GCP - Deny Permissions for Specific Resources - google-cloud-platform

How do I set up explicit deny permissions for a specific resource in GCP? For example, I have 2 GKE clusters in my project, say "dev-gke" and "qa-gke". How do I ensure that folks in the team are denied permission to update/delete the "qa-gke" cluster while they can continue to do so on the "ts-dev" cluster?
I contemplated setting up a deny policy as explained here, using denialCondition and resource.matchTag referencing a tag for the "ts-qa" cluster:
"denialCondition": {
  "title": "QA Setup",
  "expression": "resource.matchTag('12345678/env', 'ts-qa')"
}
But as explained here, tags are defined at an organization level and not at a resource level. Also, I couldn't find an equivalent of resource.matchTag for labels.

Not having found any suitable way to address this from IAM permissions themselves, I ended up creating a ClusterRole and ClusterRoleBinding for each cluster individually, with the respective users who should be allowed access.
Reference: https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control

See this doc: https://cloud.google.com/iam/docs/deny-access.
You can probably also use IAM tags to attach a tag to your clusters; see https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing#gcloud_8.

Related

How to list all the IAM roles that include a given permission in GCP

After discovering that a user (principal) needs an additional permission to perform a task, I would like to know what standard roles include that permission so I can add the role to the user. I would also like to know what other permissions each of those roles provide so I can select the one with permissions that match the user's needs. I am not able to use custom roles, and I am avoiding the basic roles as they are too wide.
At present, I am using https://cloud.google.com/iam/docs/understanding-roles#support-roles.
I search for the permission, then scroll up to see the role name and all the other permissions in that role.
It works but is slow for what must be a common task.
Is there a better web page or a gcloud API command that would work better?
The GCP documentation offers a (huge) page that lets you identify, for each permission, the different roles that grant it.
In addition to the page you cited you can later, using the gcloud CLI, describe a role and see the different permissions it grants. For example:
gcloud iam roles describe roles/iam.roleViewer
The command will output:
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
AFAIK, the gcloud CLI doesn't give you the opportunity to, given a certain permission, get the roles that grant it.
Based on the GCP documentation, one can check the predefined roles given a permission.

Google Cloud Platform: How to fetch permissions assigned for particular Identity across all GCP resources via REST call

GCP IAM: In IAM, permission to access a resource isn't granted directly to the end user. Instead, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy defines and enforces what roles are granted to which members, and this policy is attached to a resource.
Ref: https://cloud.google.com/iam/docs/overview
So basically, access control for Google Cloud resources is managed by IAM policies. An IAM policy is attached to a resource.
With the Cloud Resource Manager API we can retrieve a policy and check the permissions assigned to a user, but it's resource-centric. The policy for an organization, folder, project, etc. can be retrieved.
Example: https://cloud.google.com/resource-manager/reference/rest/v1/organizations/getIamPolicy
Cloud Asset Inventory: has an API to search all IAM policies. With the query parameter it has a filter for user, but it supports only a subset of the resources on which an IAM policy can be assigned.
API:
https://cloud.google.com/asset-inventory/docs/reference/rest/v1/TopLevel/searchAllIamPolicies
Reference:
https://cloud.google.com/asset-inventory/docs/supported-asset-types
https://cloud.google.com/iam/docs/resource-types-with-policies
Question:
Is there any way to fetch all the permissions granted to identity across all GCP resources instead of checking IAM Policy of each and every resource?
Basically, I am looking for a consolidated view of all the permissions granted to an identity in GCP. The problem is that to understand the permissions assigned to a user on a single resource via the API, we have to fetch all the resource policies and check their bindings.
As of now there is no gcloud or API call that can be used to easily check the permissions granted to a particular resource (such as a user, service account, etc.), as explained in your question. As you are already aware, you could use the relevant gcloud command to search for the specific roles assigned at each distinct resource, e.g.:
gcloud asset search-all-iam-policies --scope='projects/[YOUR-PROJECT-ID]' --query='policy:[YOUR-USERNAME]@[YOUR-DOMAIN]'
Resulting in e.g.:
---
policy:
  bindings:
  - members:
    - projectOwner:[PROJECT-ID]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/bigquery.dataOwner
project: projects/[PROJECT-NUMBER]
resource: //bigquery.googleapis.com/projects/[PROJECT-ID]/datasets/[DATASET-NAME]
---
policy:
  bindings:
  - members:
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: projects/[PROJECT-ID]/roles/[CUSTOM-ROLE-NAME]
  - members:
    - user:[ANOTHER-USERNAME]@[YOUR-DOMAIN]
    - user:[YOUR-USERNAME]@[YOUR-DOMAIN]
    role: roles/owner
project: projects/[PROJECT-NUMBER]
From these responses, parse the role: field assigned at each resource, then see which permissions are assigned to that specific role using the relevant gcloud command:
gcloud iam roles describe [CHANGE-FOR-ROLE-(e.g. roles/owner)] --project=[PROJECT-ID]
and check the output under the includedPermissions: field.
I would therefore recommend that you star and follow this Feature Request on GCP's Public Issue Tracker to check the feasibility (or not) of this being implemented in the future.
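The two manual procedures on this page, the reverse lookup "which roles include this permission" (no gcloud flag exists for it) and the consolidation "which permissions does this identity hold on each resource" from search-all-iam-policies plus roles describe, as one added example that is not from any answer here. It works offline on constructed, abbreviated samples in the shape of the gcloud --format=json output; the project my-proj, the example.com principals, the customAuditor role and the trimmed permission lists are made up for the example.

```python
import json
from collections import defaultdict

# Constructed sample of `gcloud iam roles describe ROLE --format=json` output,
# trimmed to the fields used here. roles/iam.roleViewer matches the listing
# shown earlier on this page; the other two are abbreviated, not the full lists.
ROLE_DEFS = json.loads("""[
 {"name": "roles/iam.roleViewer", "includedPermissions": ["iam.roles.get",
   "iam.roles.list", "resourcemanager.projects.get",
   "resourcemanager.projects.getIamPolicy"]},
 {"name": "roles/container.clusterAdmin", "includedPermissions": [
   "container.clusters.get", "container.clusters.update"]},
 {"name": "roles/bigquery.dataOwner", "includedPermissions": [
   "bigquery.datasets.get", "bigquery.tables.delete"]}
]""")

# Constructed sample of `gcloud asset search-all-iam-policies --format=json`
# for the made-up project my-proj and principals at example.com.
SEARCH_RESULTS = json.loads("""[
 {"resource": "//cloudresourcemanager.googleapis.com/projects/my-proj",
  "policy": {"bindings": [
    {"role": "roles/iam.roleViewer",
     "members": ["user:alice@example.com", "group:devs@example.com"]},
    {"role": "roles/container.clusterAdmin", "members": ["user:bob@example.com"]}]}},
 {"resource": "//bigquery.googleapis.com/projects/my-proj/datasets/reports",
  "policy": {"bindings": [
    {"role": "roles/bigquery.dataOwner", "members": ["user:alice@example.com"]},
    {"role": "projects/my-proj/roles/customAuditor", "members": ["user:alice@example.com"]}]}}
]""")

PERMS_BY_ROLE = {r["name"]: frozenset(r["includedPermissions"]) for r in ROLE_DEFS}

def roles_granting(permission):
    """Reverse lookup gcloud lacks: every described role that includes `permission`."""
    return sorted(name for name, perms in PERMS_BY_ROLE.items() if permission in perms)

def effective_permissions(principal):
    """Consolidated view: resource -> permissions `principal` holds via its bindings.
    Caveats: group membership is not expanded, IAM conditions on bindings are not
    evaluated (listed as if unconditional), inheritance from parent resources is
    not applied, and a never-described role is kept as "<undescribed role NAME>"
    rather than silently dropped."""
    by_resource = defaultdict(set)
    for hit in SEARCH_RESULTS:
        for binding in hit["policy"].get("bindings", []):
            if principal in binding["members"]:
                role = binding["role"]
                by_resource[hit["resource"]] |= PERMS_BY_ROLE.get(role, {f"<undescribed role {role}>"})
    return dict(by_resource)
```

To use it on real data, replace the two embedded samples with the JSON that `gcloud iam roles describe` (one call per distinct role in the search results) and `gcloud asset search-all-iam-policies --scope=... --query=... --format=json` return; the caveats in the docstring are exactly the gaps that keep this from being a full "effective access" answer.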

Google Cloud Platform: Minimal IAM permissions for gcloud command

I am trying to find in the official GCP documentation the exact permission (not Role) that corresponds to the ability to invoke this command
gcloud container clusters resize
The list does not include such a permission.
Any suggestion about the least privilege that needs to be granted for such an operation?
The gcloud container clusters resize operation probably needs the caller to have the container.clusters.update permission. You can find this permission in the following predefined roles:
Kubernetes Engine Admin (roles/container.admin)
Kubernetes Engine Cluster Admin (roles/container.clusterAdmin)
See Kubernetes Engine roles. I have not listed other roles containing this permission because they are too broad (roles/owner, roles/editor) or not appropriate (roles/composer.worker).
Based on the principle of least privilege, and if you want to keep things simple using predefined roles, your user only needs to be granted roles/container.clusterAdmin, because the roles/container.clusterAdmin role contains a subset of the roles/container.admin permissions.
Additionally, if you want/need to be more restrictive, you could also create a custom role with only the permission you need.

Adding IAM Group to aws-auth configmap in AWS EKS

The aws-auth configmap in AWS EKS performs a mapping between IAM users/roles to kubernetes RBAC roles. However, the documentation does not specify anything on adding IAM groups to the configmap.
We use multiple namespaces, each namespace managed by a different team. I created a set of Kubernetes RBAC roles, limited to the different namespaces. Now I want to give everybody in the team's IAM group that specific role.
Is it possible to add IAM groups in the aws-auth configmap? If not, what would the proposed solution be? Create an IAM role per team and allow only members of the IAM group the permission to assume that role?
You can take a look here.
TLDR
1. Create a role that allows full API access
2. Create a RoleBinding for that role to your target namespace with a named apiGroup as the subjects.
3. Add an entry for your IAM user in the aws-auth ConfigMap to add the mapUser to the named aforementioned apiGroup.
Hope this helps!

How to concisely write a policy to control access to Amazon EC2 resources based on tags

I have an IAM group called "devops" to which I want to apply a policy that will grant members of that group full access to EC2 instances tagged "Class=devops", and no access to any other EC2 instances. I found this great knowledge center article by Amazon which put me on the right path: https://aws.amazon.com/premiumsupport/knowledge-center/iam-ec2-resource-tags/.
The problem as I see it stems from the "Note" about halfway down that page:
"Full control" extends to all actions within the EC2 namespace with the exception of those Amazon EC2 API actions that currently do not support resource-level permissions. For more information, see Unsupported Resource-Level Permissions in the Amazon EC2 API Reference.
If you follow the link in the note to the list of unsupported resource-level permissions, you'll find that it's dozens of items long. You'll also find this statement:
All Amazon EC2 actions can be used in an IAM policy to either grant or deny users permission to use that action. However, not all Amazon EC2 actions support resource-level permissions, which enable you to specify the resources on which an action can be performed. The following Amazon EC2 API actions currently do not support resource-level permissions; therefore, to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement.
In order to grant "allow" permissions to all of these.
If I wanted to grant permissions in this policy to all of those actions which don't support resource-level permissions, my policy would be hundreds of lines long! Is there a better and more concise way to do this?
There is one simple shortcut. A lot of the actions start with the same word, such as "Describe". You can cover this list with a wildcard, for example: "Action": "ec2:Describe*".
Just be careful with actions that will then override your other policy sections that DENY actions for specific resources.