IAM

Main concepts

Permissions

  • Permissions are the fine-grained units of access, defined by each GCP service
    • structure: ..
    • example: storage.buckets.create

Roles

  • Roles are abstractions that group permissions together
  • Primitive roles
    • broad access
    • span services
    • three roles
      • owner
      • editor
      • viewer
    • Not recommended for production usage
  • Predefined roles
    • narrower access
    • permissions scoped to a single service
    • for example
      • service admin
      • service viewer
  • Custom roles
    • created from scratch or from predefined roles
    • can be used to combine roles
    • or to add permissions to, or remove them from, a role

Bindings

  • Bind roles to users, groups (which can be nested) or service accounts

Policies

  • A policy connects a resource to roles and members via its bindings

Resource hierarchy

  • Groups resources according to the organization's structure
  • Bindings are inherited downward and apply to every node under the layer at which they are applied
  • A project provides a trust boundary and resource isolation
  • The higher up the hierarchy a binding sits, the more it grants (organization level is the broadest)
  • The lowest level is attaching a binding to a specific resource

Service accounts

  • The identity of a service
  • They are both a principal (identity) and a resource in their own right, so they carry their own IAM policy
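The concepts above (permissions, roles, bindings, policies, inheritance down the resource hierarchy, nested groups, and a service account acting as both principal and resource) fit together in a small evaluator. The following is an added example written for these notes, not Google's code or API; the role-to-permission tables and group memberships are constructed and heavily abridged, and the organization, project and bucket names are made up.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator

# Abridged role -> permission tables, constructed for this example (real roles
# carry far more permissions).  Permission names follow service.resource.verb.
ROLES: dict[str, frozenset[str]] = {
    "roles/storage.objectViewer": frozenset({"storage.objects.get", "storage.objects.list"}),
    "roles/storage.admin": frozenset({"storage.buckets.create", "storage.buckets.delete",
                                      "storage.objects.get", "storage.objects.list"}),
    "roles/iam.serviceAccountUser": frozenset({"iam.serviceAccounts.actAs"}),
    # Primitive role: broad and service-spanning (abridged here).
    "roles/viewer": frozenset({"storage.objects.get", "storage.objects.list",
                               "resourcemanager.projects.get"}),
}

# Constructed group membership; a group may contain other groups.
GROUPS: dict[str, frozenset[str]] = {
    "group:platform-admins@example.com": frozenset({"user:alice@example.com"}),
    "group:all-engineers@example.com": frozenset({"group:platform-admins@example.com",
                                                  "user:bob@example.com"}),
}


@dataclass
class Binding:
    role: str
    members: frozenset[str]


@dataclass
class Resource:
    """A node in the hierarchy: organization, folder, project or a leaf resource.
    Its policy is the list of bindings attached directly to it."""
    name: str
    parent: Resource | None = None
    bindings: list[Binding] = field(default_factory=list)


def principals_of(member: str, _seen: frozenset[str] = frozenset()) -> frozenset[str]:
    """Flatten a member spec to the concrete principals it denotes (cycle-safe)."""
    if not member.startswith("group:"):
        return frozenset({member})
    if member in _seen:
        return frozenset()
    flattened: set[str] = set()
    for m in GROUPS.get(member, frozenset()):
        flattened |= principals_of(m, _seen | {member})
    return frozenset(flattened)


def effective_bindings(resource: Resource) -> Iterator[tuple[str, Binding]]:
    """Yield (node name, binding) for the resource and every ancestor above it:
    bindings are inherited downward, never upward."""
    node: Resource | None = resource
    while node is not None:
        for b in node.bindings:
            yield node.name, b
        node = node.parent


def grants(principal: str, permission: str, resource: Resource) -> list[str]:
    """Every (node, role, member) path through which the principal holds the permission."""
    reasons = []
    for node_name, b in effective_bindings(resource):
        if permission not in ROLES.get(b.role, frozenset()):
            continue
        for m in b.members:
            if principal in principals_of(m):
                reasons.append(f"{node_name}: {b.role} via {m}")
    return reasons


def has_permission(principal: str, permission: str, resource: Resource) -> bool:
    return bool(grants(principal, permission, resource))


def demo_hierarchy() -> dict[str, Resource]:
    """Constructed org -> folder -> project -> {bucket, service account} tree."""
    billing_sa = "serviceAccount:billing@shop-prod.iam.gserviceaccount.com"
    org = Resource("organizations/123456", bindings=[
        Binding("roles/viewer", frozenset({"group:all-engineers@example.com"}))])
    folder = Resource("folders/prod", parent=org)
    project = Resource("projects/shop-prod", parent=folder, bindings=[
        Binding("roles/storage.admin", frozenset({"group:platform-admins@example.com"}))])
    # The service account is a principal on the bucket and a resource with its own policy.
    bucket = Resource("buckets/shop-invoices", parent=project, bindings=[
        Binding("roles/storage.objectViewer", frozenset({billing_sa}))])
    sa = Resource(f"projects/shop-prod/serviceAccounts/{billing_sa.split(':', 1)[1]}",
                  parent=project, bindings=[
        Binding("roles/iam.serviceAccountUser", frozenset({"group:platform-admins@example.com"}))])
    return {"org": org, "project": project, "bucket": bucket, "service_account": sa}


if __name__ == "__main__":
    tree = demo_hierarchy()
    checks = [
        ("user:alice@example.com", "storage.buckets.create", "project"),
        ("user:bob@example.com", "storage.objects.get", "bucket"),
        ("user:bob@example.com", "storage.buckets.create", "project"),
        ("user:alice@example.com", "iam.serviceAccounts.actAs", "service_account"),
        ("serviceAccount:billing@shop-prod.iam.gserviceaccount.com", "storage.objects.get", "project"),
    ]
    for who, perm, node in checks:
        print(f"{who} {perm} on {tree[node].name}: {grants(who, perm, tree[node]) or 'DENIED'}")
```

Running the script shows the points the notes make: alice gets storage.buckets.create on the project through a group binding on that project, bob gets storage.objects.get on the bucket only because of the organization-level viewer binding inherited downward, and the billing service account can read the bucket but holds nothing on the project above it because bindings never flow upward.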

Best practices

  • Grant roles to groups, not to individual users; this keeps the policy manageable as the organization grows
  • Grant least privilege
  • Avoid granting powerful operations, such as:
    • Set IAM policy
    • Act as a service account
  • Retain audit logs
  • Forward events to centralized logging (Stackdriver logging events)
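The first three practices can be checked mechanically against a project's IAM policy. The following linter is an added example for these notes, not a Google tool; it reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (a `bindings` list of `role` plus `members`), and flags primitive roles, roles bound directly to users rather than groups, and roles that carry the two powerful permissions the notes name (`resourcemanager.projects.setIamPolicy` and `iam.serviceAccounts.actAs`). The role-to-permission map is abridged and the sample policy is constructed.

```python
import json
import sys

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# The two operations the notes call out as powerful, by IAM permission name.
POWERFUL_PERMISSIONS = {
    "resourcemanager.projects.setIamPolicy",  # Set IAM policy on the project
    "iam.serviceAccounts.actAs",              # Act as a service account
}

# Abridged role -> permission map, constructed for this example; a real check
# would resolve roles with `gcloud iam roles describe` or the IAM API.
ROLE_PERMISSIONS = {
    "roles/owner": {"resourcemanager.projects.setIamPolicy", "iam.serviceAccounts.actAs",
                    "storage.buckets.create"},
    "roles/editor": {"iam.serviceAccounts.actAs", "storage.buckets.create"},
    "roles/viewer": {"resourcemanager.projects.get"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/storage.objectViewer": {"storage.objects.get"},
}


def lint_policy(policy: dict) -> list[str]:
    """Return one finding string per best-practice violation in the policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = binding.get("members", [])
        if role in PRIMITIVE_ROLES:
            findings.append(f"PRIMITIVE_ROLE: {role} granted to {len(members)} member(s); "
                            "prefer a predefined or custom role")
        powerful = ROLE_PERMISSIONS.get(role, set()) & POWERFUL_PERMISSIONS
        for member in members:
            if member.startswith("user:"):
                findings.append(f"DIRECT_USER: {member} bound to {role}; grant via a group instead")
            for perm in sorted(powerful):
                findings.append(f"POWERFUL: {member} can {perm} through {role}")
    return findings


# Constructed sample policy in the gcloud JSON layout.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountUser", "members": ["group:deployers@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["group:analysts@example.com", "user:bob@example.com"]}
  ],
  "version": 1
}
""")


if __name__ == "__main__":
    # Usage: python lint_iam.py [policy.json]; without an argument the sample is linted.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    for line in lint_policy(policy):
        print(line)
```

On the sample the linter reports six findings: the owner binding is a primitive role, alice and bob are bound directly as users, alice can both set the IAM policy and act as service accounts through roles/owner, and the deployers group can act as service accounts through roles/iam.serviceAccountUser. That last one is not necessarily wrong, which is why the output is a review list rather than a pass/fail verdict.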

Resources

  • Better Practices for Cloud IAM (Cloud Next '18) - https://www.youtube.com/watch?v=ZMC8Ng3E3LQ

Last updated 4 years ago