I am reading about GCP's IAM policy over here. Now consider this Resource hierarchy.
Let's say I want to give start instance permission (compute.instances.start) of "instance_a" to abc@gcp.com and start instance permission of "instance_b" to xyz@gcp.com. Clearly I cannot create a IAM policy (based on the IAM policy object example mentioned in the article) at "example-test" folder because it will not give me the granularity I am looking for.
Is it possible to achieve this level of granularity in GCP?
The permissions are inherited from the top layer (Organisation) to the lower layer (the resource, in your example the VM). So, if you grant a permission at the project level (Example-test), the permission are inherited in all the resources belonging to the project (instance_A and instance_B).
Thereby, you can't (easily) achieve what your want.
But in fact, you have the possibility to add conditions on the IAM role. You can add condition on the resource name or the resource tag for example to allow or disallow the access for a user or another one.
But use the condition wisely, it could become a nightmare to debug the IAM permission issues if you mix several level (in the hierarchy) of permission definition and different conditions. Try to keep the things homogenous and as simple as possible.
