
How Identity and Access Management Works in Google Compute Engine

Google Cloud Platform is gaining momentum, and it seems that Google is warming up to compete with Amazon Web Services. During the last quarter, Google has invested heavily in new services and features for both Google App Engine and Google Compute Engine. As on any other cloud computing platform, one of the key components of Google's offering is Identity and Access Management (IAM). This tool is fundamental for assigning the right permissions to the users, groups and entire departments that use a cloud computing platform such as Google Cloud Platform or AWS.

The current IAM model for Google Compute Engine

Google Cloud IAM is currently tied to the Google account of the user.

If you want to grant access to any user (member), you can only invite the user by his Gmail ID. As of now, you can grant only 3 high-level permissions on the resources:
  • Is owner – a Cloud Platform Administrator: full control over Projects, Permissions and Cloud Resources
  • Can edit – a Cloud Power User: full control over the Cloud Resources only
  • Can view – a Read-Only user: read-only permissions on all the cloud resources

Problems with the current version of IAM in Google Compute Engine

If you grant any of the above permissions to a user, that user gets complete access to all the Compute Engine resources: VM Instances, Disks, Networks, Load balancing, Routes, Firewalls, etc. There is no granular level of permissions to allow or deny access to individual resources. This exposes customer workloads to high risks with respect to privacy, security and availability.

If I want to create a user with some administrator privileges that allow only the creation of VMs, Disks and Snapshots, but deny access to Firewalls and the termination/deletion of any other resource, right now I have no way to do it.

How to improve IAM in Google Compute Engine

I spent the last three quarters working with Google Compute Engine, and I came up with a list of features that would add a lot of value to it:

  • Google should remove the Gmail ID dependency for adding new members (users); it forces users to have a Google account to use GCE. Enterprise mail accounts should be allowed to add users to Google Cloud Projects.
  • Add service-level permissions to allow/deny access to a class of resources, e.g. only VM Instances, Disks and Snapshots, or only Networks and Load balancing.
  • Add resource-level permissions to allow/deny individual actions on resources: create, terminate, modify, stop, delete, view, etc.
  • Add an option to combine more than one permission per user, e.g. launching VM Instances, creating Disks and Snapshots and viewing Networks, but no terminate/delete permission; likewise for Networks, Firewalls, Routes, etc.
  • Enforce MFA (Multi-Factor Authentication) at the Google Cloud Platform user-management level rather than leaving it to the user's choice.

All of them are improvements that Google will likely release in the coming months, but in the meantime you should take them into account before moving your applications and workloads to the Google Cloud Platform.
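Put in code, the gap between the two models described above reads like this. This is an added example written for this page, not code from the post or from Google Cloud: the role, resource and action names are constructed from the lists above, and the fine-grained VM_BUILDER role is the one the Problems section says cannot be expressed today.

```python
# Added example, not from the original post: a toy policy evaluator contrasting
# today's coarse GCE roles with the resource/action-level role the post asks for.
# Role and resource names are constructed for illustration, not GCP identifiers.

RESOURCE_TYPES = {"instances", "disks", "snapshots", "networks",
                  "loadbalancing", "routes", "firewalls"}
ACTIONS = {"create", "terminate", "modify", "stop", "delete", "view"}

# Current model: three project-wide roles that apply to every resource type,
# so "can edit" already implies firewall changes and deleting anything.
COARSE_ROLES = {
    "owner": ACTIONS,   # full control of project, permissions and resources
    "edit": ACTIONS,    # full control of all cloud resources
    "view": {"view"},   # read-only on all cloud resources
}

def coarse_allows(role, resource_type, action):
    """Evaluate a request under today's all-or-nothing project roles."""
    if resource_type not in RESOURCE_TYPES or action not in ACTIONS:
        raise ValueError(f"unknown request {resource_type}/{action}")
    return action in COARSE_ROLES[role]

class FineGrainedRole:
    """Desired model: an allow-list of actions per resource type, default deny."""
    def __init__(self, allow):
        self.allow = {r: set(a) for r, a in allow.items()}

    def allows(self, resource_type, action):
        return action in self.allow.get(resource_type, set())

# The role the post cannot express today (constructed): create VMs, disks and
# snapshots, view networks; no firewall access and no terminate/delete at all.
VM_BUILDER = FineGrainedRole({
    "instances": {"create", "view"},
    "disks": {"create", "view"},
    "snapshots": {"create", "view"},
    "networks": {"view"},
})

def excess_privileges(role, fine_role):
    """Every (resource, action) the coarse role grants but the intended
    fine-grained role denies: the over-provisioning the post warns about."""
    return sorted((r, a) for r in RESOURCE_TYPES for a in ACTIONS
                  if coarse_allows(role, r, a) and not fine_role.allows(r, a))

if __name__ == "__main__":
    for req in (("instances", "create"), ("firewalls", "delete")):
        print(req, "edit ->", coarse_allows("edit", *req),
              "| vm_builder ->", VM_BUILDER.allows(*req))
    print(len(excess_privileges("edit", VM_BUILDER)), "excess grants for 'edit'")
```

Running it shows that the only role that lets a user create a VM today ("edit") also grants every destructive action on every resource type, which is exactly the least-privilege gap the wish list addresses.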


Written by

Praveen Kumar Muppala

I have strong experience with multiple Unix/Linux flavours, the LAMP stack, monitoring systems, databases and NoSQL. I love to explore new concepts and services in the cloud computing world. I have written 4 certifications in different flavours of Linux/Unix.
