Restrict service account to list/view only a single VPC - google-cloud-platform

I have created a GCP project with multiple VPC say vpc-a, vpc-b, vpc-c.
I have created two service accounts - svc-acct-a and svc-acct-b
Requirement:
On execution of gcloud compute networks list
svc-acct-a should list only vpc-a
svc-acct-b should list vpc-a, vpc-b and vpc-c
What is the best way to achieve this? Please describe in details with the required commands or UI configurations.
I couldn't find a way to assign IAM roles at a VPC level.

You can't add permission at the VPC level but only at the subnet level. In addition, IAM Condition doesn't support VPC or Subnet resource types and it can't be an option.
Finally, the list method, if the account (service or user) has access to this API, the API content won't be filter according to the permission (valid for all the API call, not specifically for VPC/subnets): the full list will be returned.

Related

is there a way to restrict creation of specific resource in GCP irrespective of the IAM roles?

I need to restrict creation of VPCsof all the projects irrespective of the IAM roles.
I tried the organisation policies, I was not able to find any policy which restricts the creation of resources.
Is there any other way I can do restrict creation of VPCs?
It's not possible to restrict VPC creation using Organization policies but there's another approach utilizing IAM roles & permissions.
Have a look at the documentation regarding roles needed to administer all your networks.
The most powerful role is roles/compute.networkAdmin which gives you control over every aspect of networking in your project;
Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
If you want to limit users' permissions assign them a roles/compute.networkUser role:
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.
And if you want some examples have a look at this document describing a IAM roles for Networking-related Job Functions.

How to restrict users to single VPC in Google cloud platform?

If I have 2 VPCs set up for 2 different teams on a single project in GCP and want to give the IAM users the access to one single VPC and the resources in that VPC only, how to I do that in Google cloud platform? what IAM roles has to be assigned to these users?
You can't achieve this easily and out of the box. The VPC is a resource, you can restrict access on this resource. VM (on this VPC) are also resources, and the permissions provided on the VPC aren't inherited to the resource that use this VPC.
You can to use a new feature, named asset relationship that provide you the relation between the assets. Like that you could get the asset (resources) in relation with your VPC and enforce the same restriction on all these resources. But you need to code this, it's not out of the box, and the feature still in preview.

How do I find all security groups that trust a list of EIPs across multiple AWS accounts?

I'm using PowerShell with AWS SDK along with cross account IAM roles. Does anyone know if there is an API available to get this?
All API calls are account-specific. There, such a script would need to loop through each account and query separately. The script would either need an IAM User credentials for each account, or it could call AssumeRole() if it has permission to access and IAM Role in each account.
Within an account, the script would need to retrieve via DescribeSecurityGroups(), look through the Inbound rules and find any instances of the Elastic IP addresses.

How VPC sharing works

I do not understand VPC sharing concept.
So I have my root account and under this account I've created two accounts:
- myVPCShare1
- myVPCShare2
Both account have full administrator rights.
VPC sharing documentation says that it allows to share vpc's between accounts.
So I've created VPC (shareVPC) with subnet (sharedSubnet) using myVPCShare1 account and I switched to myVPCShare2 and I see both shareVPC sharedSubnet without doing VPC sharing.
Moreover, using myVPCShare1 I've created EC2 instance and I also can see this instance when I switch to myVPCShare2.
So my question is:
Can someone explain me the purpose/usage of VPC sharing ?
Here'e the basis of your misunderstanding:
So I have my root account and under this account I've created two accounts
No, you haven't. You've created two users in the same AWS account.
Those two users, the root user, and any other users of yours are all owned by the same AWS account, and thus see all the account's resources (such as the EC2 instance described above) as long as they have permission to do so.
VPC Sharing applies across account boundaries -- not within the same account.

How can you launch instances from one AWS account into the VPC of another?

For easing billing I want to use a different AWS account for each cost center. But we want all the services to run inside the same VPC. This is both because different services may need to communicate with each other and there are a limited number of hardware VPN connections available. So the question is how can you make your VPC available to other AWS accounts that you own so they can launch instances inside of it?
The infrastructure team has an AWS Account A. The VPC is present on this account and is billed to the infrastructure team for the NAT instance and the VPN gateway.
The team on a project has an account B. The instances need to be launched and billed to this account.
I've been reading the resources here: http://docs.aws.amazon.com/IAM/latest/UserGuide/delegation-cross-acct-access.html . It seems as if I can use AssumeRole as Account B to grant access across accounts, but then as far as I can tell my identity changes to the Account A (The owner field had the number for Account A). Resource-based policies seem like what I'm thinking but they are not supported for VPCs.
I'm assuming there has to be some way to do this. Otherwise it doesn't make any sense to have an owner field with an AWS account number for EC2 instances and other resources.
If you enable programmatic access to your bills, you can select the tags you want included. This allows you to produce the report you're looking for.
As of June 2013 Amazon has confirmed that it is not possible to share a VPC with another account.: https://forums.aws.amazon.com/thread.jspa?messageID=462834&tstart=0#