I am working on Google Cloud Platform and I have faced the issue below.
(I would also like inputs from AWS and Azure platforms as well.)
Created a new user in the G Suite admin console with no roles assigned in G Suite admin.
Added that user in the GCP IAM console and gave 2 roles: Compute Security Admin and Compute Network Admin at organization level, meaning these permissions are inherited from organization level.
Should my user be able to create projects having only the Compute Security Admin and Compute Network Admin roles?
No. With only those two roles assigned, your user would not be able to create Projects in GCP. You would need to assign a role with the resourcemanager.projects.create permission. The correct role to assign according to the Principle of Least Privilege would be roles/resourcemanager.projectCreator, also known as the "Project Creator" role.
meaning these permissions are inherited from organization level.
That's not quite what this means. In GCP, resources that are below the Organization (e.g. Folders, Projects) will inherit Permissions defined at the Org level, and lower-level resources cannot further restrict permissions already granted at higher levels.
See also:
List of predefined Roles in GCP
Creating and Managing Projects
Using Resource Hierarchy for Access Control
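The following is an added example, not code from the original post, that simulates how IAM resolves an organization-level binding for resources lower in the hierarchy and why the two Compute roles never add up to project creation. The role contents are an abbreviated, illustrative subset of the real predefined roles (assumption, not the full permission lists), and the organization, folder, project and user identifiers are constructed.

```python
"""Simulate org-level IAM inheritance and a projects.create check.
Added example; ROLES is an abbreviated, illustrative subset of the real roles."""
from dataclasses import dataclass, field

# Assumption: abbreviated subset of the real predefined role contents.
ROLES = {
    "roles/compute.securityAdmin": {
        "compute.firewalls.create", "compute.firewalls.delete",
        "compute.sslCertificates.create", "resourcemanager.projects.get",
    },
    "roles/compute.networkAdmin": {
        "compute.networks.create", "compute.subnetworks.create",
        "compute.routes.create", "resourcemanager.projects.get",
    },
    "roles/resourcemanager.projectCreator": {
        "resourcemanager.organizations.get", "resourcemanager.projects.create",
    },
}


@dataclass
class Resource:
    """A node in the hierarchy: organizations/N, folders/N or projects/ID."""
    name: str
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)  # role -> set of members


def grant(resource, role, member):
    resource.bindings.setdefault(role, set()).add(member)


def effective_roles(member, resource):
    """Roles bound to `member` on the resource plus on every ancestor.
    Inheritance is additive: a child cannot remove a role granted above it."""
    roles = set()
    node = resource
    while node is not None:
        roles.update(r for r, members in node.bindings.items() if member in members)
        node = node.parent
    return roles


def has_permission(member, resource, permission):
    return any(permission in ROLES[r] for r in effective_roles(member, resource))


def demo():
    """Reproduce the question: two Compute roles at org level, then add Project Creator."""
    org = Resource("organizations/123456789012")            # constructed IDs
    folder = Resource("folders/987654321", parent=org)
    project = Resource("projects/demo-project", parent=folder)
    user = "user:newuser@example.com"

    grant(org, "roles/compute.securityAdmin", user)
    grant(org, "roles/compute.networkAdmin", user)
    # Project creation is checked on the parent the project is created under.
    can_create_before = has_permission(user, org, "resourcemanager.projects.create")
    # The org-level grant is inherited all the way down to the project.
    inherited_to_project = has_permission(user, project, "compute.firewalls.create")

    grant(org, "roles/resourcemanager.projectCreator", user)
    can_create_after = has_permission(user, org, "resourcemanager.projects.create")
    return can_create_before, inherited_to_project, can_create_after


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The real check is the same shape: `gcloud projects create PROJECT_ID --organization=ORG_ID` succeeds only when the caller's effective roles on the organization (or the target folder) include resourcemanager.projects.create, which neither Compute role carries.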
I need to fetch all the projects and associated resource details underneath an org in GCP. What is the best way to do this? Can I create a service account bound to an organization, and what type of roles need to be assigned to the service account to control all types of resources under an organization?
Can I create a service account bound to an organization?
Yes, you can bind a service account to an organization.
What type of roles need to be assigned to the service account to control all types of resources under an organization?
If you need to control resources under your organization only,
the "owner" role is enough. But if you need to control folders and the organization itself too, the "owner" + "organization administrator" roles are necessary.
The service account can be granted IAM roles that let it access resources. The service account is used as the identity of the application, and the service account's roles control which resources the application can access.
You can grant users permissions using custom roles. These roles operate on the principle of least privilege, and generally provide only the minimum necessary permissions required to do a particular task. Because of their restricted permissions, however, custom roles may cause many resources in your hierarchy to be omitted when executing a list operation. When performing searches as a user that has been granted a custom role, it can be difficult to tell why certain resources are not appearing.
To get the permissions that you need to create and manage custom roles, ask your administrator to grant you the following IAM roles:
To manage roles for a project: Role Administrator (roles/iam.roleAdmin) on the project that you want to manage roles for
To manage roles for an organization: Organization Role Administrator (roles/iam.organizationRoleAdmin) on the organization that you want to manage roles for.
As mentioned there is no single role that can be given to a service account to control all types of resources. If a user needs access to a specific Google Cloud resource, you can grant the user a role for that resource. Some examples of resources are projects, Compute Engine instances, and Cloud Storage buckets.
Some services support granting IAM permissions at a granularity finer than the project level. For example, you can grant the Storage Admin role (roles/storage.admin) to a user for a particular Cloud Storage bucket, or you can grant the Compute Instance Admin role (roles/compute.instanceAdmin) to a user for a specific Compute Engine instance.
To list all the resources in the resource hierarchy, grant a service account the list and get permissions for Organizations, Folders, and Projects on the Organization resource.
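The following is an added example, not code from the original answer, that walks an organization's resource tree the way list calls do, applying the permissions a service account holds at the organization level (and therefore on every descendant). The tree and both permission sets are constructed; the point is the failure mode the answer warns about, an under-permissioned custom role silently dropping whole subtrees with no error.

```python
"""Depth-first listing of an org tree gated on list permissions.
Added example; TREE, FULL_READ and CUSTOM_ROLE are constructed inputs."""

# Constructed hierarchy: parent -> children.
TREE = {
    "organizations/123456789012": ["folders/eng", "projects/shared-vpc"],
    "folders/eng": ["folders/eng-prod", "projects/eng-ci"],
    "folders/eng-prod": ["projects/eng-api", "projects/eng-db"],
}

# Permission needed to enumerate children of a given kind under a parent.
LIST_PERMISSION = {
    "folders": "resourcemanager.folders.list",
    "projects": "resourcemanager.projects.list",
}

# Two org-level grants: a full read set versus a custom role that forgot folders.list.
FULL_READ = {
    "resourcemanager.organizations.get", "resourcemanager.folders.get",
    "resourcemanager.folders.list", "resourcemanager.projects.get",
    "resourcemanager.projects.list",
}
CUSTOM_ROLE = {"resourcemanager.projects.get", "resourcemanager.projects.list"}


def walk(parent, granted, found=None):
    """A child is returned only if the caller may list that child's kind
    under `parent`; otherwise it, and everything beneath it, is omitted
    without any error, exactly as the list APIs behave."""
    found = [] if found is None else found
    for child in TREE.get(parent, []):
        kind = child.split("/", 1)[0]
        if LIST_PERMISSION[kind] not in granted:
            continue
        found.append(child)
        if kind == "folders":
            walk(child, granted, found)
    return found


def all_resources():
    """Ground truth, independent of permissions, for comparison."""
    return [c for children in TREE.values() for c in children]


def missing_for_full_listing(granted):
    """Permissions to add so that nothing in the hierarchy is hidden."""
    return sorted(set(LIST_PERMISSION.values()) - granted)


if __name__ == "__main__":
    org = "organizations/123456789012"
    print("full:  ", walk(org, FULL_READ))
    print("custom:", walk(org, CUSTOM_ROLE))
    print("add:   ", missing_for_full_listing(CUSTOM_ROLE))
```

With CUSTOM_ROLE the walk returns only projects/shared-vpc; the three projects under folders/eng vanish because the folder itself could not be listed. Diff the listing against an independent source (for an organization-wide inventory, `gcloud asset search-all-resources --scope=organizations/ORG_ID` run with a principal that holds the get and list permissions on the organization) before concluding that a subtree is empty.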
I'm pretty sure this is an actual bug with GCP at the moment. I'm the Organization Admin for the GCP organization (I've quadruple checked this, and that I'm signed in with the correct account).
But when I go to Manage Resources and try to create a new folder, it doesn't let me select the organization as the location, because I "don't have the required resourcemanager.folders.create permission". If I try to create the folder in a project that's in the organization, I get "Unknown error".
I'm the user who created the organization and all projects in the first place, and the only G-Suite user that even exists on this domain.
If you review the permissions that Organization Administrator has, resourcemanager.folders.create is not one of them.
IAM Roles
Org Admin by itself has almost infinite power because it can set IAM policies. This means the Org Admin can grant any IAM permission to any identity.
Grant yourself the required role such as roles/resourcemanager.folderAdmin.
Note: I recommend keeping the Org Admin as a separate identity that you lock away and only use to manage the organization. Create separate identities for day-to-day operations, development, and deployment.
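The following is an added example, not code from the original answer, that plays out the two points above as policy operations: Organization Administrator is refused resourcemanager.folders.create because that permission is not in the role, yet its organizations.setIamPolicy lets it bind roles/resourcemanager.folderAdmin, and binding that role to a separate day-to-day identity rather than to the Org Admin follows the answer's recommendation. Role contents are an abbreviated, illustrative subset of the real roles (assumption), and the identities are constructed.

```python
"""Org Admin: few permissions, but the power to grant any role.
Added example; ROLES is an abbreviated, illustrative subset of the real roles."""
import copy

ROLES = {
    "roles/resourcemanager.organizationAdmin": {
        "resourcemanager.organizations.get",
        "resourcemanager.organizations.getIamPolicy",
        "resourcemanager.organizations.setIamPolicy",
        "resourcemanager.folders.get", "resourcemanager.folders.list",
        "resourcemanager.folders.setIamPolicy",
    },
    "roles/resourcemanager.folderAdmin": {
        "resourcemanager.folders.create", "resourcemanager.folders.delete",
        "resourcemanager.folders.get", "resourcemanager.folders.list",
        "resourcemanager.folders.update",
    },
}


class PermissionDenied(Exception):
    pass


def permissions(policy, member):
    """Flatten an org-level policy (role -> members) into one member's permissions."""
    return set().union(*(ROLES[r] for r, members in policy.items() if member in members))


def require(policy, caller, permission):
    if permission not in permissions(policy, caller):
        raise PermissionDenied(f"{caller} lacks {permission}")


def set_iam_policy(policy, caller, role, member):
    """Add a binding; gated on organizations.setIamPolicy, which Org Admin holds."""
    require(policy, caller, "resourcemanager.organizations.setIamPolicy")
    new_policy = copy.deepcopy(policy)
    new_policy.setdefault(role, set()).add(member)
    return new_policy


def can_create_folder(policy, caller):
    try:
        require(policy, caller, "resourcemanager.folders.create")
        return True
    except PermissionDenied:
        return False


def demo():
    admin = "user:org-admin@example.com"    # locked-away identity (constructed)
    ops = "user:platform-ops@example.com"   # day-to-day identity (constructed)
    policy = {"roles/resourcemanager.organizationAdmin": {admin}}

    admin_before = can_create_folder(policy, admin)   # False: not part of Org Admin
    policy = set_iam_policy(policy, admin, "roles/resourcemanager.folderAdmin", ops)
    ops_after = can_create_folder(policy, ops)        # True
    admin_after = can_create_folder(policy, admin)    # still False, by design
    try:                                              # ops cannot widen the org policy
        set_iam_policy(policy, ops, "roles/resourcemanager.folderAdmin", ops)
        ops_can_escalate = True
    except PermissionDenied:
        ops_can_escalate = False
    return admin_before, ops_after, admin_after, ops_can_escalate


if __name__ == "__main__":
    print(demo())  # (False, True, False, False)
```

The equivalent real operation is `gcloud organizations add-iam-policy-binding ORG_ID --member=user:platform-ops@example.com --role=roles/resourcemanager.folderAdmin`, run as the Org Admin; the folder can then be created with `gcloud resource-manager folders create --display-name=NAME --organization=ORG_ID` as the ops identity.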
It seems reasonable to want to grant an administrator access to create any and all resources without being able to pull / change / delete billing info.
I seem to recall there was a role something like "project owner" that had full admin but couldn't control billing (and maybe couldn't create new projects).
Does anyone know of a role like that? It has been a while since I set up a new GCP account. I've searched around a bit and can't immediately lay hands on the information.
The documentation is not super helpful.
In Google Cloud, there is no single role that grants permissions to everything. Some roles do have enough power to support granting themselves more roles.
There are multiple admin-level roles and this evolves as Google creates and modifies services. You will need to review the services that you are using and then grant roles to that identity.
The Organization Administrator has the power to grant itself and any other identity any role. However, this role itself has few permissions.
The Owner account has the power to grant itself and any other identity in the same project any role. The Owner role has a vast number of permissions but does not have all of them. The Owner must grant itself permissions for some resource types.
Note: Only a billing account admin can grant permissions to the billing account. That privilege is separate from Google Cloud permissions. Billing accounts are not part of Google Cloud and have their own management structure.
I am looking to Restrict creation of VMs on GCP projects. Any workaround for this request.
You might want to try IAM roles. If you do a proper role segmentation within the users of your organization you can restrict all users/groups from creating VMs on your GCP project. Here is another link regarding IAM.
The Compute IAM roles are too broad. If you want finer control, you need to create a custom role without the permission compute.instances.create.
In IAM you can assign just the permission to create instances. Here is some documentation on what roles you can use.
With IAM, every API method in Compute Engine API requires that the identity making the API request has the appropriate permissions to use the resource. Permissions are granted by setting policies that grant roles to a member (user, group, or service account) of your project.
The following tables describe the predefined Compute Engine IAM roles, as well as the permissions contained within each role. Each role contains a set of permissions that is suitable for a specific task. For example, the Instance Admin roles grant permissions to manage instances, the network-related roles include permissions to manage network-related resources, and the security role includes permissions to manage security-related resources, like firewalls and SSL certificates.
Compute Admin role
Name: roles/compute.admin
Description: Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the roles/iam.serviceAccountUser role.
Permissions: compute.*, resourcemanager.projects.get, resourcemanager.projects.list, serviceusage.quotas.get, serviceusage.services.get, serviceusage.services.list
click here for more documentation.
Set quotas in GCP; quotas for VMs are based on the region.
https://cloud.google.com/compute/quotas#understanding_quotas
"The VM instances quota is a regional quota and limits the number of VM instances that can exist in a given region, regardless of whether the VM is running. This quota is visible in the Google Cloud console on the Quotas page. "
We're trying to give a google cloud platform user account permission to change its own permissions and the permissions/roles of service accounts that it creates. Currently, the user account only has the default editor permission for the project it exists on. Essentially, we want to give it every permission that the owner account has except for viewing or modifying billing information. Is this possible?
We have looked at this video but there doesn't exist a role selection dropdown on service accounts anymore. When trying to edit the service account permissions to try and give it the roles/storage.admin permission, I get this notification:
The project owner has also tried to add the storage admin role to the service account, but roles don't show as they do in the video. All that is shown on his screen are these options:
I have two questions:
How can we give my google account permission to mess around with my own roles and permissions as well as the roles for the service accounts?
What is the current process for adding roles to a service account? Neither the docs nor the video from google seem to be up to date.
Your second screenshot shows you attempting to grant roles on the service account (as a resource, i.e. who can access the service account). You're trying to give the service account the storage admin role on the project. To do that, go to the IAM page, click "add" then provide the service account's email address as the member and select the storage admin role.
I'm not certain if this completely answers #1, but Custom Roles (currently in alpha) will give you the ability to create roles with custom sets of permissions. This will allow you to copy the Owner role and remove the billing permissions.
As for #2 - The screenshot shows the policy for the service account, not the project policy. The policy for the service account determines who has permissions to use that service account, not what permissions the service account has. You can find the project policy on the 'IAM & Admin > IAM' tab (instead of the IAM & Admin > Service accounts' tab).
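The following is an added example, not code from any of the answers above, that builds a custom role from a predefined role's permission dump by excluding a pattern and emits the YAML that `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=role.yaml` accepts. It serves both the "Owner without billing" request in this question and the earlier suggestion to create a custom role without compute.instances.create. The base permission lists are constructed subsets (assumption), not the full predefined roles; in practice you would dump the real list with `gcloud iam roles describe roles/owner --format="value(includedPermissions)"`.

```python
"""Derive custom roles by subtracting permission globs from a base role.
Added example; BASE_ROLES are constructed subsets of the real roles."""
import fnmatch

# Assumption: abbreviated, constructed subsets of the real role contents.
BASE_ROLES = {
    "roles/owner": [
        "billing.resourceAssociations.create", "billing.resourceAssociations.list",
        "compute.instances.create", "compute.instances.delete",
        "iam.serviceAccounts.create", "iam.serviceAccounts.setIamPolicy",
        "resourcemanager.projects.setIamPolicy", "storage.buckets.create",
    ],
    "roles/compute.instanceAdmin.v1": [
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
    ],
}


def derive(base_role, exclude_globs):
    """Permissions of base_role minus anything matching an exclusion glob."""
    keep = []
    for perm in BASE_ROLES[base_role]:
        if any(fnmatch.fnmatchcase(perm, g) for g in exclude_globs):
            continue
        keep.append(perm)
    return sorted(keep)


def to_yaml(title, description, permissions, stage="GA"):
    """The custom-role file format read by gcloud iam roles create/update."""
    lines = [f"title: {title!r}", f"description: {description!r}",
             f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


def owner_without_billing():
    """Everything Owner has in the dump except billing.* (the first question)."""
    return derive("roles/owner", ["billing.*"])


def instance_admin_no_create():
    """Instance Admin that can manage but not create VMs (the earlier suggestion)."""
    return derive("roles/compute.instanceAdmin.v1", ["compute.instances.create"])


if __name__ == "__main__":
    print(to_yaml("Project Admin (no billing)", "Owner minus billing.*",
                  owner_without_billing()))
    print(to_yaml("Instance Operator", "Instance Admin minus instances.create",
                  instance_admin_no_create()))
```

Two caveats when doing this against a real dump: not every permission in a predefined role can be placed in a custom role, so filter the list through `gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_ID` before creating it; and a role that keeps resourcemanager.projects.setIamPolicy (as Owner does) can still grant itself anything, so drop that permission too if the point is to stop self-escalation rather than only billing access.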