I want to restrict GCP resources via a custom policy.
1. Specific VM types.
2. Storage size restrictions: only a 10GB size selection allowed.
Is it possible in GCP to restrict users to creating only specific types of resources?
I have created a custom role that only allows create, update, delete and list operations on GCP resources.
I cannot restrict the user so that only a specific type of VM instance creation is allowed.
In Google Cloud Platform, for all services in common, is it possible to provide Admin access but without delete access to any resources? So a user or service account can perform read, create and update operations, but delete alone will be restricted.
The quick answer is no.
For some resources create and update are delete operations. You must consider the resource and the data contained by the resource. For example, updating a Cloud Storage object with zero-length content effectively deletes the content of the object.
For most resources, you can create a custom role with specific permissions. However, not all permissions can be assigned to custom roles, which means you must use a predefined role.
Some resources support delete inhibit (Compute Engine, Cloud Storage), but not all do.
Some resources cannot be deleted (KMS key ring, resources, and versions).
You will need to analyze your requirements resource by resource.
I'm new to GCP.
I was wondering if I have multiple Virtual Machines residing in a resource group and my resources need permission to access BigQuery.
What do I need to add to the policy to grant access?
Another question is if, for example, I had 100 VMs in a resource group, to grant them access, do I have to configure each VM one by one? I'm sure there is a way to give them all access but I don't know the method such as permissions, IAM, policies, templates.
Thanks in advance!
There's no equivalent to a resource group in GCP.
The approach is to create a Service Account and grant it the permissions the resources (e.g. the VMs) need. Then you create the VMs to use the Service Account as their identity.
Resources have a single identity, usually a Service Account. You should create Service Accounts for each functionally|security equivalent resource.
Identities are bound to one or more roles. Roles correspond to one or more service|API methods. Try to use predefined roles, but you can create custom roles.
Service Accounts:
https://cloud.google.com/iam/docs/service-accounts
Compute Engine identities:
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
BigQuery IAM roles:
https://cloud.google.com/bigquery/docs/access-control
Managed Instance Groups:
https://cloud.google.com/compute/docs/instance-groups
If I have 2 VPCs set up for 2 different teams on a single project in GCP and want to give the IAM users access to one single VPC and the resources in that VPC only, how do I do that in Google Cloud Platform? What IAM roles have to be assigned to these users?
You can't achieve this easily and out of the box. The VPC is a resource, and you can restrict access on this resource. VMs (on this VPC) are also resources, and the permissions granted on the VPC aren't inherited by the resources that use this VPC.
You can use a new feature, named asset relationship, that gives you the relation between the assets. That way you could get the assets (resources) in relation with your VPC and enforce the same restriction on all these resources. But you need to code this, it's not out of the box, and the feature is still in preview.
I have given the Compute Instance Admin (v1) role with the conditions Type:
1. compute.googleapis.com/Disk and
2. compute.googleapis.com/Instance
If the above conditions are set, then the user is not able to create anything. If I remove both conditions, then the user is able to create everything, like machine images and snapshots. I want to restrict the user to only instances and disks.
There's no such role to fulfill your requirements right away, but you can go ahead and create a Custom IAM Role. I'd also recommend checking the IAM roles and permissions docs for Compute Engine itself.
Then, while there's no such role for you, you can start by creating a custom role based on e.g. the Compute Viewer role. You'll have to add IAM permissions related to compute.disks and compute.instances in order to allow using and creating VMs and disks.
There's no easy way to determine which permissions are required, but you can start creating VMs in the Web UI and check the audit logs for missing permissions. Here are the ones that are definitely required (if your role is based on the Compute Viewer):
compute.disks.create
compute.disks.resize
compute.disks.use
compute.instances.reset
compute.instances.resume
compute.instances.setMetadata
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.use
compute.instances.setServiceAccount
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.networks.use
compute.networks.useExternalIp
Also, you'd need to give your user the Service Account User role, because the VMs are created with a particular service account (the Compute Engine default service account is used by default).
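An added example, not code from any answer on this page: a Python script that takes the permission list above, audits it before use (refusing delete verbs, which is the concern raised in the earlier admin-without-delete answer, and anything beyond instances and disks), and writes the JSON document for `gcloud iam roles create --file`. The allowed-resource sets, the role title and the output file name are assumptions.

```python
import json

# Permission list copied verbatim from the answer above (role based on Compute Viewer).
REQUIRED_PERMISSIONS = [
    "compute.disks.create", "compute.disks.resize", "compute.disks.use",
    "compute.instances.reset", "compute.instances.resume", "compute.instances.setMetadata",
    "compute.instances.start", "compute.instances.stop", "compute.instances.suspend",
    "compute.instances.update", "compute.instances.use", "compute.instances.setServiceAccount",
    "compute.subnetworks.use", "compute.subnetworks.useExternalIp",
    "compute.networks.use", "compute.networks.useExternalIp",
]

# Assumed scope for this role: any non-delete verb on instances and disks, only
# use* verbs on the networking resources, read-only verbs anywhere else.
FULL_ACCESS_RESOURCES = {"compute.disks", "compute.instances"}
USE_ONLY_RESOURCES = {"compute.networks", "compute.subnetworks"}
READ_ONLY_VERBS = {"get", "list"}


def audit_permissions(perms, allow_delete=False):
    """Return (permission, reason) pairs that fall outside the assumed scope."""
    findings = []
    for perm in perms:
        resource, _, verb = perm.rpartition(".")  # e.g. compute.instances / setMetadata
        if verb in READ_ONLY_VERBS:
            continue  # viewing other resources is fine; creating them is not
        if resource in FULL_ACCESS_RESOURCES:
            if verb == "delete" and not allow_delete:
                findings.append((perm, "delete verb not allowed"))
        elif resource in USE_ONLY_RESOURCES:
            if not verb.startswith("use"):
                findings.append((perm, "only use* verbs allowed on this resource"))
        else:
            findings.append((perm, "resource outside the instance/disk scope"))
    return findings


def build_role(title, perms):
    """Build the JSON role document accepted by `gcloud iam roles create --file`."""
    findings = audit_permissions(perms)
    if findings:
        raise ValueError(f"refusing to build role, out-of-scope permissions: {findings}")
    return {"title": title, "stage": "GA",
            "description": "Create and manage Compute Engine instances and disks only",
            "includedPermissions": sorted(set(perms))}


if __name__ == "__main__":
    # Hypothetical file name; afterwards run, for example:
    # gcloud iam roles create instanceDiskCreator --project=PROJECT_ID --file=role.json
    with open("role.json", "w") as fh:
        json.dump(build_role("Instance and Disk Creator", REQUIRED_PERMISSIONS), fh, indent=2)
```

Re-run the audit whenever a permission gathered from the audit logs is appended, so a missing-permission hunt does not quietly widen the role to snapshots or machine images.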
I want to create firewall rules particular to one storage browser bucket in Google Cloud Platform. I see that we have an option to create firewall rules, but how can we apply those rules to a specific storage browser bucket and not to all the other storage browser buckets?
You do not have to create firewall rules for buckets. What you need is to set the permissions on the buckets using Cloud IAM with buckets.
1. Open the Cloud Storage browser in the Google Cloud Platform Console.
2. Click the drop-down menu associated with the bucket to which you want to grant a member a role. The drop-down menu appears as three vertical dots to the far right of the bucket's row.
3. Choose Edit bucket permissions.
4. In the Add members field, enter one or more identities that need access to your bucket.
5. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
6. Click Add.
You can add as members individual users, groups, domains, or even the public as a whole. Members are assigned roles, which grant members the ability to perform actions in Cloud Storage as well as GCP more generally.
You can make a Cloud Storage bucket accessible only by a certain service account.
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.
You cannot apply firewall rules to single buckets.
Firewall rules are defined at the network level, and only apply to the network where they are created.
Your inquiry is a known Feature Request that has not been implemented yet on Cloud Storage. It has been requested and is ongoing, to allow IP whitelisting in the bucket policy, just like AWS does with S3 buckets. You can “star” the FR so that it gets more visibility, and also add your email to the “CC” list so that you get the updates.
As a workaround, you may request access to use VPC Service Controls. According to official documentation, with VPC Service Controls, administrators can define a security perimeter around resources of Google-managed services to control communication to and between those services.
Cloud Storage is included in the Supported products of these Google-managed services and here you can find its limitations.
You can use access levels to grant controlled access to protected Google Cloud Platform (GCP) resources in service perimeters from outside a perimeter.
Access levels define various attributes that are used to filter requests made to certain resources. Access levels can consider various criteria, such as IP address and user identity. Additionally, they are created and managed using Access Context Manager.
This example describes how to create an access level condition that allows access only from a specified range of IP addresses.
However, it needs to be considered that VPC Service Controls create a “border” around the project, specifying a “virtual area” where Access Context Manager rules can be applied. An ACM rule specifying an IP address will allow that IP address to access all Cloud Storage objects and all other protected resources owned by that project, which is not the expected result. As stated here, you cannot apply an IP address rule to an object, only to all objects in a project.
Furthermore, here you can find a useful link for the Best Practices concerning Security and Access Control on Cloud Storage buckets. Here, you can find tips on “sharing your files” while hosting a static website.
In conclusion, another option is Firebase Hosting instead of Cloud Storage, as stated here. Firebase Hosting is a Google hosting service which provides static web content to the user in a secure, fast, free and easy way.