How Identity and Access Management Works in Google Compute Engine

Google Cloud Platform is gaining momentum, and it seems that Google is warming up to compete with Amazon Web Services. During the last quarter, Google has invested heavily on new services and features for both Google App Engine and Google Compute Engine. Like any other cloud computing platform, also for Google one of the key components is the Identity and Access Management (IAM). This tool is fundamental to assign the right permission to users, groups and entire departments that could use a cloud computing platform like Google Cloud Platform or AWS.

The current IAM model for Google Compute Engine

Google Cloud IAM is currently tied up with the Google account of the user.

If you want to grant access to any user (member), you need to invite the user with his Gmail ID only. As of now, you can grant only 3 high-level permissions to access the resources:
Is owner – is a Cloud Platform Administrator user, he has full control on the Projects, Permissions, and Cloud Resources
Can edit – is a Cloud Power User, he has full control only on the Cloud Resources
Can view – is a Read-Only user, he has read-only permissions on all the cloud resources

Problems with the current version of IAM in Google Compute Engine

If you want to grant any of the above permission for any user, the user will have the complete access on all the Compute Engine resources like VM Instances, Disks, Networks, Load balancing, Routes, Firewalls and etc. There is no granular level of permissions to allow/deny access to the resources. This will put the customer workloads exposed to high risks with respect to privacy, security, and availability.

If I want to create a user with some administrator privileges to allow only creation of VMs, Creation of Disks and Snapshots but deny the Firewalls access, termination/deletion of any other resources, right now I don’t have any way to do it.

How to improve IAM in Google Compute Engine

I spent the last three quarters working with Google Compute Engine and I came up with a list of features that would be great and would add a lot of value to Google Compute Engine:

  • Google should remove the Google Mail ID dependency to add new members (users), this is forcing the users to have a Google account to use the GCE. And it should allow the enterprise mail accounts to add users to Google Cloud Projects.
  • Add service-level permissions to allow/deny the resources access like access to only VM Instances, Disks, and Snapshots or only access to the Networks and Load balancing, etc.
  • Add resource-level permissions to allow/deny the actions on resources like create, terminate, modify, stop, delete, view and etc.
  • Add an option to choose the more than one permission for users to access/deny the resource permissions like launching VM Instances, Creation of Disks and Snapshots and Networks View but no terminate/delete permissions. Same way like for Networks, Firewalls, Routes and etc.
  • Enable the MFA (Multi-Factor Authentication) feature on the Google Cloud Platform user management level rather than leaving it to the user choice.

All of them are improvements that Google will likely release in the next months, but in the meantime, you should consider them before moving your applications and workloads to the Google Cloud Platform.

Cloud Academy