IAM
Cloud IAM is Google Cloud Platform’s unified system for managing access to resources and assigning permissions for users and services to access those resources.
Limiting the use of service accounts and service account keys to situations in which they're absolutely necessary keeps user data more secure.
Prior to Cloud IAM, you could only grant Owner, Editor, or Viewer roles to users. A wide range of services and resources now surface additional Cloud IAM roles out of the box. For example, the Pub/Sub service exposes Publisher and Subscriber roles in addition to the Owner, Editor, and Viewer roles.
With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For example, Compute Engine virtual machine instances, Google Kubernetes Engine (GKE) clusters, and Cloud Storage buckets are all Google Cloud resources. The organizations, folders, and projects that you use to organize your resources are also resources.
In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource.
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
The constraint for controlling external IP address on VMs is:
constraints/compute.vmExternalIpAccess
A member can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain that can access a resource.
A role is a collection of permissions.
https://cloud.google.com/iam/docs/understanding-roles
https://cloud.google.com/iam/docs/understanding-custom-roles
The IAM policy binds one or more members to a role. When you want to define who (member) has what type of access (role) on a resource, you create a policy and attach it to the resource.
Policy Intelligence tools help you understand and manage your policies to improve your security configuration.
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
https://cloud.google.com/iam/docs/service-accounts
https://cloud.google.com/blog/products/identity-security/identity-and-environment-in-google-cloud
Some Google Cloud services have Google-managed service accounts that allow the services to access your resources. These service accounts are sometimes known as service agents.
https://cloud.google.com/iam/docs/service-agents
https://medium.com/@emanuelburgess_77400/iam-conditions-for-a-limited-time-only-fbf7f1881159
IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources.
https://cloud.google.com/resource-manager/docs/access-control-proj
Cloud IAM provides a unified view into security policy across your entire organization, with built-in auditing to ease compliance processes.
https://www.youtube.com/watch?v=96HlT4f2AUU
https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
Delegated role grants are a feature in GCP that lets organization administrators control which roles a user can grant or revoke, even when that user holds the setIamPolicy permission on a resource.
In IAM, you grant access to members. Members can have the following types: Google Account, Service Account, Google Group, Google Workspace domain, Cloud Identity domain, All authenticated users, All users.
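The policy structure described above (bindings of members to roles, attached to a resource) is easy to audit offline. The following is an added example, not code from Google or from this page: it parses a policy document in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns and reports two things a reviewer usually wants first, bindings to the public members `allUsers` and `allAuthenticatedUsers`, and basic-role (Owner/Editor/Viewer) grants, optionally narrowed to service accounts. The project name, members and etag in the sample policy are constructed.

```python
import json

# Constructed sample policy in the JSON shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# The project, members and etag are made up for this example.
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwExampleEtag=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com",
                 "group:devs@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers", "user:bob@example.com"]}
  ]
}
"""

# The three legacy basic roles that predate fine-grained IAM roles.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special members that expose a resource to the whole internet or to
# every Google Account holder (the last two member types listed above).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def load_policy(policy_json):
    """Parse a policy document and return its binding list."""
    return json.loads(policy_json).get("bindings", [])


def member_type(member):
    """Member type: 'user', 'serviceAccount', 'group', 'domain', or a public member."""
    return member if member in PUBLIC_MEMBERS else member.split(":", 1)[0]


def roles_by_member(bindings):
    """Invert the policy: member -> sorted list of roles it holds on this resource."""
    held = {}
    for binding in bindings:
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return {m: sorted(r) for m, r in held.items()}


def public_bindings(bindings):
    """(role, member) pairs that expose the resource to allUsers/allAuthenticatedUsers."""
    return sorted((b["role"], m) for b in bindings
                  for m in b.get("members", []) if m in PUBLIC_MEMBERS)


def basic_role_bindings(bindings, member_types=None):
    """(role, member) pairs using a basic role, optionally limited to some member types."""
    return sorted((b["role"], m) for b in bindings if b["role"] in BASIC_ROLES
                  for m in b.get("members", [])
                  if member_types is None or member_type(m) in member_types)


if __name__ == "__main__":
    bindings = load_policy(SAMPLE_POLICY_JSON)
    for role, member in public_bindings(bindings):
        print(f"PUBLIC   {role:<30} {member}")
    for role, member in basic_role_bindings(bindings, {"serviceAccount"}):
        print(f"SA-BASIC {role:<30} {member}")
```

Pointing `load_policy` at the real `gcloud` output for each project is enough to run the same checks across an organization; the `roles_by_member` inversion is the view you want when answering "what can this service account do here?".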
Google Groups is a service from Google that provides discussion groups for people sharing common interests.
Google Groups became operational in February 2001, following Google's acquisition of Deja's Usenet archive.
Usenet is a worldwide distributed discussion system originally based on Unix-to-Unix Copy (UUCP) dial-up network architecture.
Recommender is a service that provides usage recommendations and insights for Cloud products and services.
IAM uses Recommender to compare role grants with the permissions that each member used during the past 90 days. If you grant a role to a member, and the member does not use all of that role's permissions, then the IAM recommender is likely to recommend that you revoke the role. If necessary, the IAM recommender also recommends less permissive roles as a replacement. This suggested replacement could be a new custom role, an existing custom role, or one or more predefined roles. Except in the case of recommendations for Google-managed service accounts, the IAM recommender never suggests a change that increases a member's level of access.
https://cloud.google.com/iam/docs/recommender-overview
In addition to providing recommendations, Recommender uses machine learning (ML) to provide detailed insights. Insights are findings that highlight notable patterns in resource usage. For example, you can collect additional information about permission usage in your project, or identify unused service accounts. Some insights also link to recommendations, because the insights provide evidence for the recommendations.
https://cloud.google.com/iam/docs/manage-service-account-insights
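The recommender logic described above (compare a granted role's permissions with those actually used, then suggest revoking, a smaller predefined role, or a custom role, never increasing access) can be reproduced locally. This is an added example, not Google's Recommender implementation: the role catalog holds constructed, trimmed permission sets for three Cloud Storage roles (only the containment relations matter), and the 90-day usage observations are constructed; in practice those would come from IAM policy insights or audit logs.

```python
# Constructed, trimmed permission sets for a few predefined Cloud Storage roles.
# Real roles carry more permissions; only the containment relationships matter here.
ROLE_CATALOG = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete",
                                  "storage.objects.update"},
}

# Constructed 90-day usage observations: member -> (granted role, permissions used).
OBSERVED_USAGE = {
    "serviceAccount:etl@example-project.iam.gserviceaccount.com":
        ("roles/storage.objectAdmin", {"storage.objects.get", "storage.objects.list"}),
    "user:alice@example.com":
        ("roles/storage.objectAdmin", set()),
    "user:bob@example.com":
        ("roles/storage.objectAdmin", {"storage.objects.get", "storage.objects.create"}),
    "group:ops@example.com":
        ("roles/storage.objectAdmin", ROLE_CATALOG["roles/storage.objectAdmin"]),
}


def recommend(granted_role, used_permissions, catalog=ROLE_CATALOG):
    """Recommend keep / revoke / replace / custom_role for one role grant."""
    granted = catalog[granted_role]
    # Permissions outside the role cannot have been exercised through this grant.
    used = set(used_permissions) & granted
    unused = sorted(granted - used)
    if not used:
        return {"action": "revoke", "role": granted_role, "unused": unused}
    if not unused:
        return {"action": "keep", "role": granted_role, "unused": []}
    # Candidate replacements: predefined roles that cover everything used but grant
    # strictly less than the current role, so access never increases.
    candidates = [(len(perms), name) for name, perms in catalog.items()
                  if perms >= used and perms < granted]
    if candidates:
        _, best = min(candidates)
        return {"action": "replace", "role": best, "unused": unused}
    # No predefined role fits: propose a custom role with exactly the used permissions.
    return {"action": "custom_role", "permissions": sorted(used), "unused": unused}


def never_increases_access(granted_role, rec, catalog=ROLE_CATALOG):
    """Invariant check: whatever is recommended is a subset of what was already granted."""
    if rec["action"] in ("revoke", "keep"):
        return True
    new = catalog[rec["role"]] if rec["action"] == "replace" else set(rec["permissions"])
    return new <= catalog[granted_role]


def review_all(usage=OBSERVED_USAGE):
    """Run the recommender over every observed member."""
    return {member: recommend(role, used) for member, (role, used) in usage.items()}


if __name__ == "__main__":
    for member, rec in review_all().items():
        print(f"{member:<60} {rec['action']:<12} unused={len(rec['unused'])}")
```

The `never_increases_access` check is the property worth keeping when you adapt this: a least-privilege tool that can ever widen a grant is a liability, and the page notes that the real recommender only departs from that rule for Google-managed service accounts.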
Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" Your Cloud projects contain only the audit logs for resources that are directly within the project. Other entities, such as folders, organizations, and Cloud Billing accounts, contain the audit logs for the entity itself.
IAM Conditions allows you to define and enforce conditional, attribute-based access control for Google Cloud resources.
https://cloud.google.com/iam/docs/managing-conditional-role-bindings
https://faun.pub/iam-for-gcp-resource-based-conditional-access-ec1016d60303
A tag is a key-value pair that is attached to an organization, folder, or project. You can conditionally grant IAM roles based on whether a resource has a specific tag.
https://medium.com/@harshalrane23/introducing-resource-tags-in-gcp-e222c9b3898a
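Conditional bindings (time-limited grants and tag-based grants as described above) live in the same policy bindings, each with a `condition` object whose `expression` is written in CEL; a policy that carries conditions must use policy version 3. The following is an added example, not Google's code: it classifies bindings as unconditional, expired, expiring soon, tag-scoped or other, so that stale time-bounded grants can be cleaned up and tag-scoped ones reviewed. The bindings, members, bucket and the numeric organization ID in the tag key are constructed; the `request.time < timestamp(...)` and `resource.matchTag(...)` expression shapes are the ones IAM Conditions documents.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed conditional bindings in the shape of a version-3 IAM policy's
# "bindings" list. Members, bucket and the tag key's organization ID are made up.
SAMPLE_BINDINGS = [
    {"role": "roles/compute.admin",
     "members": ["user:oncall@example.com"],
     "condition": {"title": "temporary-oncall-access",
                   "expression": 'request.time < timestamp("2023-06-01T00:00:00Z")'}},
    {"role": "roles/viewer",
     "members": ["group:auditors@example.com"],
     "condition": {"title": "prod-tagged-only",
                   "expression": "resource.matchTag('123456789012/env', 'prod')"}},
    {"role": "roles/logging.viewer",
     "members": ["user:contractor@example.com"],
     "condition": {"title": "short-engagement",
                   "expression": 'request.time < timestamp("2024-01-10T00:00:00Z")'}},
    {"role": "roles/editor",
     "members": ["user:dev@example.com"]},
]

# Fixed review date so the example is reproducible; use datetime.now(timezone.utc) live.
REVIEW_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Expression shapes this check understands; anything else is reported as "other".
TIME_LIMIT_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')
TAG_RE = re.compile(r"resource\.matchTag\('([^']+)',\s*'([^']+)'\)")


def parse_timestamp(text):
    """Parse an RFC 3339 timestamp such as 2023-06-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def tag_scope(binding):
    """(tag key, tag value) for a resource.matchTag condition, else None."""
    condition = binding.get("condition")
    m = TAG_RE.search(condition["expression"]) if condition else None
    return (m.group(1), m.group(2)) if m else None


def classify_binding(binding, now=None, soon=timedelta(days=14)):
    """One of: unconditional, expired, expiring_soon, time_limited, tag_scoped, other."""
    now = now or datetime.now(timezone.utc)
    condition = binding.get("condition")
    if condition is None:
        return "unconditional"
    m = TIME_LIMIT_RE.search(condition["expression"])
    if m:
        expiry = parse_timestamp(m.group(1))
        if expiry <= now:
            return "expired"          # the grant no longer works but still clutters the policy
        return "expiring_soon" if expiry - now <= soon else "time_limited"
    if tag_scope(binding):
        return "tag_scoped"
    return "other"


def review_conditions(bindings, now=None, soon=timedelta(days=14)):
    """Group (role, member) pairs by the classification of their binding."""
    report = {}
    for b in bindings:
        kind = classify_binding(b, now, soon)
        for member in b.get("members", []):
            report.setdefault(kind, []).append((b["role"], member))
    return report


if __name__ == "__main__":
    for kind, pairs in review_conditions(SAMPLE_BINDINGS, REVIEW_TIME).items():
        for role, member in pairs:
            print(f"{kind:<14} {role:<25} {member}")
```

Expired bindings are harmless by themselves, but leaving them in place hides which grants are live and makes the policy harder to read, so removing them is worth a periodic job; unconditional grants of broad roles are the ones that deserve a condition or a smaller role.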
https://medium.com/decathlontechnology/your-gcp-iam-is-valuable-take-care-of-it-f6ba21b9a11a
https://cloud.google.com/asset-inventory/docs/searching-iam-policies
https://cloud.google.com/iam/docs/linting-policies
https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation
https://cloud.google.com/architecture/troubleshooting-policy-and-access-problems
https://cloud.google.com/architecture/troubleshooting-policy-and-access-problems-use-cases
https://cloud.google.com/iam/docs/permissions-reference
https://gist.github.com/bobbae/870475d3fa8c109266dac0c9c6564dd7
https://www.cloudskillsboost.google/focuses/7678?parent=catalog