Admin vs. User roles in GCP
Read these posts first
- An overview of Roles in GCP and how to quickly view assigned roles
- Custom Roles in GCP
- Developer Roles in GCP
Separate Security and Network admins
The tables below list the IAM roles granted to the network admin team, the security team and the development team, together with the resource level (organization or project) at which each role is granted.
Shared VPC Admin, Network Admin, Security Admin and Organization Admin are granted at the organization level
Resource | Roles | Member
---|---|---
Organization | Shared VPC Admin, Network Admin | Network Admin team
Organization | Security Admin, Organization Admin | Security team
Network User and Compute Instance Admin are granted at the project level: Network User on the Shared VPC host project, Compute Instance Admin on the service projects
Resource | Role | Member | Notes
---|---|---|---
Host project | Network User | Developers | This role grants permission to use the subnets shared from the Shared VPC host project.
Service project | compute.instanceAdmin | Developers | Note that this role also grants permission to use external IP addresses. See the note below for guidance on how to prevent this.
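As an added example (not part of the original post), the Python script below encodes the grants from the tables above as expected IAM bindings and audits a policy document of the shape returned by `gcloud organizations|projects get-iam-policy --format=json` against them, flagging members holding roles they should not and grants that are missing. The organization ID, project IDs and group addresses are constructed placeholders; the role IDs are the predefined GCP roles corresponding to the role names in the tables (Shared VPC Admin is `roles/compute.xpnAdmin`).

```python
import json

# Expected grants taken from the tables above. Organization ID, project IDs
# and group addresses are constructed placeholders; role IDs are real
# predefined GCP roles.
EXPECTED = {
    "organizations/123456789012": {
        "roles/compute.xpnAdmin": {"group:network-admins@example.com"},   # Shared VPC Admin
        "roles/compute.networkAdmin": {"group:network-admins@example.com"},
        "roles/iam.securityAdmin": {"group:security@example.com"},
        "roles/resourcemanager.organizationAdmin": {"group:security@example.com"},
    },
    "projects/host-project": {
        "roles/compute.networkUser": {"group:developers@example.com"},
    },
    "projects/service-project-a": {
        "roles/compute.instanceAdmin": {"group:developers@example.com"},
    },
}

# Roles that, per the post, belong only at the organization level.
ORG_ONLY_ROLES = set(EXPECTED["organizations/123456789012"])


def audit(resource, policy):
    """Compare one resource's IAM policy against EXPECTED; return findings."""
    findings = []
    expected = EXPECTED.get(resource, {})
    granted = {}
    for binding in policy.get("bindings", []):
        granted.setdefault(binding["role"], set()).update(binding.get("members", []))
    for role, members in granted.items():
        for member in members - expected.get(role, set()):
            if role in ORG_ONLY_ROLES and not resource.startswith("organizations/"):
                findings.append(f"{resource}: {role} granted to {member} below org level")
            else:
                findings.append(f"{resource}: unexpected member {member} for {role}")
    for role, members in expected.items():
        for member in members - granted.get(role, set()):
            findings.append(f"{resource}: missing {role} for {member}")
    return findings


# Constructed sample policy for a service project: the developer group holds
# Compute Instance Admin as intended, but one user has also been handed
# Network Admin directly on the project.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/compute.instanceAdmin", "members": ["group:developers@example.com"]},
  {"role": "roles/compute.networkAdmin", "members": ["user:dev1@example.com"]}
]}
""")

if __name__ == "__main__":
    for finding in audit("projects/service-project-a", SAMPLE_POLICY):
        print(finding)
```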
Summary
This post illustrates the key differences between the roles required for GCP networking administration (creating, destroying and modifying GCP networking resources) and the roles required only to use GCP networking.