In the lecture, the concept of policy binding using get-iam-policy and set-iam-policy is nicely explained along with it’s repercussions w.r.t to race conditions. Recommendation (and definitely is a best practice) is to use add-iam-policy-binding and remove-iam-policy-binding to avoid race conditions.
Google has come-up with a way to avoid this conflict/race-condition by introducing policy version (called "etag") which is included when we use get-iam-policy. Here is what Google Documents say:
To prevent collisions if multiple sources try to update policy simultaneously, the policy contains an etag value. When you call setIamPolicy(), IAM compares the etag value in the request with the existing etag, and only writes the policy if the values match.
Happy Learning!!!
1 Answers
👍 That’s definitely a good tip! I’m glad you’re going deeper than we can in the videos, and thanks for sharing!