Google Cloud Platform

Cloud IAM: The One Thing You Must Get Right (And How I Messed It Up)

IAM Best Practices
I gave a service account the 'Owner' role. I know. I'm ashamed. It was my first week on GCP. I wanted everything to just work. It did work. Too well. One day, I accidentally used that key in a development script. That script had a bug. It deleted a production bucket. Because the service account had Owner permissions, it just... did it. No warnings. No stops. Just deletion. I spent a weekend recovering from backups. Now I live by the principle of least privilege. Service accounts get exactly what they need. Nothing more. I use custom roles. I use conditions. I review permissions monthly. It took a disaster to teach me, but now my GCP projects are locked down properly. If you're new to GCP, learn IAM first. It's boring. It's not glamorous. But it's the difference between a secure project and a disaster waiting to happen.
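The monthly permission review described above can be automated against the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints. This is an added example, not code from the post; the policy below is constructed, and the project name, accounts and custom role in it are placeholders.

```python
"""Audit a GCP project IAM policy for the anti-pattern in the post:
service accounts that hold a basic role (Owner or Editor)."""
import json

# Basic (primitive) roles grant blanket access to the whole project; a
# service account should carry a narrowly scoped predefined or custom role.
BASIC_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample policy for offline use (placeholder project/accounts),
# in the shape `gcloud projects get-iam-policy --format=json` returns.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@my-proj.iam.gserviceaccount.com"],
         "condition": {"title": "expires",
                       "expression":
                       "request.time < timestamp('2025-12-31T00:00:00Z')"}},
        {"role": "projects/my-proj/roles/bucketWriter",
         "members": ["serviceAccount:app@my-proj.iam.gserviceaccount.com"]},
    ]
})


def find_risky_bindings(policy_json: str) -> list:
    """Return one finding per service account holding a basic role.
    Each finding notes whether an IAM condition limits the binding, which
    narrows the exposure but does not make the grant least-privilege."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:"):
                findings.append({"member": member,
                                 "role": binding["role"],
                                 "conditional": "condition" in binding})
    return findings


if __name__ == "__main__":
    for f in find_risky_bindings(SAMPLE_POLICY):
        flag = "conditional" if f["conditional"] else "UNCONDITIONAL"
        print(f"{f['member']} holds {f['role']} ({flag})")
```

The custom-role binding is not reported: that is the shape every service account binding should end up in.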
Published: Oct 2025