GCP – Example of IAM access on Project Level Resources
Also read – Projects in GCP
Example of IAM in a project (compute engine instances)
Select your user in IAM and assign the following two roles. (At the very least, you would assign the ‘Service Account User’ role to the IAM user; this lets the user act as the built-in service accounts, which are used to access GCP services.)
- Add two roles: Compute Viewer and Service Account User. (A role in GCP is defined as a set of permissions.)
- Because these bindings are made at the project level, the user can view all instances in the project. But, as we show below, the user will be granted log-on (SSH) access to only a single instance, in keeping with the principle of least privilege.
To grant access to specific instances, choose the instance. (Note that what we are doing now is at the RESOURCE level; what we did before was at the project/IAM level.)
- On the instance, “Add Members”
- Assign the “Compute Instance Admin” role to the user. This allows the user SSH access onto that instance.
- However, if the user tries to access any other instance, SSH access will be denied. They can still SEE the other instances, as they hold the Compute Viewer role at the project level.
- This is basically the principle of least privilege at work: the user is allowed access ONLY to what she needs and nothing more.
- The same example above can be applied to restrict / control access to Disks, Storage Buckets, Images, Snapshots etc.
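The following is an added illustration, not part of the original post and not GCP's IAM engine: a small model of how project-level and instance-level role bindings combine, so you can check what a user can do on each instance. The project and instance names, the user, and the (partial) permission lists per role are constructed for the example.

```python
"""Model of GCP IAM policy inheritance: roles bound at the project level
are inherited by every instance in the project, while roles bound on a
single instance apply only to that instance. Illustrative model only."""
from dataclasses import dataclass, field

# Illustrative SUBSET of permissions per predefined role (real permission
# names, but far from the complete lists GCP attaches to these roles).
ROLE_PERMISSIONS = {
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.setMetadata",
        "compute.instances.start", "compute.instances.stop",
    },
}

@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)  # role -> set of members

    def grant(self, role, member):
        self.bindings.setdefault(role, set()).add(member)

def effective_roles(member, resource):
    """Collect roles bound on the resource and on every ancestor (the project)."""
    roles = set()
    node = resource
    while node is not None:
        roles |= {r for r, members in node.bindings.items() if member in members}
        node = node.parent
    return roles

def has_permission(member, permission, resource):
    return any(permission in ROLE_PERMISSIONS[r] for r in effective_roles(member, resource))

def build_example():
    alice = "user:alice@example.com"              # constructed user
    project = Resource("projects/demo-project")   # constructed project
    project.grant("roles/compute.viewer", alice)            # project level
    project.grant("roles/iam.serviceAccountUser", alice)    # project level
    vm_a = Resource("instances/vm-a", parent=project)
    vm_b = Resource("instances/vm-b", parent=project)
    vm_a.grant("roles/compute.instanceAdmin.v1", alice)     # resource level
    return alice, project, vm_a, vm_b

if __name__ == "__main__":
    alice, _, vm_a, vm_b = build_example()
    for vm in (vm_a, vm_b):  # pushing an SSH key via metadata needs setMetadata
        print(vm.name, "view:", has_permission(alice, "compute.instances.get", vm),
              "ssh-key push:", has_permission(alice, "compute.instances.setMetadata", vm))
```

Running it shows vm-a and vm-b are both viewable, but only vm-a accepts the metadata write that an SSH key push requires.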