Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Temporary Access to GCP Resources

I am new to GCP but I have worked on AWS to provide temporary access to AWS Resources using AWS Cognito Assume Role API and Organzation pool of accounts and creating custom URL to access AWS Console.

I am trying to create similar type of solution for GCP as well. I want to provide access to users (500 Concurrent users will be there). Can anyone suggest what could be the best approach

Acc. to my R&D, Service Accounts can be used but some project limitations are there.

like image 447
shivaniverma6991 Avatar asked Jun 21 '20 16:06

shivaniverma6991


People also ask

Which is used by GCP to determine access rights to resources?

IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need.

Which basic permissions allows you to change access permissions on resources in GCP?

Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.

What permissions do I have in GCP?

To see all permissions for a specific service, search for that service's permission prefix followed by a period. For example, to see all App Engine permissions, search for appengine. . To see which permissions are included in each role, use the predefined roles reference instead of the permissions reference.


2 Answers

You can use IAM condition. The doc is interesting if you want to script the access. For a test, you can use the console

Start by adding or editing permission in the IAM page. Choose a role and then click on add permissions enter image description here

Name your condition and choose the condition(s).

enter image description here

EDIT

You can use the API directly for this

You can also use the client library. There is no dedicated library for resource manager, you have to use the discovery API. Here the description of the resource manager v1

So, in Python, the code look like this

import googleapiclient.discovery
resourceManager = googleapiclient.discovery.build("cloudresourcemanager","v1")
result = resourceManager.projects().getIamPolicy(resource="<ProjectId>").execute()
print(result)
body={
'policy': {
  'bindings': [
    {
      'role': 'roles/storage.objectViewer',
      'members': [
        'user:[email protected]'
      ],
      'condition': {
        'title': 'expirable access',
        'expression': 'request.time < timestamp("2020-10-01T00:00:00.000Z")'
      }
    }
  ],
  'version': 3
  }
}
result = resourceManager.projects().setIamPolicy(resource="<ProjectId>", body=body).execute()
print(result)

Note: you have to repeat the binding bloc for each role that you want to grant

BE CAREFUL

In both case, you will set the IAM policy, it's an erase/replace of the existing policy on the project. By the way, one of the good practice is to perform a getIamPolicy (also in my example) before and to update the results before setting it.

like image 182
guillaume blaquiere Avatar answered Oct 09 '22 22:10

guillaume blaquiere


GCP has short-lived service account credentials:

The process involves a caller which is either a Google account or a service account and who makes a request to create short-lived credentials for a second service account.

You can, for example, generate OAuth 2.0 access tokens with specific permissions, that are valid for 1 hour.

**Note that service accounts differ from regular user accounts in that they belong to specific GCP resources,like VMs, and are not part of the G suite domain. They also have no ability to login via browser.

like image 37
Adi Dembak Avatar answered Oct 09 '22 21:10

Adi Dembak