Use case – restricting access with both ACLs and IAM

IAM is an acronym for Identity and Access Management, and, as the name suggests, it governs who can do what. There is more on this in the chapter on IAM, but for now, just know that:

  • All GCP services have both identities (who is this?) and roles (what can they do?)
  • Cloud Storage is an exception because we can also use Access Control Lists (ACLs, pronounced "ackles") to specify directly who can do what:

As the figure suggests, roles and permissions can be granted at the organization level (the organization under which you registered your GCP project), at the storage bucket level, or on an individual object. Public access options, of course, remain available at every level.

First of all, let's clear up the most obvious option, public access. The public URL for any object can be generated from its options menu; it contains storage.googleapis.com followed by our bucket name and the object name. Apart from that, in GCP we can now grant roles to users at the bucket level as well as at the object level. These roles determine what permissions those users have:

All the files in a folder or bucket inherit the same permissions as their parent object. For this case, we have the three images uploaded to our previously created bucket, and now we will experiment with their permissions. Since, in this case, the command line provides no advantage over the console, we will work through the console.
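Because a grant can sit at the bucket level (IAM binding) or on a single object (ACL), a bucket that looks private in its IAM policy can still leak one object. The check below is an added example, not code from the book; it assumes the JSON shapes returned by `gsutil iam get` (a policy with `bindings`) and `gsutil acl get` (a list of `entity`/`role` entries), and the sample policy and ACLs are constructed for illustration.

```python
import json

# The two special members that grant public access in both IAM bindings and ACLs.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

def public_iam_bindings(policy):
    """Bucket-level check: 'role<-member' for every public member in an IAM policy
    (the JSON shape returned by `gsutil iam get gs://BUCKET`)."""
    return [f"{b['role']}<-{m}"
            for b in policy.get("bindings", [])
            for m in b.get("members", [])
            if m in PUBLIC_PRINCIPALS]

def public_acl_entries(acl):
    """Object-level check: 'permission<-entity' for every public ACL entry
    (the JSON shape returned by `gsutil acl get gs://BUCKET/OBJECT`)."""
    return [f"{e['role']}<-{e['entity']}"
            for e in acl if e.get("entity") in PUBLIC_PRINCIPALS]

def audit_bucket(policy, object_acls):
    """Combine both checks into one finding list, labelled with the level at
    which the grant was made, since an object can be public while the bucket is not."""
    findings = [("bucket-iam", hit) for hit in public_iam_bindings(policy)]
    for name, acl in object_acls.items():
        findings += [(f"object-acl:{name}", hit) for hit in public_acl_entries(acl)]
    return findings

# Constructed sample input: the bucket's IAM policy is private, but one of the
# three uploaded images has been made public through its own ACL.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.admin", "members": ["user:owner@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["group:devs@example.com"]}
  ]
}""")
SAMPLE_OBJECT_ACLS = {
    "image1.png": [{"entity": "user-owner@example.com", "role": "OWNER"}],
    "image2.png": [{"entity": "user-owner@example.com", "role": "OWNER"},
                   {"entity": "allUsers", "role": "READER"}],
    "image3.png": [{"entity": "user-owner@example.com", "role": "OWNER"}],
}

if __name__ == "__main__":
    for level, grant in audit_bucket(SAMPLE_POLICY, SAMPLE_OBJECT_ACLS):
        print(f"PUBLIC at {level}: {grant}")
```

Running it against the sample data reports only `image2.png`, which is exactly the case a bucket-level review would miss.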
