Also read:

  • Roles, IAM in GCP
  • AWS Managed Policies for On Premises Work Functions
  • Base Roles for Developers in GCP

Can Anyone Create Custom Roles?

No. Only users who have the following permission assigned can create custom roles (any OWNER already has this permission):

iam.roles.create

Users who are not owners, including organization administrators, must be granted either the Organization Role Administrator role (roles/iam.organizationRoleAdmin) or the IAM Role Administrator role (roles/iam.roleAdmin), both of which include this permission.

Some Recommended Custom Roles in GCP

  • Org Admins, Project Admins, Folder Admins - Map to Administrator roles on premises
  • Read Only Access to all services and resources - Maps to Managerial Roles
  • A Shared VPC Admin Role (maps to a network admin role)
  • A Compute Engine Admin Role (maps to a Sys Admin)
  • A Power User Role (A Developer Role)
  • An IAM Security Auditor Role - This is built in. The IAM Security Reviewer role (roles/iam.securityReviewer) can view all IAM security related resources, INCLUDING custom roles.
  • A Security Auditor Role - This is also built in.
  • A Break Glass Admin Role
  • KMS Specific Roles (Unlike AWS, where KMS key policies are attached per CMK rather than being IAM wide, GCP has predefined KMS roles that are IAM wide). E.g. a KMS Admin Role
  • A Security Command Center Role - Is basically a Security Center Admin Role. (Initial setup of Security Command Center requires a few more roles - Org Admin, Security Center Admin, Security Admin and Service Account Creator)

Primitive (Basic) Roles (Owner, Editor, Viewer) - What's Included?

gcloud iam roles describe ROLE_ID (e.g. gcloud iam roles describe roles/viewer) will show you which permissions are part of a role.

What is an IAM Policy Binding in GCP?

An IAM binding connects a role (a set of permissions) on a resource, or group of resources, to one or more members (users, groups or service accounts).

It is important to note that NO INDIVIDUAL RESOURCES are being BOUND in the policy binding. Rather, the binding is for a CONTAINER (e.g. a project, folder or organization) or an entire class of resources (e.g. buckets).

Example of a container resource - this role binding provides create permissions on a PROJECT (a container resource):
"role": "roles/resourcemanager.projectCreator"

Example of a group of resources (e.g. storage buckets)
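As an added example that is not part of the original post, the script below reads an IAM policy document in the binding shape described above (a constructed sample mimicking the JSON that gcloud projects get-iam-policy returns, with example.com members) and flags the bindings a reviewer would want to look at first: public members, basic (primitive) roles, and the two roles that include iam.roles.create and therefore let a member create custom roles.

```python
import json

# Basic (primitive) roles discussed in the post; broad grants that deserve review.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Predefined roles that carry iam.roles.create, i.e. can create custom roles.
ROLE_ADMIN_ROLES = {"roles/iam.roleAdmin", "roles/iam.organizationRoleAdmin"}
# Special members that make a binding reachable by anyone.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not from a real project): same structure as
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.projectCreator",
         "members": ["group:project-admins@example.com"]},
        {"role": "roles/editor",
         "members": ["user:dev@example.com"]},
        {"role": "roles/iam.roleAdmin",
         "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
    ],
    "etag": "BwExampleEtag=",
})


def audit_policy(policy_json):
    """Return (finding, role, member) tuples for bindings worth review."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("public_member", role, member))
            if role in BASIC_ROLES:
                findings.append(("basic_role", role, member))
            if role in ROLE_ADMIN_ROLES:
                findings.append(("can_create_custom_roles", role, member))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("%-24s %-40s %s" % finding)
```

Conditional bindings (a "condition" key on the binding) are not evaluated here; a binding with a condition is still reported if its role or member matches.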

Managing Policies using gcloud

First, update the gcloud components, and then you can start managing policies with gcloud:

gcloud components update

What about DENIALS at a higher level (not resource level)?

Certain SERVICE DENIALS can be defined at the top ORGANIZATION LEVEL. These are done via Organization Policies (constraints), which apply to every folder and project beneath the organization.

Some Built In Organization Level Policies (that DENY access to resources)

  • Disable Service Account Creation (at the ORG level)
  • Skip Default Network Creation
  • Disallow Shared VPC
  • Only Allow Resources in US Based Regions
  • Disallow Public IP Creation (Will DENY users from creating any VPN tunnel or Interconnect back to on-prem)

Summary

This is meant to be a quick recap of some recommended IAM Groups and Custom Roles in GCP.

Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.