Skip to content

IAM

Identities and Roles

Principals
  • 4 types of Principals:
  • Two special members:
    • allAuthenticatedUsers: everyone authenticated to GCP, not just in your Org
    • allUser: anyone on the internet, authenticated or not
Roles
  • Set of permissions grouped together, each one representing a fine grained operation
  • Types:
    • Primitive (Basic) Roles
      • Apply across all GCP services in a project
      • Managed by Google, so the set of permissions can change over time
      • Can assign ACL grants (legacy authz system for Buckets/BigQuery) to those bound to a primitive role in the Project
    • Predefined roles
      • Apply to a particular GCP service in a project
      • Provide granular access for a specific service
      • Managed by Google
    • Custom Roles
Policies
  • Each policy contains a set of roles and role members
  • Policies are inherited downwards in the hierarchy
  • Policies implemented at a higher level in the hierarchy can't take away access that's granted at a lower level
  • If a parent policy is less restrictive, it overrides a more restrictive resource policy
  • If a parent policy is more restrictive, it does not override a less restrictive resource policy

Service Accounts

General Info

Types

Type Description
User Managed
  • Manually created by users, alongside a private key
  • Keys lifecycle is your responsibility
Google Managed
  • No need to generate keys for them
  • Applications can just assume their identity
  • Example:
    • Each Project comes with a default service account that is used by Compute Engine (GCE) services
    • VMs will transparently be identified by that service account, and they are authorized to request short-lived authorization tokens from the internal metadata service
Structure of a Service Account Key
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "service-account-email",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

Recommendations

Recommendation Description
Do not use the Default Compute Engine Service Account
  • By default, these default service accounts automatically receive the Editor role when they are created
  • Create a new Service Account and use it as the default account used by a VM
  • Disable Automatic IAM Grants for Default Service Accounts via Organizational Policies: constraints/iam.automaticIamGrantsForDefaultServiceAccounts