Security - Identity
IAM
Cloud IAM lets you manage access control by defining who (the member) has what access (the role) for which resource.
You can grant more granular access to Google Cloud resources using the security principle of least privilege.
Only grant access to resources that are necessary.
IAM permissions have the following format:
<service>.<resource>.<verb>
Roles
A role is a collection of permissions. You cannot assign a permission to the user directly.
Instead, you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.
There are three types of roles in Cloud IAM:
Basic roles: they are the original roles that were available in the Cloud console, but they are broad and apply to the whole project.
- Basic roles are the owner, editor and viewer roles.
- There is also a billing administrator role to manage billing and add or remove administrators, without the right to change the resources in the project.
Predefined roles: they provide members with granular access to specific GCP resources and prevent unwanted access to other resources.
Custom roles: you can create a custom role with a set of permissions of your own choosing.
Members
Members define the who part of who can do what on which resource.
There are five different types of members:
Google account: it represents an individual end user (a person).
Service account: it is an account that belongs to your application instead of to an individual end user.
- There are three types of service accounts: user-created, built-in (for Compute Engine/App Engine) and the Google APIs service account, which runs internal Google processes on your behalf.
- There are two types of service account keys: user-managed keys and GCP-managed keys.
- GCP-managed keys cannot be downloaded; they are automatically rotated and used for a maximum of two weeks.
Google group: it is a named collection of Google accounts and service accounts.
Every group has a unique e-mail address that is associated with that group.
Google Groups are a convenient way to apply an access policy to a collection of users.
Google Workspace domain: it represents a virtual group of all the Google accounts that have been created.
Cloud Identity domain: it represents a virtual group of all members in an organization, but doesn't provide access to Google Workspace applications and features.
Cloud Directory Sync: can be used to sync an existing AD/LDAP directory. The synchronization is one-way only, which means that no information in your AD/LDAP directory is modified.
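As an added example (not part of the original notes), the least-privilege, roles and members points above as a check over an IAM policy document: it parses permissions in the <service>.<resource>.<verb> format and flags bindings that use a basic role, a public principal or an individual user instead of a group. The policy shape is the JSON form of a project IAM policy; the sample policy, e-mail addresses and project name are constructed.

```python
# Least-privilege check over a Cloud IAM policy document (the JSON shape of
# a project IAM policy: a list of bindings, each a role plus its members).
import json
from typing import Dict, List, Optional, Tuple

# Basic roles are broad and apply to the whole project; prefer predefined/custom roles.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that open a resource to everyone / every Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def parse_permission(perm: str) -> Optional[Tuple[str, str, str]]:
    """Split a permission into (service, resource, verb); None if malformed."""
    parts = perm.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1], parts[2]


def audit_policy(policy: Dict) -> List[Dict[str, str]]:
    """Return one finding per (role, member) pair that weakens least privilege."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append({"severity": "high", "role": role, "member": member,
                                 "issue": "public principal"})
            if role in BASIC_ROLES:
                findings.append({"severity": "high", "role": role, "member": member,
                                 "issue": "basic role grants broad, project-wide access"})
            if member.startswith("user:"):
                # Groups are the convenient way to apply a policy to many users.
                findings.append({"severity": "low", "role": role, "member": member,
                                 "issue": "bound to an individual user; prefer a group"})
    return findings


# Constructed sample policy (hypothetical project, not real data).
SAMPLE_POLICY = json.loads("""{
  "version": 1,
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/compute.viewer", "members": ["group:sre@example.com"]},
    {"role": "roles/logging.viewer",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f['severity']}] {f['role']} -> {f['member']}: {f['issue']}")
```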
IAP
Cloud IAP (Identity-Aware Proxy) provides managed access to applications running in the App Engine standard/flexible environment, Compute Engine and GKE.
- Control access to your cloud applications running on Google Cloud.
- Verifies a user's identity.
- Determines whether that user should be allowed to access the application.
- End users simply use an internet-accessible URL to access IAP-secured applications; no VPN is needed.
Applications Access
Applications and resources protected by IAP can only be accessed through the proxy by users and groups with the correct Cloud IAM role.
To ensure the security of your applications, you should take the following precautions when using IAP.
- Configure your firewall and load balancer to protect against traffic that doesn't come from the serving infrastructure.
- Use signed headers or the App Engine standard environment Users API.
Identity Platform Authentication
Identity Platform is a customer identity and access management platform for adding identity and access management to applications.
It can be used to support authentication methods such as SAML, OpenID Connect, email and password, and phone.
Identity Platform and Firebase authentication offer similar functionality.
Both allow you to easily sign users into your apps by providing backend services, SDKs, and UI libraries.
However, Identity Platform offers additional capabilities designed for enterprise customers, such as OpenID Connect and SAML authentication, multi-tenancy, enterprise support, and Identity-Aware Proxy integration.