Base roles needed for GCP Developers
There's always a separation of concerns within an organization. The operational team is typically separate from the development team, as is the security team.
How does one (in GCP) assign different roles (permissions) that can assist each team in their daily tasks?
GCP Developer Role versus Infrastructure (Operational) Roles
Often, the infrastructure teams and the development teams are separate entities. The infrastructure team owns the cloud infrastructure and will provide a GCP Developer (or a team) with a blank project (read up on the project boundary and service accounts in GCP).
This blank development project may or may not have a VPC built out for development.
If an existing project with a standalone (or Shared) VPC is in place, the Roles needed for DEVELOPERS include:
1. Project Editor on the Project containing the standalone VPC (Owner preferred, but often owner may not be granted).
2. Compute Engine Admin and Compute Engine Network Admin - To create and manage compute instances. The network admin also allows building and managing VPCs, Subnets and Firewall rules, in case that responsibility is delegated to the development team as well.
3. Service Account User and Service Account Admin (roles/iam.serviceAccountUser, roles/iam.serviceAccountAdmin) - To create Service Accounts and use them from Terraform.
If new projects may need to be created by the DEVELOPMENT team (as is often the case), they will also need, in addition to the above:
- Project Creator Role at the Organization Level (roles/resourcemanager.projectCreator)
- Folder Admin Role (roles/resourcemanager.folderAdmin) to create their own Folders to contain the project
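As an added example (not part of the original post), the script below renders the gcloud bindings for exactly the roles listed above so they can be reviewed before anything is applied; the group, project id and organization id are constructed placeholders. It prints the commands by default and only executes them when APPLY=1.

```shell
#!/usr/bin/env sh
# Added example: bind the developer roles from the post to a Google Group.
# All identifiers below are constructed placeholders, not real resources.
set -eu

DEV_GROUP="group:gcp-developers@example.com"   # placeholder group
PROJECT_ID="dev-sandbox-example"               # placeholder project id
ORG_ID="123456789012"                          # placeholder organization id

# Project-level roles listed in items 1-3 of the post.
PROJECT_ROLES="roles/editor
roles/compute.admin
roles/compute.networkAdmin
roles/iam.serviceAccountUser
roles/iam.serviceAccountAdmin"

# Organization-level roles needed only when developers create projects/folders.
ORG_ROLES="roles/resourcemanager.projectCreator
roles/resourcemanager.folderAdmin"

# Build (do not run) the gcloud command for one binding at each scope.
project_binding_cmd() {  # $1 project id, $2 member, $3 role
  printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' "$1" "$2" "$3"
}
org_binding_cmd() {      # $1 org id, $2 member, $3 role
  printf 'gcloud organizations add-iam-policy-binding %s --member=%s --role=%s\n' "$1" "$2" "$3"
}

# Emit one command per role for a scope; the member gets this list and nothing more.
render_bindings() {  # $1 scope (project|org), $2 resource id, $3 member
  case "$1" in
    project) roles="$PROJECT_ROLES"; fn=project_binding_cmd ;;
    org)     roles="$ORG_ROLES";     fn=org_binding_cmd ;;
    *) echo "unknown scope: $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$roles" | while IFS= read -r role; do
    [ -n "$role" ] && "$fn" "$2" "$3" "$role"
  done
}

# Number of bindings a scope would grant; handy for a review checklist.
count_bindings() { render_bindings "$@" | wc -l | tr -d ' '; }

# Dry run unless APPLY=1: print the commands for review instead of executing them.
if [ "${APPLY:-0}" = "1" ]; then
  render_bindings project "$PROJECT_ID" "$DEV_GROUP" | sh -x
  render_bindings org "$ORG_ID" "$DEV_GROUP" | sh -x
else
  render_bindings project "$PROJECT_ID" "$DEV_GROUP"
  render_bindings org "$ORG_ID" "$DEV_GROUP"
fi
```

Run it once without APPLY to diff the rendered commands against the list in the post, then rerun with APPLY=1 from an account that already holds the organization-level admin roles.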
Summary
Most organizations have a separate infrastructure team (which typically owns the cloud infrastructure) and separate development teams, which build and own the applications hosted on that infrastructure. To quickly ramp up human users (Cloud Identity Users), there is a set of roles (GCP Permissions) that are helpful. This post provides a quick recap of the developer-friendly roles needed for GCP development.
Set up a 1 on 1 appointment with Anuj to assist with your GCP cloud journey.