Google Cloud Identity and Access Management Concepts

From NovaOrdis Knowledge Base

External

Internal

Overview

IAM allows granting granular access to Google Cloud resources. It supports the security principle of least privilege, which states that nobody should have more permission than they actually need. IAM manages access control by defining who (the identity) has what access (the role) for which resource. Permissions to access resources are not granted directly to end users, but to roles. Roles are granted to authenticated members. The association between which roles are granted to which members is defined in an IAM policy. IAM policies are attached to resources. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.

Identity Concepts

Member

A member can be a Google account, a service account, a Google group, a Google Workspace or a Cloud Identity domain.

Google Account

A Google Account represents a developer, an administrator, or any other person who interacts with Google Cloud. The identity of the member in this case is the email address that's associated with a Google account.

Service Account

A service account is an account for an application. Code running in Google Cloud runs as a "service account". The identity of the member in this case is the email address that's associated with the service account.

Google Group

A Google group is a named collection of Google accounts and service accounts. Every Google group has a unique email address that's associated with the group. The identity of the member in this case is the email address that's associated with the Google group. Google groups are used to apply an access policy to a group of users. Google groups don't have login credentials, so a Google group cannot be used to establish identity when making a request to access a resource.

Google Workspace domain

TODO: https://cloud.google.com/iam/docs/overview#g-suite-domain. The identity of the member in this case is the domain name that's associated with the Google Workspace.

Cloud Identity Domain

TODO: https://cloud.google.com/iam/docs/overview#cloud-identity-domain. The identity of the member in this case is the domain name that's associated with the Cloud Identity domain.

All Authenticated Users

The value allAuthenticatedUsers is a special identifier that represents all service accounts and all users on the internet who have authenticated with a Google Account. This identifier includes accounts that aren't connected to a Google Workspace or Cloud Identity domain, such as personal Gmail accounts. Users who aren't authenticated, such as anonymous visitors, aren't included. Some resource types do not support this member type.

All Users

Authenticated Member

Access Management Concepts

Resource

Google Cloud Platform Concepts | Resources

Role

A role is a collection of permissions. When a role is granted to a member, all the permissions that the role contains are granted to the member.

Permission

A permission determines what operations are allowed on a resource.

Role Binding

A role binding is the association between a member and a role. Role bindings are listed in IAM policies.

IAM Policy

An IAM policy is a collection of role bindings. An IAM Policy is attached to a resource. When an authenticated member attempts to access a resource, IAM checks the resource's policy to determine whether the action is permitted.
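The evaluation chain described above (permission → role → role binding → policy → resource), together with the allAuthenticatedUsers / allUsers distinction from the identity section, as an added worked example that is not Google's code and not part of the original page. The role names, permission names, member identifiers, bucket names and policies are constructed sample data; in particular, matching a domain member against the requester's email suffix is an assumption made for this toy model, not a statement about how Google Cloud resolves domain membership.

```python
"""Toy model of the IAM evaluation described on this page: permissions belong
to roles, roles are bound to members in a policy, the policy is attached to a
resource, and a request is allowed only if some binding on that resource's
policy grants a role containing the requested permission to the requester.
This is an added, illustrative example, not Google's implementation. The role
and permission names, member identifiers and policies below are constructed."""

from dataclasses import dataclass

# Constructed roles: each role is a collection of permissions. The names are
# modelled on the Cloud Storage naming style but are sample data.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
}


@dataclass(frozen=True)
class Requester:
    """The authenticated (or anonymous) principal making a request."""
    kind: str                         # "user", "serviceAccount" or "anonymous"
    identity: str                     # email address of the account
    groups: frozenset = frozenset()   # email addresses of groups containing this account
    authenticated: bool = True


ANONYMOUS = Requester(kind="anonymous", identity="", authenticated=False)


def member_matches(binding_member: str, requester: Requester) -> bool:
    """Does one member entry from a policy binding cover this requester?

    Binding members use the "<type>:<identity>" form, plus the two special
    identifiers allUsers and allAuthenticatedUsers. Group membership is checked
    against the requester's group list because a group never makes a request
    itself (only accounts and service accounts establish identity). Domain
    members match on the email suffix (assumption for this example)."""
    if binding_member == "allUsers":
        return True                                   # includes anonymous visitors
    if binding_member == "allAuthenticatedUsers":
        return requester.authenticated                # any authenticated account
    member_type, _, identity = binding_member.partition(":")
    if member_type == "group":
        return identity in requester.groups
    if member_type == "domain":
        return requester.identity.endswith("@" + identity)
    return member_type == requester.kind and identity == requester.identity


def is_allowed(policy: dict, requester: Requester, permission: str) -> bool:
    """Evaluate one IAM policy: allowed iff some binding's role contains the
    permission and the requester is one of that binding's members."""
    for binding in policy.get("bindings", []):
        if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
            continue          # this binding does not carry the requested permission
        if any(member_matches(m, requester) for m in binding["members"]):
            return True
    return False              # no binding grants it: denied by default


def check_access(resources: dict, resource: str, requester: Requester, permission: str) -> bool:
    """Look up the policy attached to the resource and evaluate it. A resource
    with no policy attached grants nothing."""
    return is_allowed(resources.get(resource, {}), requester, permission)


# Constructed sample: two buckets, each with its own policy attached.
RESOURCES = {
    "buckets/team-reports": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com", "user:bob@example.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
    ]},
    "buckets/public-assets": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]},
}

ALICE = Requester("user", "alice@example.com", frozenset({"analysts@example.com"}))
BOB = Requester("user", "bob@example.com")
ETL = Requester("serviceAccount", "etl@example-project.iam.gserviceaccount.com")

if __name__ == "__main__":
    # Alice reads via her group, but the viewer role carries no create permission.
    print(check_access(RESOURCES, "buckets/team-reports", ALICE, "storage.objects.get"))     # True
    print(check_access(RESOURCES, "buckets/team-reports", ALICE, "storage.objects.create"))  # False
    print(check_access(RESOURCES, "buckets/public-assets", ANONYMOUS, "storage.objects.get"))  # True
```

The least-privilege point from the overview falls out of the structure: Alice's group is bound only to the viewer role, so a create request on the same bucket is denied even though she can read from it, and the ETL service account can write but not read. Nothing is granted to an account directly; every decision passes through a role.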