Get familiar with Powerful Google Cloud Identity and Access Management

What is Google Cloud Identity and Access Management?

Google Cloud Identity and Access Management (IAM) is a web service that gives cloud administrators the authority to decide “Who can do What on Which resources”. Each part of that statement is described below.

Who – It defines the member who accesses resources in Google Cloud. Access and permissions are granted to the member, which can be an individual or a group.

Types of individual members :

  1. Google Account – A user who has a Google account.
  2. Service Account – An account that belongs to an application rather than a person. It is a special type of Google account that must be authenticated and is authorized to access Google APIs.

There are three types of groups in IAM :

  1. Google Group
  2. G-Suite domain
  3. Cloud Identity Domain

What – It defines a role to be assigned to the member to access the resources.

There are three types of roles in IAM :

  • Basic/Primitive Roles : These are the Owner, Editor and Viewer roles. When one of these roles is granted, it applies to all resources within the project.
  • Predefined Roles : These provide granular access to a specific Google Cloud service, e.g. Compute Admin or Storage Object Viewer.
  • Custom Roles : These let you bundle a chosen set of permissions into a role of your own. Permissions are never assigned directly to a member; instead, the permissions a member needs are collected into a role, and that role is granted to the member.
Figure: IAM policies and role permissions.

Which – This part will include all the available Google Cloud resources.

Features of Google Cloud Identity and Access Management:

In this section, we look at the features of GCP IAM.

  • IAM can map job functions into groups and roles.
  • With IAM, users receive only limited access.
  • It lets you grant access to cloud resources from the project level down to fine-grained resource levels.
  • IAM follows the resource hierarchy below –
      • Organization level – The organization resource represents your company. IAM roles granted at this level are inherited by all resources under the organization.
      • Folder level – Folders contain projects, other folders, or a combination of both. Roles granted at this level are inherited by the projects and folders contained in the parent folder.
      • Project level – Projects are the level through which resources are accessed. IAM roles granted at this level are inherited by all resources within the project.
      • Resource level – This level grants certain users permission on a single resource within the project.
Figure: An example of a Cloud Platform resource hierarchy.

Defining a Google Cloud Identity and Access Management policy :

You grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy consists of a set of bindings of members (who has access) to one or more IAM roles.

For example,

{
  "bindings": [
    {
      "role": "roles/owner",
      "members": [
        "user:alice@example.com",
        "group:admins@example.com",
        "domain:google.com",
        "serviceAccount:my-other-app@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/viewer",
      "members": ["user:bob@example.com"]
    }
  ]
}

A member can also be a group (the group: prefix above), which keeps the policy short and easy to read.
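As an added illustration (not code from the original post) of how a policy's bindings combine with the resource hierarchy described above, the toy evaluator below attaches constructed policies to an organization, a folder, a project and a bucket, then reports the roles a member ends up holding on a resource, including those inherited from every ancestor. The hierarchy, policies, group memberships and principal names are all constructed sample data.

```python
from typing import Dict, Optional, Set

# Constructed sample hierarchy: child -> parent (None marks the organization root).
PARENTS: Dict[str, Optional[str]] = {
    "organizations/123456": None,
    "folders/engineering": "organizations/123456",
    "projects/web-prod": "folders/engineering",
    "projects/web-prod/buckets/logs": "projects/web-prod",
}

# Constructed IAM policies attached to each node, in the binding format shown above.
POLICIES = {
    "organizations/123456": {"bindings": [
        {"role": "roles/viewer", "members": ["domain:example.com"]}]},
    "folders/engineering": {"bindings": [
        {"role": "roles/editor", "members": ["group:admins@example.com"]}]},
    "projects/web-prod": {"bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]}]},
    "projects/web-prod/buckets/logs": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reporter@web-prod.iam.gserviceaccount.com"]}]},
}

# Constructed group membership; in GCP this comes from Google Groups / Cloud Identity.
GROUPS = {"group:admins@example.com": {"user:alice@example.com", "user:carol@example.com"}}

def identities_for(member: str) -> Set[str]:
    """Every member string that matches this principal: itself, its groups and,
    for Google Accounts, the domain: member covering its Workspace domain."""
    ids = {member}
    ids.update(group for group, users in GROUPS.items() if member in users)
    if member.startswith("user:"):
        ids.add("domain:" + member.split("@", 1)[1])
    return ids

def effective_roles(member: str, resource: str) -> Set[str]:
    """Roles the member holds on `resource`: bindings on the resource itself plus
    those inherited from every ancestor up to the organization."""
    ids = identities_for(member)
    roles: Set[str] = set()
    node: Optional[str] = resource
    while node is not None:
        for binding in POLICIES.get(node, {}).get("bindings", []):
            if ids & set(binding["members"]):
                roles.add(binding["role"])
        node = PARENTS[node]
    return roles
```

Walking the tree this way makes the inheritance rule concrete: the viewer binding on the organization reaches every bucket below it, so broad roles are best granted as low in the hierarchy as the job function allows.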

Best Practices :

Below we look at best-practice rules for GCP Identity and Access Management (IAM).
