Members

00:00

Let’s talk more about members, which define the “who” part of “who can do what on

00:05

which resource.”

00:06

There are five different types of members: Google Accounts, Service Accounts, Google

00:12

Groups, Google Workspace domains, and Cloud Identity domains.

00:16

A Google account represents a developer, an administrator, or any other person who interacts

00:21

with Google Cloud.

00:23

Any email address that is associated with a Google account can be an identity, including

00:28

gmail.com or other domains.

00:31

New users can sign up for a Google account by going to the Google account signup page,

00:36

without receiving mail through Gmail.

00:38

A service account is an account that belongs to your application instead of to an individual

00:43

end user.

00:44

When you run code that is hosted on Google Cloud, you specify the account that the code

00:49

should run as.

00:51

You can create as many service accounts as needed to represent the different logical

00:55

components of your application.

00:57

A Google group is a named collection of Google accounts and service accounts.

01:02

Every group has a unique email address that is associated with the group.

01:06

Google groups are a convenient way to apply an access policy to a collection of users.

01:12

You can grant and change access controls for a whole group at once instead of granting

01:16

or changing access controls one-at-a-time for individual users or service accounts.

01:21

A Workspace domain represents a virtual group of all the Google accounts that have been

01:26

created in an organization's Workspace account.

01:29

Workspace domains represent your organization's internet domain name, such as example.com,

01:36

and when you add a user to your Workspace domain, a new Google account is created for

01:40

the user inside this virtual group, such as [email protected].

01:46

Google Cloud customers who are not Workspace customers can get these same capabilities

01:50

through Cloud Identity.

01:52

Cloud Identity lets you manage users and groups using the Google Admin Console, but you do

01:58

not pay for or receive Workspace’s collaboration products such as Gmail, Docs, Drive, and Calendar.

02:04

Now it’s important to note that you cannot use IAM to create or manage your users or

02:09

groups.

02:10

Instead, you can use Cloud Identity or Workspace to create and manage users.

02:14

A policy consists of a list of bindings.

02:16

A binding binds a list of members to a role, where the members can be user accounts, Google

02:22

groups, Google domains, and service accounts.

02:26

A role is a named list of permissions defined by IAM.

02:30

Let’s revisit the IAM resource hierarchy.

02:33

A policy is a collection of access statements attached to a resource.

02:37

Each policy contains a set of roles and role members, with resources inheriting policies

02:42

from their parent.

02:44

Think of it like this: resource policies are a union of parent and resource, where a less

02:50

restrictive parent policy will always override a more restrictive resource policy.

02:55

The IAM policy hierarchy always follows the same path as the Google Cloud resource hierarchy,

03:02

which means that if you change the resource hierarchy, the policy hierarchy also changes.

03:08

For example, moving a project into a different organization will update the project's IAM

03:14

policy to inherit from the new organization's IAM policy.

03:18

Also, child policies cannot restrict access granted at the parent level.

03:24

For example, if we grant you the Editor role for Department X, and we grant you the Viewer

03:29

role at the bookshelf project level, you still have the Editor role for that project.

03:34

Therefore, it is a best practice is to follow the principle of least privilege.

03:40

The principle applies to identities, roles, and resources.

03:44

Always select the smallest scope that’s necessary for the task in order to reduce

03:48

your exposure to risk.

03:50

You can also use a recommender for role recommendations to identify and remove excess permissions

03:55

from your principals, improving your resources’ security configurations.

04:00

Each role recommendation suggests that you remove or replace a role that gives your principals

04:05

excess permissions.

04:06

At scale, these recommendations help you enforce the principle of least privilege by ensuring

04:11

that principals have only the permissions that they actually need.

04:16

Recommender identifies excess permissions using policy insights.

04:20

Policy insights are ML-based findings about permission usage in your project, folder,

04:25

or organization.

04:27

You can grant access to Google Cloud resources by using allow policies, also known as IAM

04:33

policies, which are attached to resources.

04:35

The allow policy controls access to the resource itself and any descendants of that resource

04:42

that inherit the allow policy.

04:44

An allow policy associates, or binds, one or more principals (also known as a member

04:49

or identity) with a single IAM role and any context-specific conditions that change how

04:55

and when the role is granted.

04:57

In the example on this slide, Jie ([email protected]) is granted the Organization Admin predefined

05:03

role (roles/resourcemanager.organizationAdmin) in the first role binding.

05:12

This role contains permissions for organizations, folders, and limited projects operations.

05:18

In the second role binding, both Jie and Raha ([email protected]) are granted the ability

05:24

to create projects via the Project Creator role (roles/resourcemanager.projectCreator).

05:31

Together, these role bindings grant fine-grained access to both Jie and Raha, and Jie is granted

05:40

more access than Raha.

05:43

IAM deny policies let you set guardrails on access to Google Cloud resources.

05:49

With deny policies, you can define deny rules that prevent certain principals from using

05:55

certain permissions, regardless of the roles they're granted.

06:00

Deny policies are made up of deny rules.

06:03

Each deny rule specifies a set of principals that are denied permissions, and the permissions

06:10

that the principals are denied, or unable to use.

06:14

Optionally, you can define the condition that must be true for the permission to be denied.

06:20

When a principal is denied a permission, they can't do anything that requires that permission,

06:26

regardless of the IAM roles they've been granted.

06:30

This is because IAM always checks relevant deny policies before checking relevant allow

06:36

policies.

06:38

IAM Conditions allow you to define and enforce conditional, attribute-based access control

06:44

for Google Cloud resources.

06:45

With IAM Conditions, you can choose to grant resource access to identities (members) only

06:52

if configured conditions are met.

06:55

For example, this could be done to configure temporary access for users in the event of

07:00

a production issue or to limit access to resources only for employees making requests from your

07:05

corporate office.

07:07

Conditions are specified in the role bindings of a resource's IAM policy.

07:11

When a condition exists, the access request is only granted if the condition expression

07:16

evaluates to true.

07:18

Each condition expression is defined as a set of logic statements allowing you to specify

07:23

one or more attributes to check.

07:26

An organization policy is a configuration of restrictions,

07:30

defined by configuring a constraint with the desired restrictions for that organization.

07:35

An organization policy can be applied to the organization node, and all of its folders

07:41

or projects within that node.

07:44

Descendants of the targeted resource hierarchy inherit the organization policy that has been

07:49

applied to their parents.

07:52

Exceptions to these policies can be made, but only by a user who has the organization

07:57

policy admin role.

07:59

What if you already have a different corporate directory?

08:02

How can you get your users and groups into Google Cloud?

08:07

Using Google Cloud Directory Sync, your administrators can log in and manage Google Cloud resources

08:12

using the same usernames and passwords they already use.

08:17

This tool synchronizes users and groups from your existing Active Directory or LDAP system

08:22

with the users and groups in your Cloud Identity domain.

08:26

The synchronization is one-way only; which means that no information in your Active Directory

08:30

or LDAP map is modified.

08:33

Google Cloud Directory Sync is designed to run scheduled synchronizations without supervision,

08:38

after its synchronization rules are set up.

08:40

Google Cloud also provides single sign-on authentication.

08:44

If you have your identity system, you can continue using your own system and processes

08:49

with SSO configured.

08:51

When user authentication is required, Google will redirect to your system.

08:55

If the user is authenticated in your system, access to Google Cloud is given; otherwise,

09:00

the user is prompted to sign in.

09:03

This allows you to also revoke access to Google Cloud.

09:06

If your existing authentication system supports SAML2, SSO configuration is as simple as 3

09:12

links and a certificate, as shown on this slide.

09:16

Otherwise, you can use a third-party solution, like ADFS, Ping, or Okta.

09:20

Also, if you want to use a Google account but are not interested in receiving mail through

09:25

Gmail, you can still create an account without Gmail.