Google Cloud offers IAM, which lets you grant granular access to specific Google Cloud resources and denies access to everything not explicitly granted. Every grant answers three questions:
- Who: members (principals)
- What: permissions (bundled into roles)
- Which: resource
IAM objects (the resource hierarchy).
- Organization
  - Represents the company; the top-level root node of the hierarchy.
  - Organization Admin role: administers every resource in the organization.
  - Roles granted here (for example Project Creator) are inherited by all folders and projects below.
- Folders
  - Map to departments or teams; a grouping mechanism.
  - Can be nested several levels deep.
- Projects
  - Projects within a department; the unit that owns resources and billing.
- Resources
  - Compute Engine, Cloud Storage, Pub/Sub, etc.
Roles.
- A role is a collection of permissions: what can be done on the resource.
- Basic (formerly "primitive")
  - Owner
  - Editor
  - Viewer
  - Billing Administrator (granted on the billing account rather than on the project)
- Predefined
  - Google-curated collections of permissions scoped to one service.
  - Ex. Compute Instance Admin (roles/compute.instanceAdmin.v1) includes compute.instances.delete, compute.instances.get, compute.instances.list, etc.
- Custom roles
  - Build your own set of permissions to follow a least-privilege model.
  - Ex. an "instance operator" role with compute.instances.start and compute.instances.stop (plus get/list) lets some users start and stop Compute Engine virtual machines but not reconfigure them, because permissions such as compute.instances.setMetadata are left out.
Members (principals).
- Google Accounts
  - Developers, admins, and any other person who interacts with Google Cloud.
- Service accounts
  - Belong to an application or workload instead of to an individual user.
  - When running code hosted on Google Cloud, we specify which service account the code runs as.
  - Create as many service accounts as needed, one per logical component of the application.
  - All projects come with a built-in Compute Engine default service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com. It is historically granted the project Editor role at creation, which is far more than most workloads need. (The similar-looking service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com is the Google-managed Compute Engine service agent, not the default account.)
  - Apart from the default service account, all projects come with the Google APIs service account: PROJECT_NUMBER@cloudservices.gserviceaccount.com
  - Custom service accounts give more control than the default account [recommended], but they require more management.
  - A service account is also a resource with its own IAM policy.
    - Example: create a service account and grant it the Compute Instance Admin role so it can create Compute Engine instances.
    - Now treat the service account as a resource and grant a user or group the Service Account User role (roles/iam.serviceAccountUser) on it.
    - This lets those users attach the account to resources and run as it (like a sudo permission on Linux): they effectively gain every role the service account holds. Grant it on the individual account, not at the project level, where it covers every service account in the project.
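The "sudo" relationship above is worth checking mechanically: anyone who can act as a service account inherits its roles. The script below is an added example (not from the original notes) that reads two IAM policies in the JSON shape `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy --format=json` produce, and reports who can act as a given service account, through which grant, and which roles they gain. The project, account and principals are constructed for the example; the binding that grants `roles/iam.serviceAccountUser` at project scope is there to show why that placement is dangerous.

```python
"""Find who can act as a service account and what they gain by doing so."""
from collections import defaultdict

# Roles that let a principal run as (attach or impersonate) a service account.
# Owner and Editor are included because both basic roles contain the
# iam.serviceAccounts.actAs permission.
ACT_AS_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/owner",
    "roles/editor",
}

# Constructed sample policies (hypothetical project, account and principals),
# in the shape returned by:
#   gcloud projects get-iam-policy ahmed-proj --format=json
#   gcloud iam service-accounts get-iam-policy SA_EMAIL --format=json
SA = "vm-builder@ahmed-proj.iam.gserviceaccount.com"

PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/compute.instanceAdmin.v1",
         "members": [f"serviceAccount:{SA}"]},
        {"role": "roles/viewer", "members": ["user:alice@ahmedinc.com"]},
        # Granted on the project: this covers EVERY service account in it.
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:bob@ahmedinc.com"]},
        {"role": "roles/editor", "members": ["group:devs@ahmedinc.com"]},
    ]
}

SA_POLICY = {  # the policy on the service account itself (the "resource" view)
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:ops@ahmedinc.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:carol@ahmedinc.com"]},
    ]
}


def roles_held_by(policy, member):
    """Roles a member is bound to in one policy (sorted for stable output)."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def who_can_act_as(project_policy, sa_policy):
    """Map principal -> [(scope, role)] grants that allow acting as the SA.

    Bindings carrying an IAM "condition" are reported like any other; review
    the condition by hand before treating such a grant as benign.
    """
    grants = defaultdict(list)
    for scope, policy in (("project", project_policy), ("service account", sa_policy)):
        for b in policy.get("bindings", []):
            if b["role"] in ACT_AS_ROLES:
                for m in b.get("members", []):
                    grants[m].append((scope, b["role"]))
    return dict(grants)


def escalation_report(sa_email, project_policy, sa_policy):
    """For each principal able to act as the SA, list how, and which roles it gains."""
    gained = roles_held_by(project_policy, f"serviceAccount:{sa_email}")
    return {member: {"via": via, "gains": gained}
            for member, via in who_can_act_as(project_policy, sa_policy).items()}


if __name__ == "__main__":
    for member, info in escalation_report(SA, PROJECT_POLICY, SA_POLICY).items():
        how = ", ".join(f"{role} on {scope}" for scope, role in info["via"])
        print(f"{member}: can act as {SA} via {how}; gains {info['gains']}")
```

In the sample, alice (Viewer) does not appear, while bob appears because of the project-level Service Account User grant even though the account's own policy never mentions him; that project-level binding is the one to remove.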
  - Service accounts authenticate with key pairs.
    - Google-managed (system-managed) keys: cannot be downloaded, are rotated automatically, and each is used for at most two weeks.
    - User-managed keys: created by you and downloadable. When you create a new key pair you download the private key, which Google does not retain.
    - With user-managed keys you are responsible for the security of the private key and for management operations such as key rotation.
- Google Groups
  - A named collection of Google accounts and service accounts.
  - Every group has a unique email address associated with it.
  - Groups are a convenient way to apply an access policy to a collection of users.
- G Suite domains
  - Represent your organization's internet domain name, such as ahmedinc.com.
  - A Google account is created for each user inside this virtual group, such as username@ahmedinc.com.
- Cloud Identity
  - Use Cloud Identity when you do not have G Suite: you get the same user and group management, but you do not pay for or receive G Suite's collaboration products such as Gmail, Docs, Drive and Calendar.
What if you already have a different corporate directory?
- Google Cloud Directory Sync (GCDS) synchronizes users and groups from your existing Active Directory or LDAP system into your Cloud Identity domain, so administrators manage Google Cloud with the identities they already have.
- One way only: AD/LDAP --> Cloud Identity. Nothing is written back to the corporate directory.
- Sign-in with the existing corporate credentials is configured separately, through SAML single sign-on with an identity provider such as Ping.
Best practices.
- Use projects to group resources.
- Check policy grants and audit membership regularly.
- Least privilege.
- Enable Cloud Audit Logs.
- Grant roles to groups rather than to individual users.
- Service accounts
  - Be careful in granting the serviceAccountUser role.
  - Give each account a display name that states its purpose.
  - Follow naming conventions.
  - Rotate keys.
  - Audit keys with the serviceAccounts.keys.list() method.
REST resource: projects.serviceAccounts.keys
ServiceAccountKey represents a service account key. A service account has two sets of key pairs: user-managed and system-managed. Public keys for all service accounts are also published at the OAuth2 Service Account API.
  {
    "name": string,
    "privateKeyType": enum (ServiceAccountPrivateKeyType),
    "keyAlgorithm": enum (ServiceAccountKeyAlgorithm),
    "privateKeyData": string,
    "publicKeyData": string,
    "validAfterTime": string,
    "validBeforeTime": string,
    "keyOrigin": enum (ServiceAccountKeyOrigin),
    "keyType": enum (KeyType)
  }
Methods.
- create: creates a ServiceAccountKey.
- delete: deletes a ServiceAccountKey.
- get: gets a ServiceAccountKey.
- list: lists every ServiceAccountKey for a service account.
- upload: creates a ServiceAccountKey using a public key that you provide.
Using Cloud IAP
When to use IAP
- Use IAP when you want to enforce access control policies for applications and resources.
- IAP works with signed headers or the App Engine standard environment Users API to secure your app. Your app must verify the signed JWT IAP places in the x-goog-iap-jwt-assertion header rather than trusting X-Goog-Authenticated-User-Email alone, and the backend must not be reachable by a path that bypasses IAP.
- With IAP, you can set up group-based application access: a resource could be accessible to employees and inaccessible to contractors, or accessible only to a specific department.
Example IAP deployments (figures from Google, not reproduced here): App Engine behind IAP; Compute Engine behind IAP.
Notes.
- The Cloud IAM policy hierarchy always follows the same path as the resource hierarchy.
- The effective policy on a resource is the union of its own policy and the policies of all its ancestors; child policies cannot restrict access granted at the parent level.
- Start with the smallest scope: grant at the project or resource level, not at the organization.
- You cannot use Cloud IAM to create or manage users or groups; use Cloud Identity or G Suite for that.
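To make the inheritance rule and the custom-role example from the Roles section concrete, here is an added example (not from the original notes) that models the allow-only semantics described above: a small constructed hierarchy with a policy at each level, an illustrative subset of each role's permissions, and a lookup that walks from the resource up to the organization and unions every binding it finds. The organization, folder, project, principals and the custom role are hypothetical.

```python
"""Model IAM inheritance: effective roles on a resource are the union of the
bindings on that resource and on every ancestor up to the organization."""

# Constructed hierarchy, child -> parent (None marks the root).
PARENT = {
    "organizations/123456": None,
    "folders/engineering": "organizations/123456",
    "projects/ahmed-proj": "folders/engineering",
    "projects/ahmed-proj/zones/us-central1-a/instances/web-1": "projects/ahmed-proj",
}

# Constructed policies: resource -> {role: {members}}. Resources with no entry
# simply contribute nothing.
POLICIES = {
    "organizations/123456": {
        "roles/resourcemanager.organizationAdmin": {"user:orgadmin@ahmedinc.com"},
        "roles/resourcemanager.projectCreator": {"group:leads@ahmedinc.com"},
    },
    "folders/engineering": {
        "roles/viewer": {"group:eng@ahmedinc.com"},
    },
    "projects/ahmed-proj": {
        "roles/compute.instanceAdmin.v1": {"user:alice@ahmedinc.com"},
        # Custom "instance operator" role defined on the project (hypothetical).
        "projects/ahmed-proj/roles/instanceOperator": {"user:bob@ahmedinc.com"},
    },
}

# Illustrative subset of each role's permissions; the real roles carry many more.
ROLE_PERMISSIONS = {
    "roles/resourcemanager.organizationAdmin": {"resourcemanager.organizations.setIamPolicy"},
    "roles/resourcemanager.projectCreator": {"resourcemanager.projects.create"},
    "roles/viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.list", "compute.instances.delete",
        "compute.instances.setMetadata", "compute.instances.start", "compute.instances.stop",
    },
    # Start/stop only: no delete, no setMetadata, so the VM cannot be reconfigured.
    "projects/ahmed-proj/roles/instanceOperator": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
    },
}


def ancestry(resource):
    """Yield the resource itself, then each parent up to the root."""
    node = resource
    while node is not None:
        yield node
        node = PARENT[node]


def effective_roles(resource, member):
    """Union of every role bound to `member` on the resource or any ancestor."""
    roles = set()
    for node in ancestry(resource):
        for role, members in POLICIES.get(node, {}).items():
            if member in members:
                roles.add(role)
    return roles


def has_permission(resource, member, permission):
    """True if any effective role grants the permission; nothing below can revoke it."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(resource, member))


if __name__ == "__main__":
    vm = "projects/ahmed-proj/zones/us-central1-a/instances/web-1"
    for member in ("group:eng@ahmedinc.com", "user:alice@ahmedinc.com", "user:bob@ahmedinc.com"):
        can = [p for p in ("compute.instances.get", "compute.instances.stop", "compute.instances.delete")
               if has_permission(vm, member, p)]
        print(f"{member} on {vm}: {can}")
```

Note that the project policy never mentions group:eng@ahmedinc.com, yet the group can read every instance in the project because of the folder-level Viewer grant; the only way to take that away is to edit the folder policy. Real IAM has since added IAM conditions and deny policies, which this allow-only model leaves out.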