GCP Essential Series 02
Welcome everyone to the next part of the GCP Essentials documentation series. We will be discussing the following topics:
1. Organizations and Projects
2. Identity and Access Management(IAM)
1. Organization and Projects:
Organization (in general)
An organization is an entity comprising multiple people, such as an institution or an association, that has a collective goal and is linked to an external environment.
GCP infrastructure is organized according to the Cloud Infrastructure Hierarchy model.
A hierarchy is an organizational structure in which items are ranked according to levels of importance.
In this hierarchy, organization entities are represented in parent and child relationships.
In GCP, the hierarchy is defined in three important layers: the Organization, Projects, and Resources.
The Organization resource represents an organization (for example, a company) and is the root node in the GCP resource hierarchy. The Organization resource is the hierarchical ancestor of project resources and Folders. The IAM access control policies applied on the Organization resource apply throughout the hierarchy on all resources in the organization.
Projects are the core organizational component of GCP.
Projects are used to control access to resources.
Creating, enabling and using all Cloud Platform services is done on a per-project basis.
Projects have three identification attributes:
- Project Name: a friendly, human-readable name
- Project ID: a unique ID associated with the project
- Project Number: used in various places to identify resources that belong to a specific project
Resources are the services that are associated with projects for use in GCP.
2. Identity and Access Management(IAM)
Google Cloud Platform offers Cloud Identity and Access Management (IAM), which lets you give more granular access to specific Google Cloud Platform resources and prevents unwanted access to other resources. IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources.
Why is IAM important for GCP?
Google Cloud Platform (GCP) offers Cloud IAM, which lets you manage access control by defining who (identity) has what access (role) for which resource.
IAM helps you implement policies across your organization to secure access to resources. You deploy these policies based on roles.
In Cloud IAM, you grant access to members. A member can be one of the following types:
2.a.1) Google account
2.b.2) Service account
2.c.3) Google group
2.d.4) G Suite domain
2.e.5) Cloud Identity domain
2.a.1) Google account:
A Google account represents a developer, an administrator, or any other person who interacts with GCP. Any email address that is associated with a Google account can be an identity, including gmail.com or other domains.
2.b.2) Service account:
A service account is an account that belongs to your application instead of to an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application.
2.c.3) Google group:
A Google group is a named collection of Google accounts and service accounts. Every group has a unique email address that is associated with the group.
Google groups are a convenient way to apply an access policy to a collection of users. You can grant and change access controls for a whole group at once instead of granting or changing access controls one-at-a-time for individual users or service accounts.
2.d.4) G Suite domain:
A G Suite domain represents a virtual group of all the Google accounts that have been created in an organization's G Suite account. G Suite domains represent your organization's Internet domain name (such as turtledesk.com), and when you add a user to your G Suite domain, a new Google account is created for the user inside this virtual group (such as firstname.lastname@example.org).
2.e.5) Cloud Identity domain:
A Cloud Identity domain is like a G Suite domain because it represents a virtual group of all Google accounts in an organization. However, Cloud Identity domain users don't have access to G Suite applications and features.
A role is a collection of permissions. You cannot assign a permission to the user directly; instead you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.
There are three kinds of roles in Cloud IAM:
Primitive roles: The roles historically available in the Google Cloud Platform Console will continue to work. These are the Owner, Editor, and Viewer roles.
Predefined roles: Predefined roles are the Cloud IAM roles that give finer-grained access control than the primitive roles. For example, the predefined role Pub/Sub Publisher (roles/pubsub.publisher) provides access to only publish messages to a Cloud Pub/Sub topic.
Custom roles: Roles that you create to tailor permissions to the needs of your organization when predefined roles don't meet your needs.
You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed.
A Cloud IAM policy is represented by the IAM Policy object. An IAM Policy object consists of a list of bindings. A Binding binds a list of members to a role.
Cloud IAM provides a set of methods that you can use to create and manage access control policies on GCP resources. These methods are exposed by the services that support Cloud IAM. For example, the Cloud IAM methods are exposed by the Resource Manager, Cloud Pub/Sub, and Cloud Genomics APIs, just to name a few.
The Cloud IAM methods are:
setIamPolicy(): Allows you to set policies on your resources.
getIamPolicy(): Allows you to get a policy that was previously set.
testIamPermissions(): Allows you to test whether the caller has the specified permissions for a resource.
GCP resources are organized hierarchically, where the organization node is the root node in the hierarchy, the projects are the children of the organization, and the other resources are the children of projects. Each resource has exactly one parent.