Using GCP's IAM to manage users and roles in a webapp - google-cloud-platform

We're designing a complex web application what will be deployed on Google Cloud Platform.
As often happens, this web application needs to identify its users and render some dedicated sections of the GUI only to users with predefined roles. I.e. user "John" with roles "seller,sales" can access the web page listing the cars sold last month.
The question is, do you think I can use GCP's IAM to manage the webapp users and roles? Maybe adding new roles in GCP? (I don't know if that's feasible).
Our current idea is to deploy a Keycloack instance to manage users and roles, but if GCP's IAM can replace it... why not?
[EDIT] A possible duplicate of this question: How can Google IAM be used to manage authentication and authorization for a Spring Boot application

Related

Google Cloud Project Service Accounts

I am using a Google Cloud Project to automate the creation of some users inside of our organization. I have been using some API's that are hosted using the Google Cloud and have had no problem authenticating and using the API's, however I am not sure if I should be using a service account for this. I am currently using the Google Drive API, the Google Admin SDK(Directory API), the Sheets API, and the Docs API to create some accounts and manage an error log.
What I am asking is, should I be creating a service account to use the API's or is my own personal Google Workspace account okay for creating these? Is there a site/video/something that can guide me in the right direction if I do need to create a service account. I personally would rather have all of the automation using a service account for authentication, but the only videos and tutorials I found on using the service accounts are trying to use resources pertaining to Cloud Computing and service accounts that are impersonating other service accounts.
Using a Service Account is the best course of action for security reasons when you are the one giving authorization and authentication to your organization.
It is identical to granting access to any other identity to allow a service account access to a resource. For instance, suppose you only want an application that runs on Compute Engine to be able to generate items in Cloud Storage.
As a result, instead of managing each and every one of your users, you may limit and manage service accounts, assign certain roles to specific users or groups, and keep track of them because several service accounts can be created in a project.
Since you use Google Workspaces, I also advise you to read the shared documentation posted in the comments by #John Hanley.

Service account functionality in GCP

My organization is using GCP, and we have service accounts created for me and my co-workers. We need to use BigQuery storage transfer service, Cloud Dataflow and other Google Cloud resources.
1)So, what will be the recommended way of creating the scheduling job or creating the resources. Shall we create it via our service accounts or create another service account for the project and use that to schedule and use resources?
2)If it is done via my organization provided service account, what happens when I leave the organization and my service account is deleted. Does the jobs and pipelines continue to run under that project, or the resources are stopped?
NOTE Stackoverflow is focused on programming questions and this is not a programming question but more a question for help with architecture (guidance).
Service Accounts are non-user identities supported by Google.
Service Accounts are intended to be used by software|processes.
Service Accounts are Google resources that are "owned" by Google Projects (not Organizations nor users).
Service Accounts are deleted by Project members (users or indeed other Service Accounts that may inherit Project-specific roles from an Organization).
If a user (i.e. you) were to leave the organization, your org admins would likely delete your user account. This would not delete any Service Accounts. However, if your user identity had unique roles in the organization (represented by IAM permissions in the Google Organization and/or Project(s)), access to resources including Service Accounts could become inaccessible. For this reason, good org hygiene recommends that admin-like roles be assigned to groups rather than individual users.
I think it's good practice to create Service Accounts for software|processes on a per function basis. Some job should have its own Service Account.
This approach results in more Service Accounts but, it enables each Service Account to be exquisitely suited (IAM roles|permissions) to its job.

Grant users from CloudSQL instance IAM permissions to Cloud Storage objects

I have a question about GCP and this Django app I am making. I am using Google cloud storage to hold documents that I need to provide access permissions for to my users, but I can't think of how to link users from my app (being saved to CloudSQL-PostgresSQL) to my Google Cloud project.
This feels like it should be an easy case to handle, but i'm used to services like Cognito handling this for me.
Should I make a service account for every user?

GCP service accounts use case

I am just starting to use GCP and I have some questions about the service accounts.
Say there is a team of like 4 remotely located developers and we all want to use the python API to access GCP to launch instances and run stuff on them. My question is should every user get their own service account and keys or should one service account be shared by all? What is the intended use case here?
Google Cloud Service Accounts provide both identity and authorization to Google Cloud.
They are similar to user accounts. If you would like to do auditing or logging of actions with service accounts, you will want to use separate service accounts per user.
Service accounts are typically used for software applications to authorize their actions with the Google Cloud APIs. Service Accounts are using to issue OAuth 2.0 Access Tokens and optionally OIDC Identity Tokens. These tokens are what provides your application with authorization in Google Cloud.
My question is should every user get their own service account and
keys or should one service account be shared by all?
Yes, you should issue separate service account JSON key files to each developer. In the same way that you would not share usernames and passwords for computer systems, you would not share service accounts.
I have written a bunch of articles on Google Cloud Service Accounts that might help you understand how to configure and use them:
Google Cloud Service Accounts

AWS: To Role or not to Role?

From AWS docs:
When to Create an IAM User (Instead of a Role)
...
You want to use the command-line interface (CLI) to work with AWS.
When to Create an IAM Role (Instead of a User)
- You're creating an application that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance and that application makes requests to AWS.
- You're creating an app that runs on a mobile phone and that makes requests to AWS.
- Users in your company are authenticated in your corporate network and want to be able to use AWS without having to sign in again—that is, you want to allow users to federate into AWS.
But it seems like companies heavily use roles for everything:
Role for groups by creating roles with specific policies and creating custom policies to apply to groups.
Assume role to use the CLI.
Switch role to use different accounts.
Is that excessive or real work based solution?
Is that excessive or real work based solution?
Based on my own experience with AWS, heavily using roles is a real work based solution because, in my company, we use only roles to give access to users (yes, we have 0 users registered in your AWS environments). I'll list the reasons why we chose this way:
We are using AWS Control Tower.
This service enables AWS Organizations with at least 3 AWS accounts to manage your organization. It'd be a mess with we had to create a user for each AWS account. Also, AWS Control Tower enables AWS Single Sign-On.
We're using AWS Single Sign-On.
This service correlates multiples AWS accounts with multiples roles with multiples users. Description:
AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. With just a few clicks, you can enable a highly available SSO service without the upfront investment and on-going maintenance costs of operating your own SSO infrastructure. With AWS SSO, you can easily manage SSO access and user permissions to all of your accounts in AWS Organizations centrally. AWS SSO also includes built-in SAML integrations to many business applications, such as Salesforce, Box, and Office 365. Further, by using the AWS SSO application configuration wizard, you can create Security Assertion Markup Language (SAML) 2.0 integrations and extend SSO access to any of your SAML-enabled applications. Your users simply sign in to a user portal with credentials they configure in AWS SSO or using their existing corporate credentials to access all their assigned accounts and applications from one place.
Please, check out some features offered by this service. There are a lot of benefits using roles instead of users. In my point of view, with AWS SSO, AWS itself facilitates the use of roles.
The only disadvantage I found is that every time I need to use AWS CLI, I need to access AWS SSO portal, copy the credentials and paste in my terminal because credentials expires after some time. But in the end, this disadvantage is small compared to the security that this process offers - if my computer is stolen, AWS CLI couldn't be accessed because of credentials expiration.