Granting Access to Resources in GCP
Also read: Terraform and GCP Roles
Introduction - Granting access to Resources in GCP
In GCP it is important to distinguish between container resources (the organization, folders and projects, which hold other resources) and individual resources (a single bucket, a single VM).
When a user asks for access to a resource, clarify whether they need access to a SINGLE resource (e.g. one storage bucket or one compute instance) OR to MULTIPLE resources (e.g. ALL storage buckets within a project).
If the former (individual resources), grant the role directly on that resource: for example the Storage Admin role (roles/storage.admin) on a particular Cloud Storage bucket, or a Compute Instance Admin role (roles/compute.instanceAdmin) on a specific Compute Engine instance.
If the latter (an entire set of resources in a project), grant the role at the project level.
Role bindings on a project are inherited by every resource within that project.
So, to grant access to all Cloud Storage buckets in a project, bind roles/storage.admin on the project instead of on each individual bucket. Be precise about what inheritance does and does not do: the role is inherited by every child resource, but it only ever carries the permissions it contains. roles/storage.admin on the project therefore covers every bucket in the project but grants nothing on the Compute Engine instances in that same project; a user who needs both also needs a compute role (or a basic role such as Editor, which spans all services but is far broader than least privilege requires).
The PROJECT Resource
Projects can be confusing in GCP, as can GCP IAM.
- A Project is a resource, and specifically a resource that supports IAM policies. Which service does the 'project' resource belong to?
- IAM policies are supported by certain resources (projects among them).
- Each resource belongs to a service.
So which SERVICE does the PROJECT resource belong to?
It is the Resource Manager service (resourcemanager in role and permission names).
Why does this matter?
Permissions are named after the service that owns the resource, in the form service.resource.verb, and predefined roles are named roles/service.roleName. The permissions that control a project resource are therefore owned by Resource Manager, for example:
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.setIamPolicy
These are the permissions bundled by the predefined Project IAM Admin role (roles/resourcemanager.projectIamAdmin), which is why that role carries the resourcemanager prefix rather than, say, storage.
Summary - and Least Privilege Principle (Use Predefined, Granular Roles)
To grant a human user access at the project level, the quick option is a basic role (formerly called a primitive role): Owner, Editor or Viewer on the project. Note the restriction on Owner: it cannot be granted to a member outside your organization through gcloud or the API, and on a project that is not part of an organization it can only be granted through the Cloud Console, which sends the user an invitation they must accept.
However, to follow the least privilege principle, grant granular predefined roles instead. For administering the project itself, use roles from the resourcemanager service such as Project IAM Admin (roles/resourcemanager.projectIamAdmin), which carries only the resourcemanager.projects permissions listed above; for the workloads, use roles scoped to the service actually needed (roles/storage.admin, a Compute Instance Admin role), bound on the individual resource where possible and on the project only when the user genuinely needs every such resource in it.
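The inheritance rule from the earlier section and the least-privilege point just made are easiest to see with a small model of the policy data. The following is an added example, not Google's code and not part of the original post: a toy policy store where a project holds two buckets and one VM, with a constructed subset of the real role-to-permission map. The project, bucket and instance names and the users are made up; `add_iam_policy_binding` mimics what `gcloud ... add-iam-policy-binding` does to a policy's bindings, and `has_permission` resolves a member's effective roles by walking up to the parent, which is the inheritance rule described above.

```python
"""Toy model of how GCP IAM bindings are inherited down the resource hierarchy.

Added example, not Google's code. ROLE_PERMISSIONS is a constructed subset of
the real predefined roles; the project, buckets, instance and users are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed subset of each role's permissions (the real roles carry many more).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.admin": {
        "storage.buckets.get", "storage.buckets.setIamPolicy",
        "storage.objects.get", "storage.objects.create",
    },
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.start", "compute.instances.stop",
    },
    "roles/resourcemanager.projectIamAdmin": {
        "resourcemanager.projects.get",
        "resourcemanager.projects.getIamPolicy",
        "resourcemanager.projects.setIamPolicy",
    },
}
# Basic roles span every service; in this model Owner is the union of everything
# and Editor is the same minus the setIamPolicy verbs.
ROLE_PERMISSIONS["roles/owner"] = set().union(*ROLE_PERMISSIONS.values())
ROLE_PERMISSIONS["roles/editor"] = {
    p for p in ROLE_PERMISSIONS["roles/owner"] if not p.endswith(".setIamPolicy")
}


@dataclass
class Resource:
    """A resource carrying its own IAM policy and, except for the project, a parent."""
    name: str
    service: str                        # owning service: resourcemanager, storage, compute
    parent: Optional["Resource"] = None
    # Same shape as the policy the IAM API returns: a list of {role, members} bindings.
    policy: Dict[str, List[Dict[str, object]]] = field(
        default_factory=lambda: {"bindings": []}
    )


def add_iam_policy_binding(resource: Resource, member: str, role: str) -> Dict:
    """Mirror of `gcloud ... add-iam-policy-binding`: merge member into the role's binding."""
    for binding in resource.policy["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return resource.policy
    resource.policy["bindings"].append({"role": role, "members": [member]})
    return resource.policy


def effective_roles(resource: Resource, member: str) -> Set[str]:
    """Roles the member holds on `resource`: its own bindings plus every ancestor's.

    This is the inheritance rule: a binding on the project applies to every
    bucket and instance under it.
    """
    roles: Set[str] = set()
    node: Optional[Resource] = resource
    while node is not None:
        for binding in node.policy["bindings"]:
            if member in binding["members"]:
                roles.add(binding["role"])
        node = node.parent
    return roles


def has_permission(resource: Resource, member: str, permission: str) -> bool:
    """True if an effective role carries the permission and it belongs to this resource's service.

    Inheritance carries the role down the tree, but the permissions inside the role
    decide which services it reaches: storage.admin on the project covers every
    bucket yet grants nothing on a Compute Engine instance.
    """
    if permission.split(".")[0] != resource.service:
        return False
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in effective_roles(resource, member))


def build_demo() -> Dict[str, Resource]:
    """Constructed hierarchy: one project containing two buckets and one VM."""
    project = Resource("projects/demo-proj", "resourcemanager")
    logs = Resource("projects/demo-proj/buckets/demo-logs", "storage", project)
    archive = Resource("projects/demo-proj/buckets/demo-archive", "storage", project)
    vm = Resource("projects/demo-proj/zones/us-central1-a/instances/web-1", "compute", project)

    # alice: one bucket only (individual resource)
    add_iam_policy_binding(logs, "user:alice@example.com", "roles/storage.admin")
    # bob: every bucket in the project (container resource) through inheritance
    add_iam_policy_binding(project, "user:bob@example.com", "roles/storage.admin")
    # carol: may edit the project's IAM policy and nothing else (least privilege)
    add_iam_policy_binding(project, "user:carol@example.com", "roles/resourcemanager.projectIamAdmin")
    # dave: basic Owner role on the project
    add_iam_policy_binding(project, "user:dave@example.com", "roles/owner")
    return {"project": project, "logs": logs, "archive": archive, "vm": vm}


if __name__ == "__main__":
    r = build_demo()
    for who in ("alice", "bob", "carol", "dave"):
        m = f"user:{who}@example.com"
        print(who, "logs:", has_permission(r["logs"], m, "storage.buckets.get"),
              "archive:", has_permission(r["archive"], m, "storage.buckets.get"),
              "vm:", has_permission(r["vm"], m, "compute.instances.get"),
              "setIamPolicy:", has_permission(r["project"], m, "resourcemanager.projects.setIamPolicy"))
```

Running it shows alice reaching only her bucket, bob reaching both buckets but not the VM despite holding roles/storage.admin on the project, carol able to change the project's IAM policy but not read a single object, and dave (Owner) able to do all of it. The real-world equivalents of the two storage.admin bindings are `gcloud storage buckets add-iam-policy-binding gs://demo-logs --member=user:alice@example.com --role=roles/storage.admin` and `gcloud projects add-iam-policy-binding demo-proj --member=user:bob@example.com --role=roles/storage.admin` (bucket and project names are the made-up ones from the example).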