I am new to GCP but I have worked on AWS to provide temporary access to AWS resources using the AWS Cognito AssumeRole API and an Organization pool of accounts, creating a custom URL to access the AWS Console.
I am trying to create a similar type of solution for GCP as well. I want to provide access to users (there will be 500 concurrent users). Can anyone suggest what the best approach could be?
According to my R&D, service accounts can be used, but there are some project limitations.
IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need.
Google Cloud offers Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
To see all permissions for a specific service, search for that service's permission prefix followed by a period. For example, to see all App Engine permissions, search for appengine. To see which permissions are included in each role, use the predefined roles reference instead of the permissions reference.
You can use IAM conditions. The doc is interesting if you want to script the access. For a test, you can use the console.
Start by adding or editing a permission in the IAM page. Choose a role and then click on add permissions.
Name your condition and choose the condition(s).
EDIT
You can use the API directly for this.
You can also use the client library. There is no dedicated library for Resource Manager; you have to use the discovery API. Here is the description of the Resource Manager v1.
So, in Python, the code looks like this:
import googleapiclient.discovery

# Build a client for the Cloud Resource Manager v1 API via discovery
# (uses Application Default Credentials).
resourceManager = googleapiclient.discovery.build("cloudresourcemanager", "v1")

# Read the current IAM policy of the project.
result = resourceManager.projects().getIamPolicy(resource="<ProjectId>").execute()
print(result)

# New policy: one conditional binding that expires at the given timestamp.
# Conditions require policy version 3.
body = {
    'policy': {
        'bindings': [
            {
                'role': 'roles/storage.objectViewer',
                'members': [
                    'user:[email protected]'
                ],
                'condition': {
                    'title': 'expirable access',
                    'expression': 'request.time < timestamp("2020-10-01T00:00:00.000Z")'
                }
            }
        ],
        'version': 3
    }
}

# Write the policy back (this replaces the whole policy on the project).
result = resourceManager.projects().setIamPolicy(resource="<ProjectId>", body=body).execute()
print(result)
Note: you have to repeat the binding block for each role that you want to grant.
BE CAREFUL
In both cases, you will set the IAM policy; it's an erase/replace of the existing policy on the project. By the way, one good practice is to perform a getIamPolicy (as in my example) first and update its result before setting it.
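To make the read-modify-write concrete, here is an added example (not part of the answer above) that appends an expiring binding to a fetched policy while keeping its etag and existing bindings, and lists bindings whose expiry has already passed so they can be pruned. The project id, the member and the sample policy dict are constructed placeholders.

```python
import copy
import datetime
import re

# Constructed sample getIamPolicy() response (not real data): an etag and one expired conditional binding.
SAMPLE_POLICY = {
    "version": 3, "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"],
         "condition": {"title": "expirable access",
                       "expression": 'request.time < timestamp("2020-10-01T00:00:00.000Z")'}},
    ],
}
_EXPIRY = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

def _ts(value):  # RFC 3339 string, as used in IAM condition timestamps -> aware datetime
    return datetime.datetime.fromisoformat(value.replace("Z", "+00:00"))

def add_expiring_binding(policy, role, member, expires_at):
    """Copy of `policy` granting `role` to `member` until `expires_at` (RFC 3339, UTC).
    Etag and existing bindings are kept: setIamPolicy becomes a read-modify-write
    that fails on a stale etag instead of silently replacing the whole policy."""
    if _ts(expires_at) <= datetime.datetime.now(datetime.timezone.utc):
        raise ValueError("expires_at must be in the future")
    updated = copy.deepcopy(policy)
    updated["version"] = 3  # conditional bindings require policy version 3
    updated.setdefault("bindings", []).append({
        "role": role, "members": [member],
        "condition": {"title": "expirable access",
                      "expression": 'request.time < timestamp("%s")' % expires_at}})
    return updated

def expired_bindings(policy, now):
    """(role, member) pairs whose expiry is before `now` (RFC 3339): IAM no longer
    honours them but leaves them in the policy, so they should be pruned."""
    out = []
    for b in policy.get("bindings", []):
        m = _EXPIRY.search(b.get("condition", {}).get("expression", ""))
        if m and _ts(m.group(1)) <= _ts(now):
            out.extend((b["role"], member) for member in b["members"])
    return out

if __name__ == "__main__":  # live usage: needs google-api-python-client and ADC
    import googleapiclient.discovery
    rm = googleapiclient.discovery.build("cloudresourcemanager", "v1")
    current = rm.projects().getIamPolicy(  # version 3 needed to read conditions back
        resource="<ProjectId>", body={"options": {"requestedPolicyVersion": 3}}).execute()
    policy = add_expiring_binding(current, "roles/storage.objectViewer", "user:alice@example.com", "2030-01-01T00:00:00Z")
    print(rm.projects().setIamPolicy(resource="<ProjectId>", body={"policy": policy}).execute())
```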
GCP has short-lived service account credentials:
The process involves a caller, which is either a Google account or a service account, that makes a request to create short-lived credentials for a second service account.
You can, for example, generate OAuth 2.0 access tokens with specific permissions that are valid for 1 hour.
Note that service accounts differ from regular user accounts in that they belong to specific GCP resources, like VMs, and are not part of the G Suite domain. They also have no ability to log in via a browser.