Google Account Types
- Personal
- G Suite Domain
- Cloud Identity Domain
- Google Group
- allAuthenticatedUsers
- AllUsers (i.e. “public”)
Where are Members set up?
Members are not set up in GCP. Create, edit, delete Google accounts in admin.google.com (outside GPC). Give GCP access to Google accounts in GCP IAM.
What are Service accounts?
Belong to an application/server.
Not associated with a person.
Carry out application/server interactions.
Also identified by email address.
How does Cloud Identity work?
Cloud Identity: Sync with Active Directory. Cloud Identity maps (federates) AD accounts to Cloud
Identity accounts. AD is the single source of truth (one-way sync from AD to Cloud Identity)
What are the mechanisms to use Cloud Identity? (to sync AD with IAM)
Tools:
- Google Cloud Directory Sync (GCDS) (Google provided)
- Active Directory Federation Services (ADFS) (MS provided)
What are the types of “Members” (Who)?
- Google person Members
- Service Accounts
Role types
- Primitive
- Predefined
- Custom
Primitive Roles
- Broad, original roles available on GCP (before current IAM environment)
- Applied across the entire project
Types of Primitive Roles
- Owner: Modify all resources and manage IAM and billing
- Editor: Modify all resources, no access to manage IAM and billing
- Viewer: View resources, cannot make changes.
Predefined Roles
- More granular, specific, not across the entire project.
- Applied to single service.
- Example; compute.instanceAdmin allows access to modify instances but does not affect any other services.
Custom Roles
Even more granular than Predefined Roles. Combine individual permissions when predefined roles are not specific enough.
IAM policies
Grant Members (users, groups, organizations, service accounts) various Roles (primitive -broad-, predefined/custom -granular-) in a hierarchical format (parent overrules child) to GCP resources (all layers of GCP)
Example: john@acme.com is granted Owner role to project ‘Dev Environment’
CLI to get IAM Policy for Project
gcloud projects get-iam-policy
YAML output
CLI to update IAM Policy for Project (from file)
gcloud projects set-iam-policy .yaml
CLI to add single binding to IAM Policy for Project
gcloud projects add-iam-policy-binding –member user: –role roles/viewer
What’s the permission format?
[service].[resource].[verb] (example: compute.instances.delete)
Can you apply permissions directly to members?
No
What is a Role?
A bundle of Permissions that can be assigned to a Member.
What IAM Roles do I need to assign a user to be able to create a Project in a specific Organisation?
- Resource Manager -> Organisation Viewer
- Resource Manager -> Project Creator
- Billing -> Billing Account User (to be able to associate a Billing Account with the project, otherwise no resources can be created)
What is a Service Account
A special type of Google account, not attached to a user but to authenticate between application/servers and GCP services. Also represented by an email address.
Types of Services Accounts
- Google-managed
- User-managed
Google-managed Service Accounts
- Represent different Google services and are automatically granted IAM roles. [PROJECT_NUMBER]@cloudservices.gserviceaccount.com. Generally invisible to the user.
User-managed Service Accounts
Created for/by you, based on enabled APIs in project. [PROJECT-NUMBER]-compute@developer.gserviceaccount.com, [PROJECT-ID]@appspot.gserviceaccount.com. Both automatically created and user-created.
Why can it be said that Service Accounts are both a Member (who) and a Resource?
- Service accounts are granted permissions to a resource (as a “who”)
- Users (person) are granted the serviceAccountUser role to a Service Account.
