Sudipta Deb

Founder of Technical Potpourri, Co-Founder of Shrey Tech, Enterprise Cloud Architect

As businesses continue to shift towards cloud computing, one of the most critical aspects to consider is security. Within Google Cloud Platform (GCP), a robust solution to managing security is provided by Google Cloud Identity and Access Management (IAM). This service allows administrators to authorize who can take action on specific resources, providing full control and visibility to manage cloud resources centrally.

In this blog post, we’re going to delve into the intricacies of IAM on GCP, explaining what it is, how it works, and the best practices for managing access control. You can continue reading this blog post or watch my video below.

What is Google Cloud IAM?

IAM is a feature of Google Cloud that allows you to manage access control by defining who (identity) has what access (role) for which resource:

    • Identity: An identity can be a Google account, a service account, or a Google group. It represents a user, a service, or a group of users.
    • Role: A role is a collection of permissions. Permissions determine what operations are allowed on a resource.
    • Resource: A resource is an individual entity within a service. Examples include a Compute Engine VM, a Pub/Sub topic, or a Cloud Storage bucket.

How Does Google Cloud IAM Work?

IAM allows for granular control of GCP resources. Instead of providing blanket permissions across a project, you can assign permissions at various levels. The IAM hierarchy follows the structure of Organization -> Folder -> Project -> Resource.

  • Organization: This is the broadest scope and includes all resources belonging to an organization.
  • Folder: Folders are a mechanism for organizing resources under an organization. They allow for the delegation of administrative rights without hierarchy constraints.
  • Project: A project organizes all your Google Cloud resources. The project is the base level organizing entity.
  • Resource: This is the most granular level of the hierarchy. Individual resources reside in a project – e.g., Compute Engine instances, Pub/Sub topics, Cloud Storage buckets.

IAM policies are set at each of these levels, and the permissions are inherited down the hierarchy. For example, a policy applied at the organization level will apply to all the resources in the organization.
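The inheritance rule above, worked through as an added example (not code from the original post or from Google). The hierarchy, member names and bindings are constructed for illustration; the function returns the roles a member effectively holds on a resource together with the level that granted each one.

```python
# Constructed hierarchy (child -> parent); every name here is hypothetical.
PARENT = {
    "organizations/example-org": None,
    "folders/payments": "organizations/example-org",
    "projects/pay-prod": "folders/payments",
    "projects/pay-prod/buckets/invoices": "projects/pay-prod",
}
SA = "serviceAccount:app@pay-prod.iam.gserviceaccount.com"

# Constructed allow-policy bindings attached at each level.
POLICIES = {
    "organizations/example-org": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]}],
    "folders/payments": [
        {"role": "roles/compute.admin", "members": ["user:alice@example.com"]}],
    "projects/pay-prod": [
        {"role": "roles/pubsub.publisher", "members": [SA]}],
    "projects/pay-prod/buckets/invoices": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com"]}],
}


def ancestry(node):
    """Return the node followed by its ancestors, most specific first."""
    chain = []
    while node is not None:
        if node not in PARENT:
            raise KeyError(f"unknown node: {node}")
        chain.append(node)
        node = PARENT[node]
    return chain


def effective_roles(member, node):
    """Map each role `member` holds on `node` to the level that granted it.

    Allow policies are additive: the result is the union of the bindings on
    the node and on all of its ancestors. Group membership is not expanded;
    members are matched literally.
    """
    granted = {}
    for level in reversed(ancestry(node)):  # walk from the organization down
        for binding in POLICIES.get(level, []):
            if member in binding["members"]:
                granted.setdefault(binding["role"], level)
    return granted
```

Because the result is a union, the folder-level grant to alice still applies on the bucket even though the bucket's own policy only lists a narrower role.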

Watch my YouTube video, where I explain the resource hierarchy in Google Cloud Platform.

Key Features of Google Cloud IAM

  1. Role-Based Access Control (RBAC): IAM uses roles, which are collections of permissions that users can have within a project. There are three types of roles in IAM: basic roles (also known as primitive roles), predefined roles, and custom roles.

  2. IAM Conditions: IAM conditions allow you to define and manage fine-grained access control for GCP resources, based on attributes of the resource or the request.

  3. Service Accounts: Service accounts represent non-human users of your application or service. They provide a flexible identity for services to authenticate and authorize intra-GCP service communication.

  4. Audit Logging: IAM integrates with Cloud Audit Logs to provide logs of each action that modifies the configuration or metadata of a resource.

  5. Identity Federation: This allows you to use external identities, from platforms like G Suite, Cloud Identity, or third-party OIDC identity providers, to access GCP resources.

Types of IAM Roles

There are three types of IAM roles: basic, predefined, and custom.

Basic IAM Role

  • Quite broad in scope.
  • When applied to a Google Cloud project, it affects all the resources in that project.
  • The basic roles are Owner, Editor, and Viewer.


  • Do not grant a basic IAM role in Production unless it is thoroughly reviewed and there is no alternative.
  • Always grant the most limited predefined or custom roles based on the need.

Pre-defined IAM Role

  • Specific Google Cloud resources define their own roles and also define at what level these roles can be applied.
  • When you go to IAM -> Roles in your Google Cloud Console, you can see all the predefined IAM roles by applying the filter shown below.

Custom IAM Role

  • When predefined roles do not fit your needs, you can create custom IAM roles. Least privilege is the best practice and should always be followed.
  • Custom IAM roles can only be applied at the project or organization level. They cannot be applied at the folder level.
  • Defined and managed by users.
  • You need the following roles to create custom IAM roles at the respective level:
    • Organization Level – Organization Role Administrator.
    • Project Level – Role Administrator.
  • You can create a maximum of 300 custom roles per organization and another 300 custom roles per project. These are hard limits and cannot be extended.

Best Practices for Managing IAM

Here are a few best practices for managing IAM effectively:

  • Principle of Least Privilege: Always follow the principle of least privilege, i.e., grant only the necessary permissions to a user that they need to perform their job.

  • Use Predefined Roles: Whenever possible, use predefined roles. They offer a balance between granularity and simplicity.

  • Regularly Audit IAM Roles and Permissions: Regularly review and audit IAM policies and service accounts. Unnecessary permissions should be promptly revoked.

  • Avoid Basic Roles: Basic roles affect all resources in a project. Instead, use predefined or custom roles which allow for finer-grained access control.

  • Use Service Accounts for Applications: Instead of individual users, service accounts should be used for application-to-application authentication.
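One way to act on the "Avoid Basic Roles" and "Regularly Audit" points above, as an added example that is not part of the original post: a small audit over a project allow policy that lists every member still holding Owner, Editor or Viewer. The sample policy is constructed, in the shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the project, members and custom role name are hypothetical.

```python
import json

BASIC_ROLES = {"roles/owner": 0, "roles/editor": 1, "roles/viewer": 2}

# Constructed sample policy; all identities and the custom role are made up.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer", "members": ["group:support@example.com"]},
    {"role": "roles/editor",
     "members": ["user:dev@example.com",
                 "serviceAccount:ci@demo-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["group:analysts@example.com"]},
    {"role": "projects/demo-proj/roles/invoiceReader",
     "members": ["user:dev@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "version": 1
}
""")


def audit_basic_roles(policy):
    """Return one finding per (member, basic role) grant in an allow policy.

    Findings are ordered widest role first (owner, editor, viewer), then by
    member, so the grants most in need of review come at the top.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue  # predefined and custom roles are out of scope here
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "kind": member.split(":", 1)[0],  # user, group, serviceAccount
                "role": role,
            })
    findings.sort(key=lambda f: (BASIC_ROLES[f["role"]], f["member"]))
    return findings


if __name__ == "__main__":
    for f in audit_basic_roles(SAMPLE_POLICY):
        print(f"{f['role']:14} {f['kind']:15} {f['member']}")
```

Each finding is a candidate for replacement with a narrower predefined or custom role; a service account holding Editor is usually the first one worth reviewing.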


Google Cloud IAM is a powerful tool for managing access control to your GCP resources. It provides the ability to authorize who can take what action on which resources in a fine-grained manner. Following the best practices of IAM policy management is critical in maintaining secure and manageable access to your GCP resources.

Remember, cloud security is a shared responsibility. While Google ensures the security of the cloud, it is the user’s responsibility to secure their data within the cloud. Leveraging Google Cloud IAM effectively is a crucial part of fulfilling this responsibility.


This article is not endorsed by Salesforce, Google, or any other company in any way. I shared my knowledge on this topic in this blog post. Please always refer to Official Documentation for the latest information.

