Situation:
I have a GCP project (owner) that is under a organization I do not have access to, so I see it in No Organization
a user (xyz#domain.com) has created a subscription for an existing pubsub topic, I see that under activity and the audit logs
this user is not visible for me in IAM (e.g. as editor, or with some pubsub specific role)
neither can I see this user in any pub/sub related topic/subscription, with a role, specifically not in the topic he created the subscription in
Summary:
xyz#domain.com created a subs.
I don't know where he got the role from (inherited?)
Question:
Is it possible that this person has e.g. editor on the organization (or some folder above the project) but I don't see that role in my IAM section of the project?
If not, where could the role be inherited from?
Creating a Subscribtion
To subscribe to a Pub/Sub topic a user should be able to create a Subscription object. To do that, a permission pubsub.subscriptions.create on a Topic is needed. It could be assigned explicitly onto a Topic or inherited from the parent levels (Project, Folder, Org) via:
a Custom Role inherited from the Project level or above;
a Predefined Role pubsub.editor or pubsub.admin assigned at the Pub/Sub Topic level or inherited from a parent level;
a Primitive Role Editor or Owner inherited from the Project or Service Resource level or above; for example, the Compute Engine default service account freshly created VM Instances are working on behalf of has an Editor Role on the Project it is part of.
Viewing role assignments
To trace where effective rights are inherited from, one would need at list the following Permssions:
resourcemanager.organizations.getIamPolicy
resourcemanager.folders.getIamPolicy
resourcemanager.projects.getIamPolicy
IAM Predefined Roles that contain that permissions are:
resourcemanager.organizationAdmin
iam.securityAdmin
iam.securityReviewer
IAM Predefined Roles that can trace up to the Folder level are:
resourcemanager.folderAdmin
resourcemanager.folderEditor
resourcemanager.folderIamAdmin
IAM Primitive Roles:
Viewer
Editor
Owner
To obtain the comprehensive view of resulting permissions you should be granted the Roles listed above assigned as high as possible in the IAM hierarchy (ideally at the Org level) to get enough administrative scope for investigation.
You can't see bindings that are located outside of the administrative scope you've got. Therefore you can't see the level where permissions are inherited from as well as security subject the permissions are granted for.
Back to the questions
Is it possible that this person has e.g. editor on the organization (or some folder above the project) but I don't see that role in my IAM section of the project?
Yes
If not, where could the role be inherited from?
An Org level and all Folder levels (those could be nested) above your Project.
Vendor documentation
IAM Roles
Cloud Pub/Sub | Access Control | Roles
Support level for permissions in custom roles
Related
In my GCP project, people have storage admin access. I want to restrict the person and give few members writing access in the GCP bucket. When I try to revoke the access it is saying cannot change access as it is inherited.
Any way to create custom access for a particular storage bucket in GCP. I have to make this for the AIRFLOW DAG bucket.
Custom roles cannot be recognized upwards on the resource hierarchy. For example, a role created at the project level cannot be used at the folder or organization level.
Similarily, custom roles cannot be recognized laterally. For example, a custom role created at the project level cannot be used in bindings in another project even if they are in the same folder or organization.
To use a custom role in different projects or different folders, customers have to create/define the roles at the parent organization level. Note that currently, a custom role cannot be created at the folder level.
For more information on custom roles you can check the public documentation.
In my project, project A publishes a message and project B pulls it out of Google cloud. I have several B clients and want to limit them to a specific topic and subscription. I tried the IAM conditions but it does not work for pubsub and seems to be only for pubsub lite. Does anyone know how to restrict user access to a particular topic and subscription?
You can grant roles at different level:
Organization
Folder
Project
Resource
When you go to the IAM page, you grant at the project level and thus you have access to all the resources of the project.
You should be in this case where you grant a service account of the project B to pubsub role on project A. And thus the service account has access to all topics/subscriptions.
To solve this, you can only grant a service account on a topic or on a subscription (at resource level)
Go to the topic or subscription page
Tick the checkbox in front of the resource that you want
Go to the right, in the info panel, in the permission tab
Click on add member to grant a service account (or a user account) only on this resource
Alternatively, you can use the method projects.topics.setIamPolicy of the PubSub API to set permissions at the resource level.
If you don't want to call the API directly, you can also use CLI with this command
gcloud pubsub topics set-iam-policy TOPIC POLICY_FILE
i am picking up terraform for GCP and i came across these three resources:
google_service_account_iam_member
google_project_iam_member
google_organization_iam_member
They sound very similar to each other but certainly with some key differences.
I went through their docs but their differences were not absolutely clear to me. Is there any easy way to illustrate the difference between these?
Thanks
Within GCP, there is a hierarchy: Organization, Project, Resource
The IAM policies you mentioned behaves the same; however, works on different levels based on the hierarchy.
For example, the google_project_iam_member will update the IAM policy to grant a role to a new member on the project level.
The google_organization_iam_member will do the same thing, but on the Organization level (which is a level higher than the project).
Update:
The google_service_account_iam_member will work on every level depending on what you would like the service account to do. You can either have the service account act as an identity or just have it run a certain resouce. A service account can be added on all three levels.
As described before the google_project_iam_member and google_organization_iam_member, are used to manager IAM permission in the project or organization level. You can also manage permission on the folder level.
When, IAM is granted on the org level all folders and projects inherit that permission. When granted in the folder, alll projects and sub folders under that folder will inherit that permission.
Permissions can also be managed at resource level, the google_service_account_iam_member allow to grant permission to manage the service account and use the service account in the service account level. That helpful when you want to grant more restricted permissions and grant access to a single service account instead of all service accounts from the project.
Thanks,
Eduardo Ruela
I am working on google cloud platform and i have faced the issue below.
(I would also like inputs from aws and azure platforms as well.)
Created a new user in gsuite admin console with no roles assigned in gsuite admin.
Added that user in gcp IAM console and gave 2 roles : compute security admin and compute network admin at organization level, meaning these permissions are inherited from organization level.
Should my user be able to create projects having only compute secuirty admin and compute network admin roles ?
No. With only those two roles assigned, your user would not be able to create Projects in GCP. You would need to assign a role with the resourcemanager.projects.create Permission. The correct role to assign according to the Principle of Least Privilege would be roles/resourcemanager.projectCreator, also known as the "Project Creator" role.
meaning these permissions are inherited from organization level.
That's not quite what this means. In GCP, resources that are below the Organization (e.g. Folders, Projects) will inherit Permissions defined at the Org level, and lower-level resources cannot further restrict permissions already granted at higher levels.
See also:
List of predefined Roles in GCP
Creating and Managing Projects
Using Resource Hierarchy for Access Control
Situation:
I have a project which belongs to a GCP organization
User A is "Organization Administrator" and (Project) "Owner" at organization level
Problem:
As expected, the user A is listed in the IAM page of the project at hand (with both before mentioned roles, inheritance is indicated by an icon in the last column)
But: The user does not see the project nor can access it. This only works when I assign the Owner role again for the project.
Question: Is it possible to inherit the owner role to make users owner of a project by inheritance?
Seems like there were inconsistencies within GCP permission propagation, I removed all roles on organization level and added them again - now it is working.
Question: Is it possible to inherit the owner role to make users owner
of a project by inheritance?
If your Google Cloud Platform account is using Organizations, then Yes, you can add a user via IAM at the Organization level as Project owner. This role filters down thru inheritance to all projects in the organization. The same applies to Project Viewer, Project Editor, etc.
But: The user does not see the project nor can access it. This only
works when I assign the Owner role again for the project.
I have not see this problem before. Remember that changing roles and permissions is not an instant process. It takes time for GCP to sync world wide. Some articles mention up to 7 minutes. Also, with some changes, the browser caches information, so you have to refresh the page to see changes (not always).