Google Cloud & IAM
IAM stands for Identity and Access Management. IAM helps system administrators regulate user privileges within a secured network. Based on the identity of the user, the system administrator can decide which organization resources that user can access.
IAM plays a key role in securing the organization's resources. In an organization, it is very important to keep track of the privileges granted to users.
To see why, consider this example. An organization has several divisions, and each division needs different data and resources to carry out its function.
Members of one division should use only the resources meant for that division. If every division has access to each and every piece of information, this may lead to misuse of the resources, or even to a security breach that could cost the company dearly. So it is very important to manage user access to these resources properly.
In this article, we will see what these cloud resources are and how we can manage access to them based on user identity.
Google Cloud and IAM –
Cloud IAM is a feature of Google Cloud Platform (GCP) designed to control who gets access to which resource. It is a service that helps system administrators securely manage access to cloud resources by defining policies.
Policies are simply a list of bindings, each of which binds a member to a list of roles. A role is a set of permissions. There are predefined roles for GCP resources, and GCP also provides the flexibility to define custom roles and grant permissions to them. You cannot assign permissions directly to a user: first you create a role and add permissions to it, and only then can that role be assigned to a user. Read more about roles here.
Resource hierarchy and Role inheritance –
Have a look at this diagram from the GCP official documentation:
The diagram depicts the hierarchy of GCP resources. An organisation is the top-level resource; the other resources, such as folders and projects, descend from it.
“IAM policies are hierarchical and propagate down the structure. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.”
It is very important to understand that lower-level resources inherit access privileges from higher-level resources. So if a member has organisation-level privileges, the member has the same privileges over every other resource that falls under that organisation. Consequently, if you want to give a member read/write privileges on a GCP storage resource, it is better to grant them on that particular storage resource rather than on the whole project.
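To make the two points above concrete (policies as role bindings, and the effective policy being the union of a resource's own policy and its ancestors'), here is an added example that is not from the original post or from Google's own libraries. The hierarchy, the member and the role-to-permission table are constructed and simplified for illustration; only the role and permission names are real GCP identifiers.

```python
# Added example (not from the original post): a minimal model of how GCP IAM
# policies are unioned down the resource hierarchy. Resource names, members and
# the role->permission table below are constructed and simplified.

# Each resource knows its parent; None marks the top of the hierarchy.
PARENT = {
    "organizations/example-org": None,
    "folders/engineering": "organizations/example-org",
    "projects/analytics-prod": "folders/engineering",
    "buckets/raw-events": "projects/analytics-prod",
    "buckets/pii-exports": "projects/analytics-prod",
}

# Small subset of two predefined roles' permissions (real names, partial lists).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}

def effective_bindings(policies, resource):
    """Union of the bindings set on `resource` and those inherited from every ancestor."""
    merged = {}
    while resource is not None:
        for binding in policies.get(resource, []):
            merged.setdefault(binding["role"], set()).update(binding["members"])
        resource = PARENT[resource]  # walk up towards the organisation
    return merged

def has_permission(policies, member, permission, resource):
    """Does `member` hold `permission` on `resource` through any effective role binding?"""
    return any(
        member in members and permission in ROLE_PERMISSIONS.get(role, set())
        for role, members in effective_bindings(policies, resource).items()
    )

# Two ways of giving the same analyst read access to the raw-events bucket.
ANALYST = "user:analyst@example.com"
BROAD = {  # granted on the project: flows down to every bucket in it
    "projects/analytics-prod": [{"role": "roles/storage.objectViewer", "members": {ANALYST}}],
}
NARROW = {  # granted only on the bucket the analyst actually needs
    "buckets/raw-events": [{"role": "roles/storage.objectViewer", "members": {ANALYST}}],
}

if __name__ == "__main__":
    for name, policy in (("project-level grant", BROAD), ("bucket-level grant", NARROW)):
        for bucket in ("buckets/raw-events", "buckets/pii-exports"):
            ok = has_permission(policy, ANALYST, "storage.objects.get", bucket)
            print(f"{name}: storage.objects.get on {bucket} -> {ok}")
```

Running it shows the project-level grant reaching the pii-exports bucket as well, while the bucket-level grant reaches only raw-events, which is exactly why the narrower grant is preferred.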
You can find a detailed explanation of how the hierarchy works, and what the best practices are, in the official documentation here.
Feel free to share your thoughts in the comments section below.
About CauseCode: We are a technology company specializing in Healthtech related Web and Mobile application development. We collaborate with passionate companies looking to change health and wellness tech for good. If you are a startup, enterprise or generally interested in digital health, we would love to hear from you! Let's connect at firstname.lastname@example.org