IAM - bobbae/gcp GitHub Wiki
IAM Overview
Cloud IAM is Google Cloud Platform’s unified system for managing access to resources and assigning permissions for users and services to access those resources.
Limit Access
Limiting the use of service accounts and service account keys to situations in which they're absolutely necessary keeps user data more secure.
Access Control
Prior to Cloud IAM, you could only grant Owner, Editor, or Viewer roles to users. A wide range of services and resources now surface additional Cloud IAM roles out of the box. For example, the Pub/Sub service exposes Publisher and Subscriber roles in addition to the Owner, Editor, and Viewer roles.
How IAM works
With IAM, you manage access control by defining who (identity) has what access (role) for which resource. For example, Compute Engine virtual machine instances, Google Kubernetes Engine (GKE) clusters, and Cloud Storage buckets are all Google Cloud resources. The organizations, folders, and projects that you use to organize your resources are also resources.
IAM Model
In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource.
Organizational policies constraints
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
Restricting external IP addresses to specific VMs
The organization policy constraint that controls whether VMs may have external IP addresses is:
constraints/compute.vmExternalIpAccess
Model for Access management
Member
A member can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain that can access a resource.
Role
A role is a collection of permissions.
https://cloud.google.com/iam/docs/understanding-roles
Custom roles
https://cloud.google.com/iam/docs/understanding-custom-roles
Policy
The IAM policy binds one or more members to a role. When you want to define who (member) has what type of access (role) on a resource, you create a policy and attach it to the resource.
Policy intelligence tools
Policy Intelligence tools help you understand and manage your policies to improve your security configuration.
Service Accounts
A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
https://cloud.google.com/iam/docs/service-accounts
Why IAM
https://cloud.google.com/blog/products/identity-security/identity-and-environment-in-google-cloud
Service agents
Some Google Cloud services have Google-managed service accounts that allow the services to access your resources. These service accounts are sometimes known as service agents.
https://cloud.google.com/iam/docs/service-agents
IAM Conditions
https://medium.com/@emanuelburgess_77400/iam-conditions-for-a-limited-time-only-fbf7f1881159
Granular Access
IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources.
https://cloud.google.com/resource-manager/docs/access-control-proj
Resources
Cloud IAM provides a unified view into security policy across your entire organization, with built-in auditing to ease compliance processes.
https://www.youtube.com/watch?v=96HlT4f2AUU
Resource hierarchy
https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
Delegated role grants
Delegated role grants are a GCP feature that lets organization administrators control which roles a user can grant or revoke, even when that user holds the setIamPolicy permission on a resource.
Concepts related to identity
In IAM, you grant access to members. A member can be one of the following types: Google Account, service account, Google group, Google Workspace domain, Cloud Identity domain, all authenticated users, or all users.
Google Groups
Google Groups is a service from Google that provides discussion groups for people sharing common interests.
Google Groups became operational in February 2001, following Google's acquisition of Deja's Usenet archive.
Usenet is a worldwide distributed discussion system originally based on Unix-to-Unix Copy (UUCP) dial-up network architecture.
Recommender
Recommender is a service that provides usage recommendations and insights for Cloud products and services.
IAM Recommender
IAM uses Recommender to compare role grants with the permissions that each member used during the past 90 days. If you grant a role to a member, and the member does not use all of that role's permissions, then the IAM recommender is likely to recommend that you revoke the role. If necessary, the IAM recommender also recommends less permissive roles as a replacement. This suggested replacement could be a new custom role, an existing custom role, or one or more predefined roles. Except in the case of recommendations for Google-managed service accounts, the IAM recommender never suggests a change that increases a member's level of access.
https://cloud.google.com/iam/docs/recommender-overview
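As an added illustration of the rules described above (this is not the wiki's or Google's code), the function below right-sizes a single role grant from the permissions a member actually used: revoke when nothing was used, keep when everything was, otherwise propose predefined roles that are strict subsets of the current grant, falling back to a custom role made of exactly the used permissions. The role catalogue is a constructed, abbreviated sample.

```python
# Constructed sample role catalogue (abbreviated; real roles carry many more permissions).
ROLE_PERMISSIONS = {
    "roles/storage.admin": {
        "storage.buckets.create", "storage.buckets.delete", "storage.buckets.get",
        "storage.buckets.list", "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
}


def recommend(granted_role, used_permissions, catalogue=ROLE_PERMISSIONS):
    """Right-size one role grant from the permissions actually used in the window.

    Returns ("REVOKE", []), ("KEEP", [role]) or ("REPLACE", roles). Replacement
    roles are always strict subsets of the current grant, so the proposal never
    raises the member's level of access.
    """
    granted = catalogue[granted_role]
    used = set(used_permissions) & granted  # usage outside this grant is irrelevant to it
    if not used:
        return "REVOKE", []
    if used == granted:
        return "KEEP", [granted_role]
    candidates = {r: p for r, p in catalogue.items() if p < granted}
    remaining, chosen = set(used), []
    while remaining:
        # Greedy set cover: most newly covered permissions first, then the
        # smallest role on ties, so the replacement stays as narrow as possible.
        best = max(candidates,
                   key=lambda r: (len(candidates[r] & remaining), -len(candidates[r])),
                   default=None)
        if best is None or not candidates[best] & remaining:
            # No predefined role fits: propose a custom role with exactly the used permissions.
            return "REPLACE", ["custom:" + ",".join(sorted(used))]
        chosen.append(best)
        remaining -= candidates[best]
    return "REPLACE", chosen
```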
Managing insights
In addition to providing recommendations, Recommender uses machine learning (ML) to provide detailed insights. Insights are findings that highlight notable patterns in resource usage. For example, you can collect additional information about permission usage in your project, or identify unused service accounts. Some insights also link to recommendations, because the insights provide evidence for the recommendations.
https://cloud.google.com/iam/docs/manage-service-account-insights
Audit
Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" Your Cloud projects contain only the audit logs for resources that are directly within the project. Other entities, such as folders, organizations, and Cloud Billing accounts, contain the audit logs for the entity itself.
IAM Conditions
IAM Conditions allows you to define and enforce conditional, attribute-based access control for Google Cloud resources.
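The check below ties together the Policy and Member sections above with IAM Conditions; it is an added example, not code from the wiki or from Google. It reads a policy document in the IAM policy JSON shape (role, members, optional CEL condition), flags roles granted to the public member types, basic roles granted without a time limit, and conditional bindings whose `request.time` expiry has already passed. The policy is constructed sample data; the `example.com` identities and the `example-project` service account are placeholders.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample policy in the IAM policy JSON shape (not a real project's policy).
SAMPLE_POLICY = json.dumps({
    "version": 3,  # version 3 is required for bindings that carry conditions
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["group:contractors@example.com"],
         "condition": {"title": "temporary access",
                       "expression": 'request.time < timestamp("2023-01-01T00:00:00Z")'}},
    ],
})

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Matches the CEL expiry pattern used for time-limited bindings.
EXPIRY = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def lint_policy(policy_json, now=None):
    """Return (severity, role, member, message) findings for risky bindings."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        match = EXPIRY.search(binding.get("condition", {}).get("expression", ""))
        expiry = match and datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member, "role granted to a public member type"))
            if role in BASIC_ROLES and expiry is None:
                # Basic roles bundle permissions across every service; prefer
                # predefined or custom roles, or at least a time-limited binding.
                findings.append(("MEDIUM", role, member, "basic role granted without expiry"))
            if expiry and expiry < now:
                findings.append(("LOW", role, member, "conditional binding already expired"))
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(*finding)
```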
Conditional access
https://cloud.google.com/iam/docs/managing-conditional-role-bindings
Resource-based Conditional access
https://faun.pub/iam-for-gcp-resource-based-conditional-access-ec1016d60303
Tags and access control
A tag is a key-value pair that is attached to an organization, folder, or project. You can conditionally grant IAM roles based on whether a resource has a specific tag.
https://medium.com/@harshalrane23/introducing-resource-tags-in-gcp-e222c9b3898a
Protecting IAM
https://medium.com/decathlontechnology/your-gcp-iam-is-valuable-take-care-of-it-f6ba21b9a11a
Searching policies
https://cloud.google.com/asset-inventory/docs/searching-iam-policies
Linting policies
https://cloud.google.com/iam/docs/linting-policies
Workload Identity Federation
https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation
Troubleshooting policy and access problems on Google Cloud
https://cloud.google.com/architecture/troubleshooting-policy-and-access-problems
https://cloud.google.com/architecture/troubleshooting-policy-and-access-problems-use-cases
Securing the pipeline from your data lake to your data warehouse
Keycloak
IAM Permissions reference
https://cloud.google.com/iam/docs/permissions-reference
Examples
Cheatsheet
https://gist.github.com/bobbae/870475d3fa8c109266dac0c9c6564dd7
Qwiklabs
Configuring IAM Permissions with gcloud
https://www.cloudskillsboost.google/focuses/7678?parent=catalog