Is it possible to restrict access to cloud.google.com to specific IPs?
When I create a principal I'm giving it a specific role, but I would like to give access for that user/s only if it logs in from specific IP.
[EDIT] To clarify, access should be restricted to the whole project. E.g. I limit access to only IP1. User "A" logs in to cloud.google.com, chooses project and if he logged in from IP2, he won't see anything ("you don't have access .." message, same as the role-based restrictions if you go where you shouldn't).
If he connects from IP2 he should have access to everything his role gives him.
Only limits I can find in documentation (also the IAP pointed by Arden) are restrictions TO something (app, resource, etc.) not FROM something.
So the question is, is it even possible to do something like that.
You need to implement Identity-Aware Proxy (IAP): Authenticate users with Google Accounts
When to use IAP
Use IAP when you want to enforce access control policies for applications and resources. IAP works with signed headers or the App Engine standard environment Users API to secure your app. With IAP, you can set up group-based application access: a resource could be accessible for employees and inaccessible for contractors, or only accessible to a specific department.
Related
IAP allows you to protect apps on AppEngine by defining which principal has access using roles/iap.httpsResourceAccessor. If I have a group in IAM called participants and I add external people (personal gmail accounts & contractors) to that group, will these people have access to my application?
Or do I have to submit the application for verification even though I want to limit the access to our employees and a few dozen customers taking part in a workshop?
So in other words, does IAP define "people in your organisation" as people who have a @myorg.com email address only or as people who are part of a group that has IAM permission?
"People in your organization" are users who have been granted permission in your Google Cloud Project or Organization. This includes @gmail.com accounts, which can have roles granted and can be added to groups.
For an internal application you do not need to verify the app, but you will need an internal OAuth page.
You can find more information in this documentation.
I have a use case where I have 2 apps:
React SPA frontend, running on web.myportal.example
Node Express backend, exposing a REST api on api.myportal.example
Both apps are deployed into GCP Compute Engine and are accessible from the Internet. I was able to configure IAP to prevent unauthorized access. I can specify a list of email accounts that are allowed to use the UI and API.
What I need is authorization capability from GCP IAP. Does it have one?
Simple example - some of the API endpoints should only be accessible to folks with a specific group/role membership. How can I extract that from IAP? The only thing IAP leaves me is a GCP_IAAP_AUTH_TOKEN cookie, which I can't even use due to its definition.
You may try to put an LB in front of each service (one for API, another for an APP) and configure IAP to use them and grant access accordingly.
When an application or resource is protected by IAP, it can only be accessed through the proxy by members, also known as users, who have the correct Identity and Access Management (IAM) role. When you grant a user access to an application or resource by IAP, they're subject to the fine-grained access controls implemented by the product in use without requiring a VPN. When a user tries to access an IAP-secured resource, IAP performs authentication and authorization checks.
But it's not possible to configure IAP to grant different access levels to API methods based on who logged in. It doesn't look like it allows such fine-grained authorisation management; you either get access or you don't.
After authentication, IAP applies the relevant IAM policy to check if the user is authorized to access the requested resource. If the user has the IAP-secured Web App User role on the Cloud Console project where the resource exists, they're authorized to access the application.
Disclaimer: https://console.cloud.google.com/support/community leads here. Google's documentation is horrific so giving this a whirl on the off chance that I don't get downvoted to the depths of dev/null
Out of impending necessity I am migrating a private application that monitors our Gmail accts to OAuth 2, and as part of this process it was necessary to create an OAuth consent screen. Since this application will only be used internally it makes the most sense to choose "Internal" for Application Type - which is described as follows:
Only users with a Google Account in your organization can grant access to the scopes requested by this app.
The users on this Project consist of two "owners": myself using my personal Gmail acct, and another employee who is part of the company G Suite account.
My question is who qualifies as a "user in my organization"? Is this based on the project owners? Does my non-G-Suite account (which is an owner of the project) qualify? Does the inclusion of one member in a G Suite account automatically associate the other employee accounts? Is there anywhere to actually see these users or manage them directly?
I'd actually like to add another couple accounts to the mix but still keep the application private, but I'm confused about how Google determines which gmail accounts will be able to authorize the app.
UPDATE: To clarify, when I visit the consent page while logged in as a member of our G Suite on the same domain as the project owner, everything is fine. However, we have other members managed in the same G Suite account who are under a different domain and for these I get the message:
Error 403: org_internal
This client is restricted to users within its organization.
Furthermore, I am not even able to grant access using my own email which is the creator and owner of the application. I'd like to know how I can add myself and the other G Suite members to be able to grant access to the application without making it public. It was suggested below that I add them (or their domain) to Google Cloud IAM but I'm unclear about how to get this working. My own email does already exist in IAM with role of "owner" and apparently that doesn't satisfy the requirement.
In order for internal apps to be used for OAuth, the project must belong to the organization associated with the same GSuite customer as all the users.
Non-GSuite accounts cannot be used by internal apps. There's more information about this here: https://support.google.com/cloud/answer/6158849#public-and-internal.
Who is a member of my organization?
Anyone that you have added to Google Cloud IAM for a project, folder or at the organization level. This can include Google Accounts (Gmail email addresses), G Suite and Google Identity. The last two use a domain name (example.com) and anyone with an identity in that domain (someone@example.com).
Google's goal is to tighten up security for Google Cloud Platform. In the past anyone with a Google Accounts email address could use your project's OAuth to request access. The level of access is controlled by OAuth Scopes. Today, granting that access results in a Consent Screen with an unverified application warning. To get beyond (remove) that warning often requires a security audit of your application with a cost estimated at $75,000 USD.
How do I manage members?
Through Google Cloud IAM. You can add and remove members; assign and remove IAM roles attached to member IDs. Through G Suite or Google Identity by adding or removing member accounts. Don't forget that members can be part of a Google Group and part of a Domain each of which are also an identity in Google Cloud Platform.
For GSuite Users:
Cloud IAM only deals with authorisation; you would need to handle authentication elsewhere. By default GSuite integrates with Cloud IAM as a default authentication provider.
For Non-GSuite Users:
You can use Cloud Identity Free edition, but users will have to manage a separate set of credentials.
Single Sign On without GSuite
If you want Single Sign On Option you can also use Google Cloud Directory Sync to sync with your on-premise Active Directory or LDAP server for authentication. So users can keep their login details.
That's how authentication works on GCP. As for authorisation you have CloudIAM where you can manage access through Predefined Roles, Primitive Roles and Custom Roles.
Cloud IAM and Authorisation
Typically you assign access using Google Groups and the resource hierarchy to make it easier for you to manage user access. But bear in mind that if you grant access to something through an ancestor folder in the resource hierarchy then you can't deny access downstream. So you need to plan the access hierarchy accordingly.
To answer your question who qualifies as a "user in my organization"?: everyone can log in, but by default they cannot access any projects, their resources or APIs unless they are given access either individually or through a group.
Hope this clarifies things for you a little.
I want to create firewall rules particular to a storage browser in Google Cloud platform. I see that we have an option to create firewall rules but, How can we have that rules to specific storage browser and not to all other storage browser buckets?
You do not have to create firewall rules for buckets. What you need is to set the permissions on the buckets using Cloud IAM with buckets.
Open the Cloud Storage browser in the Google Cloud Platform Console.
Click the drop-down menu associated with the bucket to which you want to grant a member a role.
The drop-down menu appears as three vertical dots to the far right of the bucket's row.
Choose Edit bucket permissions.
In the Add members field, enter one or more identities that need access to your bucket.
Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
Click Add.
You can add as members individual users, groups, domains, or even the public as a whole. Members are assigned roles, which grant members the ability to perform actions in Cloud Storage as well as GCP more generally.
You can make a Cloud Storage bucket accessible only by a certain service account.
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.
You can not apply firewall rules to single buckets.
Firewall rules are defined at the network level, and only apply to the network where they are created.
Your inquiry is a known Feature Request that has not been implemented yet on Cloud Storage. It has been requested and is ongoing, in order to allow IP whitelisting in a bucket policy, just like AWS does it with S3 buckets. You can "star" the FR so that it gets more visibility, and also add your email to the "CC" list so that you get the updates.
As a workaround, you may request access to use VPC Service Controls. According to official documentation, with VPC Service Controls, administrators can define a security perimeter around resources of Google-managed services to control communication to and between those services.
Cloud Storage is included in the Supported products of these Google-managed services and here you can find its limitations.
You can use access levels to grant controlled access to protected Google Cloud Platform (GCP) resources in service perimeters from outside a perimeter.
Access levels define various attributes that are used to filter requests made to certain resources. Access levels can consider various criteria, such as IP address and user identity. Additionally, they are created and managed using Access Context Manager.
This example describes how to create an access level condition that allows access only from a specified range of IP addresses.
However, it needs to be considered that VPC Service Controls create a "border" around the project specifying a "virtual area", where Access Context Manager rules can be applied. The ACM rule specifying an IP address will allow that IP address to access all Cloud Storage objects and all other protected resources owned by that project, which is not the expected result. As stated here, you cannot apply an IP address rule to an object, only to all objects in a project.
Furthermore, here you can find a useful link for the Best Practices concerning Security and Access Control on Cloud Storage buckets. Here, you can find tips on “sharing your files” while hosting a static website.
In conclusion, another option is Firebase Hosting instead of Cloud Storage, as stated here. Firebase Hosting is a Google hosting service which provides static web content to the user in a secure, fast, free and easy way.
Prior to Google's restructuring of Cloud API access, I had a gmail account that had access to a bunch of Google Analytics accounts, through which I established API access via OAuth credentials for a large number of sites. They changed their policies and began requiring domains to be verified before they could access credentials. This was the case for "public" applications, but if you switched it to "private" the domain verification no longer mattered. I had to do this because making the project public was a violation of the TOS. However, this coincided with the introduction of GCP's IAM permissions setup that forced me to create an "organization" and a "project" - and also forced me to create a Google Cloud Identity.
The stipulation of a private project was that you can only grant access to accounts under your organization. I added my gmail account to the organization and gave it administrative permissions.
So, I'm here: I set up new OAuth credentials for a new site, then try to access the API through those credentials. During the initial authorization screen, it asks me to select the appropriate Google account, and then is SUPPOSED to ask me to allow access. Instead, I get this error:
Authorization Error
Error 403: org_internal
This client is restricted to users within its organization.
BUT, the account I selected has been established as an administrator of the organization under which the API project resides! I have tried a billion different things, and the only way I seem to be able to grant access to ANYTHING is if I create the credentials under a different project and then log in with the GCI account. HOWEVER, that's not the account that has access to the Google Analytics, so it doesn't help me one bit.
To top it all off, Google has absolutely no support for this. They send me here, to Stack Overflow, to get support. Can anyone help?
The accepted answer didn't help. What helped were the following steps:
Go to Google Developer console (https://console.cloud.google.com/apis/credentials/consent?project=XXX)
Change User Type to External
Note: This does not make your site publicly accessible. It makes it so users outside your organization can be granted the normal way via IAM.
Linking an external email address does NOT make that identity part of the organization. Create a new identity based inside the organization. If your organization is example.com, create an identity such as john@example.com and use that identity. Your other option is to remove the restriction.