
point=com.example.MyFunction --project=my-project
```

2. **Verify the JWT Token:**

Implement token verification logic in your function.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.logging.Logger;

public class MyFunction implements HttpFunction {

private static final Logger logger =
Logger.getLogger(MyFunction.class.getName());
private static final String CLIENT_ID = "my-client-id";

@Override
public void service(HttpRequest request, HttpResponse response) throws
IOException {
String idTokenString =
request.getFirstHeader("Authorization").orElse("").replace("Bearer ", "");

GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(new

NetHttpTransport(), new JacksonFactory())
.setAudience(Collections.singletonList(CLIENT_ID))
.build();

GoogleIdToken idToken;
try {
idToken = verifier.verify(idTokenString);
} catch (GeneralSecurityException e) {
response.setStatusCode(HttpURLConnection.HTTP_UNAUTHORIZED);
return;
}

if (idToken != null) {
GoogleIdToken.Payload payload = idToken.getPayload();
String userId = payload.getSubject();

// Implement your role-based access control logic here

boolean isAuthorized = checkUserRole(userId);
if (isAuthorized) {
response.setStatusCode(HttpURLConnection.HTTP_OK);
response.getWriter().write("Access granted");
} else {
response.setStatusCode(HttpURLConnection.HTTP_FORBIDDEN);
 response.getWriter().write("Access denied");
}
} else {
response.setStatusCode(HttpURLConnection.HTTP_UNAUTHORIZED);
}
}

private boolean checkUserRole(String userId) {

// Implement your logic to check the user's role
// For example, query your database to get the user's roles
return true; // Assuming the user is authorized for simplicity
}
}
```

### Step 5: Testing

1. **Get a Google ID Token:**

To test, you can manually generate an ID token using `gcloud`:

```bash
gcloud auth print-identity-token
```

2. **Make an Authorized Request:**

Use a tool like `curl` to make a request to your API Gateway endpoint with the
token:

```bash
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
https://my-gateway-url/my-endpoint
```

This setup ensures that your API Gateway is integrated with Google Cloud IAM for
authentication and authorization, providing secure access to your backend services.

===============================================================================

To modify the `checkUserRole` method to check for multiple available roles, you can
use a list or set of roles that the user must have to access the resource. Below is
the updated version of the Java function, where the user's roles are checked
against a list of required roles.

1. **Define a Set of Required Roles:**

Define a set of roles that are allowed to access the endpoint. You might fetch
these from a configuration file or database in a real-world scenario.

2. **Modify `checkUserRole` to Check Against Multiple Roles:**

Here's the updated code:

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.HashSet;
import java.util.logging.Logger;

public class MyFunction implements HttpFunction {

private static final Logger logger =
Logger.getLogger(MyFunction.class.getName());
private static final String CLIENT_ID = "my-client-id";

private static final Set<String> REQUIRED_ROLES = new

HashSet<>(List.of("admin", "editor", "viewer"));

@Override
public void service(HttpRequest request, HttpResponse response) throws
IOException {
String idTokenString =
request.getFirstHeader("Authorization").orElse("").replace("Bearer ", "");

GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(new

NetHttpTransport(), new JacksonFactory())
.setAudience(Collections.singletonList(CLIENT_ID))
.build();

GoogleIdToken idToken;
try {
idToken = verifier.verify(idTokenString);
} catch (GeneralSecurityException e) {
response.setStatusCode(HttpURLConnection.HTTP_UNAUTHORIZED);
return;
}

if (idToken != null) {
GoogleIdToken.Payload payload = idToken.getPayload();
String userId = payload.getSubject();

// Assuming roles are stored as a list in the payload

List<String> userRoles = (List<String>) payload.get("roles");

boolean isAuthorized = checkUserRole(userRoles);

if (isAuthorized) {
response.setStatusCode(HttpURLConnection.HTTP_OK);
response.getWriter().write("Access granted");
} else {
response.setStatusCode(HttpURLConnection.HTTP_FORBIDDEN);
response.getWriter().write("Access denied");
}
} else {
response.setStatusCode(HttpURLConnection.HTTP_UNAUTHORIZED);
}
}

private boolean checkUserRole(List<String> userRoles) {

// Check if the user's roles contain any of the required roles
 for (String role : userRoles) {
if (REQUIRED_ROLES.contains(role)) {
return true;
}
}
return false;
}
}
```

### Explanation

1. **`REQUIRED_ROLES`:** This set contains the roles that are allowed to access the
endpoint. You can modify this set as per your requirements.

2. **`checkUserRole`:** This method now takes a list of roles (`userRoles`) that

the user has and checks if any of these roles match the required roles. If there is
a match, the user is authorized.

3. **Fetching User Roles:** In this example, it's assumed that the roles are stored
as a list in the token's payload. Modify this part according to how roles are
actually stored and retrieved in your application.

This setup ensures that your API checks for multiple roles and grants access if the
user has at least one of the required roles.

==============================================================================

To implement the authorization logic without using Cloud Functions, you can apply
the same principles to a Java web application using a framework like Spring Boot.
Here, I'll guide you through the process of setting up a Spring Boot application to
integrate with Google Cloud IAM and perform role-based access control for various
endpoints.

### Step-by-Step Implementation

1. **Set Up a Spring Boot Project:**

You can use Spring Initializr to generate a Spring Boot project with the
necessary dependencies.

```xml
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client</artifactId>
<version>1.34.0</version>
</dependency>
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-oauth2-http</artifactId>
 <version>1.9.0</version>
</dependency>
</dependencies>
```

2. **Define the RBAC Configuration:**

Create a configuration class to map endpoints to required roles.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class RBACConfig {

public static final Map<String, Set<String>> ENDPOINTS_ROLES = new
HashMap<>();

static {
Set<String> adminRoles = new HashSet<>();
adminRoles.add("admin");

Set<String> editorRoles = new HashSet<>();

editorRoles.add("admin");
editorRoles.add("editor");

Set<String> viewerRoles = new HashSet<>();

viewerRoles.add("admin");
viewerRoles.add("editor");
viewerRoles.add("viewer");

ENDPOINTS_ROLES.put("/my-endpoint", viewerRoles);
ENDPOINTS_ROLES.put("/admin-endpoint", adminRoles);
ENDPOINTS_ROLES.put("/editor-endpoint", editorRoles);
}
}
```

3. **Implement a Filter for JWT Token Verification:**

Create a filter to intercept incoming requests, verify the JWT token, and check
user roles against the requested endpoint.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import org.springframework.stereotype.Component;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
 import java.util.List;
import java.util.Set;

@Component
public class JwtAuthenticationFilter extends HttpFilter {
private static final String CLIENT_ID = "your-client-id";

@Override
protected void doFilter(HttpServletRequest request, HttpServletResponse
response, FilterChain chain)
throws IOException, ServletException {
String idTokenString = request.getHeader("Authorization");
if (idTokenString != null && idTokenString.startsWith("Bearer ")) {
idTokenString = idTokenString.replace("Bearer ", "");

GoogleIdTokenVerifier verifier = new

GoogleIdTokenVerifier.Builder(new NetHttpTransport(), new JacksonFactory())
.setAudience(Collections.singletonList(CLIENT_ID))
.build();

try {
GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
GoogleIdToken.Payload payload = idToken.getPayload();
List<String> userRoles = (List<String>)
payload.get("roles");
String requestedEndpoint = request.getRequestURI();

if (checkUserRole(userRoles, requestedEndpoint)) {
chain.doFilter(request, response);
return;
} else {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
}
} catch (GeneralSecurityException e) {
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
}
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}

private boolean checkUserRole(List<String> userRoles, String endpoint) {

Set<String> requiredRoles = RBACConfig.ENDPOINTS_ROLES.get(endpoint);
if (requiredRoles == null) {
return false;
}

for (String role : userRoles) {

if (requiredRoles.contains(role)) {
return true;
}
}
return false;
}
}
```
4. **Register the Filter in the Application:**

Ensure the filter is registered in the Spring Boot application.

```java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;

@SpringBootApplication
public class MyApplication {

public static void main(String[] args) {

SpringApplication.run(MyApplication.class, args);
}

@Bean
public FilterRegistrationBean<JwtAuthenticationFilter>
jwtAuthenticationFilter() {
FilterRegistrationBean<JwtAuthenticationFilter> registrationBean = new
FilterRegistrationBean<>();
registrationBean.setFilter(new JwtAuthenticationFilter());
registrationBean.addUrlPatterns("/*");
return registrationBean;
}
}
```

5. **Create Controller Endpoints:**

Define your endpoints in a controller.

```java
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MyController {

@GetMapping("/my-endpoint")
public String myEndpoint() {
return "Access granted to my-endpoint";
}

@GetMapping("/admin-endpoint")
public String adminEndpoint() {
return "Access granted to admin-endpoint";
}

@GetMapping("/editor-endpoint")
public String editorEndpoint() {
return "Access granted to editor-endpoint";
}
}
```

### Summary
By following these steps, you integrate Google Cloud IAM with a Spring Boot
application to authenticate and authorize users based on their roles and the
requested endpoint. The `JwtAuthenticationFilter` intercepts HTTP requests,
verifies the JWT token, checks user roles against the RBAC configuration, and
grants or denies access accordingly.

=============================================================================

To integrate GCP API Gateway with GCP IAM for authentication and authorization
using JDK 21, you can follow these steps:

1. **Set up GCP API Gateway**:

- Create an API Gateway.
- Configure routes and deploy your API.

2. **Configure IAM**:
- Create service accounts and assign roles.
- Set up IAM policies for your API.

3. **Generate Identity Tokens**:

- Use Google OAuth 2.0 for obtaining identity tokens.
- Configure the JDK 21 application to request tokens.

4. **Validate Tokens in API Gateway**:

- Configure API Gateway to validate incoming tokens.

### Step-by-Step Implementation

#### 1. Set Up GCP API Gateway

1. **Create API Gateway**:

- Go to the GCP Console.
- Navigate to API Gateway.
- Create a new gateway.

2. **Configure Routes and Deploy API**:

- Define your OpenAPI specification.
- Deploy your API.

#### 2. Configure IAM

1. **Create Service Accounts and Assign Roles**:

- Go to the IAM & Admin section in the GCP Console.
- Create service accounts for your users/applications.
- Assign necessary roles (e.g., `roles/viewer`, `roles/editor`).

2. **Set Up IAM Policies for API**:

- Go to API Gateway.
- Edit the API configuration to attach IAM policies.

#### 3. Generate Identity Tokens

1. **Use Google OAuth 2.0 for Obtaining Tokens**:

- Configure OAuth 2.0 credentials in the GCP Console.
- Use the credentials to request identity tokens.

2. **Configure JDK 21 Application**:

- Add dependencies for OAuth 2.0 and JWT handling in your `pom.xml` or
`build.gradle`.

```xml
<!-- For Maven -->
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-oauth2-http</artifactId>
<version>1.11.0</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>4.0.0</version>
</dependency>
```

3. **Code to Obtain Tokens**:

```java
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenProvider;

import java.io.IOException;
import java.util.Collections;

public class AuthService {

public String getIdToken() throws IOException {
GoogleCredentials credentials = GoogleCredentials.getApplicationDefault()

.createScoped(Collections.singletonList("https://www.googleapis.com/auth/cloud-
platform"))
.createDelegated("your-service-account@your-
project.iam.gserviceaccount.com");

if (credentials instanceof IdTokenProvider) {

IdTokenProvider idTokenProvider = (IdTokenProvider) credentials;
IdTokenProvider.IdToken idToken = idTokenProvider.idTokenWithAudience(
"https://your-api-gateway-url", null);

return idToken.getTokenValue();
}

throw new IOException("Unable to obtain ID token.");

}
}
```

#### 4. Validate Tokens in API Gateway

1. **Configure API Gateway to Validate Incoming Tokens**:

- Edit your OpenAPI specification to include security definitions.

```yaml
securityDefinitions:
google_id_token:
authorizationUrl: ""
flow: "implicit"
type: "oauth2"
x-google-issuer: "https://accounts.google.com"
 x-google-jwks_uri: "https://www.googleapis.com/oauth2/v3/certs"
x-google-audiences: "your-api-client-id"

security:
- google_id_token: []
```

2. **Deploy Updated API Configuration**:

- Redeploy your API on API Gateway with the updated OpenAPI spec.

### Example JDK 21 Application Code

Here’s an example of a simple JDK 21 application that requests an identity token

and uses it to make an authenticated request to your API Gateway:

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class ApiClient {

public static void main(String[] args) {
try {
AuthService authService = new AuthService();
String idToken = authService.getIdToken();

URL url = new URL("https://your-api-gateway-url/your-endpoint");

HttpURLConnection connection = (HttpURLConnection)
url.openConnection();
connection.setRequestMethod("GET");
connection.setRequestProperty("Authorization", "Bearer " + idToken);

int responseCode = connection.getResponseCode();

if (responseCode == HttpURLConnection.HTTP_OK) {
System.out.println("Request successful.");
} else {
System.out.println("Request failed. Response code: " +
responseCode);
}
} catch (IOException e) {
e.printStackTrace();
}
}
}
```

This setup ensures that your API is securely authenticated and authorized using GCP
API Gateway and IAM, leveraging JDK 21 capabilities.

=============================================================================

To create users and assign roles through GCP IAM, you can follow these steps:

### Step-by-Step Guide

#### 1. Create Users (Service Accounts)

1. **Go to the IAM & Admin Section**:

- Open the [GCP Console](https://console.cloud.google.com/).
 - Navigate to "IAM & Admin".

2. **Create a Service Account**:

- In the IAM & Admin section, select "Service accounts" from the left-hand menu.
- Click the "Create Service Account" button at the top.
- Provide a name and description for the service account.
- Click "Create and Continue".

3. **Grant the Service Account Access to the Project**:

- Select the roles you want to assign to the service account. For example, if
you want this service account to have read-only access to the project, you might
assign the "Viewer" role.
- Click "Continue".

4. **Create the Key for the Service Account**:

- On the next screen, you can create a key for the service account. This key
will be used by your applications to authenticate as this service account.
- Click "Create Key" and select "JSON". This will download a JSON file
containing the key.

5. **Finish and Close**:

- Click "Done" to finish creating the service account.

#### 2. Assign Roles to Users

1. **Go to the IAM & Admin Section**:

- Open the [GCP Console](https://console.cloud.google.com/).
- Navigate to "IAM & Admin".

2. **Add Members and Assign Roles**:

- In the IAM & Admin section, select "IAM" from the left-hand menu.
- Click the "Add" button at the top.
- In the "New members" field, enter the email address of the user or service
account you want to add.
- In the "Select a role" dropdown, choose the appropriate role(s) you want to
assign to the user. You can assign multiple roles if needed.


3. **Save Changes**:
- Click "Save" to apply the changes.

### Example: Creating and Assigning Roles Using gcloud CLI

For automation or scripting, you can use the `gcloud` CLI to create service
accounts and assign roles.

1. **Create a Service Account**:

```bash
gcloud iam service-accounts create my-service-account \
--description="My Service Account" \
--display-name="My Service Account"
```

2. **Assign Roles to the Service Account**:

```bash
gcloud projects add-iam-policy-binding your-project-id \
 --member="serviceAccount:my-service-account@your-project-
id.iam.gserviceaccount.com" \
--role="roles/viewer"
```

3. **Create a Key for the Service Account**:

```bash
gcloud iam service-accounts keys create ~/key.json \
--iam-account=my-service-account@your-project-id.iam.gserviceaccount.com
```

### Example: Creating and Assigning Roles Using Terraform

You can also use Terraform for managing IAM users and roles:

1. **Create a Service Account in Terraform**:

```hcl
resource "google_service_account" "my_service_account" {
account_id = "my-service-account"
display_name = "My Service Account"
}
```

2. **Assign Roles to the Service Account in Terraform**:

```hcl
resource "google_project_iam_member" "viewer" {
project = "your-project-id"
member = "serviceAccount:${google_service_account.my_service_account.email}"
role = "roles/viewer"
}
```

3. **Create a Key for the Service Account in Terraform**:

```hcl
resource "google_service_account_key" "my_service_account_key" {
service_account_id = google_service_account.my_service_account.name
key_algorithm = "KEY_ALG_RSA_2048"
}
```

By following these steps, you can create users and assign roles through GCP IAM
both via the console and programmatically using the `gcloud` CLI or Terraform.

============================================================================

GCP IAM is used primarily for managing roles and permissions for resources within
Google Cloud. It doesn't handle user authentication directly. Instead, user
authentication is managed through Google Cloud Identity, which is part of the
broader Google Workspace offering.

### Steps for a User to Log In Using Google Cloud Identity

1. **Set Up Google Cloud Identity (Admin Task)**:

- **Admin**: Create a Google Cloud Identity account if not already set up.
- **Admin**: Add users to the organization.
2. **User Login Steps**:
- **User**: Navigate to the GCP Console or any other Google service.
- **User**: Log in using their Google Cloud Identity account credentials.

### Detailed Steps

#### 1. Set Up Google Cloud Identity (Admin Task)

1. **Create a Google Cloud Identity Account**:

- Go to the [Google Cloud Identity](https://cloud.google.com/identity) page.
- Follow the instructions to set up an account.

2. **Add Users to the Organization**:

- Go to the Google Admin console: [admin.google.com](https://admin.google.com/).
- In the Admin console, go to `Users`.
- Click `Add new user`.
- Enter the user's details (e.g., first name, last name, email address).
- Click `Add`.

#### 2. User Login Steps

1. **Navigate to the GCP Console**:

- Open your web browser and go to the [GCP
Console](https://console.cloud.google.com/).

2. **Log In Using Google Cloud Identity Account**:

- On the login page, enter your Google Cloud Identity email address.
- Enter your password.
- Complete any additional authentication steps (e.g., 2-Step Verification).

### Example: Logging In to GCP Console

1. **Go to the GCP Console**:

- Open your browser and navigate to [https://console.cloud.google.com/]
(https://console.cloud.google.com/).

2. **Enter Your Email Address**:

- Type in your Google Cloud Identity email address.
- Click `Next`.

3. **Enter Your Password**:

- Type in your password.
- Click `Next`.

4. **Complete Additional Authentication**:

- If 2-Step Verification is enabled, complete the required steps (e.g., enter
the code sent to your phone).

### Using gcloud CLI for Authentication

Users can also log in using the `gcloud` CLI, which is useful for managing GCP
resources from the command line.

1. **Install gcloud CLI**:

- Follow the installation instructions for your operating system: [Installing
gcloud CLI](https://cloud.google.com/sdk/docs/install).

2. **Authenticate Using gcloud CLI**:

```bash
gcloud auth login
```

- This command opens a web browser where you can log in using your Google Cloud
Identity credentials.

### Accessing Resources After Login

Once authenticated, users can access the GCP Console and manage resources based on
the roles and permissions assigned to their Google Cloud Identity account through
IAM.

### Summary

- **Admin** sets up Google Cloud Identity and adds users.

- **Users** log in using their Google Cloud Identity credentials to access GCP
resources.
- Use the `gcloud` CLI for command-line access and authentication.

This process ensures that users are authenticated via Google Cloud Identity and
authorized to access specific resources and perform actions based on the roles and
permissions set in IAM.