Imagine that you have just joined an organization. They provide you with an ID card as well as an access card. With this access card, you are allowed to enter a certain number of locations, including your workplace, the parking lot, and the cafeteria, among other places. If you want to see the confidential information kept in the lab or document area, you need to seek special authorization in order to get access. GCP has something similar, called Identity and Access Management, or IAM for short.

Identity and access management is one of the most important precautions that can be taken to keep data safe in cloud computing environments like Google Cloud Platform (GCP). Every action that is performed, such as adding or deleting resources, or communication between different services of the platform, happens through an API. As a result, it is essential to pay close attention to the rights that enable access to resources and to make sure that only the absolute bare minimum of permissions required to carry out business processes is made available. IAM is built on the least privilege principle: users are denied access by default, and access has to be opened for them explicitly.

For the purpose of assigning permissions, GCP uses a system known as Role-Based Access Control (RBAC). RBAC denotes the practice of basing the assignment of permissions on the tasks or responsibilities that are associated with an identity.

A ROLE is a designated set of permissions that determines whether or not an identity has the authority to carry out certain activities on a resource. Within IAM, we cannot directly grant permissions to users. Instead, we grant them roles, which are collections of one or more permissions. Permissions are written in the format service.resource.verb; one example is the compute.instances.list permission. The permissions establish which kinds of activities may be performed on a resource. When a role is granted to a member, the member receives all of the permissions associated with that role.

There are three types of roles in Google Cloud IAM:

  • Basic roles
    • Include the Owner, Editor, and Viewer roles
    • Provide a broad level of permissions and are not recommended
  • Predefined roles
    • Google creates and updates these roles as needed, for example when Google Cloud introduces new features or services.
    • Example: roles/notebooks.admin ; roles/ml.modelUser
  • Custom roles
    • Provide granular access according to a user-defined list of permissions
    • We can create a custom IAM role with one or more permissions and then grant that custom role to users or groups.
    • GCP does not update custom roles when new permissions, features, or services are introduced to the platform
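The deny-by-default check, the service.resource.verb permission format and the three role kinds described above, as an added Python model (not GCP's API or Google's code). The role catalogue, the EXAMPLE_ORG custom role and the policy are constructed for illustration; the permission sets shown for roles/viewer and roles/compute.viewer are deliberately tiny and do not reflect the real roles.

```python
"""Toy model of GCP IAM role bindings (added example, not Google's code)."""
import re

# Permission strings are written service.resource.verb, e.g. compute.instances.list
PERMISSION_RE = re.compile(r"^[a-z][a-z0-9]*\.[a-zA-Z0-9]+\.[a-zA-Z0-9]+$")

# Basic roles bundle broad permissions across services; an audit should flag them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed role catalogue: role name -> set of permissions it bundles.
# The real predefined roles carry far more permissions than listed here.
ROLES = {
    "roles/viewer": {"compute.instances.list", "compute.instances.get",
                     "storage.objects.list", "storage.objects.get"},
    "roles/compute.viewer": {"compute.instances.list", "compute.instances.get"},
    # Custom role defined by the organization (EXAMPLE_ORG is a placeholder);
    # GCP will not add new permissions to it when new features ship.
    "organizations/EXAMPLE_ORG/roles/instanceLister": {"compute.instances.list"},
}


def valid_permission(perm: str) -> bool:
    """True if perm matches the service.resource.verb format."""
    return bool(PERMISSION_RE.match(perm))


def effective_permissions(member: str, bindings: dict) -> set:
    """Union of the permissions of every role bound to member.
    bindings maps role -> list of members, the shape of an IAM policy."""
    perms = set()
    for role, members in bindings.items():
        if member in members:
            perms |= ROLES.get(role, set())
    return perms


def has_permission(member: str, perm: str, bindings: dict) -> bool:
    """Deny by default: granted only if some bound role carries perm."""
    if not valid_permission(perm):
        raise ValueError(f"malformed permission: {perm}")
    return perm in effective_permissions(member, bindings)


def basic_role_bindings(bindings: dict) -> list:
    """Least-privilege audit: (role, member) pairs using Owner/Editor/Viewer."""
    return sorted((r, m) for r, ms in bindings.items() if r in BASIC_ROLES for m in ms)


# Constructed policy: alice holds the narrow custom role, bob a basic role.
POLICY = {
    "organizations/EXAMPLE_ORG/roles/instanceLister": ["user:alice@example.com"],
    "roles/viewer": ["user:bob@example.com"],
}
```

Running `basic_role_bindings(POLICY)` reports bob's Viewer binding as the one to review, while alice's custom role grants exactly compute.instances.list and nothing else.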
