Behind the Cloud – IAM roles in Google Cloud
In this episode of Behind the Cloud, Matt dives into Identity and Access Management (IAM) on Google Cloud. He discusses the common frustrations users face, and the significance of assigning specific, granular permissions to mitigate potential risks.
Transcript
Introduction to IAM roles
[00:00:00] Matt: Hello and welcome to another episode of Behind the Cloud. I’m afraid today isn’t going to be the most glamorous of episodes, because what we’re here to talk about today is IAM on GCP. Anybody who’s interacted with GCP, even from day one, will remember and feel how much of a headache permissions can be on the platform.
[00:00:24] Matt: All of these things can get really frustrating and can lead to people getting more lax with how they deal with permissions, and that can lead to big problems. What we’re aiming for here is the principle of least privilege. And to demonstrate why, let’s just have a little bit of a hypothetical for a second.
Hypothetical Scenario: Service Account with Owner Permissions
[00:00:39] Matt: Say you’ve gone and created a service account and, just to make your life easier, you’ve just given it owner permissions so that everything’s going to be covered if a dev comes up against a specific problem or a specific permissions issue. Maybe they’re going to create a new data pipeline, maybe they’re going to add it into an application.
[00:00:57] Matt: Whatever that may be. They complete their work, they publish it to GitHub, and shock horror, they also publish a service account key to GitHub. Now you’ve got a service account key in a public GitHub repository that is available to anyone on the internet. And that service account has access to literally everything within your GCP project.
[00:01:16] Matt: It can create new services, it could delete data, it could rack up some pretty substantial bills. You can see how these things can very easily leak. Now let’s take an alternative view of it. You’ve created that service account, but this time you’ve given it the very specific granular permissions that it needs in order to perform its functions.
Hypothetical Scenario: Service Account with Granular Permissions
[00:01:32] Matt: Let’s say that all it really needs to do is to read the information from a single table within BigQuery. You’ve taken the time to give that service account those specific permissions. Everything happens as before, but this time, the only thing any bad actor is able to do with that service account is view some data.
[00:01:49] Matt: So at the worst, we’ve got a minor data leak, whereas before we could have a total data leak, data deletion, data loss, and giant bills. Where you’re going to spend most of your time in IAM is probably on this main IAM page. This is where you’re going to see all of the current users that have access and service accounts that have access to your project, the roles they have (editor, owner, etc.), and any security insights and things like that, which we’ll go into in a second.
Navigating the IAM Page
[00:02:15] Matt: You can grant access to people by clicking the grant access button. In here your principal is going to be an email address, so a particular user, maybe a group, and down here is where you’re going to find all of your roles. So you’ve got your basic roles. These are sort of umbrella roles that contain a lot of permissions.
Granting Access & Understanding Roles
[00:02:31] Matt: Owner pretty much contains everything that you would need to do anything within the project. And then lower than that, you have a number of very much more specific types of roles that are just for singular purposes. You can search here to filter by particular products, types of roles, anything like that, just to narrow things down.
[00:02:50] Matt: You can click up here to sort things by role. So you can see how many editors you’ve got, particular organization administrators, whatever it may be, all the different roles that are available within your project. You can come here, look at all of them and sort them in that way. There’s also a button on the top right here called "Include Google-provided role grants".
Google Provided Role Grants
[00:03:08] Matt: When Google creates resources and provisions various services throughout GCP, a lot of the time it will also create default service accounts. By default, they’re hidden here for the most part. And if you want to see them, you can tick this button and see other service accounts that have been created by Google.
Security Insights
[00:03:28] Matt: Obviously if your project gets larger and you have lots of different services, then this can get quite a long list. So the ability to filter those out can be quite useful. You’ll also see, in some projects, security insights, and those security insights are essentially Google looking at what access and what use that particular account,
[00:03:47] Matt: either user or service account, has had in the last 30 or so days. And based on that, it will make recommendations on whether it thinks the user or service account has excess permissions. So if, for example, a specific user has only been interacting with BigQuery, querying some tables and maybe creating datasets, but it’s been given the owner permission.
[00:04:08] Matt: Google’s going to say, you know, we’ve got 8,000 plus access permissions here that you can probably clean up to make things a little bit more secure. In the top, you can see a history of any recommendations that Google has made over the last however many days. Right now there’s nothing in here, and you decide whether you want to take or ignore those recommendations. You can also nice and easily differentiate, apart from the obvious, between service accounts and user accounts just by these icons on the left hand side. You can filter to look at specific types of inheritance, roles, names, any of that kind of thing, and you can also search to quickly and easily find users, or potentially you’re looking for a Compute Engine default service account, for example; you can search for things like that.
Privileged Access Manager Overview
[00:04:52] Matt: Recently, within the last month or so, Google’s added something called Privileged Access Manager. Now Privileged Access Manager, and I’ll show you this in a different project, is a way of giving people larger amounts of access but for defined periods of time, and those accesses have to be approved by a particular person.
[00:05:13] Matt: This is really advantageous when, say, you are setting something up for the first time. What you’ll often find is, say you bring in a dev or an agency to complete some work for you, they may not know right from the offset exactly what permissions they’re going to require to complete what they’re trying to complete, and it can end up becoming a bit of a headache.
Creating New Entitlements
[00:05:32] Matt: Like, oh, I also need BigQuery dot jobs dot user dot whatever. This will allow you to give more broad permission, knowing full well that it’s not going to last more than, say, a day. To be able to do that, you can create new entitlements, and these entitlements, you can give them a specific name, give them all of the specific roles that you want to give them, and select how long that entitlement is allowed to be valid for, so you can set it to as little as an hour. Just put some dummy data in here.
[00:06:01] Matt: You can’t, even though it shows you here to add basic, say I could make someone an owner, that’s not actually allowed and it will shout at you that you can’t do that. So I don’t know why it’s in there, but just something to keep in mind. Let’s just grab something random for now. You can then specify which individuals are able to request this specific type of access.
Requesting and Approving Access
[00:06:20] Matt: So the idea here is, say somebody has limited access to the platform. If they need to perform a specific action, they can come to Privileged Access Manager, they can request a specific entitlement, and then it can either just be automatically approved or it can go to an approver here. You can add approvers if you want someone within your organisation to be vetting these, to make sure that people aren’t just able to get themselves all these entitlements just by requesting them. You can put in a principal and that person will be asked to approve any requests within here.
Monitoring Access and Logs
[00:06:53] Matt: You can also activate access requests without having any sort of approval. Also, you can set additional notifications for people when new users are granted access, in case you want larger visibility on things. You can see who’s been granted, what’s waiting to be approved, and any logs of who has
[00:07:13] Matt: been granted access, when they were granted access, when it was revoked, all those kinds of things. So all of this is a nice way of just collecting together a number of different accesses and being able to grant people temporary access to these special Privileged Access Manager grants for a short period of time when they’re trying to undertake a specific type of project.
Conclusion
[00:07:32] Matt: We’re running a little bit long, so I think we’ll call this part one and then we’ll do a part two which will look at service accounts, policy analysers, and groups. That’s a little bit of a whistle-stop tour around IAM. Thank you so much for watching. As always, if you’ve got any questions or comments, please let us know.
[00:07:50] Matt: Any ideas for videos, we’re always open to more. And like and subscribe so you don’t miss any new videos and content that’s coming up in the near future. Thanks.
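As an added example appended after the transcript (not code from the episode, the channel, or Google), this Python script audits a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags every principal bound to a basic role (owner, editor, viewer), calling out service accounts separately because of the leaked-key scenario Matt describes and Google-provided default service accounts because they are hidden in the console by default. The sample policy, the project ID and all principal names are constructed; the "good" service account holding only roles/bigquery.dataViewer passes the check.

```python
import json
from dataclasses import dataclass

# Basic roles are the broad umbrella roles that least privilege steers
# you away from, especially for service accounts whose keys can leak.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample, shaped like the JSON that
# `gcloud projects get-iam-policy PROJECT --format=json` prints.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:pipeline@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/bigquery.dataViewer",
         "members": ["serviceAccount:reader@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]},
    ],
})

@dataclass(frozen=True)
class Finding:
    member: str
    role: str
    reason: str

def audit_policy(policy_json: str) -> list[Finding]:
    """Return one Finding per (principal, basic role) pair in the policy."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        if role not in BASIC_ROLES:
            continue  # predefined roles such as bigquery.dataViewer pass
        for member in binding.get("members", []):
            kind, _, name = member.partition(":")
            # Compute Engine default service accounts live under this domain.
            if kind == "serviceAccount" and name.endswith("@developer.gserviceaccount.com"):
                reason = "Google-provided default service account holding a basic role"
            elif kind == "serviceAccount":
                reason = "service account holding a basic role; a leaked key exposes the whole project"
            else:
                reason = f"{kind} holds a basic role; prefer a predefined or custom role"
            findings.append(Finding(member, role, reason))
    return findings

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f.role:<12} {f.member}\n    -> {f.reason}")
```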