Cloud IAM (Identity & Access Management) controls who can do what on which resource. A resource can be a virtual machine, a database instance, a user, and so on. It is important to notice that permissions are not directly assigned to users. Instead, they are bundled into roles, which are assigned to members. A policy is a collection of one or more bindings of a set of members to a role.