Google Cloud Platform (GCP) - Cloud IAM Basics | identity & access management



So, friends, Identity and Access Management has three major parts: who can do what on which resources. This is self-explanatory. But before we go into the details of it, let's take a real-life example. Suppose you go for a walk-in interview at some company.


So the first thing which you get in that particular company is a visitor ID card. That visitor ID card only allows you to have access to certain areas of the office, like the reception, the formal lobby, maybe a couple of open meeting rooms, and of course, the cafeteria. Then suppose you get selected by that particular company and you join as a new joiner. Then you will get an employee ID card. Now, with an employee ID card, you will have certain elevated access compared to what you had as a visitor.


Now you would have access to the library, the facilities, maybe more cafeterias which are on the other floors, and then some other sections of the office which were not accessible to the visitor. But still, you do not have access to any specific project or any specific area where the projects are running. That will happen once you get allocated or assigned to a particular project. Then you get access to that particular area where the project development team sits: you can enter that particular project area or that particular floor where your specific project area resides.


But even after having that level of access, you still do not have all the access.


Suppose, for example, you cannot enter the server room of your office. You cannot enter the admin facility of your office without a special approval. So what we are trying to understand here is that you, being an identity, have an access level that varies based on the role you have. So first you were a visitor, then you came in as a new joiner. Then you became a project member.


And then based on the roles which you were getting, your access kept getting elevated. Exactly that happens in IAM, Identity and Access Management. You first have an identity; based on that identity, you are assigned a role. Now that particular role which you get decides what set of permissions you will have on certain resources on Google Cloud. Now when we talk about identity, there are various kinds of identities which can be used on Google Cloud.


The first and the very common one is the Google account. Suppose you are creating free tier access on Google Cloud Platform. What you do is tie it to your Gmail account. So your Gmail can be the Google account ID which you use. Secondly, you can have service accounts.


Now, service accounts are not used by people. These service accounts are used by the resources. Suppose you have a Compute Engine instance, a server which you have deployed on your Google Cloud, and that particular server needs to talk to another resource indirectly under the hood. Then what will happen?


It cannot happen through your user ID. For that you need service accounts, so that the service account will have special privileges. For example, if there is a service account with which a compute instance is running, and this particular compute instance needs to read something from Cloud Storage, maybe a file or something, then this particular service account will get a specific role which will let this particular service account read something from that specific bucket. So what we are trying to see here is that these are different types of identities with which you can access various resources with the roles you get.


So there are also Google groups.


Suppose you want to assign roles to multiple people at one time. So what you will do is create a group, and that particular group will be given certain roles. Now, it might also happen that you do not have any ID at all in Google. For that you have Cloud Identity. So Cloud Identity is a service which is provided by Google Cloud with which you can get an identity within Google Cloud even without having a Google account.


So that is for the identity part. Now coming to the roles. What are the roles? As I said, when you entered the company as a visitor, you were given the role of a visitor, and that decided that you would have a certain amount of access in that office. In a similar way, there are majorly three types of roles which you get.


And by the way, roles are nothing but a set of permissions. Because there are thousands of permissions, it's practically impossible to give individual permissions to specific users. Right? Because there are so many permissions.


So what Google did, they created a bucket, and in that bucket they put various permissions based on the role. So there are majorly three different categories of role which you have. The first one is primitive. Now primitive roles were in the picture when there was no IAM on Google Cloud. So there were mainly three types of roles: owner, editor, and viewer.


Any user who came onto Google Cloud used to get one of these three types of roles. But these roles were very, very broad in nature. It used to open up a Pandora's box. It used to give so much, so much at one time, that it used to violate the basic principle of security, which is PLP. And what does PLP mean? Principle of least privilege.


Okay, so what does that mean? It means that at any given point of time, you should only give the minimum amount of access required to anybody. So when we used to assign an editor role, that editor role used to span across multiple resources. So suppose I am getting an editor role: I can edit a Compute Engine instance, maybe I can edit and do something on Cloud Storage, and things like that.


I can do multiple things as an editor or as an owner. Right. But then Google gave the predefined roles. Now, what predefined roles meant was that we narrowed down the set of permissions you could have. So what it did, it helped us give a very, very well-defined set of roles, a very specific set of permissions, to any user.


For example, suppose there's a user, scott at gmail dot com, that's his identity, who gets Compute Instance Admin. Now Compute Instance Admin, as the name suggests, means that this particular user will have admin access within the compute area only. This user cannot go and do something on Cloud Storage, and this user cannot go and do something on BigQuery. So that is what was meant by coming up with predefined roles.


But even with predefined roles, that category is quite broad. So now if you get the Admin role, you can maybe start the machine, stop the machine, and maybe you can do anything under the admin role. But what if you do not even want that? If you want an even further narrowed-down scope, then you can have custom roles. Now, for custom, you have to create the custom roles yourself, because primitive and predefined come automatically on Google Cloud.


But a custom role you have to create on your own. So now suppose there is a support representative who's there to monitor a compute instance. Okay. And he is only allowed to restart a machine, and only when he sees that the machine has been shut down abruptly, or something like that.


So for that, even under Admin, you will narrow it down and give only the restart permission, so that this particular support representative can only restart a shut-down machine, or maybe a machine which has crashed. But he cannot spin up a new virtual machine. He cannot do anything apart from that. So that is custom: narrowing it down to the minimal level which, you know, should suffice for the requirement.
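To make the identity, role and resource chain concrete, here is an added example (not part of the lecture) in Python: a toy policy evaluator that uses real GCP role and permission names but constructed, trimmed permission lists, constructed member names and a hypothetical project `demo`. It covers both the service account that may only read a bucket and the support representative's custom role, and shows that each category of role is a strict narrowing of the previous one.

```python
# Toy model of the Cloud IAM chain: a member is bound to a role on a
# resource, and the role expands to permissions. Role and permission
# names are real GCP identifiers; the permission lists are constructed
# subsets for illustration (the real roles hold far more).
ROLES = {
    "roles/editor": {  # primitive role: spans compute, storage, bigquery
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.start", "compute.instances.stop",
        "compute.instances.reset", "storage.objects.get",
        "storage.objects.create", "bigquery.tables.getData",
    },
    "roles/compute.instanceAdmin.v1": {  # predefined: compute only
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.start", "compute.instances.stop",
        "compute.instances.reset",
    },
    "roles/storage.objectViewer": {  # predefined: read objects only
        "storage.objects.get", "storage.objects.list",
    },
}

def define_custom_role(name, permissions):
    """Custom roles are authored by the project, not shipped by Google."""
    ROLES[name] = frozenset(permissions)
    return ROLES[name]

def permissions_for(policy, member):
    """Union of the permissions every binding in `policy` grants `member`."""
    return set().union(*(ROLES[b["role"]] for b in policy["bindings"]
                         if member in b["members"]))

def has_permission(policy, member, permission):
    return permission in permissions_for(policy, member)

# Constructed policy (hypothetical project "demo"): the support group gets
# a custom role limited to start/reset, i.e. the "restart" ability only.
define_custom_role("projects/demo/roles/vmRestarter",
                   ["compute.instances.start", "compute.instances.reset"])
POLICY = {"bindings": [
    {"role": "roles/compute.instanceAdmin.v1",
     "members": ["user:scott@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:vm-sa@demo.iam.gserviceaccount.com"]},
    {"role": "projects/demo/roles/vmRestarter",
     "members": ["group:support@example.com"]},
]}
```

Run `permissions_for(POLICY, member)` for each member to see how the granted set shrinks from primitive to predefined to custom.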


Now, this is about identity and the role. Now coming to the resources. For understanding the resources part, understand that when I talk about resources, this is your library, this is your cafe area, this is your office area. So based on what roles you are getting assigned, you are getting more and more access. Right?