Cloud Identity and Access Management (IAM) Flashcards
Google Cloud Identity and Access Management defines…
WHO
Can do WHAT
on WHICH resource
What are the 4 types of principals (the WHO part) that IAM policies can apply to?
Google account or Cloud Identity user
test@gmail.com test@example.com
Service account
test@project_id.iam.gserviceaccount.com
Google group
test@googlegroups.com
Cloud Identity or G Suite domain
example.com
What are IAM Roles?
A collection of related permissions.
The "can do what" part is defined by an IAM role.
An IAM role is a collection of permissions. Most of the time, to do any meaningful operation, you need more than one permission.
For example, to manage instances in a project, you need permission to create, delete, start, stop and change instances. Those permissions are grouped together into a role to make them easier to manage.
What can you say about the “On What Resource” part of IAM
Users get roles on specific items in the hierarchy.
When you give a user, group, or service account a role on a specific element of the
resource hierarchy, the resulting policy applies to the element you chose, as well as
to elements below it in the hierarchy.
What are the 3 types of IAM roles?
Primitive
Predefined
Custom
Discuss Primitive IAM roles
IAM primitive roles (now called basic roles) apply across all GCP services in a project.
Primitive roles are broad. You apply them to a GCP project, and they affect all
resources in that project.
IAM primitive roles offer fixed, coarse-grained levels of access.
If you have several people working together on a project that contains
sensitive data, primitive roles are probably too coarse a tool.
What are the Primitive IAM roles?
Viewer, Editor and Owner. The Billing Administrator role is usually discussed alongside them, but it is a predefined role, not a primitive one.
A project can have multiple owners, editors, viewers, and billing administrators.
If you're a viewer on a given resource, you can examine it but not change its state. If you're an editor, you can do everything a viewer can do plus change its state. And if you're an owner, you can do everything an editor can do plus manage roles and permissions on the resource. The owner role on a project lets you do one more thing too: you can set up billing. Often companies want someone to be able to control the billing for a project without the right to change the resources in the project, and that's why you can grant someone the billing administrator role instead of owner.
Discuss IAM Predefined roles
IAM predefined roles apply to a particular GCP service in a project
IAM predefined roles offer more fine-grained permissions on
particular services
Discuss IAM Custom roles
IAM custom roles let you define a precise set of permissions.
A lot of companies use a "least-privilege" model, in which each person in the organization is given the minimal amount of privilege needed to do his or her job. So, for example, maybe I want to define an "instanceOperator" role that allows some users to stop and start Compute Engine virtual machines but not reconfigure them.
Two caveats. First, if you decide to use custom roles, you'll need to manage the permissions that make them up yourself. Some companies decide they'd rather stick with the predefined roles. Second, custom roles can only be created at the project or organization level. They can't be created at the folder level.
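Worked example for the role and hierarchy cards above (roles as permission sets, bindings inheriting down organization > folder > project > resource, and a least-privilege custom "instanceOperator" role). This is an added toy evaluator, not Google's implementation and not from the original flashcards; the role contents, project names, group and service-account addresses are constructed for illustration, and the permission sets are small subsets of the real roles.

```python
"""Toy evaluator for the IAM model on these cards: WHO (a member, possibly
via a group) can do WHAT (a permission, held through a role) on WHICH
resource (bindings inherit down organization > folder > project > resource).
Added illustration, not Google's code; role contents are constructed subsets."""
from dataclasses import dataclass, field
from typing import Optional

# Roles = named collections of permissions. Constructed subsets for this example.
ROLES = {
    # primitive role: coarse, applies to every service in the project
    "roles/viewer": {
        "compute.instances.get", "compute.instances.list",
        "storage.objects.get", "storage.objects.list",
    },
    # predefined role: scoped to one service (Compute Engine)
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.start", "compute.instances.stop",
        "compute.instances.setMachineType",
    },
}


def define_custom_role(project_id: str, role_id: str, permissions) -> str:
    """Custom role: exactly the listed permissions (project- or org-level only)."""
    name = f"projects/{project_id}/roles/{role_id}"
    ROLES[name] = set(permissions)
    return name


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    bindings: dict = field(default_factory=dict)  # role -> set of members

    def bind(self, role: str, member: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.bindings.setdefault(role, set()).add(member)


def identities_for(member: str, groups: dict) -> set:
    """The member plus every group it belongs to (nested groups included)."""
    seen, stack = {member}, [member]
    while stack:
        m = stack.pop()
        for group, members in groups.items():
            if m in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def effective_roles(member: str, resource: Resource, groups=None) -> set:
    """Union of roles bound to the member on the resource and all its ancestors."""
    ids = identities_for(member, groups or {})
    roles, node = set(), resource
    while node is not None:
        for role, members in node.bindings.items():
            if ids & members:
                roles.add(role)
        node = node.parent
    return roles


def has_permission(member: str, permission: str, resource: Resource, groups=None) -> bool:
    return any(permission in ROLES[r] for r in effective_roles(member, resource, groups))


def build_example():
    """Constructed hierarchy and bindings (sample data, not a real environment)."""
    org = Resource("organizations/123456789")
    folder = Resource("folders/987654321", parent=org)
    project = Resource("projects/demo-project", parent=folder)
    vm = Resource("projects/demo-project/zones/us-central1-a/instances/web-1", parent=project)
    other_project = Resource("projects/other-project", parent=folder)
    other_vm = Resource("projects/other-project/zones/us-central1-a/instances/db-1", parent=other_project)

    groups = {"group:ops@example.com": {"user:alice@example.com"}}
    sa = "serviceAccount:ops-bot@demo-project.iam.gserviceaccount.com"

    # WHO: the ops group; WHAT: viewer; WHICH: the organization, so every descendant inherits it
    org.bind("roles/viewer", "group:ops@example.com")
    # Least privilege: start/stop but not reconfigure, bound on one project only
    operator = define_custom_role("demo-project", "instanceOperator", [
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
    ])
    project.bind(operator, sa)
    return vm, other_vm, groups, sa


def check_example() -> dict:
    vm, other_vm, groups, sa = build_example()
    alice = "user:alice@example.com"
    return {
        "alice_can_get_vm": has_permission(alice, "compute.instances.get", vm, groups),    # via group, inherited from org
        "alice_can_stop_vm": has_permission(alice, "compute.instances.stop", vm, groups),  # viewer cannot change state
        "sa_can_stop_vm": has_permission(sa, "compute.instances.stop", vm),
        "sa_can_resize_vm": has_permission(sa, "compute.instances.setMachineType", vm),   # not in the custom role
        "sa_can_stop_other_project_vm": has_permission(sa, "compute.instances.stop", other_vm),  # binding is project-scoped
    }


if __name__ == "__main__":
    for name, allowed in check_example().items():
        print(f"{name}: {allowed}")
```

Note what the evaluator does and does not model: policies are purely additive (a role granted at the organization reaches every descendant and nothing below can take it away), which is why the group's viewer grant at the organization shows up on the instance, and why the custom role bound on one project grants nothing in the sibling project.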
What are “Service Accounts” used for?
Service Accounts control server-to-server interactions
● Provide an identity for carrying out server-to-server interactions in a project
● Used to authenticate from one service to another
● Used to control privileges used by resources
○ So that applications can perform actions on behalf of authenticated end
users
● Identified with an email address, for example the two default service accounts:
PROJECT_NUMBER-compute@developer.gserviceaccount.com (Compute Engine default)
PROJECT_ID@appspot.gserviceaccount.com (App Engine default)
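Worked example for the principal-type card and the service-account card: turning the identifiers shown on these cards into IAM policy member strings (user:, serviceAccount:, group:, domain:), telling the Google-managed default service accounts apart from user-managed ones by their address format, and flagging bindings that give a default service account one of the coarse primitive roles. This is an added example, not Google's code; KNOWN_GROUPS, the sample bindings and all addresses are constructed, and the shape-based rules are a heuristic (a group on a custom domain looks exactly like a user address, so only a directory lookup can tell them apart).

```python
"""Classify principal identifiers into IAM member strings and recognise the
default service accounts by address format. Added illustration, not Google's
code; the shape-based rules are a heuristic, not an authoritative lookup."""
import re

# Constructed stand-in for a Cloud Identity / Workspace directory lookup:
# a group on a custom domain (sre-team@example.com) has the same shape as a user.
KNOWN_GROUPS = {"sre-team@example.com"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")
_COMPUTE_DEFAULT_RE = re.compile(r"^(\d+)-compute@developer\.gserviceaccount\.com$")
# Project IDs: 6-30 chars, lowercase letters/digits/hyphens, start with a letter, no trailing hyphen
_APPENGINE_DEFAULT_RE = re.compile(r"^([a-z][a-z0-9-]{4,28}[a-z0-9])@appspot\.gserviceaccount\.com$")
_USER_MANAGED_RE = re.compile(r"^[^@]+@([^@.]+)\.iam\.gserviceaccount\.com$")


def classify_principal(identifier: str, known_groups=KNOWN_GROUPS) -> tuple:
    """Return (member_string, kind), e.g. ('user:test@gmail.com', 'user')."""
    ident = identifier.strip().lower()
    if "@" not in ident:
        if _DOMAIN_RE.match(ident):
            return f"domain:{ident}", "domain"      # Cloud Identity / Workspace domain
        raise ValueError(f"not a principal identifier: {identifier!r}")
    domain = ident.rsplit("@", 1)[1]
    if domain.endswith(".gserviceaccount.com"):
        return f"serviceAccount:{ident}", "serviceAccount"
    if domain == "googlegroups.com" or ident in known_groups:
        return f"group:{ident}", "group"
    return f"user:{ident}", "user"                  # Google account or Cloud Identity user


def service_account_origin(email: str):
    """(origin, project) for a service-account address, None if it is not one."""
    email = email.strip().lower()
    m = _COMPUTE_DEFAULT_RE.match(email)
    if m:
        return "compute-default", m.group(1)        # project number
    m = _APPENGINE_DEFAULT_RE.match(email)
    if m:
        return "appengine-default", m.group(1)      # project id
    m = _USER_MANAGED_RE.match(email)
    if m:
        return "user-managed", m.group(1)           # project id
    return None


def coarse_default_sa_bindings(bindings) -> list:
    """From (member, role) pairs, return those granting a primitive role to a default SA."""
    flagged = []
    for member, role in bindings:
        if role not in PRIMITIVE_ROLES or not member.startswith("serviceAccount:"):
            continue
        origin = service_account_origin(member.split(":", 1)[1])
        if origin and origin[0].endswith("-default"):
            flagged.append((member, role))
    return flagged


# Constructed sample bindings (not exported from a real project)
SAMPLE_BINDINGS = [
    ("serviceAccount:123456789012-compute@developer.gserviceaccount.com", "roles/editor"),
    ("serviceAccount:build-bot@demo-project.iam.gserviceaccount.com", "roles/editor"),
    ("serviceAccount:demo-project@appspot.gserviceaccount.com", "roles/logging.logWriter"),
    ("group:sre-team@example.com", "roles/viewer"),
]

if __name__ == "__main__":
    for ident in ["test@gmail.com", "test@googlegroups.com", "test@project_id.iam.gserviceaccount.com", "example.com"]:
        print(classify_principal(ident))
    print(coarse_default_sa_bindings(SAMPLE_BINDINGS))
```

The last function ties the two cards together: a primitive role is "probably too coarse a tool" for anything sensitive, and a default service account is the identity every new VM or App Engine app runs as unless you attach your own, so a binding that combines the two is the one to review first.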