Cloud IAM Flashcards
What is Cloud IAM?
Identity and access management - allows fine-grained access control to cloud resources with users, roles and privileges
What types of roles are there?
- Primitive
- Predefined
- Custom
Key points of Cloud IAM roles?
- a role is a collection of permissions
- permissions cannot be assigned to users, only roles
- roles are assigned to users
What are primitive roles?
Three types:
- viewer - read only
- editor - viewer plus can modify an entity
- owner - editor plus can manage roles and permissions on an entity and can set up billing for a project
What are predefined roles?
- they provide granular access to GCP resources
- they are specific to GCP products
What are custom roles?
- Allow cloud admin to create and administer their own roles
- Created using permissions defined in IAM
- Some permissions are not available in custom roles
Best practices for IAM roles?
- Assign least privilege - grant smallest set of permissions to allow someone to do their job
- Separation of duties - user would not be able to perform multiple sensitive operations that together could present a risk
How do you see a list of users assigned to a role via shell?
gcloud projects get-iam-policy [PROJECT NAME]
How do you see which fine-grained permissions are associated with a role?
gcloud iam roles describe [ROLE ID]
How do you assign a role via shell?
gcloud projects add-iam-policy-binding [RESOURCE NAME] --member user:[USER EMAIL] --role [ROLE ID]
How to create a custom IAM role via shell?
gcloud iam roles create [ROLE ID] --project [PROJECT ID] --title [ROLE NAME] --description [ROLE DESCRIPTION] --permissions [PERMISSIONS LIST] --stage [LAUNCH STAGE]
What is a Service Account?
An account used to provide identities independent of users. It can be granted roles and is assigned to a VM.
What is a scope?
A permission granted to a VM to perform some operation.
Key points of scopes?
- Scopes authorize the access to API methods
- To configure access controls for a VM you will need to configure both IAM roles and scopes
- A scope is specified by a URL that starts with https://www.googleapis.com/auth and is followed by permission on a resource. For example: https://www.googleapis.com/auth/bigquery.insertdata
- An instance can only perform operations allowed by both the IAM roles assigned to its service account and the scopes defined on the instance
How do you add scopes to a service account via shell?
gcloud compute instances set-service-account [INSTANCE NAME] [--service-account [SERVICE_ACCOUNT_EMAIL] | --no-service-account] [--no-scopes | --scopes [SCOPES,...]]