How to Identity and Access Management works in Google Compute Engine

Google Cloud Platform is gaining momentum, and it seems that Google is warming up to compete with Amazon Web Services. During the last quarters Google has invested heavily on new services and features for both Google App Engine and Google Compute Engine. Like any other cloud computing platform, also for Google one of the key component is the Identity and Access Management (IAM). This tool is fundamental to assign the right permission to users, groups and entire departments that could use a cloud computing platform like Google Cloud Platform or AWS.

The current IAM model for Google Compute Engine

Google Cloud IAM is currently tied up with the Google account of the user.
If you want to grant access to any user (member), you need to invite the user with his Gmail ID only. As of now, you can grant only 3 high level permissions to access the resources:
Google_Cloud_Add_Permissions
Is owner – is a Cloud Platform Administrator user, he has full control on the Projects, Permissions and Cloud Resources
Can edit – is a Cloud Power User, he has full control only on the Cloud Resources
Can view – is a Read-Only user, he has read only permissions on all the cloud resources

Problems with current version of IAM in Google Compute Engine

If you want to grant any of the above permission for any user, the user will have complete access on all the Compute Engine resources like: VM Instances, Disks, Networks, Load balancing, Routes, Firewalls and etc. There is no granular level of permissions to allow/deny access to the resources. This will put the customer workloads exposed to high risks in respect to privacy, security and availability.
If I want to create a user with some administrator privileges to allow only creation of VMs, Creation of Disks and Snapshots but deny the Firewalls access, termination/deletion of any other resources, right now I don’t have any way to do it.

How to improve IAM in Google Compute Engine

I spent the last three quarters working with Google Compute Engine and I came up with a list of features that would be great and would add a lot of value to Google Compute Engine:

  • Google should remove the Google Mail ID dependency to add new members (users), this is forcing the users to have a Google account to use the GCE. And it should allow the enterprise mail accounts to add users to Google Cloud Projects.
  • Add service level permissions to allow/deny the resources access like access to only VM Instances, Disks and Snapshots or only access to the Networks and Load balancing etc.
  • Add resource level permissions to allow/deny the actions on resources like: create, terminate, modify, stop, delete, view and etc.
  • Add an option to choose the more than one permission for users to access/deny the resource permissions like: launching VM Instances , Creation of Disks and Snapshots and Networks View but no terminate/delete permissions. Same way like for Networks, Firewalls, Routes and etc.
  • Enable the MFA (Multi-Factor Authentication) feature at the Google Cloud Platform user management level rather than leaving it to the user choice.

All of them are improvements that Google will likely release in the next months, but in the meantime you should consider them before moving your applications and workloads to the Google Cloud Platform.

Written by

I have strong experience on Multiple Unix/Linux flavours, LAMP Stack, Monitoring Systems, Database, NoSQL. I love to explore the new concepts/services in Cloud Computing World. I have written 4 certifications in different flavours of Linux/Unix.

Related Posts

Albert Qian
— June 19, 2018

Preparing for the Microsoft Azure 70-535 Exam

The credibility of Microsoft Azure continues to grow in the first quarter of 2018 with an increasing number of enterprises migrating their workloads, resulting in a jump for Azure from 10% to 13% in market share. Most organizations will find that simply “lifting and shifting” applicatio...

Read more
  • Azure
  • Compute
  • Database
  • Security
— May 8, 2017

Which AWS Compute Service Do I Need?

With the ever increasing and expanding service catalog being developed by the engineers at AWS, it's easy to get confused when it comes to understanding which AWS Compute service you need and which service you should be using for your deployments. Which service offers me the quickest de...

Read more
  • AWS
  • Compute
— February 21, 2017

Which Cloud Computing Platform? Advantages of a Multi-Cloud Strategy

The rivalry is warming up in the cloud space as vendors continue to offer innovative features and reduced pricing. In this post, we will highlight the competition between the three titans of the cloud: Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft’...

Read more
  • AWS
  • Azure
  • Compute
  • Google Cloud
— May 5, 2016

Compute Fundamentals for AWS: Updated Course

Innovation fuels cloud computing.Compute Fundamentals for AWS: Updated, Improved, and Better than EverCloud Academy happily announces a major update to a popular course: Compute Fundamentals for AWS.David Robinson originally built this course an introduction to AWS's cornerstone comp...

Read more
  • AWS
  • Compute
— May 19, 2015

Preemptible Virtual Machines: cheap instances from Google Compute Engine

Could you use some serious computing power? Say hello to Google's Preemptible Virtual Machines.One of the nice things about having access to hundreds of thousands of computers is that you get to do cool stuff. Arguably, the fact that, with enough creativity, you can use that access to...

Read more
  • Compute
  • Google Cloud
— March 24, 2015

EC2 vs Google Compute Engine: comparing the big players in IaaS

IaaS: EC2 vs Google Compute EngineArguably, Infrastructure as a Service (IaaS) is the most important cloud computing vertical. Within that, in terms of services and features, AWS enjoys the top position, while Google Cloud Platform is slowly catching up. In this post, we'll discuss maj...

Read more
  • AWS
  • Compute
  • Google Cloud
Igor Putilov
— February 26, 2015

EC2 Pricing: understanding compute costs on AWS

Amazon EC2 pricing considerations (& how to save your money)After a first glance at the pricing page for Amazon EC2, you might find absorbing so much information a little intimidating. In this post we will try to break EC2 pricing down and provide strategies to not only ease the pa...

Read more
  • AWS
  • Compute
— October 23, 2014

Learn Google Compute Engine with our new course!

After the launch of our first course introducing the Google Cloud Platform, our expert David Clinton is back with a brand new course to learn Google Compute Engine. We just launched it, and you can watch it on CloudAcademy.Google is one of the hottest cloud platform, probably the most ...

Read more
  • Compute
  • Google Cloud

Deploying a MEAN Stack Onto Google Compute Engine

Gone are the days where a product team used to spend a considerable amount of time to build a basic web application.  Say Hi to MEAN! If you are familiar with LAMP/WAMP stacks, you could consider MEAN as a complete stack based on JavaScript. In fact, MEAN represents: MongoDB, ...

Read more
  • Azure
  • Compute
— July 14, 2014

Load Balancing in Google Compute Engine

Load balancing is an important feature of cloud infrastructure services. With the ability to rapidly launch VMs, it is important to ensure that all the VMs are evenly utilized. Amazon’s Elastic Load Balancer (ELB) is quite popular for its ability to route the traffic across a set of ins...

Read more
  • Compute
— July 4, 2014

Overview of Replica Pools in Google Compute Engine

Cloud is all about elasticity. Cloud infrastructure running web-scale applications can shrink and grow dynamically. Batch processing on cloud will have to deal with on-demand instantiation of the machines based on the load.Google Compute Engine is a high performance, next generation Ia...

Read more
  • Compute
— June 7, 2014

Google Compute Engine: how to control your daily usage of the cloud!

A couple days ago, Ken Sim, Product Manager at Google, announced a new feature that will probably make smile those of you who are hunger for analytics about their cloud infrastructure. News is, Google finally added a mean to programmatic access detailed Google Compute Engine usage data,...

Read more
  • Compute