# IAM

## Identities and Roles

Term | Description |
---|---|
Principals | Who is asking: a Google account (`user:`), a group (`group:`), a service account (`serviceAccount:`), a Workspace or Cloud Identity domain (`domain:`), or the special members `allAuthenticatedUsers` and `allUsers` |
Roles | What they may do: a named collection of permissions, either basic (`roles/viewer`, `roles/editor`, `roles/owner`), predefined (e.g. `roles/storage.objectAdmin`) or custom |
Policies | The binding: an allow policy attached to a resource lists which principals hold which roles on it; policies set on ancestors (organization, folder, project) are inherited by everything beneath |
## Policy Evaluation

Allow policies are inherited down the resource hierarchy (organization > folder > project > resource), and a resource's effective policy is the union of its own bindings and every ancestor's. A child resource cannot take away access granted higher up, so a broad grant at the folder or organization level reaches every resource beneath it. Where IAM deny policies are in use they are checked before allow policies.
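The evaluation this section covers, as an added example that is not code from the page or from Google: the trimmed role definitions, the resource tree, the bindings and the group memberships are constructed sample data, and only allow policies are modelled. `explain()` returns every binding in the hierarchy that grants the permission, which is the same question Policy Troubleshooter answers.

```python
"""Model of how GCP IAM evaluates allow policies across the resource hierarchy.

Added example, not code from the page or from Google. Roles, hierarchy, policies
and groups below are constructed; real roles carry far more permissions and real
evaluation also consults deny policies first.
"""
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Binding(NamedTuple):
    role: str
    members: Set[str]


# Hypothetical, heavily trimmed role -> permission map.
ROLES: Dict[str, Set[str]] = {
    "roles/viewer": {"storage.objects.get", "storage.buckets.get", "compute.instances.get"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get",
                                       "compute.instances.setServiceAccount"},
}

# Resource hierarchy as child -> parent; None marks the organization root.
PARENT: Dict[str, Optional[str]] = {
    "organizations/123": None,
    "folders/prod": "organizations/123",
    "projects/prod-web": "folders/prod",
    "projects/sandbox": "organizations/123",
    "buckets/prod-web-assets": "projects/prod-web",
}

# Allow policy attached to each resource (constructed).
POLICIES: Dict[str, List[Binding]] = {
    "organizations/123": [Binding("roles/viewer", {"group:sec-audit@example.com"})],
    "folders/prod": [Binding("roles/compute.instanceAdmin.v1", {"user:ops@example.com"})],
    "projects/prod-web": [Binding("roles/storage.objectAdmin",
                                  {"serviceAccount:deploy@prod-web.iam.gserviceaccount.com"})],
    "projects/sandbox": [],
    "buckets/prod-web-assets": [Binding("roles/viewer", {"allUsers"})],  # public bucket
}

# Group membership (constructed); nested groups are not modelled.
GROUPS: Dict[str, Set[str]] = {"group:sec-audit@example.com": {"user:alice@example.com"}}


def ancestors(resource: str) -> List[str]:
    """Chain from the organization root down to the resource itself."""
    chain: List[str] = []
    node: Optional[str] = resource
    while node is not None:
        if node not in PARENT:
            raise KeyError(f"unknown resource {node}")
        chain.append(node)
        node = PARENT[node]
    return list(reversed(chain))


def expand_principal(principal: Optional[str]) -> Set[str]:
    """Every member identifier a binding could use to reach this caller."""
    if principal is None:  # unauthenticated caller: only allUsers reaches it
        return {"allUsers"}
    members = {principal, "allUsers", "allAuthenticatedUsers"}
    members |= {group for group, users in GROUPS.items() if principal in users}
    return members


def explain(principal: Optional[str], permission: str, resource: str) -> List[Tuple[str, str, str]]:
    """All (resource, role, member) bindings in the hierarchy that grant the permission.

    Bindings are unioned root-first, so a grant at the organization shows up for every
    descendant; nothing at a lower level can cancel it.
    """
    wanted = expand_principal(principal)
    hits: List[Tuple[str, str, str]] = []
    for node in ancestors(resource):
        for binding in POLICIES.get(node, []):
            if permission not in ROLES.get(binding.role, set()):
                continue
            for member in sorted(binding.members & wanted):
                hits.append((node, binding.role, member))
    return hits


def has_permission(principal: Optional[str], permission: str, resource: str) -> bool:
    return bool(explain(principal, permission, resource))


if __name__ == "__main__":
    for hit in explain("user:alice@example.com", "storage.objects.get", "buckets/prod-web-assets"):
        print("granted at %s via %s to %s" % hit)
```

Run as a script it prints two grants for `alice` on the bucket: one inherited from the organization through her group, one from the `allUsers` binding on the bucket itself, which is exactly the kind of finding an audit of public buckets is after.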
## Service Accounts

### General Info

- Identified with an email address, e.g. `NAME@PROJECT_ID.iam.gserviceaccount.com`
- Service accounts authenticate using RSA key pairs rather than passwords: Google-managed keys are rotated by Google, while user-managed keys are downloaded as a JSON file and stay valid until you delete them, so treat them as long-lived secrets
- You can assign a predefined or custom role to a service account; the service account is also a resource in its own right, and principals granted `roles/iam.serviceAccountUser` or `roles/iam.serviceAccountTokenCreator` on it can act as it
### Types

Type | Description |
---|---|
User Managed | Created in your project (`NAME@PROJECT_ID.iam.gserviceaccount.com`); you grant its roles and can create, list and delete its keys. The Compute Engine and App Engine default service accounts fall into this category and have historically been created with the basic Editor role on the project, so restrict or replace them |
Google Managed | Created and owned by Google so that Google services can act in your project (service agents); keys are held and rotated by Google and cannot be downloaded |
Structure of a Service Account Key

```json
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}
```

The `private_key` field is the only secret; `private_key_id` identifies which of the account's keys it is, which is what you need to disable or delete it after a leak.
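Because the file has a fixed shape, a leaked key is easy to recognise in a repository, a log or a CI variable dump. The scanner below is an added example, not code from the page or from Google: it validates the structure shown above and records a summary (email, project, key id, a hash of the PEM) without copying the secret. `SAMPLE_BLOB` is a constructed deploy script with a filler PEM body, not a real key, and the regular expressions are deliberately loose assumptions about the format rather than an official grammar.

```python
"""Find and summarise service-account key files embedded in arbitrary text.

Added example, not from the page or from Google. SAMPLE_BLOB is constructed
and its PEM body is filler; the regexes are assumptions about the format.
"""
import hashlib
import json
import re
from typing import Any, Dict, List

# Fields every Google-issued service-account key file carries (see the structure above).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
PEM_RE = re.compile(r"^-----BEGIN (?:RSA )?PRIVATE KEY-----\n(?:[A-Za-z0-9+/=]+\n)+"
                    r"-----END (?:RSA )?PRIVATE KEY-----\n?$")
SA_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.gserviceaccount\.com$")


def validate_service_account_key(key: Any) -> Dict[str, Any]:
    """Return the object if it has the shape of a key file, else raise ValueError."""
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("not a service_account credential")
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if not SA_EMAIL_RE.match(key["client_email"]):
        raise ValueError("client_email is not a service-account address")
    if not PEM_RE.match(key["private_key"]):
        raise ValueError("private_key is not a PEM private key")
    return key


def parse_service_account_key(text: str) -> Dict[str, Any]:
    """Parse one key file from its JSON text."""
    return validate_service_account_key(json.loads(text))


def summarize(key: Dict[str, Any]) -> Dict[str, str]:
    """What to record about a found key without storing the secret itself."""
    digest = hashlib.sha256(key["private_key"].encode()).hexdigest()[:16]
    return {
        "client_email": key["client_email"],
        "project_id": key["project_id"],
        "private_key_id": key["private_key_id"],  # matches the key id gcloud lists
        "pem_sha256_prefix": digest,                # lets you correlate repeat finds
    }


def find_service_account_keys(blob: str) -> List[Dict[str, str]]:
    """Scan arbitrary text (shell script, YAML, log) for embedded key objects.

    Every '{' is tried as the start of a JSON object; objects that decode but are
    not key files (e.g. authorized_user credentials) are ignored.
    """
    decoder = json.JSONDecoder()
    found: List[Dict[str, str]] = []
    pos = 0
    while True:
        start = blob.find("{", pos)
        if start < 0:
            return found
        try:
            obj, end = decoder.raw_decode(blob, start)
        except json.JSONDecodeError:
            pos = start + 1
            continue
        try:
            found.append(summarize(validate_service_account_key(obj)))
        except ValueError:
            pass
        pos = end  # raw_decode reports an absolute index; skip the parsed object


# Constructed sample: a deploy script that embeds credentials. The PEM body is filler.
SAMPLE_BLOB = r'''
# deploy.sh (constructed sample, not a real key)
export GOOGLE_APPLICATION_CREDENTIALS_JSON='{"type": "service_account", "project_id": "acme-prod", "private_key_id": "0123456789abcdef0123456789abcdef01234567", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7\nZmlsbGVyZmlsbGVyZmlsbGVyZmlsbGVy\n-----END PRIVATE KEY-----\n", "client_email": "deploy@acme-prod.iam.gserviceaccount.com", "client_id": "1234567890", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token"}'
other = {"type": "authorized_user", "client_id": "x"}
'''

if __name__ == "__main__":
    for hit in find_service_account_keys(SAMPLE_BLOB):
        print(hit)
```

On a real find, the `private_key_id` is what you pass to `gcloud iam service-accounts keys disable` or `keys delete` for the `client_email` account, and the hash prefix lets you tell a re-committed copy of the same key from a freshly minted one.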
## Access Scopes

- Access scopes limit which Google APIs a token obtained from the instance metadata server (for the attached service account, typically the GCE default one) can call
- They are a legacy OAuth mechanism, not a substitute for IAM: a call needs both a scope that covers the API and an IAM role that grants the permission, so it is better to use a dedicated service account with least-privilege IAM roles (and the `cloud-platform` scope) than to rely on scopes
- Scopes apply per instance and only to tokens minted through the metadata server; the instance must be stopped to change them, and a downloaded key for the same service account is not limited by them at all

Options

Scope | Description |
---|---|
Allow default access | Read-only access to Cloud Storage plus write access to Stackdriver (now Cloud Logging and Cloud Monitoring) |
Allow full access | The `cloud-platform` scope: access to all Cloud APIs, limited only by the service account's IAM roles |
Set access for each API | Grant access to only the APIs required by the programs running on the VM |
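Whether a VM has the default, full or a custom scope set is visible from inside the VM via the metadata server, which is also the first thing an attacker with code execution on the instance queries. The checker below is an added example, not code from the page or from Google: `fetch_scopes()` and `fetch_token()` hit the real metadata endpoints and therefore only work on a Compute Engine instance, while `parse_scopes()` and `classify()` run offline. `DEFAULT_SCOPES` is the documented scope set for "Allow default access" as I know it, and `BROAD_SCOPES` is my own assumption about which scopes deserve attention in a review.

```python
"""Audit the access scopes carried by a Compute Engine instance's attached service account.

Added example, not from the page or from Google. fetch_* functions need the GCE
metadata server; SAMPLE_SCOPES is constructed. BROAD_SCOPES is an assumption.
"""
import json
import urllib.request
from typing import Dict, List

METADATA = ("http://metadata.google.internal/computeMetadata/v1/"
            "instance/service-accounts/default/")
FULL_ACCESS = "https://www.googleapis.com/auth/cloud-platform"

# Scope set that "Allow default access" assigns to the default service account.
DEFAULT_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
    "https://www.googleapis.com/auth/servicecontrol",
    "https://www.googleapis.com/auth/service.management.readonly",
    "https://www.googleapis.com/auth/trace.append",
}

# Scopes that, paired with an over-broad IAM role, let a compromised VM move laterally
# (assumption: the list a reviewer would flag, not an official classification).
BROAD_SCOPES = {
    FULL_ACCESS,
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/iam",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
}


def _metadata_get(path: str) -> str:
    # The Metadata-Flavor header is mandatory; the server rejects requests without it.
    req = urllib.request.Request(METADATA + path, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_scopes() -> List[str]:
    """Scopes of the attached service account (one URL per line from the server)."""
    return parse_scopes(_metadata_get("scopes"))


def fetch_token() -> str:
    """Bearer token for the attached service account; it carries exactly those scopes."""
    return json.loads(_metadata_get("token"))["access_token"]


def parse_scopes(text: str) -> List[str]:
    return [line.strip() for line in text.splitlines() if line.strip()]


def classify(scopes: List[str]) -> Dict[str, object]:
    """Map a scope list onto the three console options and flag anything broad."""
    present = set(scopes)
    if FULL_ACCESS in present:
        level = "full"          # limited only by the service account's IAM roles
    elif present == DEFAULT_SCOPES:
        level = "default"
    else:
        level = "custom"        # "Set access for each API"
    return {
        "level": level,
        "broad_scopes": sorted(present & BROAD_SCOPES),
        "beyond_default": sorted(present - DEFAULT_SCOPES),
    }


# Constructed sample mirroring what the scopes endpoint returns on a default-scope VM.
SAMPLE_SCOPES = "\n".join(sorted(DEFAULT_SCOPES)) + "\n"

if __name__ == "__main__":
    print(classify(fetch_scopes()))
```

Read the result together with the account's IAM roles: `full` scope on a service account that still holds the project Editor role means any code running on the VM is effectively a project administrator, whereas `full` scope on an account with a single narrow custom role is the recommended configuration.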
## Other Useful Services

Service | Description |
---|---|
Workload Identity federation | Lets workloads outside Google Cloud (AWS, Azure, any OIDC or SAML identity provider, including CI systems) exchange their own identity token for short-lived Google credentials and impersonate a service account, so no downloadable key has to be created or shipped |
Cloud IAM recommender | Compares the permissions a principal's roles grant with the permissions it has actually used and recommends removing or downgrading over-broad role bindings |
IAM Policy Simulator | Replays recent access logs against a proposed policy change and shows which requests would start being denied (or allowed) before you apply it |
IAM Policy Troubleshooter | Given a principal, a permission and a resource, explains whether access is allowed and which binding in the hierarchy grants or withholds it |