Tuesday, July 19, 2022

Google Cloud - Identity and Access Management

  • We have resources in the cloud
    • VMs
    • Databases
  • These resources are accessed by
    • Applications
    • Services
    • People logging in via the console
    • Collectively these are known as identities (Google Cloud also calls them principals or members)
  • IAM controls
    • Which identities can access which resources
    • Which actions an identity may perform on a resource (e.g. start a VM, delete a VM)
  • There are two main parts
    • Authentication
      • Is this identity who it claims to be?
    • Authorization
      • Does this identity have access to the resource, and
      • Does this identity have permission to perform this particular action on the resource?
  • In Google Cloud IAM, we create
    • ROLES, which are sets of permissions
      • Basic (formerly Primitive) roles - Owner, Editor, Viewer
        • Owner - Everything Editor can do, plus manage roles/permissions and billing
        • Editor - View and edit (create, modify, delete) resources
        • Viewer - Read-only access
        • NOT RECOMMENDED for production: a basic role applies to every service in the project, so it grants far more than any one workload needs
      • Predefined roles
        • Defined and maintained by Google Cloud
        • Fine-grained roles for different purposes, per service
        • e.g. Storage Object Admin (roles/storage.objectAdmin), Storage Object Viewer (roles/storage.objectViewer)
      • CUSTOM ROLES
        • Roles you build yourself from individual permissions, for when no predefined role fits
        • You maintain them yourself (e.g. adding permissions when a service introduces new ones)
    • POLICY (IAM allow policy) to bind roles to members
      • A policy is a list of bindings; each binding is one role plus the list of members that hold it
      • Policies are attached to resources in the hierarchy (organization, folder, project, individual resource) and are inherited downwards
  • What if we want an application to access Cloud Storage?
    • SERVICE ACCOUNTS
      • A service account is an identity for an application or workload rather than for a person
      • They have no password; they authenticate with a public/private RSA key pair (or with a short-lived token from the metadata server when the account is attached to a VM or other workload)
      • Can't be used to log in via the browser console
      • Caveat: a downloaded user-managed key (JSON file) is a long-lived credential. Prefer attaching the service account to the workload so no key file ever leaves Google's side, and rotate any key you do create
      • Types of service accounts
        • Default
          • Created automatically when certain services are enabled (e.g. the Compute Engine default service account)
          • Granted the Editor role on the project by default
          • Not recommended, because Editor on the whole project is far more than any one workload needs
        • User managed
          • Create your own service account
          • Grant it only the roles it needs via a policy binding
        • Google managed
          • Google's internal accounts (service agents), which Google services use to act on your resources
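The roles, policy and service-account model above, as an added example that is not code from the original post: an IAM allow policy is a JSON document holding a list of bindings (one role plus its members each), and granting a service account a role is a read-modify-write of that document. The sample policy, the project id my-project, the principals and the etag are constructed values.

```python
"""Added example (not code from the original post): the shape of an IAM
allow policy and the read-modify-write that adds a role binding to it.
The project id, principals and etag are constructed sample values."""
import copy

# Constructed sample of what `gcloud projects get-iam-policy PROJECT --format=json`
# returns, reduced to the fields that matter here.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXh0example=",  # opaque version tag returned with the policy
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:bob@example.com",
                     "serviceAccount:report-reader@my-project.iam.gserviceaccount.com"]},
    ],
}


def members_of(policy, role):
    """Principals bound to `role` (unconditional bindings only)."""
    members = []
    for binding in policy["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            members.extend(binding["members"])
    return members


def roles_of(policy, member):
    """Every role `member` holds through this policy, sorted."""
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])


def add_binding(policy, role, member):
    """Return a copy of `policy` in which `member` holds `role`.

    Same client-side step `gcloud projects add-iam-policy-binding` performs:
    merge into the existing unconditional binding for the role, or append a
    new one.  A binding that carries an IAM condition is left alone, because
    adding a member there would subject it to that condition.  The etag is
    copied through unchanged so that setIamPolicy can detect a concurrent
    edit (see check_etag below).
    """
    updated = copy.deepcopy(policy)
    for binding in updated["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated


def remove_binding(policy, role, member):
    """Return a copy of `policy` with `member` removed from every binding of
    `role`.  Bindings left without members are dropped."""
    updated = copy.deepcopy(policy)
    for binding in updated["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    updated["bindings"] = [b for b in updated["bindings"] if b["members"]]
    return updated


def check_etag(current, proposed):
    """Model the server-side check setIamPolicy makes when an etag is supplied.

    Returns True when `proposed` was derived from the policy the server still
    holds.  Submitting a policy without an etag skips this check and silently
    overwrites whatever another administrator changed in the meantime, which
    is why the read-modify-write should always carry the etag it read.
    """
    return proposed.get("etag") is not None and proposed["etag"] == current["etag"]


if __name__ == "__main__":
    sa = "serviceAccount:uploader@my-project.iam.gserviceaccount.com"
    new_policy = add_binding(SAMPLE_POLICY, "roles/storage.objectCreator", sa)
    print(roles_of(new_policy, sa))               # ['roles/storage.objectCreator']
    print(check_etag(SAMPLE_POLICY, new_policy))  # True
```

In practice `gcloud projects get-iam-policy PROJECT --format=json` returns this document, `gcloud projects set-iam-policy PROJECT policy.json` writes it back, and `gcloud projects add-iam-policy-binding` does the merge for you; the point of the etag function is that a hand-edited policy submitted without its etag clobbers any binding someone else added since you read it.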
Let's talk a bit about best practices.

For IAM roles, follow the principle of least privilege: grant a role only the permissions it actually needs.
e.g. do not give admin access where edit+view is sufficient; similarly, give only view access if that is all the role needs. In practice this means preferring a narrow predefined role (or a custom role) over a basic role such as Editor.

Don't share a common service account between different applications. Create a separate service account per application, each with only the roles that application needs. That way a compromise of one application does not hand the attacker the permissions of the others, and the audit log tells you which application made a given call.
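The practices above, as an added example that is not code from the original post: an offline check of a fetched IAM allow policy for basic roles, public principals, a default service account that still carries roles, and (as a heuristic only) one service account holding roles across several services, which usually means it is shared between applications. The policy, the project number 123456789012 and the principals are constructed samples.

```python
"""Added example, not code from the original post: an offline check of an IAM
allow policy against the practices above (no basic roles, no public principals,
no privileged default service account, one service account per application).
The policy, project number 123456789012 and principals are constructed samples."""
from collections import defaultdict

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in the format `gcloud projects get-iam-policy
# PROJECT --format=json` returns.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXh0example=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:shared-app@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:shared-app@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["serviceAccount:shared-app@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer",
         "members": ["user:bob@example.com"]},
    ],
}


def is_service_account(member):
    return member.startswith("serviceAccount:")


def is_default_service_account(member):
    """True for the Compute Engine (PROJECT_NUMBER-compute@developer...) and
    App Engine (PROJECT_ID@appspot...) default service accounts."""
    account = member.split(":", 1)[-1]
    return (account.endswith("-compute@developer.gserviceaccount.com")
            or account.endswith("@appspot.gserviceaccount.com"))


def service_family(role):
    """'roles/storage.objectAdmin' -> 'storage'.  Basic roles (roles/editor)
    and custom roles (projects/.../roles/...) have no service family."""
    if not role.startswith("roles/") or "." not in role:
        return None
    return role[len("roles/"):].split(".", 1)[0]


def audit(policy):
    """Return (severity, message) findings; an empty list means nothing found."""
    findings = []
    roles_by_member = defaultdict(set)
    for binding in policy["bindings"]:
        role = binding["role"]
        for member in binding["members"]:
            roles_by_member[member].add(role)
            if member in PUBLIC_PRINCIPALS:
                findings.append(("HIGH", f"{role} is granted to {member} (public access)"))
            if role in BASIC_ROLES:
                severity = "HIGH" if is_service_account(member) else "MEDIUM"
                findings.append((severity, f"basic role {role} granted to {member}; "
                                 "replace with a predefined or custom role"))
    for member, roles in roles_by_member.items():
        if is_default_service_account(member):
            findings.append(("HIGH", f"default service account {member} holds "
                             f"{sorted(roles)}; use a dedicated user-managed account"))
        elif is_service_account(member):
            # Heuristic: roles spanning several services on one account suggest
            # the account is shared by more than one application.
            families = {service_family(r) for r in roles} - {None}
            if len(families) > 1:
                findings.append(("LOW", f"{member} holds roles across {sorted(families)}; "
                                 "heuristic sign of one account shared by several applications"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the default Compute Engine account with Editor, Editor on a human user, a bucket-reading role granted to allUsers, and the shared-app account spanning Storage, Pub/Sub and BigQuery. The last check is deliberately low severity: a single application can legitimately need two services, so it is a prompt to look, not proof of a shared account.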




