Google Cloud Platform is gaining momentum, and it seems that Google is warming up to compete with Amazon Web Services. During the last quarter, Google has invested heavily on new services and features for both Google App Engine and Google Compute Engine. Like any other cloud computing platform, also for Google one of the key components is the Identity and Access Management (IAM). This tool is fundamental to assign the right permission to users, groups and entire departments that could use a cloud computing platform like Google Cloud Platform or AWS.
The current IAM model for Google Compute Engine
Google Cloud IAM is currently tied up with the Google account of the user.
If you want to grant access to any user (member), you need to invite the user with his Gmail ID only. As of now, you can grant only 3 high-level permissions to access the resources:
Is owner – is a Cloud Platform Administrator user, he has full control on the Projects, Permissions, and Cloud Resources
Can edit – is a Cloud Power User, he has full control only on the Cloud Resources
Can view – is a Read-Only user, he has read-only permissions on all the cloud resources
Problems with the current version of IAM in Google Compute Engine
If you want to grant any of the above permission for any user, the user will have the complete access on all the Compute Engine resources like VM Instances, Disks, Networks, Load balancing, Routes, Firewalls and etc. There is no granular level of permissions to allow/deny access to the resources. This will put the customer workloads exposed to high risks with respect to privacy, security, and availability.
If I want to create a user with some administrator privileges to allow only creation of VMs, Creation of Disks and Snapshots but deny the Firewalls access, termination/deletion of any other resources, right now I don’t have any way to do it.
How to improve IAM in Google Compute Engine
I spent the last three quarters working with Google Compute Engine and I came up with a list of features that would be great and would add a lot of value to Google Compute Engine:
- Google should remove the Google Mail ID dependency to add new members (users), this is forcing the users to have a Google account to use the GCE. And it should allow the enterprise mail accounts to add users to Google Cloud Projects.
- Add service-level permissions to allow/deny the resources access like access to only VM Instances, Disks, and Snapshots or only access to the Networks and Load balancing, etc.
- Add resource-level permissions to allow/deny the actions on resources like create, terminate, modify, stop, delete, view and etc.
- Add an option to choose the more than one permission for users to access/deny the resource permissions like launching VM Instances, Creation of Disks and Snapshots and Networks View but no terminate/delete permissions. Same way like for Networks, Firewalls, Routes and etc.
- Enable the MFA (Multi-Factor Authentication) feature on the Google Cloud Platform user management level rather than leaving it to the user choice.
All of them are improvements that Google will likely release in the next months, but in the meantime, you should consider them before moving your applications and workloads to the Google Cloud Platform.
AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security
If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog. It can be both d...
Preparing for the Microsoft Azure 70-535 Exam
(Update) The Azure 70-535 exam was retired on December 31, 2018, and it was replaced by the AZ-300 and AZ-301 exams. To prepare for these exams, we recommend the Cloud Academy's AZ-300 Exam Preparation: Technologies for Microsoft Azure Architects and the AZ-301 Exam Preparation: Designi...
Which AWS Compute Service Do I Need?
With the ever increasing and expanding service catalog being developed by the engineers at AWS, it's easy to get confused when it comes to understanding which AWS Compute service you need and which service you should be using for your deployments. Which service offers me the quickest de...
Which Cloud Computing Platform? Advantages of a Multi-Cloud Strategy
The rivalry is warming up in the cloud space as vendors continue to offer innovative features and reduced pricing. In this post, we will highlight the competition between the three titans of the cloud: Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft’s Azure. Which ...
Compute Fundamentals for AWS: Updated Course
Innovation fuels cloud computing. Compute Fundamentals for AWS: Updated, Improved, and Better than Ever Cloud Academy happily announces a major update to a popular course: Compute Fundamentals for AWS. David Robinson originally built this course an introduction to AWS's cornerstone comp...
Preemptible Virtual Machines: Cheap Instances From Google Compute Engine
Could you use some serious computing power? Say hello to Google's Preemptible Virtual Machines. One of the nice things about having access to hundreds of thousands of computers is that you get to do cool stuff. Arguably, the fact that, with enough creativity, you can use that access to...
EC2 vs Google Compute Engine: Comparing the Big Players in IaaS
IaaS: EC2 vs Google Compute Engine Arguably, Infrastructure as a Service (IaaS) is the most important cloud computing vertical. Within that, in terms of services and features, AWS enjoys the top position, while Google Cloud Platform is slowly catching up. In this post, we'll discuss th...
EC2 Pricing: Understanding Compute Costs on AWS
Amazon EC2 pricing considerations (& how to save your money) After a first glance at the Amazon EC2 pricing page, you might find absorbing so much information a little intimidating. In this post, we will try to break EC2 pricing down and provide strategies to not only ease the pain...
Learn Google Compute Engine – New Course
After the launch of our first course introducing the Google Cloud Platform, David Clinton is back with a brand new course - Launching a GCE instance. We just launched it, and you can watch it on CloudAcademy. Google is one of the hottest cloud platform, probably the most interesting ...
Deploying a MEAN Stack Onto Google Compute Engine
Load Balancing in Google Compute Engine
Load balancing is an important feature of cloud infrastructure services. With the ability to rapidly launch VMs, it is important to ensure that all the VMs are evenly utilized. Amazon’s Elastic Load Balancer (ELB) is quite popular for its ability to route the traffic across a set of ins...
Overview of Replica Pools in Google Compute Engine
Cloud is all about elasticity. Cloud infrastructure running web-scale applications can shrink and grow dynamically. Batch processing on the cloud will have to deal with on-demand instantiation of the machines based on the load. Google Compute Engine is a high performance, next-genera...