Narrowing down the thing or person who will be accessing resources is the first move in awarding IAM permissions.

FREMONT, CA:  Google Cloud IAM (Identity and Access Management) is the backbone of the Google Cloud security system. One should strive to make the infrastructure available only to those who need it by following the principle of least privilege. Keeping IAM permissions right while the company expands may seem overwhelming, so here is a checklist of everything one should work through before changing permissions. It will also help businesses enforce access management.

Who? (The Identity)

Narrowing down the thing or person who will be accessing resources is the first move in awarding IAM permissions. This could be one of several possibilities, such as:

• A service account (usually used by a script/tool)
• A Google account (usually used by a human)
• A G-Suite domain
• A Google group

The most important thing to remember for this step is to restrict the grant to as few identities as possible. While a larger community may eventually require permissions, it is better to start with a smaller subset and add permissions as needed over time. Consider whether the access is used by an automated process or by a person: service accounts with distinct, narrowly defined purposes are easier to monitor and restrict than a shared identity.

What Access? (The Role)

Permissions in Google Cloud are generally linked to Google Cloud REST API methods. Each permission is named after the GCP service, the specific resource type, and the verb that is permitted. For example, to issue a start command to Google Compute Engine instances, ParkMyCloud requires the permission "compute.instances.start". Permissions are not granted to an identity directly; they are bundled into a role, and the role is what gets assigned to the identity one has selected.

Which Item? (The Resource)

Once the identity and the permissions have been settled, one will need to grant them on a resource using a Cloud IAM policy. A resource may be very specific or very general and may include items such as:

• GCP projects
• Single Compute Engine instances
• Cloud Storage buckets
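The three questions above (who, which role, which resource) come together in an IAM policy: a list of bindings, each tying a role to a set of members, attached to a resource such as a project. The following Python is an added example, not code from ParkMyCloud or Google. It models a project policy with the real member prefixes (serviceAccount:, user:, group:, domain:) and the real custom-role id format (projects/PROJECT/roles/ROLE), resolves whether a member ends up with a given permission, and flags members bound to basic roles (owner, editor, viewer) as candidates for a least-privilege review. The project name, service account, role name, etag and the role-to-permission table are constructed for illustration; the predefined role's permission list is a subset only.

```python
"""Minimal model of a Google Cloud IAM policy, used to reason about a
binding before it is applied. All sample data below is constructed."""

# Permissions carried by roles. The predefined role lists only a subset
# of its real permissions; the custom role name is an assumption.
ROLE_PERMISSIONS = {
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.start", "compute.instances.stop",
        "compute.instances.delete", "compute.instances.create",
    },
    # Basic roles grant far more than any single workload needs;
    # "*" stands in for "every permission on the resource".
    "roles/owner": {"*"},
    "roles/editor": {"*"},
    # Custom role holding only what a start/stop tool needs (assumed name).
    "projects/example-project/roles/instanceStarter": {
        "compute.instances.start", "compute.instances.list",
    },
}

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def make_binding(role: str, members: list) -> dict:
    """One entry of the `bindings` list in an IAM policy document."""
    return {"role": role, "members": list(members)}


def has_permission(policy: dict, member: str, permission: str) -> bool:
    """True if any binding in the policy gives `member` a role that
    carries `permission` on the resource the policy is attached to."""
    for binding in policy["bindings"]:
        if member not in binding["members"]:
            continue
        perms = ROLE_PERMISSIONS.get(binding["role"], set())
        if "*" in perms or permission in perms:
            return True
    return False


def permissions_of(policy: dict, member: str) -> set:
    """Union of the permissions a member holds through all of its bindings.
    Returns {"*"} when a basic role is involved, since the set is unbounded."""
    result = set()
    for binding in policy["bindings"]:
        if member in binding["members"]:
            result |= ROLE_PERMISSIONS.get(binding["role"], set())
    return {"*"} if "*" in result else result


def broad_bindings(policy: dict) -> list:
    """Members bound to a basic role; each deserves a least-privilege review
    and, where possible, a swap to a predefined or custom role."""
    return sorted(
        member
        for binding in policy["bindings"]
        if binding["role"] in BASIC_ROLES
        for member in binding["members"]
    )


# Constructed project policy: a scheduler service account gets only the
# custom role it needs, while a human user still carries the editor role.
SCHEDULER = "serviceAccount:scheduler@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "etag": "ETAG-PLACEHOLDER",  # real policies carry a server-issued etag
    "bindings": [
        make_binding("projects/example-project/roles/instanceStarter", [SCHEDULER]),
        make_binding("roles/editor", ["user:alice@example.com"]),
    ],
}

if __name__ == "__main__":
    print("scheduler can start:", has_permission(SAMPLE_POLICY, SCHEDULER, "compute.instances.start"))
    print("scheduler can delete:", has_permission(SAMPLE_POLICY, SCHEDULER, "compute.instances.delete"))
    print("review these members:", broad_bindings(SAMPLE_POLICY))
```

The shape of SAMPLE_POLICY (version, etag, bindings with role and members) is the document format that `gcloud projects get-iam-policy` and `set-iam-policy` exchange, so a check like broad_bindings can be run over a real exported policy before a change is pushed back.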