Google Cloud - Identity and Access Management (IAM)
- We have resources in the cloud
  - VMs
  - Databases
- These resources are accessed by
  - Applications
  - Services
  - People logging in via the console
  - These are known as identities
- IAM allows
  - Identities access to resources
  - Configuring which actions are permitted (e.g. start a VM, delete a VM, etc.)
- There are two main parts
  - Authentication
    - Is this the right user/identity?
  - Authorization
    - Does this user/identity have the correct access to a resource, and
    - Does this user/identity have the correct access to perform an action on that resource?
- In Google Cloud IAM, we create
  - ROLES, which are a set of permissions
    - Basic/Primitive roles - Owner, Editor, Viewer
      - Owner - Able to edit, manage roles/permissions and billing
      - Editor - View and edit
      - Viewer - Read-only view
      - NOT RECOMMENDED for production.
    - Predefined roles
      - Predefined and managed by Google Cloud
      - Different roles for different purposes
      - Storage Object Admin, Storage Object Viewer, etc.
    - CUSTOM ROLES
      - Ability to create custom roles
  - POLICY to bind the role to a member/user
- What if we want an application to access Cloud Storage?
  - SERVICE ACCOUNTS
    - We can create service accounts which can be used by applications
    - These accounts do not have a password but have a public/private RSA key pair
    - Can't use them to log in via a browser
  - Types of service accounts
    - Default
      - Created by default when a service is created.
      - Editor role by default
      - Not recommended since it has the Editor role by default.
    - User managed
      - Create your own service account
      - Grant it access via a Role
    - Google managed
      - These are Google's internal accounts.
Let's talk a bit about best practices.
For IAM roles, follow the principle of least privilege: give a role the least privilege that still lets it do its job.
e.g. do not give admin access where edit+view is sufficient. Similarly, give only view access if that is sufficient for the role.
Don't share one service account between different applications. Create separate service accounts, each with its own roles assigned.
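The following is an added example (not part of the notes above, and not Google's IAM implementation) that models the two ideas covered here: a policy of role bindings answering the authorization question "does this identity hold this permission?", and an audit that flags the three practices the notes warn against (basic roles in use, permissions granted but never used, and one service account shared by several applications). The role-to-permission sets, the policy, the member names, the observed usage and the application-to-service-account mapping are all constructed assumptions for the example; real predefined roles carry many more permissions than shown.

```python
from dataclasses import dataclass

# Assumption: simplified permission sets for a handful of roles. Real roles
# contain many more permissions; this is only enough to show the model.
ROLES = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list",
                     "compute.instances.get"},
    "roles/editor": {"storage.objects.get", "storage.objects.list",
                     "storage.objects.create", "storage.objects.delete",
                     "compute.instances.get", "compute.instances.start",
                     "compute.instances.delete"},
    "roles/owner": {"storage.objects.get", "storage.objects.list",
                    "storage.objects.create", "storage.objects.delete",
                    "compute.instances.get", "compute.instances.start",
                    "compute.instances.delete",
                    "resourcemanager.projects.setIamPolicy",
                    "billing.accounts.update"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


@dataclass(frozen=True)
class Binding:
    """One entry of an IAM policy: a role bound to a set of members."""
    role: str
    members: frozenset


def granted_permissions(policy, member):
    """Union of the permissions of every role bound to `member`."""
    perms = set()
    for binding in policy:
        if member in binding.members:
            perms |= ROLES.get(binding.role, set())
    return perms


def is_authorized(policy, member, permission):
    """The authorization check: does this identity hold this permission?"""
    return permission in granted_permissions(policy, member)


def smallest_role_covering(used):
    """Non-basic role with the fewest permissions that still covers `used`."""
    candidates = [(len(perms), role) for role, perms in ROLES.items()
                  if role not in BASIC_ROLES and used <= perms]
    return min(candidates)[1] if candidates else None


def audit_policy(policy, observed_usage, app_users):
    """Least-privilege audit.

    observed_usage: member -> permissions actually exercised (constructed here;
                    in practice derived from audit logs).
    app_users:      service account -> applications that authenticate with it.
    """
    findings = []
    # 1. Basic roles are too broad for production.
    for binding in policy:
        if binding.role in BASIC_ROLES:
            for member in sorted(binding.members):
                findings.append(f"{member}: basic role {binding.role} bound; "
                                "prefer a predefined or custom role")
    # 2. Permissions granted but never used point at a narrower role.
    for member, used in observed_usage.items():
        excess = granted_permissions(policy, member) - used
        current_roles = {b.role for b in policy if member in b.members}
        suggestion = smallest_role_covering(used)
        if excess and suggestion and suggestion not in current_roles:
            findings.append(f"{member}: {len(excess)} granted permissions never "
                            f"used; smallest covering role is {suggestion}")
    # 3. One service account shared by several applications.
    for account, apps in app_users.items():
        if len(apps) > 1:
            findings.append(f"{account}: shared by {sorted(apps)}; "
                            "create one service account per application")
    return findings


# Constructed sample data; the project and account names are placeholders.
UPLOADER = "serviceAccount:uploader@example-project.iam.gserviceaccount.com"
REPORTER = "serviceAccount:reporter@example-project.iam.gserviceaccount.com"
POLICY = [
    Binding("roles/editor", frozenset({UPLOADER})),
    Binding("roles/storage.objectViewer", frozenset({REPORTER})),
]
OBSERVED_USAGE = {
    UPLOADER: {"storage.objects.create", "storage.objects.get"},
    REPORTER: {"storage.objects.get"},
}
APP_USERS = {UPLOADER: {"web-frontend", "batch-importer"}, REPORTER: {"dashboard"}}

if __name__ == "__main__":
    print(is_authorized(POLICY, UPLOADER, "storage.objects.delete"))  # True
    print(is_authorized(POLICY, REPORTER, "storage.objects.delete"))  # False
    for finding in audit_policy(POLICY, OBSERVED_USAGE, APP_USERS):
        print(finding)
```

Run as-is, the audit reports three findings: the uploader account carries the basic Editor role, it uses only two of the seven permissions that role grants (Storage Object Admin would cover what it actually does), and it is shared by two applications. The reporter account, bound to the narrow Storage Object Viewer role and used by a single application, produces no finding.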