Identity & Access Management
Security is considered to be one of the biggest challenges when comparing cloud vs. in-house infrastructure. Due to lack of trust, loss of control, and the multi-tenant nature of the cloud, security controls and mechanisms are of the utmost importance.
Google Cloud Platform offers tools with a single dashboard and simple interfaces to implement security policies. Google Cloud Identity and Access Management (IAM) provides an easy way to manage GCP users and the permissions assigned to them. Besides human users, GCP provides a way to create non-human identities (service accounts) and attach those to cloud applications and VMs. The correct configuration and usage of service accounts and IAM are critical to GCP security. GCP also provides a centralized dashboard to view audit logs, which are useful in the case of a security breach.
To help you get the most out of the security tools offered in Google Cloud, this course covers how to properly manage IAM, service accounts, and audit logs.
- Understand how cloud security differs from on-premises security
- Configure identities and access levels in Google Cloud Platform using Cloud IAM
- Create, manage, and assign service accounts to GCP VMs
- View audit logs in the GCP console
- Students preparing for GCP cloud certifications
- Cloud administrators and IT professionals
- Cloud security practitioners
- GCP developers
- Completion of Google Cloud Platform Fundamentals course on Cloud Academy or practical working experience with GCP infrastructure
- Basic proficiency with command-line tools and Linux operating system environments
Now let's take a look at how Cloud IAM works in practice. I'll show you how we can use a single interface to see all the IAM accounts for your cloud resources. So here I have a Google Cloud project. It's called Cloudacademy-security. This is a test project that I've created for this course, and this is a relatively fresh project so you will not see a lot of users in this project.
To get to the IAM dashboard, you need to go to the navigation menu and then click on IAM & Admin. On the left-hand side you'll see several menu items like IAM, Identity & Organization, and Service accounts, which we'll cover a little later in the course. You'll also see Cryptographic keys and Roles.
Let's look at what IAM means here. You'll see a list of members. This is a relatively new project, as I mentioned, so you'll only see me as a member of this particular project. You also see roles. A role defines what a particular member is allowed to do. For instance, when you click on Roles here, this will show a mapping of the members to the roles. So this is showing that I am an Owner of the particular project that we're talking about here. You can also go to Roles by clicking on the left-side menu item, and then you see all the different roles that are prebuilt into the system. So GCP provides a list of roles which you can see here.
Now let's look at how we can add more members to this project and assign roles to them. To add new members, what you need to do is click on Add here. You can put in the email addresses of the users and you can also have groups. These could be Google accounts or Google Federated accounts. For instance, here I'm using another email address which I have as a test, and then I have to assign roles to this.
For example, I might want that other user to be just a Viewer, so they would only have read access to all resources. These are the prebuilt roles. I can click on Viewer, and you'll see I can add other roles as well. For instance, if I want to add access specifically for another service such as Cloud Scheduler, and if I want to make that account a Cloud Scheduler Job Runner, then I can do that. And I can assign multiple roles. Then if I click Save, that account is added as an additional member.
Now I'll show you how we can also add Google Groups as members and assign roles to them. This is really useful when you have a bunch of users and they all need similar permissions. I'll go to Google Groups and take a look at the groups that I have. For this course, I created a group called cloudacademy-demo, and I'm the only one in the group. So now I can take this cloudacademy-demo group and add it as a member. Here's where I add it. It has to be the full googlegroups.com address. Then I can assign different roles to this group. For instance, I can make everyone in this group a Project Editor. We'll get to exactly what these roles mean later. Now I'll save it, and you can see the group is in the list and has the Editor role. Now, if I go to Roles, you'll see that I have one Editor, one Owner, one Viewer, and one Cloud Scheduler Job Runner.
Now I'll show you the roles that GCP provides. This table has 385 predefined roles. I'll show you some of the common roles. For instance, at the project level, you'll have the different types of roles such as a Project Editor. If you click on this, you can see the list of assigned permissions. A Project Editor has edit access to all resources, so whether it's App Engine or Compute Engine or AutoML or BigQuery or any other GCP service, a Project Editor can use that service.
If we go down further in this list, you can see the project owner role here. This role has over 2,000 permissions. This is another common role. By default, the person who creates a project becomes a Project Owner. The difference between an owner and an editor is that an owner can add additional users and change permissions whereas an editor cannot. Another common role is Project Viewer. You can think of it as read access. So the viewer can see the project, but can't run things.
Now, these are at the project level, but there are also specific roles for specific things like Bigtable user, Bigtable viewer and BigQuery user. Similarly, there are Compute Engine-related roles and so on.
Now, there could still be cases where these predefined roles are not sufficient and you want a specific set of permissions for a particular user. In that case, GCP gives you the option to create your own role. Let's create one now. Let's call this role cloudsecurity-demo. This is a custom role. Then we can add permissions to it. To make it easier to find a permission, we can filter the list. Suppose we want to add Compute Engine-related permissions. For example, if we want to start from the permissions in the Compute Load Balancer Admin role, then here it is, and we can check the box.
Now, within this admin role's permissions, we can select specific ones. For instance, if we want a user to have only the compute.addresses.create permission, but not delete or get, we can grant them just that permission. Once we've created this role, you can see it in the list, and you can see that it is marked as a custom role. Now when we go back to our IAM members, we can assign this specific role. That concludes our lecture on identity and access management. Coming up, our lecture on managing service accounts.
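As an added example that is not part of the original lecture, the following Python models the two checks a reviewer would run on a project like the one above: which roles a member actually holds once group membership is counted (a user given only Viewer directly also inherits Editor through the group), and whether a custom role carries permissions beyond the one that was intended. The policy shape follows what `gcloud projects get-iam-policy PROJECT --format=json` returns; the member addresses and group membership are constructed placeholders.

```python
"""Constructed example: audit a GCP project IAM policy for broad basic roles
and check a custom role definition against a least-privilege allow-list."""
from typing import Dict, List, Set

# Basic (primitive) roles grant project-wide access, as the lecture describes.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy in the `gcloud projects get-iam-policy` JSON shape.
# The member addresses are placeholders, not real accounts.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:second@example.com"]},
        {"role": "roles/cloudscheduler.jobRunner", "members": ["user:owner@example.com"]},
        {"role": "roles/editor", "members": ["group:cloudacademy-demo@googlegroups.com"]},
    ]
}

# Constructed group membership: in GCP this lives in Google Groups, not in the policy.
GROUP_MEMBERS = {"group:cloudacademy-demo@googlegroups.com": {"user:second@example.com"}}


def effective_roles(policy: Dict, member: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Roles a member holds directly or through any group that lists them."""
    principals = {member} | {g for g, users in groups.items() if member in users}
    return {b["role"] for b in policy["bindings"] if principals & set(b["members"])}


def basic_role_grants(policy: Dict) -> List[str]:
    """'member -> role' for every Owner/Editor/Viewer binding; these deserve review."""
    return [f"{m} -> {b['role']}" for b in policy["bindings"]
            if b["role"] in BASIC_ROLES for m in b["members"]]


def excess_permissions(role_def: Dict, allowed: Set[str]) -> Set[str]:
    """Permissions in a custom role (the `gcloud iam roles describe` shape,
    field includedPermissions) that fall outside the allow-list."""
    return set(role_def.get("includedPermissions", [])) - allowed


if __name__ == "__main__":
    print(sorted(effective_roles(SAMPLE_POLICY, "user:second@example.com", GROUP_MEMBERS)))
    print(basic_role_grants(SAMPLE_POLICY))
    # Custom role from the lecture: only compute.addresses.create was intended,
    # so a stray delete permission should be flagged.
    custom = {"name": "projects/PROJECT_ID/roles/cloudsecurity_demo",  # placeholder id
              "includedPermissions": ["compute.addresses.create", "compute.addresses.delete"]}
    print(excess_permissions(custom, {"compute.addresses.create"}))
```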
About the Author
Abhishek Gupta has 10+ years of experience in the domain of high-performance computing, cloud, and security. Currently, he's leading an innovation team at the Schlumberger Software Technology Innovation Center and is also a visiting faculty member at Santa Clara University, where he teaches a graduate course in cloud computing. Gupta has a Ph.D. in Computer Science from the University of Illinois at Urbana-Champaign.