Google Cloud Identity and Access Management Concepts: Difference between revisions
(Created page with "=Internal= * https://kb.novaordis.com/index.php/Google_Cloud_Identity_and_Access_Management#Subjects|Google Cloud Identity and Access Management}}") |
|||
(71 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=External= | |||
* https://cloud.google.com/iam/docs/overview | |||
=Internal= | =Internal= | ||
* [[https:// | * [[Google_Cloud_Identity_and_Access_Management#Subjects|Google Cloud Identity and Access Management]] | ||
* [[Google Cloud Authentication for Programmatic Access]] | |||
=Overview= | |||
IAM allows granting granular access to [[#Resource|Google Cloud resources]]. It supports the security principle of least privilege, which states that nobody should have more permission that they actually need. IAM manages control by defining who (the [[#Identity_Concepts|identity]]) has what access (the [[#Role|role]]) for which [[#Resource|resource]]. Permissions to access resources are not granted directed to end users, but to [[#Role|roles]]. [[#Role|Roles]] are granted to [[#Authenticated_Member|authenticated members]]. The association between what roles are granted to which members is defined in an [[#IAM_Policy|IAM Policy]]. IAM policies are attached to resources. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted. | |||
=Identity Concepts= | |||
==Member== | |||
A member can be a [[#Google_Account|Google account]], a [[#Service_Account|service account]], a [[#Google_Group|Google group]], a [[#Google_Workspace|Google Workspace]] or a [[#Cloud_Identity_Domain|Cloud Identity domain]]. | |||
===Google Account=== | |||
A Google Account represents a developer, an administrator, or any other person who interacts with Google Cloud. The identity of the member in this case is the email address that's associated with a Google account. | |||
===Service Account=== | |||
{{External|https://cloud.google.com/iam/docs/service-accounts}} | |||
A service account is an account for an application. Code running in Google Cloud runs as a "service account". The identity of the member in this case is the email address that's associated with the service account. | |||
====Service Account Credentials==== | |||
=====Account===== | |||
Same as [[#Client_Email|Client Email]]. | |||
=====Client ID===== | |||
A digit-only string that uniquely identifies the [[#Service_Account|service account]]. Optional. | |||
=====Client Email===== | |||
Required. Client email address of the service account. Also exposed as [[#Account|Account]]. | |||
=====Private Key ID===== | |||
Hexadecimal string private key ID. | |||
=====Private Key===== | |||
Required. Service account private key in PKCS8 PEM base64-encoded format. | |||
=====Scopes===== | |||
=====Default Scopes===== | |||
=====TokenServerUri===== | |||
=====Project ID===== | |||
=====Quota Project ID===== | |||
=====Service Account User===== | |||
====Service Account Key File==== | |||
A key file contains the private key a [[Google Cloud Programmatic Access|programmatic client]] that assumes the identity of a [[#Service_Account|service account]] uses to authenticate to Google Cloud services. The service account key file can be generated with <code>[[Google_Cloud_Identity_and_Access_Management_Operations#Generate_a_Key_File_for_Service_Account|gcloud iam service-accounts key create]]</code>. | |||
<syntaxhighlight lang='json'> | |||
{ | |||
"type": "service_account", | |||
"project_id": "cellular-syntax-333333", | |||
"private_key_id": "2222222222222222222222222222222222222222", | |||
"private_key": "-----BEGIN PRIVATE KEY-----\nM...A=\n-----END PRIVATE KEY-----\n", | |||
"client_email": "test-sa@cellular-syntax-333333.iam.gserviceaccount.com", | |||
"client_id": "111111111111111111111", | |||
"auth_uri": "https://accounts.google.com/o/oauth2/auth", | |||
"token_uri": "https://oauth2.googleapis.com/token", | |||
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", | |||
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-sa%40cellular-syntax-333333.iam.gserviceaccount.com" | |||
} | |||
</syntaxhighlight> | |||
====Service Account Operations==== | |||
* [[Google_Cloud_Identity_and_Access_Management_Operations#Create_Service_Account|Create a service account]] | |||
* [[Google_Cloud_Identity_and_Access_Management_Operations#Give_Service_Account_Permissions_on_a_Project|Give a service account permissions to a project]] | |||
* [[Google_Cloud_Identity_and_Access_Management_Operations#Generate_a_Key_File_for_Service_Account|Generate a key file for service account]] | |||
===Google Group=== | |||
A Google group is a named collection of [[#Google_Account|Google accounts]] and [[#Service_Account|service accounts]]. Every Google group has a unique email address that's associated with the group. The identity of the member in this case is the email address that's associated with the Google group. Google groups are used to appy an access policy to a group of users. Google Groups don't have login credentials. Google Groups cannot be used to establish identity to make a request to access a resource. | |||
===<span id='Google_Workspace'></span>Google Workspace domain=== | |||
<font color=darkgray>TODO: https://cloud.google.com/iam/docs/overview#g-suite-domain</font>. The identity of the member in this case is the domain name that's associated with the Google Workspace. | |||
===Cloud Identity Domain=== | |||
<font color=darkgray>TODO: https://cloud.google.com/iam/docs/overview#cloud-identity-domain</font>. The identity of the member in this case is the domain name that's associated with the Cloud Identity domain. | |||
===All Authenticated Users=== | |||
The value <code>allAuthenticatedUsers</code> is a special identifier that represents all service accounts and all users on the internet who have authenticated with a Google Account. This identifier includes accounts that aren't connected to a Google Workspace or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. Some resource types do not support this member type. | |||
===All Users=== | |||
The value <code>allUsers</code> is a special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users. Some resource types do not support this member type. | |||
===Authenticated Member=== | |||
====Google Cloud Authentication for Programmatic Access==== | |||
{{Internal|Google Cloud Authentication for Programmatic Access|Google Cloud Authentication for Programmatic Access}} | |||
=Access Management Concepts= | |||
==Resource== | |||
{{Internal|Google_Cloud_Platform_Concepts#Resource|Google Cloud Platform Concepts | Resources}} | |||
<font color=darkgray>TODO: https://cloud.google.com/iam/docs/overview#resource</font> | |||
<font color=darkgray>TODO Resource Hierarchy https://cloud.google.com/iam/docs/overview#resource-hierarchy</font> | |||
==Role== | |||
<font color=darkgray>TODO: | |||
* https://cloud.google.com/iam/docs/overview#roles | |||
* https://cloud.google.com/iam/docs/understanding-roles | |||
</font> | |||
A role is a collection of permissions. When a role is granted to a member, all the permissions that the role contains are granted to the member. | |||
===Permission=== | |||
<font color=darkgray>TODO: https://cloud.google.com/iam/docs/overview#permissions</font> | |||
A permission determines what operations are allowed on a [[#Resource|resource]]. | |||
===Role Binding=== | |||
A role binding is the association between a [[#Member|member]] and a [[#Role|role]]. Role bindings are listed in [[#IAM_Policy|IAM policies]]. | |||
===Basic Roles=== | |||
In production environments, do not grant the [[#Owner|Owner]], [[#Editor|Editor]], or [[#Viewer|Viewer]] roles. | |||
====Owner==== | |||
====Editor==== | |||
====Viewer==== | |||
===Predefined Roles=== | |||
<font color=darkgray>TODO</font> | |||
===Custom Roles=== | |||
<font color=darkgray>TODO</font> | |||
==IAM Policy== | |||
<font color=darkgray>TODO: https://cloud.google.com/iam/docs/overview#cloud-iam-policy</font> | |||
An IAM policy is a collection of [[#Role_Binding|role bindings]]. An IAM Policy is attached to a [[#Resource|resource]]. When an [[#Authenticated_Member|authenticated member]] attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted. | |||
For example, a [[#Service_Account|service account]] (as [[#Member|member]]) can be given permissions to a project (a [[#Resource|resource]], by binding the service account to a [[#Role|role]], via a [[#Role_Binding|role binding]] that is added to the project's IAM policy: | |||
<syntaxhighlight lang='bash'> | |||
gcloud projects add-iam-policy-binding my-project-id \ | |||
--member="serviceAccount:my-service-account@my-project-id.iam.gserviceaccount.com" \ | |||
--role="roles/owner" | |||
</syntaxhighlight> | |||
=IAM Support for Google Cloud services= | |||
<font color=darkgray>TODO: https://cloud.google.com/iam/docs/overview#cloud_iam_support_for_gcp_services</font> | |||
=Consistency model for the IAM API= | |||
<font color=darkgray>TODO: https://cloud.google.com/iam/docs/overview#consistency</font> |
Latest revision as of 05:16, 2 September 2021
External
Internal
Overview
IAM allows granting granular access to Google Cloud resources. It supports the security principle of least privilege, which states that nobody should have more permission that they actually need. IAM manages control by defining who (the identity) has what access (the role) for which resource. Permissions to access resources are not granted directed to end users, but to roles. Roles are granted to authenticated members. The association between what roles are granted to which members is defined in an IAM Policy. IAM policies are attached to resources. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.
Identity Concepts
Member
A member can be a Google account, a service account, a Google group, a Google Workspace or a Cloud Identity domain.
Google Account
A Google Account represents a developer, an administrator, or any other person who interacts with Google Cloud. The identity of the member in this case is the email address that's associated with a Google account.
Service Account
A service account is an account for an application. Code running in Google Cloud runs as a "service account". The identity of the member in this case is the email address that's associated with the service account.
Service Account Credentials
Account
Same as Client Email.
Client ID
A digit-only string that uniquely identifies the service account. Optional.
Client Email
Required. Client email address of the service account. Also exposed as Account.
Private Key ID
Hexadecimal string private key ID.
Private Key
Required. Service account private key in PKCS8 PEM base64-encoded format.
Scopes
Default Scopes
TokenServerUri
Project ID
Quota Project ID
Service Account User
Service Account Key File
A key file contains the private key a programmatic client that assumes the identity of a service account uses to authenticate to Google Cloud services. The service account key file can be generated with gcloud iam service-accounts key create
.
{
"type": "service_account",
"project_id": "cellular-syntax-333333",
"private_key_id": "2222222222222222222222222222222222222222",
"private_key": "-----BEGIN PRIVATE KEY-----\nM...A=\n-----END PRIVATE KEY-----\n",
"client_email": "test-sa@cellular-syntax-333333.iam.gserviceaccount.com",
"client_id": "111111111111111111111",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-sa%40cellular-syntax-333333.iam.gserviceaccount.com"
}
Service Account Operations
- Create a service account
- Give a service account permissions to a project
- Generate a key file for service account
Google Group
A Google group is a named collection of Google accounts and service accounts. Every Google group has a unique email address that's associated with the group. The identity of the member in this case is the email address that's associated with the Google group. Google groups are used to appy an access policy to a group of users. Google Groups don't have login credentials. Google Groups cannot be used to establish identity to make a request to access a resource.
Google Workspace domain
TODO: https://cloud.google.com/iam/docs/overview#g-suite-domain. The identity of the member in this case is the domain name that's associated with the Google Workspace.
Cloud Identity Domain
TODO: https://cloud.google.com/iam/docs/overview#cloud-identity-domain. The identity of the member in this case is the domain name that's associated with the Cloud Identity domain.
All Authenticated Users
The value allAuthenticatedUsers
is a special identifier that represents all service accounts and all users on the internet who have authenticated with a Google Account. This identifier includes accounts that aren't connected to a Google Workspace or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. Some resource types do not support this member type.
All Users
The value allUsers
is a special identifier that represents anyone who is on the internet, including authenticated and unauthenticated users. Some resource types do not support this member type.
Authenticated Member
Google Cloud Authentication for Programmatic Access
Access Management Concepts
Resource
TODO: https://cloud.google.com/iam/docs/overview#resource
TODO Resource Hierarchy https://cloud.google.com/iam/docs/overview#resource-hierarchy
Role
TODO:
- https://cloud.google.com/iam/docs/overview#roles
- https://cloud.google.com/iam/docs/understanding-roles
A role is a collection of permissions. When a role is granted to a member, all the permissions that the role contains are granted to the member.
Permission
TODO: https://cloud.google.com/iam/docs/overview#permissions
A permission determines what operations are allowed on a resource.
Role Binding
A role binding is the association between a member and a role. Role bindings are listed in IAM policies.
Basic Roles
In production environments, do not grant the Owner, Editor, or Viewer roles.
Owner
Editor
Viewer
Predefined Roles
TODO
Custom Roles
TODO
IAM Policy
TODO: https://cloud.google.com/iam/docs/overview#cloud-iam-policy
An IAM policy is a collection of role bindings. An IAM Policy is attached to a resource. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.
For example, a service account (as member) can be given permissions to a project (a resource, by binding the service account to a role, via a role binding that is added to the project's IAM policy:
gcloud projects add-iam-policy-binding my-project-id \
--member="serviceAccount:my-service-account@my-project-id.iam.gserviceaccount.com" \
--role="roles/owner"
IAM Support for Google Cloud services
TODO: https://cloud.google.com/iam/docs/overview#cloud_iam_support_for_gcp_services
Consistency model for the IAM API
TODO: https://cloud.google.com/iam/docs/overview#consistency