How to restrict users to single VPC in Google cloud platform? - google-cloud-platform

If I have 2 VPCs set up for 2 different teams on a single project in GCP and want to give the IAM users access to one single VPC and the resources in that VPC only, how do I do that in Google Cloud Platform? What IAM roles have to be assigned to these users?

You can't achieve this easily and out of the box. The VPC is a resource, and you can restrict access to this resource. VMs (on this VPC) are also resources, and the permissions provided on the VPC aren't inherited by the resources that use this VPC.
You can use a new feature, named asset relationship, that provides you the relations between assets. That way you could get the assets (resources) related to your VPC and enforce the same restriction on all these resources. But you need to code this, it's not out of the box, and the feature is still in preview.
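To make the "enforce the same restriction on all these resources" step concrete, here is an added example (not the answerer's code and not a Google tool). It walks a constructed asset export whose records follow the Cloud Asset Inventory shape (assetType plus the Compute API resource under resource.data), reads each resource's network references instead of calling the preview relationship API, and emits the per-resource IAM bindings a team group would need. The project id, resource names, team groups and the role-per-type mapping are assumptions for the example; a dual-NIC instance is included to show that a resource attached to two VPCs cannot be confined to one team.

```python
"""Derive per-resource IAM bindings for the resources attached to one VPC.

Permissions granted on a VPC are not inherited by the VMs that use it, so a
team that should be confined to one VPC needs grants on every attached
resource. This walks an asset export, finds each resource's network
references and emits the (resource, role, member) bindings to apply.
"""

PROJECT = "example-project"  # constructed project id
NET_BASE = f"https://www.googleapis.com/compute/v1/projects/{PROJECT}/global/networks/"
RES_BASE = f"//compute.googleapis.com/projects/{PROJECT}/"


def _instance(zone, name, *nets):
    """Constructed Instance asset with one NIC per listed VPC."""
    return {
        "name": f"{RES_BASE}zones/{zone}/instances/{name}",
        "assetType": "compute.googleapis.com/Instance",
        "resource": {"data": {"networkInterfaces": [{"network": NET_BASE + n} for n in nets]}},
    }


def _subnet(region, name, net):
    """Constructed Subnetwork asset."""
    return {
        "name": f"{RES_BASE}regions/{region}/subnetworks/{name}",
        "assetType": "compute.googleapis.com/Subnetwork",
        "resource": {"data": {"network": NET_BASE + net}},
    }


# Constructed sample export (shape modelled on Cloud Asset Inventory's
# assetType + resource.data, the latter being the Compute API resource).
SAMPLE_ASSETS = [
    _subnet("us-central1", "subnet-a", "vpc-a"),
    _subnet("us-central1", "subnet-b", "vpc-b"),
    _instance("us-central1-a", "web-a", "vpc-a"),
    _instance("us-central1-a", "web-b", "vpc-b"),
    _instance("us-central1-b", "bastion", "vpc-a", "vpc-b"),  # dual-NIC: in both teams' scope
]

# Predefined role to grant on each attached resource type (assumption for the example).
ROLE_FOR_TYPE = {
    "compute.googleapis.com/Instance": "roles/compute.instanceAdmin.v1",
    "compute.googleapis.com/Subnetwork": "roles/compute.networkUser",
}


def network_refs(asset):
    """Return the short names of the VPCs an asset references."""
    data = asset.get("resource", {}).get("data", {})
    urls = [nic["network"] for nic in data.get("networkInterfaces", [])]
    if "network" in data:
        urls.append(data["network"])
    return {u.rsplit("/", 1)[-1] for u in urls}


def resources_in_vpc(assets, vpc):
    """Sorted full resource names of every asset attached to `vpc`."""
    return sorted(a["name"] for a in assets if vpc in network_refs(a))


def plan_bindings(assets, vpc, member):
    """(resource, role, member) triples granting `member` on each attached resource."""
    plan = []
    for a in assets:
        role = ROLE_FOR_TYPE.get(a["assetType"])
        if role and vpc in network_refs(a):
            plan.append((a["name"], role, member))
    return plan


def shared_resources(assets, vpcs):
    """Resources attached to more than one of the given VPCs; these cannot be
    confined to a single team and need a manual decision."""
    return sorted(a["name"] for a in assets if len(network_refs(a) & set(vpcs)) > 1)


if __name__ == "__main__":
    teams = (("vpc-a", "group:team-a@example.com"), ("vpc-b", "group:team-b@example.com"))
    for vpc, team in teams:
        for res, role, member in plan_bindings(SAMPLE_ASSETS, vpc, team):
            print(f"{res}  {role}  {member}")
    print("shared:", shared_resources(SAMPLE_ASSETS, ["vpc-a", "vpc-b"]))
```

Each triple maps to one resource-level grant (for instances `gcloud compute instances add-iam-policy-binding`, for subnets `gcloud compute networks subnets add-iam-policy-binding`); the plan has to be re-derived whenever a VM is created or attached to a different network, which is the "you need to code this" part of the answer.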

Related

is there a way to restrict creation of specific resource in GCP irrespective of the IAM roles?

I need to restrict creation of VPCs of all the projects irrespective of the IAM roles.
I tried the organisation policies, but I was not able to find any policy that restricts the creation of resources.
Is there any other way I can restrict creation of VPCs?
It's not possible to restrict VPC creation using Organization policies, but there's another approach utilizing IAM roles & permissions.
Have a look at the documentation regarding roles needed to administer all your networks.
The most powerful role is roles/compute.networkAdmin which gives you control over every aspect of networking in your project;
Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates. The network admin role allows read-only access to firewall rules, SSL certificates, and instances (to view their ephemeral IP addresses). The network admin role does not allow a user to create, start, stop, or delete instances.
If you want to limit users' permissions, assign them the roles/compute.networkUser role:
Provides access to a shared VPC network
Once granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network but they cannot delete or create new networks in the host project.
And if you want some examples, have a look at this document describing IAM roles for networking-related job functions.
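Because the control here is "who holds a network-writing role" rather than an organization policy, the practical check is an audit of the project IAM policy. The following is an added example (not the answerer's code and not a Google tool): it reads the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, lists every member who can create or delete VPC networks through roles/compute.networkAdmin or the broader roles that include those permissions, and reports anyone outside an allowed admin set. The sample policy, identities and allowed set are constructed for the example.

```python
"""Audit a project IAM policy for who can create or change VPC networks.

Input is the JSON that `gcloud projects get-iam-policy PROJECT --format=json`
returns (bindings of role -> members). Since no organization policy blocks
VPC creation, the control is to keep the network-writing roles to a small
admin group and give everyone else roles/compute.networkUser.
"""
import json

# Roles whose permissions include creating/deleting VPC networks.
NETWORK_WRITING_ROLES = {
    "roles/compute.networkAdmin",
    "roles/compute.admin",
    "roles/editor",
    "roles/owner",
}

# Constructed sample policy in gcloud's JSON shape (identities and etag made up).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:cloud-admin@example.com"]},
    {"role": "roles/compute.networkAdmin",
     "members": ["group:netops@example.com", "user:dev1@example.com"]},
    {"role": "roles/compute.networkUser", "members": ["group:app-team@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXYZ123",
  "version": 1
}
""")


def members_by_role(policy):
    """Map each role to the set of members bound to it (conditions ignored)."""
    out = {}
    for b in policy.get("bindings", []):
        out.setdefault(b["role"], set()).update(b.get("members", []))
    return out


def network_writers(policy):
    """Members who can create or delete VPC networks, with the granting roles."""
    writers = {}
    for role, members in members_by_role(policy).items():
        if role in NETWORK_WRITING_ROLES:
            for m in members:
                writers.setdefault(m, set()).add(role)
    return writers


def unexpected_network_writers(policy, allowed):
    """Sorted members outside the `allowed` admin set who can still change networks."""
    return sorted(m for m in network_writers(policy) if m not in allowed)


if __name__ == "__main__":
    allowed = {"user:cloud-admin@example.com", "group:netops@example.com"}
    writers = network_writers(SAMPLE_POLICY)
    for m in unexpected_network_writers(SAMPLE_POLICY, allowed):
        print(f"{m}: holds {sorted(writers[m])}; consider roles/compute.networkUser instead")
```

The broad roles are included deliberately: removing roles/compute.networkAdmin from a developer achieves nothing if the same person also holds roles/editor, which is why the report lists the granting roles per member.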

Virtual Machines in resource group, resources need permission to access BigQuery, how to accomplish?

I'm new to GCP.
I was wondering: if I have multiple Virtual Machines residing in a resource group and my resources need permission to access BigQuery, what do I need to add to the policy to grant access?
Another question is if, for example, I had 100 VMs in a resource group, to grant them access, do I have to configure each VM one by one? I'm sure there is a way to give them all access but I don't know the method such as permissions, IAM, policies, templates.
Thanks in advance!
There's no equivalent to a resource group in GCP.
The approach is to create a Service Account and grant it the permissions the resources (e.g. the VMs) need. Then you create the VMs to use the Service Account as their identity.
Resources have a single identity, usually a Service Account. You should create Service Accounts for each functionally|security equivalent resource.
Identities are bound to one or more roles. Roles correspond to one or more service|API methods. Try to use predefined roles, but you can create custom roles.
Service Accounts:
https://cloud.google.com/iam/docs/service-accounts
Compute Engine identities:
https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
BigQuery IAM roles:
https://cloud.google.com/bigquery/docs/access-control
Managed Instance Groups:
https://cloud.google.com/compute/docs/instance-groups
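The question asks literally what to add to the policy. Here is an added example (not the answerer's code and not a Google tool) of that edit: it takes the project IAM policy JSON as returned by `gcloud projects get-iam-policy`, binds one service account to the two BigQuery roles a read-and-query workload needs, does so idempotently, and preserves the etag so the result can be applied with `gcloud projects set-iam-policy` without clobbering a concurrent change. The sample policy, service account name and the choice of roles are assumptions for the example.

```python
"""Grant one service account the BigQuery roles a fleet of VMs needs.

Instead of touching 100 VMs, the VMs run as a single service account and the
grant is made once on the project IAM policy. This takes the policy JSON
from `gcloud projects get-iam-policy`, adds the bindings idempotently and
keeps the etag so the result can be fed to `gcloud projects set-iam-policy`
without overwriting a concurrent change.
"""
import copy
import json

# Constructed sample policy (identities and etag made up for this example).
CURRENT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:cloud-admin@example.com"]},
    {"role": "roles/bigquery.jobUser", "members": ["user:analyst@example.com"]}
  ],
  "etag": "BwXYZ123",
  "version": 1
}
""")

# Least-privilege pair for "read tables and run queries" (assumption for this
# example; dataViewer alone cannot run query jobs).
BQ_READ_ROLES = ("roles/bigquery.dataViewer", "roles/bigquery.jobUser")


def grant_roles(policy, member, roles):
    """Return a copy of `policy` with `member` bound to each role, preserving
    existing bindings and the etag; re-running is a no-op."""
    new = copy.deepcopy(policy)
    new.setdefault("bindings", [])
    for role in roles:
        # Reuse the unconditional binding for the role if one exists.
        binding = next((b for b in new["bindings"]
                        if b["role"] == role and "condition" not in b), None)
        if binding is None:
            binding = {"role": role, "members": []}
            new["bindings"].append(binding)
        if member not in binding["members"]:
            binding["members"].append(member)
    return new


def roles_of(policy, member):
    """Sorted roles that `member` holds directly in `policy`."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


if __name__ == "__main__":
    sa = "serviceAccount:bq-reader@example-project.iam.gserviceaccount.com"
    updated = grant_roles(CURRENT_POLICY, sa, BQ_READ_ROLES)
    # Write this out and apply it with: gcloud projects set-iam-policy PROJECT policy.json
    print(json.dumps(updated, indent=2))
```

The VMs then get the identity at creation time, for example with `--service-account=bq-reader@example-project.iam.gserviceaccount.com --scopes=cloud-platform` on `gcloud compute instances create` or, for a whole fleet, on the instance template behind a managed instance group; the IAM roles above, not the scopes, are what bound the access.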

Restrict service account to list/view only a single VPC

I have created a GCP project with multiple VPCs, say vpc-a, vpc-b, vpc-c.
I have created two service accounts - svc-acct-a and svc-acct-b
Requirement:
On execution of gcloud compute networks list:
svc-acct-a should list only vpc-a
svc-acct-b should list vpc-a, vpc-b and vpc-c
What is the best way to achieve this? Please describe in detail with the required commands or UI configurations.
I couldn't find a way to assign IAM roles at a VPC level.
You can't add permissions at the VPC level, only at the subnet level. In addition, IAM Conditions don't support VPC or subnet resource types, so they can't be an option.
Finally, for the list method, if the account (service or user) has access to this API, the API content won't be filtered according to the permissions (this is valid for all API calls, not specifically for VPCs/subnets): the full list will be returned.

gcp firewall settings for individual storage browser

I want to create firewall rules particular to a storage browser in Google Cloud Platform. I see that we have an option to create firewall rules, but how can we apply those rules to a specific storage browser and not to all other storage browser buckets?
You do not have to create firewall rules for buckets. What you need is to set the permissions on the buckets using Cloud IAM with buckets:
1. Open the Cloud Storage browser in the Google Cloud Platform Console.
2. Click the drop-down menu associated with the bucket to which you want to grant a member a role. The drop-down menu appears as three vertical dots to the far right of the bucket's row.
3. Choose Edit bucket permissions.
4. In the Add members field, enter one or more identities that need access to your bucket.
5. Select a role (or roles) from the Select a role drop-down menu. The roles you select appear in the pane with a short description of the permissions they grant.
6. Click Add.
You can add as members individual users, groups, domains, or even the public as a whole. Members are assigned roles, which grant members the ability to perform actions in Cloud Storage as well as GCP more generally.
You can make a Cloud Storage bucket accessible only by a certain service account.
A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.
You can not apply firewall rules to single buckets.
Firewall rules are defined at the network level, and only apply to the network where they are created.
Your inquiry is a known Feature Request that has not been implemented yet on Cloud Storage. It has been requested and is ongoing, in order to allow IP Whitelisting in Bucket Policy, just like AWS does it with S3 buckets. You can “star” the FR, so that it gets more visibility, and also add your email to the “CC” list so that you can get the updates.
As a workaround, you may request access to use VPC Service Controls. According to official documentation, with VPC Service Controls, administrators can define a security perimeter around resources of Google-managed services to control communication to and between those services.
Cloud Storage is included in the Supported products of these Google-managed services and here you can find its limitations.
You can use access levels to grant controlled access to protected Google Cloud Platform (GCP) resources in service perimeters from outside a perimeter.
Access levels define various attributes that are used to filter requests made to certain resources. Access levels can consider various criteria, such as IP address and user identity. Additionally, they are created and managed using Access Context Manager.
This example describes how to create an access level condition that allows access only from a specified range of IP addresses.
However, it needs to be considered that VPC Service Controls create a “border” around the project, specifying a “virtual area” where Access Context Manager rules can be applied. The ACM rule specifying an IP address will allow that IP address to access all Cloud Storage objects and all other protected resources owned by that project, which is not the expected result. As stated here, you cannot apply an IP address rule to an object, only to all objects in a project.
Furthermore, here you can find a useful link for the Best Practices concerning Security and Access Control on Cloud Storage buckets. Here, you can find tips on “sharing your files” while hosting a static website.
In conclusion, another option is Firebase Hosting instead of Cloud Storage, as stated here. Firebase Hosting is a Google hosting service which provides static web content to the user in a secure, fast, free and easy way.
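Since the answer's point is that bucket access is governed by the bucket IAM policy rather than by firewall rules, the check a practitioner wants is whether that policy actually limits access to the intended service account. The following is an added example (not the answerer's code and not a Google tool) that reads the JSON shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, reports any public members (allUsers, allAuthenticatedUsers) and lists every other principal with object or bucket-content access besides the intended service account and an explicit set of accepted administrators. The sample policy and identities are constructed; the set of roles treated as data access is an assumption for the example.

```python
"""Check that a bucket IAM policy grants data access only to the intended
service account (plus accepted administrators) and to nobody public.

Input is the JSON that `gcloud storage buckets get-iam-policy gs://BUCKET
--format=json` returns: a list of bindings of role -> members.
"""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that can read, list or write objects in the bucket (assumption for
# the example; legacy roles are included because new buckets carry them).
DATA_ACCESS_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectCreator",
    "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyBucketReader", "roles/storage.legacyBucketWriter",
    "roles/storage.legacyBucketOwner", "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
}

# Constructed sample bucket policy (identities and etag made up).
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers",
                 "serviceAccount:web-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin", "members": ["user:dev1@example.com"]}
  ],
  "etag": "CAE="
}
""")


def public_bindings(policy):
    """Sorted (role, member) pairs that expose the bucket to the public."""
    return sorted((b["role"], m)
                  for b in policy.get("bindings", [])
                  for m in b.get("members", []) if m in PUBLIC_MEMBERS)


def data_access_members(policy):
    """Every member holding a role from DATA_ACCESS_ROLES on the bucket."""
    members = set()
    for b in policy.get("bindings", []):
        if b["role"] in DATA_ACCESS_ROLES:
            members.update(b.get("members", []))
    return members


def unexpected_principals(policy, intended_sa, admins=()):
    """Sorted members with data access other than `intended_sa` and `admins`."""
    return sorted(data_access_members(policy) - {intended_sa} - set(admins))


if __name__ == "__main__":
    sa = "serviceAccount:web-sa@example-project.iam.gserviceaccount.com"
    for role, member in public_bindings(SAMPLE_BUCKET_POLICY):
        print(f"PUBLIC: {member} via {role}")
    for member in unexpected_principals(SAMPLE_BUCKET_POLICY, sa,
                                        admins={"projectOwner:example-project"}):
        print(f"unexpected principal with data access: {member}")
```

Treating the project-level convenience members (projectEditor, projectOwner) as ordinary principals is intentional: they are what makes "only this service account" false on a bucket that still carries its default legacy bindings, so the caller has to list the ones it accepts explicitly.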

How can you launch instances from one AWS account into the VPC of another?

For easing billing I want to use a different AWS account for each cost center. But we want all the services to run inside the same VPC. This is both because different services may need to communicate with each other and there are a limited number of hardware VPN connections available. So the question is how can you make your VPC available to other AWS accounts that you own so they can launch instances inside of it?
The infrastructure team has an AWS Account A. The VPC is present on this account and is billed to the infrastructure team for the NAT instance and the VPN gateway.
The team on a project has an account B. The instances need to be launched and billed to this account.
I've been reading the resources here: http://docs.aws.amazon.com/IAM/latest/UserGuide/delegation-cross-acct-access.html. It seems as if I can use AssumeRole as Account B to grant access across accounts, but then as far as I can tell my identity changes to Account A (the owner field had the number for Account A). Resource-based policies seem like what I'm thinking of, but they are not supported for VPCs.
I'm assuming there has to be some way to do this. Otherwise it doesn't make any sense to have an owner field with an AWS account number for EC2 instances and other resources.
If you enable programmatic access to your bills, you can select the tags you want included. This allows you to produce the report you're looking for.
As of June 2013 Amazon has confirmed that it is not possible to share a VPC with another account: https://forums.aws.amazon.com/thread.jspa?messageID=462834&tstart=0#