Understanding GCP IAM between multiple projects - google-cloud-platform

In my organization, we work with GCP and have multiple projects there. I'm now trying to organize the IAM roles between all the projects and I'm not sure about some of the IAM settings. Are to projects act as completely separate entities with completely different IAM roles/permissions or are there any overlap between them that can lead to that a change in one project might affect another project?

Changing roles in one project will not directly change roles set on another project. But there are some things you'll want to consider.
While projects can have their own access control rules, it is possible to manage access at more than the project level. Here are the four resource points where you can manage access:
Organization level. The organization resource represents your company.
IAM roles granted at this level are inherited by all resources under
the organization.
Folder level. Folders can contain projects,
other folders, or a combination of both. Roles granted at the highest
folder level will be inherited by projects or other folders that are
contained in that parent folder.
Project level. Projects represent a
trust boundary within your company. Services within the same project
have a default level of trust. For example, App Engine instances can
access Cloud Storage buckets within the same project. IAM roles
granted at the project level are inherited by resources within that
project.
Resource level. In addition to the existing Cloud Storage and
BigQuery ACL systems, additional resources such as Genomics Datasets,
Pub/Sub topics, and Compute Engine instances support lower-level roles
so that you can grant certain users permission to a single resource
within a project.
Access can be at the individual level, through a service account, or through organization-wide and Google Group membership. That means that when you add or remove someone from the organization or a Google group, you may inadvertently add or remove them from various roles in different projects.
Also, if a member (individual or group) is assigned a role that gives the capability to change IAM roles, then anyone in that member group can modify permissions. They may change rules in ways you don't want.
When in doubt, use testPermissions to verify that roles are working as expected.

The IAM roles you set in a project won't affect other projects.
Google Cloud resources are organized hierarchically, where the organization node is the root node in the hierarchy, the projects are the children of the organization, and the other resources are descendants of projects. You can set Identity and Access Management (IAM) policies at different levels of the resource hierarchy. Resources inherit the policies of the parent resource. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.
Please check the following documentation where you will find a good explanation of the resource hierarchy for access control
I think this diagram can help you to understand better how IAM works:

Related

Understanding GCP IAM policies for various resources

I want to list IAM policies or access levels for various resourses. I followed docs and I'm able to list it for projects. There are various resources and I'm somewhat confused with it.
Is all other resourses come inside the project? (Basically I'm confused with the chain)
If someone have access to project (read/write/anything else) then can they have access to resourses inside the projects?
If other resourses are independent then how to list their IAM policies? (For each individual resourse)
I'm using GCP Oauth2 API and would highly appreatiate if anyone at least answer the above questions.
Is all other resourses come inside the project?
Yes,
For a specific project, you can use search-all-resources to search all the resources across services (or APIs) and projects.
To use the number 123 to search every resource in a project:
$ gcloud asset search-all-resources --scope=projects/123
If someone has access to a project (read/write/anything else) then can they have access to resources inside the projects?
Results from the above command are the resources in that project. If you have a user who has an owner role in the project then the user can manage roles and permissions for a project and all resources within the project. If a user has a viewer role then the user has permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
Some resources also have separate permissions,a user can have permissions other than project level that is Individual permissions to the specific resource, by using them you can restrict the user to access projects but the user can access a specific resource.
Here you can find Access control for projects with IAM.
If other resources are independent then how to list their IAM policies? (For each individual resource)
Google has Predefined roles for every resource in the project you can filter out the specific resource by searching the resource in this doc, those are predefined roles which can assign a user to the specific resource.
You can find more information in this doc.
The ORG, Folder, and Project are resources. They have an API to access IAM Policy Bindings. Cloud Storage, KMS, Compute Engine, Cloud Run, Functions, etc are also resources. They have an API to access IAM Policy bindings. Look up the API for each resource type.
In Google Cloud, many resources support IAM Policy Bindings but not all.
Is all other resourses come inside the project? (Basically I'm
confused with the chain)
Google Cloud resources belong to projects in almost all cases. Billing Accounts and Payment Accounts are examples that are separate.
If someone have access to project (read/write/anything else) then can
they have access to resourses inside the projects?
If as you say "read/write/anything else", then yes. If they have the correct IAM roles at the project level, they can access the resource. Since some resources also support their own IAM Policy Bindings, a user can be granted access to a resource at the resource level without having permission at the project level.
If other resourses are independent then how to list their IAM
policies? (For each individual resource)
You must access the resource's IAM Policy Bindings. Each resource that supports IAM Policy Bindings has a corresponding API to read/modify.
Note: resources are not independent. They are owned by a project in almost all cases as I mentioned previously.

Is there a way to restrict access of users to certain GCP services if they have access at organization level?

In my GCP organization, We have several users who have access at the organization level for IAM for all the projects within it.
I have a scenario, where in I need to restrict the access of some users to one particular project's specific services.
I'm aware of the VPC service control perimeters but since the service that I want to restrict is GCP FireStore service and it is not supported by VPC SC, What other thing can be done here to restrict the access?
Please suggest me some alternate way for doing this if there is any.
Permissions are inherited. If you grant an identity a role at the ORG/Folder level, those permissions are inherited at the project level.
Google is rapidly developing Organization Policy Constraints which might invalidate this answer in the near future.
At this time, your best solution is to remove rights at the ORG/Folder level and grant rights at the project level if you need project-level IAM control.

GCP - For particular bucket make policy for access

In my GCP project, people have storage admin access. I want to restrict the person and give few members writing access in the GCP bucket. When I try to revoke the access it is saying cannot change access as it is inherited.
Any way to create custom access for a particular storage bucket in GCP. I have to make this for the AIRFLOW DAG bucket.
Custom roles cannot be recognized upwards on the resource hierarchy. For example, a role created at the project level cannot be used at the folder or organization level.
Similarily, custom roles cannot be recognized laterally. For example, a custom role created at the project level cannot be used in bindings in another project even if they are in the same folder or organization.
To use a custom role in different projects or different folders, customers have to create/define the roles at the parent organization level. Note that currently, a custom role cannot be created at the folder level.
For more information on custom roles you can check the public documentation.

Terraform GCP service_account vs project vs org

i am picking up terraform for GCP and i came across these three resources:
google_service_account_iam_member
google_project_iam_member
google_organization_iam_member
They sound very similar to each other but certainly with some key differences.
I went through their docs but their differences were not absolutely clear to me. Is there any easy way to illustrate the difference between these?
Thanks
Within GCP, there is a hierarchy: Organization, Project, Resource
The IAM policies you mentioned behaves the same; however, works on different levels based on the hierarchy.
For example, the google_project_iam_member will update the IAM policy to grant a role to a new member on the project level.
The google_organization_iam_member will do the same thing, but on the Organization level (which is a level higher than the project).
Update:
The google_service_account_iam_member will work on every level depending on what you would like the service account to do. You can either have the service account act as an identity or just have it run a certain resouce. A service account can be added on all three levels.
As described before the google_project_iam_member and google_organization_iam_member, are used to manager IAM permission in the project or organization level. You can also manage permission on the folder level.
When, IAM is granted on the org level all folders and projects inherit that permission. When granted in the folder, alll projects and sub folders under that folder will inherit that permission.
Permissions can also be managed at resource level, the google_service_account_iam_member allow to grant permission to manage the service account and use the service account in the service account level. That helpful when you want to grant more restricted permissions and grant access to a single service account instead of all service accounts from the project.
Thanks,
Eduardo Ruela

How do I restrict a Google service account?

If I create a service account in my project and give it to a third party, can that third party abuse it to create VM instances etc? Or is it only allowed to do things that I give it explicit permission to do?
In the "permissions" section of the Google developers console I can set the service account to "Can edit" or "Can view", but what do those mean?
If you give "edit" or "owner" permissions, the user can create, modify, or delete GCE VM instances (among other resources). If you only give "view" permissions, then they can't create, modify, or delete GCE VM instances.
However, you cannot give fine-grained permissions such as "user can only edit this VM instance, but not this other one".
Per Google Compute Engine docs:
Can View
Provides READ access:
Can see the state of your instances.
Can list and get any resource type.
Can Edit
Provides "Can View" access, plus:
Can modify instances.
On standard images released after March 22, 2012, can ssh into the
project's instances.
Is Owner
Provides "Can Edit" access, plus:
Can change membership of the project.
Per Google Cloud Storage docs:
Project team members are given the following permissions based on
their roles:
All Project Team Members
All project team members can list buckets
within a project.
Project Editors
All project editors can list, create, and delete buckets.
Project Owners
All project owners can list, create, and delete buckets, and can also perform administrative tasks like adding and removing team members and changing billing. The project owners group is the owner of all buckets within a project, regardless of who may be the original bucket creator.
When you create a bucket without specifying an ACL, the project-private ACL is applied to the bucket automatically. This ACL provides additional permissions to team members, as described in default bucket ACLs.
Per Google Cloud SQL docs:
Team members may be authorized to have one of three levels of access:
“can View” (called Viewer in App Engine Console) allows read-only
access.
“can Edit” (called Developer in App Engine Console) allows
modify and delete access.
This allows a developer to deploy the
application and modify or configure its resources.
“is Owner” (called
Owner in App Engine Console) allows full administrative access.
This
includes the ability to add members and set the authorization level of
team members.