Hello! In this post you will learn about GCP's IAM controls and features.
From a bird's-eye view, IAM (Identity and Access Management) is the authorization management system provided by Google Cloud so that you can add users associated with your account and control what they can interact with.
For example, suppose you are a DevOps engineer deployed in a team where you have to give access to both developers and accountants. They have different and limited needs, and showing them all the sensitive data and giving them full access to the cloud is not a good approach. What you need here is IAM to add a user, or a group of users that share the same set of permissions, with only the access they require. This is known as the least-privilege principle.
Ok, I know you won't find this interesting unless I tell you this: once, while working on a project, I removed a production instance because the DevOps engineer had given me root permission on the account.
An IAM policy has a "who" part, a "can do what" part, and an "on which resource" part. The "who" part can be defined either by a Google account, a Google group, a Service account, an entire G Suite, or a Cloud Identity domain. The "can do what" part is defined by an IAM role (collection of permissions). Lastly, "on which resource" part allows you to grant the access on a particular GCP resource only.
Note: Service accounts are used only by GCP applications to make authorized API calls internally.
IAM provides you with a set of primitive roles which offer fixed privileges, as listed below:
- Owner
  - Invite / Remove Members
  - Delete Projects
  - Deploy Applications
  - Modify Code
  - Configure Services
  - View Resources
  - Setup / Control Billing
- Editor
  - Deploy Applications
  - Modify Code
  - Configure Services
- Viewer
  - View Resources Only
- Billing Administrator
  - Add / Remove Administrators
  - Manage Billing
Note A project can have
Not only this, IAM allows you to create custom roles and assign them to a user or a group of users. For example, you may have a team to whom you want to give only two kinds of access to a resource (list and modify) and forbid every other action on it (such as delete or create).
Note: Custom roles can only be created at the project or organisation level; using them at the folder level is not currently supported by GCP.
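To make the three parts of a policy (who, can do what, on which resource) and the custom-role example concrete, here is a small model of how IAM evaluation works. This is an added example, not code from the original post or from Google: the member prefixes (`user:`, `group:`, `serviceAccount:`) and the `roles/viewer`, `roles/editor`, `roles/owner` names follow GCP conventions, but the permission tables are a trimmed, hand-picked subset and every account, project and instance name is constructed for the demo.

```python
"""Added example, not part of the original post: a toy evaluator for GCP-style
IAM policies. Roles are named permission sets ("can do what"), bindings attach
members to roles on a resource ("who" / "on which resource"), and bindings on a
parent resource are inherited by its children. All names below are made up."""

# Constructed subset of permissions for the primitive roles (assumption: real
# GCP roles carry far more permissions than shown here).
VIEW = {"compute.instances.list", "compute.instances.get"}
EDIT = VIEW | {"compute.instances.create", "compute.instances.update",
               "compute.instances.delete"}
ROLES = {
    "roles/viewer": set(VIEW),
    "roles/editor": set(EDIT),
    "roles/owner": EDIT | {"resourcemanager.projects.delete",
                           "resourcemanager.projects.setIamPolicy"},
}


def create_custom_role(roles, parent, role_id, permissions):
    """Register a custom role under a project or organisation and return its
    full name. Folders are rejected, matching the limitation noted in the post."""
    if not (parent.startswith("projects/") or parent.startswith("organizations/")):
        raise ValueError("custom roles can only live under a project or organization")
    name = f"{parent}/roles/{role_id}"
    roles[name] = set(permissions)
    return name


def identities_of(principal, groups):
    """The "who" part: a principal acts as itself plus every group it belongs to."""
    return {principal} | {g for g, members in groups.items() if principal in members}


def ancestors(resource):
    """The "on which resource" part: walk from the resource up to the
    organisation, because a binding on a parent applies to all its children.
    Resource names are collection/id pairs, e.g. organizations/o/projects/p."""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -2)]


def effective_permissions(policies, roles, groups, principal, resource):
    """Union of the permissions of every role bound, on the resource or any of
    its ancestors, to the principal or to one of the principal's groups."""
    ids = identities_of(principal, groups)
    perms = set()
    for node in ancestors(resource):
        for role, members in policies.get(node, {}).items():
            if ids & members:
                perms |= roles[role]
    return perms


def has_permission(policies, roles, groups, principal, permission, resource):
    return permission in effective_permissions(policies, roles, groups, principal, resource)


def build_demo():
    """Constructed org > project > instance hierarchy with a few bindings."""
    roles = {k: set(v) for k, v in ROLES.items()}
    groups = {
        "group:developers@example.com": {"user:alice@example.com"},
        "group:accountants@example.com": {"user:bob@example.com"},
        "group:ops@example.com": {"user:carol@example.com"},
    }
    org = "organizations/example-org"
    project = f"{org}/projects/demo-project"
    # Custom role from the post's example: list and update only, no create/delete.
    operator = create_custom_role(roles, "projects/demo-project", "instanceOperator",
                                  ["compute.instances.list", "compute.instances.update"])
    policies = {
        org: {"roles/owner": {"user:devops@example.com"}},          # inherited by everything below
        project: {
            "roles/editor": {"group:developers@example.com"},
            "roles/viewer": {"group:accountants@example.com"},
            operator: {"group:ops@example.com",
                       "serviceAccount:deployer@demo-project.iam.gserviceaccount.com"},
        },
    }
    return policies, roles, groups, f"{project}/instances/vm-1"


if __name__ == "__main__":
    policies, roles, groups, vm = build_demo()
    for who in ("user:devops@example.com", "user:alice@example.com",
                "user:bob@example.com", "user:carol@example.com"):
        print(who, sorted(effective_permissions(policies, roles, groups, who, vm)))
```

Running the block prints the effective permission set of each constructed user on the instance: the organisation-level owner can do everything including deleting the project, the accountant in the viewer group can only list and get, and the member of the custom `instanceOperator` role can list and update but never delete. Reviewing output like this is the least-privilege check you want before a binding reaches production.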
Resources
- What is Service Account? How it's different from normal google account?
- Understanding IAM Roles
- Understanding and Defining Custom Roles
- Enforcing Least Privilege with Recommendations
From the next post onward you will learn how to interact with GCP using the web console or the gcloud SDK.
If you have any questions regarding this series, you can either comment your problems below (recommended) or reach out to me personally on the following platforms:
- Email: tbhaxor@gmail.com
- Twitter: @tbhaxor
- LinkedIn: @gurkirat--singh
- Instagram: @_tbhaxor_