Granting access to resources in GCP at the Organization Level
Organizations - Do you always get an Org?
No. As part of your account setup, you can set up an account with just a simple gmail / google workspace account. You do not need an Org to be defined.
Intro to IAM Policies
Most of the confusion arises from interchangeably using Service and Resource. For example, Storage is a service, but a bucket is the actual resource.
Hierarchical Policies -
- Child Policies cannot override Parent Level Policies
- Best Practice - DENY from the top down. ALLOW from bottom up.
Why is this important?
When you define policies, you get to pick a SERVICE to work with. And within that service, you get to pick a RESOURCE (or multiple resources).
For example, ResourceManager is the SERVICE. And Organization is the Resource.
Use Case - DENY Access to a Cloud Storage Bucket, to an entire group of users
Grant roles to the gcp-network-admins
group at the organization level
Group
[email protected]
Resource
XYZ.com
Roles
- Compute Engine > Compute Network Admin. This grants permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates.
- Compute Engine > Compute Shared VPC Admin. This grants permissions to administer Shared VPC host projects.
- Compute Engine > Compute Security Admin. This grants permissions to create, modify, and delete firewall rules and SSL certificates.
- Resource Manager > Folder Viewer. This grants permissions to view for
There are no members that have matching roles
Grant roles to the gcp-security-admins
group at the organization level
Group
[email protected]
Resource
XYZ.com
Roles
- Organization Policy > Organization Policy Admin. This grants permissions to set organization-level Cloud IAM policies.
- Organization Policy > Organization Policy Viewer. This grants permissions to view the Cloud IAM policies that apply to the organization.
- IAM > Security Reviewer. This grants permissions to view all resources for the organization, and to view the Cloud IAM policies that apply to them.
- Roles > Organization Role Viewer. This grants permissions to view all custom Cloud IAM roles in the organization, and to view the projects that they apply to.
- Security Center > Security Center Admin. This grants administrator access to the security command center.
- Resource Manager > Folder IAM Admin. This grants permissions to set folder-level Cloud IAM policies.
- Logging > Private Logs Viewer. This grants read-only access to Cloud Logging features, including the ability to read private logs.
- Logging > Logs Configuration Writer. This grants permissions to create logs-based metrics and export sinks.
- Kubernetes Engine > Kubernetes Engine Viewer. This grants read-only access to Kubernetes Engine resources.
- Compute Engine > Compute Viewer. This grants read-only access to Compute Engine resources.
- BigQuery > BigQuery Data Viewer. This grants permissions for BigQuery datasets.
Leave a Reply