Cloud IAM Policies and permissions in GCP

What is Cloud IAM?

Google Cloud IAM, or Identity and Access Management, is the centralized system of Google Cloud Platform for governing which identities may access which resources and services of the platform. It is useful for organizations with many individual projects and participants, because it keeps all resources in one place and lets administrators manage users’ access to them centrally.

IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need.

[Figure: IAM Policies and Permissions]

The Three Components of IAM

IAM is based on three main components: Identity, Role, and Resource.

  • Identity: Who is requesting access, and therefore who is allowed to use which resources. This can be any Google account holder: a regular Google account, a Google service account, or even a Google Group.
  • Role: Describes the access that a user is allowed in relation to the organization’s resources. In practice, a role bundles a set of logically related permissions and can be bound to identities in a policy.
  • Resource: The specific elements of Google Cloud Platform that are the subject of access. These include projects as well as services such as Cloud Storage and Compute Engine.

How IAM Works

A policy is made of roles, roles are made of permissions, and permissions apply to resources. Members (users or groups) are bound to roles in a policy, which is what allows them to act on particular resources. Policies are defined at the organization level, pass through the project level, and ultimately apply to individual resources.

[Figure: IAM Basic Roles]

With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For example, Compute Engine virtual machine instances, Google Kubernetes Engine (GKE) clusters, and Cloud Storage buckets are all Google Cloud resources. The organizations, folders, and projects that you use to organize your resources are also resources.

In IAM, permission to access a resource isn’t granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated principals. (In the past, IAM often referred to principals as members. Some APIs still use this term.)

An allow policy, also known as an IAM policy, defines and enforces what roles are granted to which principals. Each allow policy is attached to a resource. When an authenticated principal attempts to access a resource, IAM checks the resource’s allow policy to determine whether the action is permitted.

Benefits of IAM

With IAM, you can:

  • Assign organization-wide policies that apply to all projects and resources
  • Augment policies at the project level
  • Assign access to individual resources
  • Be as permissive or locked down as you like

Primitive Roles

If you’re a long-time Google Cloud Platform user, you’re familiar with the Primitive Roles: Owner, Editor and Viewer. These are the same roles as the basic roles, and they work as they always have, but because they are so coarse-grained they tend to grant more permissions than a principal actually needs.

Access Management Model

[Figure: IAM Access Management Model]

This model for access management has three main parts:

1- Principals

In IAM, you grant access to principals, which represent an identity that can access a resource. In the context of access management, principals can be one of the following types:

  • Google Accounts
  • Service accounts
  • Google groups
  • Google Workspace accounts
  • Cloud Identity domains
  • allAuthenticatedUsers
  • allUsers
  • One or more federated identities in a workforce identity pool
  • One or more federated identities in a workload identity pool
  • A set of Google Kubernetes Engine Pods

2- Role

A role is a collection of permissions. You cannot grant a permission to the user directly. Instead, you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.

[Figure: IAM Role]

There are several kinds of roles in IAM:

  • Basic roles: Roles historically available in the Google Cloud console. These roles are Owner, Editor, and Viewer.
  • Predefined roles: Roles that give finer-grained access control than the basic roles. For example, the predefined role Pub/Sub Publisher (roles/pubsub.publisher) provides access to only publish messages to a Pub/Sub topic.
  • Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don’t meet your needs.

3- Allow Policy

The allow policy is a collection of role bindings that bind one or more principals to individual roles. When you want to define who (principal) has what type of access (role) on a resource, you create an allow policy and attach it to the resource.

When an authenticated principal attempts to access a resource, IAM checks the resource’s allow policy to determine whether the action is allowed.

You can grant roles to users by creating an allow policy, which is a collection of statements that define who has what type of access. An allow policy is attached to a resource and is used to enforce access control whenever that resource is accessed.

[Figure: IAM Allow Policy]
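To make the "How IAM Works" and "Allow Policy" sections concrete, here is an added example (not code from the article or from Google) that models an allow policy as role bindings attached to resources and evaluates an access check the way the text describes: roles expand to permissions, and policies are inherited from the organization down through the project to the resource. The role catalogue, resource names, principals and bindings are all constructed for illustration; only the role names roles/editor and roles/pubsub.publisher are real.

```python
# Added example: a minimal model of IAM allow-policy evaluation.
# ROLES, PARENT and POLICIES below are constructed sample data.

# Constructed role catalogue: a basic role (Editor) and a predefined role.
# The permission sets are illustrative, not Google's full definitions.
ROLES = {
    "roles/editor": {"pubsub.topics.publish", "pubsub.topics.delete",
                     "storage.objects.delete", "compute.instances.delete"},
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
}

# Resource hierarchy: child -> parent. Allow policies are inherited downward.
PARENT = {
    "projects/demo-project": "organizations/123456",
    "projects/demo-project/topics/orders": "projects/demo-project",
}

# Allow policies attached to resources: each is a list of role bindings.
POLICIES = {
    "organizations/123456": [
        {"role": "roles/editor",
         "members": ["group:platform-admins@example.com"]},
    ],
    "projects/demo-project/topics/orders": [
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:orders-api@demo-project.iam.gserviceaccount.com"]},
    ],
}

def _matches(principal, members):
    """A binding applies to an authenticated principal if it names the
    principal directly or uses one of the special all-* principals."""
    return (principal in members or "allUsers" in members
            or "allAuthenticatedUsers" in members)

def effective_roles(principal, resource):
    """Roles bound to the principal on the resource and every ancestor."""
    roles = set()
    node = resource
    while node is not None:
        for binding in POLICIES.get(node, []):
            if _matches(principal, binding["members"]):
                roles.add(binding["role"])
        node = PARENT.get(node)   # walk up: resource -> project -> org
    return roles

def is_allowed(principal, permission, resource):
    """The IAM check: allowed iff some effective role contains the permission."""
    return any(permission in ROLES[r] for r in effective_roles(principal, resource))
```

The service account can publish to the topic but cannot delete it, while the group inherits Editor from the organization on every project beneath it; the contrast is exactly the least-privilege argument the article makes for predefined roles over basic ones.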