With the increase in cyber threats, companies and organizations are taking various measures to keep their cloud environments secure. To help manage these issues, Google offers Cloud Identity and Access Management (IAM).
IAM lets you grant granular access to specific Google Cloud resources while preventing access to others. This helps you adopt the security principle of least privilege, which states that no one should have more permissions than they actually require. In short, IAM provides fine-grained access control and visibility for centrally managing cloud resources.
But what makes IAM unique is its capabilities. So, let’s understand them.
Abilities of Identity and Access Management (IAM):
1. Enterprise-grade access control
Identity and Access Management (IAM) lets administrators authorize who can take action on specific resources, giving them complete control and visibility for centrally managing Google Cloud resources. For enterprises with complex organizational structures, many workgroups, and many projects, IAM offers a unified view of security policy across the entire organization, with built-in auditing to ease compliance processes.
2. Simplicity
IAM is designed for simplicity. That is to say, it offers a clean, universal interface that lets you manage access control over all Google Cloud resources consistently.
3. Right roles
IAM provides tools for controlling resource permissions with less worry and a high degree of automation. In this model,
- Firstly, you map job functions within your company to groups and roles.
- Secondly, users get access only to what they require to get the job done.
- Lastly, admins can easily grant default permissions to entire groups of users.
4. Smart access control
Permissions management can be a time-consuming task. To handle this, admins use Recommender, which applies machine learning to produce smart access control recommendations for eliminating unwanted access to Google Cloud resources. Further, using Recommender, security teams can automatically discover overly permissive access and right-size it based on access patterns and similar users in the organization.
5. Granular with context-aware access
IAM allows you to create granular access control policies for resources based on attributes like IP address, resource type, device security status, and date/time. These policies help ensure that suitable security controls are in place when access to cloud resources is granted.
6. Easy enterprise identity
With Cloud Identity, Google Cloud offers managed identity for easily creating or syncing user accounts across applications and projects. From the Google Admin Console, it is easy to:
- Firstly, provision and manage users and groups
- Secondly, set up single sign-on
- Lastly, configure two-factor authentication (2FA).
How IAM works:
IAM controls access by specifying who has what access to which resource. For example, Google Kubernetes Engine (GKE) clusters, Compute Engine virtual machine instances, and Cloud Storage buckets are all Google Cloud resources.
In IAM, permission to access a resource isn’t granted directly to the end user. Rather, permissions are grouped into roles, and roles are granted to authenticated members. An IAM policy specifies which roles are granted to which members, and the policy is attached to a resource. When an authenticated member attempts to access a resource, IAM examines the resource’s policy to determine whether the action is permitted.
Diagram for permission management in IAM.
There are three parts in this model for access management:
1. Member
A member can be a:
- Google Account
- Service account
- Google group
- Google Workspace
- Cloud Identity domain.
The identity of a member can be an email address associated with a user, service account, or Google group, or a domain name associated with a Google Workspace or Cloud Identity domain.
2. Role
A role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a member, you grant all the permissions that the role contains.
3. Policy
An IAM policy is a collection of role bindings that attach one or more members to individual roles. To define who (member) has what type of access (role) on a resource, you create a policy and attach it to the resource.
What are the features of IAM?
Google Cloud IAM has unique features. Some of them are:
1. Single access control interface
IAM offers a simple and consistent access control interface for all Google Cloud services. That is to say, you only have to learn one access control interface, then apply that knowledge to all Google Cloud resources.
2. Context-aware access
In IAM, you can control access to resources based on contextual attributes like resource type, device security status, IP address, and date/time.
3. Flexible roles
Before IAM, the only option was to grant the Owner, Editor, or Viewer roles to users. Now, a wide range of services and resources surface additional IAM roles. For example, the Pub/Sub service exposes Publisher and Subscriber roles in addition to the Owner, Editor, and Viewer roles.
4. Web, programmatic, and command-line access
You can use the Google Cloud Console, the IAM API methods, and the gcloud command-line tool to create and manage IAM policies.
5. Built-in audit trail
IAM gives admins a full audit trail without any additional effort, easing compliance processes for your organization.
6. Support for Cloud Identity
IAM supports standard Google Accounts. Using Cloud Identity, you can create IAM policies that grant permission to a Google group, a Google-hosted domain, a service account, or specific Google Account holders.
7. Free of charge
IAM is provided at no additional charge to all Google Cloud customers. You are charged only for your use of other Google Cloud services.
Getting started with Google Identity and Access Management (IAM)
1. Using the Cloud Console
In this section, we will learn to grant IAM roles to project members using the Google Cloud Console.
1. Granting an IAM role
Add a project member, then grant them the Logs Viewer role (roles/logging.viewer).
- Firstly, go to the IAM page in the Cloud Console.
- Secondly, ensure that the name of your new project appears in the project selector at the top of the page. The project selector shows which project you are currently working on.
  - If you don’t see the name of your new project, click the project selector and choose the new project.
- Thirdly, click Add (the person_add icon) in the main content area.
- Then, enter the email address of the new member.
- After that, from the Select a role drop-down menu, select Logging and then Logs Viewer.
- Now, click Save, and verify that the member and the corresponding role are listed on the IAM page.
2. Observing the effects of IAM roles
Demonstrate that the added member can access the expected Cloud Console pages as follows:
- Firstly, send the URL below to the member to whom you granted the role in the prior step:
  https://console.cloud.google.com/logs?project=project-id
- Then, demonstrate that the member is able to open and view the URL.
3. Granting other roles to the same member
Grant the existing member the Viewer basic role (roles/viewer) in addition to their Logs Viewer role. The Viewer role offers read-only access to all existing resources and data in your project.
- Firstly, go to the IAM page in the Cloud Console.
- Secondly, find the member to whom you want to grant another role, and click Edit (the edit icon).
- Then, in the Edit permissions pane, click Add another role.
- Lastly, from the Select a role drop-down menu, select Project and then Viewer. Now, click Save.
4. Revoking the roles granted to the member
Revoke the roles you granted to the member in the preceding steps as follows:
- Firstly, find the member whose roles you want to revoke, then click Edit (the edit icon).
- Now, in the Edit permissions pane, click the delete icon next to both roles previously granted to the member.
- Lastly, click Save.
2. Grant or revoke a single role
To grant or revoke a single role for a single member, you can use the Cloud Console or the gcloud tool.
1. Granting a single role
To grant a single role to a member, use the steps below:
Console
- Firstly, go to the IAM page in the Cloud Console.
- Secondly, choose a project, folder, or organization.
- Thirdly, choose a member to grant a role to:
  - To grant a role to an existing member, find the row containing the member’s email address. Then click Edit member in that row, and select Add another role.
  - To grant a role to a new member, click Add, then enter the member’s email address.
- After that, choose a role to grant from the drop-down list. As a security best practice, choose a role that includes only the permissions your member requires.
- Now, click Save. The member is granted the role on the resource.
Further, to grant a role to a member on more than one project, folder, or organization, use the steps below:
- Firstly, in the Cloud Console, go to the Manage resources page.
- Secondly, choose all the resources for which you want to grant permission.
- Thirdly, if the info panel is not visible, click Show info panel. Then, click Permissions.
- Fourthly, select a member to grant a role to:
  - To grant a role to an existing member, find the row with the member’s email address. Then click Edit member in that row, and select Add another role.
  - To grant a role to a new member, click Add member, then enter the member’s email address.
- Now, choose a role to grant from the drop-down list.
- Lastly, click Save. The member is now granted the selected role on each of the selected resources.
2. Revoking a single role
To revoke a single role from a member, use the steps below:
Console
- Firstly, go to the IAM page in the Cloud Console.
- Secondly, choose a project, folder, or organization.
- Thirdly, find the row with the email address of the member whose access you want to revoke. Then, in that row, click Edit member.
- Lastly, click the delete icon for each role you want to revoke, and then click Save.
3. Granting or revoking multiple roles
To make large-scale access changes that involve granting and revoking multiple roles, use the read-modify-write pattern to update the resource’s IAM policy:
- Firstly, read the current policy by calling getIamPolicy().
- Secondly, edit the returned policy, using a text editor or programmatically, to add or remove members or role bindings.
- Lastly, write the updated policy by calling setIamPolicy().
To update the policy, you can use the gcloud tool, the REST API, or the Resource Manager client libraries.
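The read-modify-write cycle above and the member/role/policy model described earlier, as an added Python example that is not part of the original article or of Google’s client libraries: it operates on the JSON policy shape returned by getIamPolicy() (bindings of role to members, plus an etag), replays the console walkthrough’s sequence programmatically (grant roles/logging.viewer and roles/viewer, then revoke both), and simulates the etag check that makes setIamPolicy() reject a write based on a stale read. The sample policy, member addresses and etag are constructed.

```python
"""Read-modify-write on a Google Cloud IAM policy document (added example).
Operates on the JSON getIamPolicy() returns: bindings (role -> members) plus an etag."""
import base64
import copy
import hashlib
import json

# Constructed sample policy: members and etag are made up for this example.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXhqDTCd2E=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/logging.viewer", "members": ["user:dev@example.com"]},
    ],
}

def grant_role(policy, role, member):
    """Copy of policy with member added to the unconditional binding for role."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:  # idempotent re-grant
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def revoke_role(policy, role, member):
    """Copy of policy with member removed from role; emptied bindings are dropped."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            binding["members"] = [m for m in binding["members"] if m != member]
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new

def roles_for(policy, member):
    return sorted(b["role"] for b in policy["bindings"] if member in b["members"])

def set_iam_policy(stored, proposed):
    """Simulate the server side of setIamPolicy(): reject a write whose etag no
    longer matches the stored policy, so concurrent edits cannot silently clobber
    each other; on success return the new state with a fresh etag."""
    if proposed.get("etag") != stored["etag"]:
        raise ValueError("etag mismatch: policy changed since it was read; re-read and retry")
    saved = copy.deepcopy(proposed)
    digest = hashlib.sha256(json.dumps(saved["bindings"], sort_keys=True).encode()).digest()
    saved["etag"] = base64.b64encode(digest[:8]).decode()
    return saved
```

Against a real project the same functions slot between `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud projects set-iam-policy PROJECT policy.json`; the simulated etag rejection is what the real API does when the policy changed between your read and your write.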
Final Words
Above, we have learned about Google Cloud Identity and Access Management (IAM), including its features and the steps for getting started with the service. So, if you are interested in using this fine-grained access control and visibility for centrally managing cloud resources, you can start at no additional cost.