I am looking to restrict creation of VMs on GCP projects. Is there any workaround for this request?
You might want to try IAM roles. If you do proper role segmentation among the users of your organization, you can restrict all users/groups from creating VMs on your GCP project. Here is another link regarding IAM.
The Compute IAM roles are too broad. If you want finer control, you need to create a custom role without the permission compute.instances.create.
In IAM you can assign just the permission to create instances. Here is some documentation on which roles you can use.
With IAM, every API method in the Compute Engine API requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a member (user, group, or service account) of your project.
The following tables describe the predefined Compute Engine IAM roles, as well as the permissions contained within each role. Each role contains a set of permissions that is suitable for a specific task. For example, the Instance Admin roles grant permissions to manage instances, the network-related roles include permissions to manage network-related resources, and the security role includes permissions to manage security-related resources, like firewalls and SSL certificates.
Compute Admin role
Name: roles/compute.admin
Description: Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.
Permissions:
compute.*
resourcemanager.projects.get
resourcemanager.projects.list
serviceusage.quotas.get
serviceusage.services.get
serviceusage.services.list
Click here for more documentation.
Set quotas in GCP; the quota for VMs is based on the region.
https://cloud.google.com/compute/quotas#understanding_quotas
"The VM instances quota is a regional quota and limits the number of VM instances that can exist in a given region, regardless of whether the VM is running. This quota is visible in the Google Cloud console on the Quotas page. "
I have one organization with multiple sub-accounts. I would like to create IAM policies that grant users full administrator access to any resource in a specific sub-account (or sub-accounts). How can this be achieved?
From an AWS Organization perspective, you have control over the accounts and resources via Service Control policies (SCPs).
"However, an SCP never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for the affected accounts."
With that in mind, you can't grant users full administrator access to any resources in a specific subaccount(s) using AWS Organization and AWS IAM Policies only.
This leads us to (roughly) 3 paths:
1. By default, if you create a member account as part of your organization, AWS automatically creates a role in the account that grants administrator permissions to IAM users in the management account who can assume the role.
The IAM role in question is OrganizationAccountAccessRole. You can customize its name and use it to grant your users full administrator access across all the resources inside the AWS account.
See: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html
Observations: Since this IAM role is created in every account, you would need to intervene and limit the IAM cross-account access manually in each sub-account.
2. You can use AWS CloudFormation StackSets to deploy across multiple AWS accounts a list of IAM roles your users could use for admin purposes (e.g. RoleFullAdmin, RoleReadOnly, RoleDevOps). AWS Organizations enables you to create stack sets with service-managed permissions, using a service-linked role that has the relevant permissions in each member account.
From your AWS Organizations management account (or delegated administrator account) you can deploy stack sets to current accounts, and they are automatically deployed to every new account you create, keeping your resources in sync.
You can target accounts via account ID or organizational units (OUs).
See: https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-cloudformation.html
Observations: Similar to 1, since you are using IAM role cross-account access, you need to manually intervene in the policy trust relationship.
3. Add AWS IAM Identity Center (successor to AWS Single Sign-On) to your AWS Organization.
What you are looking for can be achieved by Permission Sets in the AWS IAM Identity Center.
You can customize the access per user and have a many-to-many relationship between User <-> Accounts <-> Roles. You can define one or more IAM Policies in the Permission Set.
AWS provides predefined permissions that you can use too.
See: https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetsconcept.html and https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetpredefined.html
Observations: You need to add an extra resource to your AWS Organization and configure the identity source of your users. This also requires a change in the process of "how to login to our aws account". Now you need to use the AWS SSO etc.
A policy can be attached to a user or group. This controls what the users are able to do in AWS.
Can a policy be attached to an AWS service? What is the relation between a policy and an AWS service?
And where does the concept of Role fit in all this?
In Amazon Web Services (AWS), a user is a person or system that interacts with the AWS platform. Users can have different levels of access to AWS services and resources, depending on their permissions.
A group is a collection of users that share the same permissions. Groups can be used to manage the permissions of multiple users at once, making it easier to manage and control access to AWS services and resources.
A role is a set of permissions that can be assumed by a user or system. Roles are used to grant users and systems access to AWS services and resources, without having to share or manage long-term credentials. Roles can be temporary or permanent, and can be assumed by users, applications, or services.
A policy is a document that defines the permissions for a user, group, or role. Policies are written in the AWS Identity and Access Management (IAM) policy language, and specify the actions and resources that a user, group, or role is allowed to access.
AWS services are the core components of the AWS platform, and include a wide range of cloud-based services for computing, storage, networking, analytics, machine learning, and more. AWS services can be accessed by users, groups, and roles, depending on the permissions granted by policies.
In summary, the relation between user, group, role, policy, and AWS services is as follows:
A user is a person or system that interacts with AWS services.
A group is a collection of users that share the same permissions.
A role is a set of permissions that can be assumed by a user or system.
A policy is a document that defines the permissions for a user, group, or role.
AWS services are the core components of the AWS platform, and can be accessed by users, groups, and roles with the appropriate permissions.
Think of a role as a container for permissions which can be used to delegate access to users, applications, or services that don't normally have access to your AWS resources.
From the docs:
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied.
I need to fetch all the projects and associated resource details underneath an org in GCP. What is the best way to do this? Can I create a service account bound to an organization, and what type of roles need to be assigned to the service account to control all types of resources under an organization?
Can I create a service account bound to an organization?
Yes, you can bind a service account to an organization.
What type of roles need to be assigned to the service account to control all types of resources under an organization?
If you need to control resources under your organization only, the "owner" role is enough. But if you need to control folders and the organization itself too, the "owner" and "organization administrator" roles are both necessary.
The service account can be granted IAM roles that let it access resources. The service account is used as the identity of the application, and the service account's roles control which resources the application can access.
You can grant users permissions using custom roles. These roles operate on the principle of least privilege, and generally provide only the minimum necessary permissions required to do a particular task. Because of their restricted permissions, however, custom roles may cause many resources in your hierarchy to be omitted when executing a list operation. When performing searches as a user that has been granted a custom role, it can be difficult to tell why certain resources are not appearing.
To get the permissions that you need to create and manage custom roles, ask your administrator to grant you the following IAM roles:
To manage roles for a project: Role Administrator (roles/iam.roleAdmin) on the project that you want to manage roles for
To manage roles for an organization: Organization Role Administrator (roles/iam.organizationRoleAdmin) on the organization that you want to manage roles for.
As mentioned, there is no single role that can be given to a service account to control all types of resources. If a user needs access to a specific Google Cloud resource, you can grant the user a role for that resource. Some examples of resources are projects, Compute Engine instances, and Cloud Storage buckets.
Some services support granting IAM permissions at a granularity finer than the project level. For example, you can grant the Storage Admin role (roles/storage.admin) to a user for a particular Cloud Storage bucket, or you can grant the Compute Instance Admin role (roles/compute.instanceAdmin) to a user for a specific Compute Engine instance.
To list all the resources in the resource hierarchy, grant a service account the list and get permissions for Organizations, Folders, and Projects on the Organization resource.
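As an added example (not part of the answer above, and not Google's code), here is a walk of an organization's hierarchy that only needs the list/get permissions just described, granted once on the organization. The lister functions are injected so the walk runs offline against a constructed tree; in practice you would pass wrappers around the Resource Manager v3 folders.list and projects.list calls. The organization ID, folder and project names below are invented.

```python
# Constructed hierarchy in the shape Resource Manager v3 returns from
# folders.list(parent=...) and projects.list(parent=...). Not real data.
SAMPLE_FOLDERS = {
    "organizations/123456789": [
        {"name": "folders/100", "displayName": "prod"},
        {"name": "folders/200", "displayName": "dev"},
    ],
    "folders/100": [{"name": "folders/110", "displayName": "payments"}],
}
SAMPLE_PROJECTS = {
    "organizations/123456789": [
        {"name": "projects/900", "projectId": "shared-vpc-host", "state": "ACTIVE"}],
    "folders/100": [
        {"name": "projects/901", "projectId": "prod-api", "state": "ACTIVE"}],
    "folders/110": [
        {"name": "projects/902", "projectId": "payments-core", "state": "ACTIVE"},
        {"name": "projects/903", "projectId": "payments-old", "state": "DELETE_REQUESTED"}],
    "folders/200": [
        {"name": "projects/904", "projectId": "dev-sandbox", "state": "ACTIVE"}],
}


def sample_list_folders(parent):
    """Stand-in for FoldersClient.list_folders(parent=...)."""
    return SAMPLE_FOLDERS.get(parent, [])


def sample_list_projects(parent):
    """Stand-in for ProjectsClient.list_projects(parent=...)."""
    return SAMPLE_PROJECTS.get(parent, [])


def walk_hierarchy(org, list_folders, list_projects, include_inactive=False):
    """Depth-first walk from the organization down through folders, returning
    every project with its folder path. The caller needs
    resourcemanager.folders.list and resourcemanager.projects.list (plus the
    matching .get permissions) granted on the organization; bindings there are
    inherited by every folder and project below it."""
    found = []
    stack = [(org, org)]  # (parent resource name, display path)
    while stack:
        parent, path = stack.pop()
        for proj in list_projects(parent):
            if include_inactive or proj["state"] == "ACTIVE":
                found.append({"path": f"{path}/{proj['projectId']}",
                              "name": proj["name"], "state": proj["state"]})
        # Push in reverse so the first listed folder is walked first.
        for folder in reversed(list_folders(parent)):
            stack.append((folder["name"], f"{path}/{folder['displayName']}"))
    return found


if __name__ == "__main__":
    for p in walk_hierarchy("organizations/123456789",
                            sample_list_folders, sample_list_projects):
        print(p["name"], p["path"])
```

Note the caveat from the answer: if the service account holds a custom role that lacks list permission on some folder, that whole subtree is silently absent from the result rather than reported as an error, so compare the project count against another source (for example Cloud Asset Inventory) before trusting the inventory as complete.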
I have given the Compute Instance Admin (v1) role with a condition on resource type:
1. compute.googleapis.com/Disk and
2. compute.googleapis.com/Instance
If the above roles are given then the user is not able to create anything; if I remove both conditions then the user is able to create everything, like machine images and snapshots. I want to restrict it to only instances and disks.
There's no such role to fulfill your requirements right away, but you can go ahead and create a custom IAM role. I'd also recommend checking the IAM roles and permissions docs for Compute Engine itself.
Then, since there's no such role for you, you can start by creating a custom role based on e.g. the Compute Viewer role. You'll have to add IAM permissions related to compute.disks and compute.instances in order to allow using and creating VMs and disks.
There's no easy way to determine which permissions are required, but you can start creating VMs in the web UI and check the audit logs for missing permissions. Here are the ones that are definitely required (if your role is based on the Compute Viewer role):
compute.disks.create
compute.disks.resize
compute.disks.use
compute.instances.reset
compute.instances.resume
compute.instances.setMetadata
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.use
compute.instances.setServiceAccount
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.networks.use
compute.networks.useExternalIp
Also, you'd need to give your user the Service Account User role, because the VMs are created with a particular service account (the Compute Engine default service account is used by default).
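The answer above suggests iterating on the custom role by reading audit logs for missing permissions; the first question on this page wants the opposite cut (a role with compute.instances.create withheld). The following Python is an added example for both, not code from either answer or from Google: it mines Cloud Audit Log entries (protoPayload.authorizationInfo[].permission with granted: false, on entries whose status code is PERMISSION_DENIED) and emits a role definition in the format gcloud iam roles create --file accepts. The log lines, principal e-mails and the Compute Viewer subset are constructed; the real base list comes from gcloud iam roles describe roles/compute.viewer.

```python
import json
from collections import Counter

# Constructed Cloud Audit Log entries (JSON lines, as exported from Cloud
# Logging), trimmed to the fields read below. Not real log output.
SAMPLE_LOG_LINES = [
    json.dumps({"severity": "ERROR", "protoPayload": {
        "methodName": "v1.compute.instances.insert",
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "authorizationInfo": [
            {"permission": "compute.instances.create", "granted": True},
            {"permission": "compute.disks.create", "granted": False},
            {"permission": "compute.subnetworks.use", "granted": False}]}}),
    json.dumps({"severity": "NOTICE", "protoPayload": {
        "methodName": "v1.compute.instances.get",
        "status": {},
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "authorizationInfo": [
            {"permission": "compute.instances.get", "granted": True}]}}),
    json.dumps({"severity": "ERROR", "protoPayload": {
        "methodName": "v1.compute.images.insert",
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "authorizationInfo": [
            {"permission": "compute.images.create", "granted": False}]}}),
    json.dumps({"severity": "ERROR", "protoPayload": {
        "methodName": "v1.compute.instances.setMetadata",
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "authenticationInfo": {"principalEmail": "other@example.com"},
        "authorizationInfo": [
            {"permission": "compute.instances.setMetadata", "granted": False}]}}),
]

# Illustrative subset of the Compute Viewer role; get the full list with
# `gcloud iam roles describe roles/compute.viewer`.
BASE_VIEWER_SUBSET = ["compute.instances.get", "compute.instances.list",
                      "compute.disks.get", "compute.disks.list", "compute.zones.list"]

# Permissions deliberately withheld even if the logs show them as missing.
# For the first question on this page, use {"compute.instances.create"}.
WITHHELD = {"compute.images.create", "compute.snapshots.create"}

PERMISSION_DENIED = 7  # google.rpc.Code value in protoPayload.status.code


def denied_permissions(lines, principal=None):
    """Count each permission that was checked and not granted, taken from
    entries whose status is PERMISSION_DENIED, optionally for one principal."""
    counts = Counter()
    for line in lines:
        payload = json.loads(line).get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail")
        if principal and who != principal:
            continue
        if payload.get("status", {}).get("code") != PERMISSION_DENIED:
            continue
        for check in payload.get("authorizationInfo", []):
            if check.get("granted") is False:
                counts[check["permission"]] += 1
    return counts


def build_custom_role(base, discovered, withheld, title="VM and disk operator"):
    """Merge the base role with permissions surfaced by the logs, drop the
    withheld ones, and return the document `gcloud iam roles create --file`
    expects (title/description/stage/includedPermissions)."""
    perms = (set(base) | set(discovered)) - set(withheld)
    return {"title": title,
            "description": "Use and create instances and disks only",
            "stage": "GA",
            "includedPermissions": sorted(perms)}


def to_role_yaml(role):
    """Serialise the role document as the flat YAML gcloud accepts."""
    out = [f"title: {role['title']}",
           f"description: {role['description']}",
           f"stage: {role['stage']}",
           "includedPermissions:"]
    out += [f"- {p}" for p in role["includedPermissions"]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    missing = denied_permissions(SAMPLE_LOG_LINES, principal="dev@example.com")
    role = build_custom_role(BASE_VIEWER_SUBSET, missing, WITHHELD)
    print(to_role_yaml(role))
    # then: gcloud iam roles create vmOperator --project PROJECT_ID --file role.yaml
```

Filtering on the principal matters: the same log stream carries denials for other users, and folding those in would grant the test user permissions nobody asked for. The withheld set is applied last so that a permission can never creep back in just because someone tried it in the console.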
We have a large number of IAM users (in the hundreds; it can grow beyond 1000 in the future).
All the IAM users have access to create EC2 instances. Simultaneously, around 30-40 users will be working and creating EC2 instances.
In the AWS Management Console, an IAM user can see all the instances created by other IAM users as well. Is it possible to make him see only those EC2 instances which he created and hide all the other instances created by other IAM users?
I do agree that IAM users can give names and tags to recognise their instances. However, I am looking for visibly hiding those resources which he has not created.
If IAM policies allowed specifying a required filter, this would be possible. But you can't specify it, so it's not possible.
What you want is called Organizations: you can give each group their own AWS account, so they can see their own billing, etc.
Reserved Instances can flow from the master account to sub-accounts
Bills flow from the sub accounts to the master account
All your users can remain in the master account, you just give them AssumeRole capabilities to view their account.
You can apply Service Control Policies that prevent sub-accounts from doing things.
You may think management is "easier" with one account, but the opposite is true. Just like you should treat servers as "cattle, not pets" (i.e. they are disposable), you should think of AWS accounts as disposable. Some organizations give each developer their own AWS account, and only a build server can modify the Staging/Prod accounts via Terraform or CloudFormation.
What you would typically use for this is resource level permissions. What resources / what you can control varies from API call to API call in AWS. In particular, what you would want is a resource-level permission on the DescribeInstances API call. Unfortunately, AWS does not currently support resource-level permissions on this API Call.
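Two points made on this page are easy to check with a small model of IAM's evaluation rules: the Organizations answer above says an SCP never grants, only caps, what an identity policy can grant; and this answer says visibility cannot be restricted because ec2:DescribeInstances takes no resource ARN, even though mutating actions can be tied to tags. The Python below is an added example, not AWS code, and models only a slice of IAM: Allow/Deny statements with Action and Resource wildcards, the StringEquals and StringLike condition operators, and the ${aws:username} policy variable. It treats the SCP list as one SCP per OU level (FullAWSAccess detached) and ignores resource policies, permission boundaries and session policies. The policies, user name and instance ARN are constructed.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case=False):
    # IAM wildcards: '*' any run of characters, '?' one character. fnmatch also
    # honours '[...]', which IAM does not; acceptable for this toy evaluator.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """StringEquals / StringLike only, with ${aws:username} substituted from
    the request context. A missing context key makes the condition false."""
    username = context.get("aws:username", "")
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            wanted = [e.replace("${aws:username}", username) for e in _as_list(expected)]
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "StringLike" and not any(_match(w, actual) for w in wanted):
                return False
    return True


def evaluate(policy, action, resource, context):
    """'Deny', 'Allow' or None (implicit deny) for one policy document."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(a, action, fold_case=True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final
        result = "Allow"
    return result


def is_allowed(identity_policies, scps, action, resource, context):
    """No explicit deny anywhere, every SCP level allows, and at least one
    identity policy allows."""
    identity = [evaluate(p, action, resource, context) for p in identity_policies]
    ceiling = [evaluate(p, action, resource, context) for p in scps]
    if "Deny" in identity or "Deny" in ceiling:
        return False
    if any(d != "Allow" for d in ceiling):
        return False
    return "Allow" in identity


# Constructed policies. AdministratorAccess-equivalent identity policy:
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# An SCP that caps a member account to EC2 and S3, whatever IAM grants inside:
SCP_EC2_S3_ONLY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
# Tag-based policy: mutations are tied to an Owner tag, but ec2:Describe* takes
# no resource ARN and stays wide open. (A real RunInstances grant also needs
# image, subnet, security group, key pair, network interface and volume ARNs.)
EC2_OWNER_ABAC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:RequestTag/Owner": "${aws:username}"}}},
    {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"}}},
]}

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"


def demo():
    alice = {"aws:username": "alice"}
    return {
        "admin_iam_under_scp": is_allowed([ADMIN], [SCP_EC2_S3_ONLY], "iam:CreateUser", "*", alice),
        "admin_ec2_under_scp": is_allowed([ADMIN], [SCP_EC2_S3_ONLY], "ec2:RunInstances", INSTANCE, alice),
        "describe_any": is_allowed([EC2_OWNER_ABAC], [], "ec2:DescribeInstances", "*", alice),
        "terminate_own": is_allowed([EC2_OWNER_ABAC], [], "ec2:TerminateInstances", INSTANCE,
                                    {**alice, "aws:ResourceTag/Owner": "alice"}),
        "terminate_bobs": is_allowed([EC2_OWNER_ABAC], [], "ec2:TerminateInstances", INSTANCE,
                                     {**alice, "aws:ResourceTag/Owner": "bob"}),
        "run_untagged": is_allowed([EC2_OWNER_ABAC], [], "ec2:RunInstances", INSTANCE, alice),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'ALLOW' if ok else 'DENY'}")
```

The first two results show the SCP ceiling: an account-level administrator still cannot call iam:CreateUser once the OU's SCP only lists ec2:* and s3:*. The rest show why tagging helps with control but not with visibility: a user can only stop or terminate instances carrying their own Owner tag and must tag on launch, yet DescribeInstances is allowed for everything, exactly as the answer above states.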