Explaining IAM roles in Google Cloud Platform (GCP): Basic, Custom, and Predefined

From storage solutions to application development, Google Cloud Platform (GCP) offers a wide variety of services to meet the needs of its users. But with these opportunities come several security risks. This is where Identity and Access Management (IAM) roles come in, providing an extra layer of security for your data and services.

What is IAM on GCP?

As previously mentioned, IAM is an additional layer of security on GCP that lets administrators control which principals (users, groups, or service accounts) have access to vital resources. Before IAM, GCP used a more primitive access control system called Access Control Lists (ACLs). ACLs were difficult to manage, as they did not provide granular control over permissions. IAM was introduced to address these limitations and provide more flexibility in managing access on GCP.

How Does IAM Work?

IAM works by using roles to control access to resources. For more context, let's use a relatable scenario. Imagine you're part of a team developing a web application on GCP. This application utilizes various GCP services like storage, databases, and AI capabilities. As the project progresses, you want to ensure that each team member has the appropriate level of access to perform their tasks effectively without compromising the security of the application.

With IAM roles in GCP, you can assign specific roles to each developer based on their responsibilities. For example, you can grant the database administrator role to the team member responsible for managing the database, allowing them to perform administrative tasks such as backups and schema updates. Similarly, you can assign the AI services role to a developer who needs access to train machine learning models.

By using IAM roles, you can ensure that each developer has the permissions needed to carry out their responsibilities, while limiting their access to resources or data that are not relevant to their tasks. This approach enhances the security of the application and enables effective collaboration within the team.

Sample of IAM roles available for a given project

IAM Bindings

IAM bindings act as the bridge between roles and the principals that require those roles. An IAM binding specifies which IAM role is granted to a particular user, group, or service account, creating the link between the role and the principal that should hold it. This association determines the level of access and the actions that can be performed on GCP resources.

IAM Role Types

IAM roles are divided into three categories: Basic, Predefined, and Custom.

Basic Roles: Broad permissions across all GCP services.
  Pros
  • Easy to use.
  • Grants full access to all services in a project.
  • Suitable for development or testing environments.
  Cons
  • Risk of granting excessive permissions.
  • Inability to precisely define and control permissions.

Predefined Roles: Roles created by Google.
  Pros
  • Allows more granular permissions.
  • Useful in restricting access to specific services or resources.
  • Reduces the risk of granting excessive permissions.
  • Designed to align with common use cases.
  Cons
  • May not provide the exact set of permissions required.
  • Limited customization options.

Custom Roles: Tailored permissions according to needs.
  Pros
  • Allows users to create roles that meet specific requirements.
  • Provides the highest level of granularity.
  • Offers flexibility and control over access.
  Cons
  • Can be complex to manage; requires careful consideration to avoid overly broad or overly restrictive permissions.
  • Requires understanding of resource-specific permissions.
  • Increased administrative workload.


Basic Roles

Basic roles provide a set of broad permissions across all Google Cloud services. These roles grant access to common actions and operations across the entire GCP environment. Google explicitly states that Basic roles are not recommended in production environments unless there is no alternative. The roles can be assigned to users, service accounts, or Google Groups.

Pros

  • They are easy to use.
  • Grants full access to all services in a project.

Cons

  • Risk of granting excessive permissions.
  • Can be difficult to manage.

Limitations

  • Basic roles are rigid and cannot be modified.

Predefined Roles

Predefined roles, as the name implies, are roles that have been created by Google and are maintained by Google. Google may update these roles as needed to reflect changes to its Cloud services and features. Predefined roles can be assigned to users, service accounts, or Google Groups.

Pros

  • Allows more granular permissions than Basic roles.
  • Useful in restricting access to specific services or resources.

Cons

  • May not provide the exact set of permissions required.

Limitations

  • Predefined roles cannot be modified.

Custom Roles

Custom roles provide the flexibility you need to tailor permissions according to specific requirements. With custom roles, you can select and define the precise set of permissions that align with your needs. These roles are created and managed by users, providing you with total control over the permissions assigned within your GCP project.

You can create a custom role by selecting the desired permissions, naming the role, and assigning it to users or groups. Custom roles can be assigned to users, service accounts, or Google Groups. Custom roles may be necessary when a user needs access to a specific resource or action that is not covered by a predefined role.

Pros

  • Allows users to create roles that meet specific requirements.
  • More granular control over permissions.

Cons

  • Can be complex to manage.
  • Requires careful consideration to ensure that permissions are not overly broad nor too restrictive.

Limitations

  • Custom roles cannot exceed a total of 64 KB.
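As an added example (not code from the original article), the following Python shows how the custom role described above and the IAM binding from the earlier section fit together: the project ID, role ID, permissions and service account are constructed sample values, and the `add_binding` helper mimics what `gcloud projects add-iam-policy-binding` does to a policy document.

```python
import json
import re

# Custom role IDs: 3-64 characters of letters, digits, periods and underscores.
ROLE_ID_RE = re.compile(r"^[a-zA-Z0-9_.]{3,64}$")
MAX_ROLE_BYTES = 64 * 1024  # total size limit for a custom role, as stated above

def make_custom_role(project_id, role_id, title, permissions, stage="GA"):
    """Build a custom role body in the shape of the IAM REST Role resource.
    Returns (full role name, body); the full name is what a binding refers to."""
    if not ROLE_ID_RE.match(role_id):
        raise ValueError(f"invalid custom role id: {role_id!r}")
    if not permissions:
        raise ValueError("a custom role needs at least one permission")
    body = {
        "title": title,
        "description": f"Custom role {role_id} for project {project_id}",
        "stage": stage,
        "includedPermissions": sorted(set(permissions)),
    }
    if len(json.dumps(body).encode()) > MAX_ROLE_BYTES:
        raise ValueError("custom role definition exceeds 64 KB")
    return f"projects/{project_id}/roles/{role_id}", body

def add_binding(policy, role, member):
    """Grant role to member by editing the policy's bindings in place, the way
    `gcloud projects add-iam-policy-binding` does. Idempotent: a member that is
    already bound is not added twice. Conditional bindings are left alone."""
    for binding in policy.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy

# Constructed sample: a read-only Cloud Storage role bound to one service account.
ROLE_NAME, ROLE_BODY = make_custom_role(
    "example-project", "bucketReadOnly", "Bucket read-only",
    ["storage.buckets.get", "storage.buckets.list",
     "storage.objects.get", "storage.objects.list"],
)
READER = "serviceAccount:reports@example-project.iam.gserviceaccount.com"
POLICY = add_binding({"version": 1, "bindings": []}, ROLE_NAME, READER)
add_binding(POLICY, ROLE_NAME, READER)  # second call changes nothing

if __name__ == "__main__":
    print(json.dumps({"role": ROLE_NAME, "definition": ROLE_BODY, "policy": POLICY}, indent=2))
```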

Best Practices for IAM Roles

To maintain appropriate access control in Google Cloud environments, it is recommended to follow these best practices for IAM roles:

Limiting the number of users with Owner roles

This practice reduces the risk of unintended modifications to IAM policies. By assigning Owner roles only to trusted individuals who truly need administrative control, you minimize the potential for accidental or malicious changes that could impact the security of your resources.

Using predefined roles whenever possible

Predefined roles are designed to provide the minimum necessary permissions for specific tasks or responsibilities. By utilizing these roles, you ensure that users have the appropriate level of access without granting excessive permissions.

Regularly reviewing IAM policies

Continuous review of IAM policies is crucial to ensure that users have the necessary access to resources based on their roles and responsibilities. Regularly assessing and updating policies helps align permissions with changing organizational requirements, project changes, and employee role changes. This helps to mitigate risks and optimize resource security.
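An added example, not part of the original article, that turns the three best practices above into a policy review in Python: it flags Basic roles, public principals and too many Owners in a policy of the shape `gcloud projects get-iam-policy --format=json` returns. The sample policy and its principals are constructed, and the Owner limit of two is an assumed threshold.

```python
# Basic roles the article says to avoid in production.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special members that open a resource to anyone on the internet / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def audit_policy(policy, max_owners=2):
    """Review one IAM policy document and return (severity, message) findings
    for the best practices: few Owners, predefined over Basic roles, no public access."""
    findings = []
    owners = set()
    for binding in policy.get("bindings", []):
        role, members = binding["role"], binding.get("members", [])
        if role == "roles/owner":
            owners.update(members)
        if role in BASIC_ROLES:
            findings.append(("WARN", f"basic role {role} granted to {', '.join(members)}"))
        for member in members:
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", f"{role} is granted to {member}"))
    if len(owners) > max_owners:
        findings.append(("HIGH", f"{len(owners)} Owner principals, limit is {max_owners}: "
                         + ", ".join(sorted(owners))))
    return findings

def roles_by_principal(policy):
    """Invert the policy so each principal's roles can be reviewed at a glance."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, []).append(binding["role"])
    return out

# Constructed sample policy showing the problems the best practices call out.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:bob@example.com", "user:carol@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/cloudsql.admin", "members": ["user:dave@example.com"]},
    ],
}

if __name__ == "__main__":
    for severity, message in audit_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```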

Conclusion

Google Cloud IAM provides a powerful and flexible way to manage access control in GCP. IAM roles allow for granular control over permissions, enabling users to access only the resources they need to do their job. By following the best practices for IAM roles, such as limiting the number of users with Owner roles and regularly reviewing IAM policies, you can help ensure the security and integrity of your data on GCP.

To learn more about GCP, check out our GCP Cloud Digital Leader Certification course.

The certification marks a great stepping stone to achieving Google Cloud Professional Cloud Architect, Developer, and DevOps certifications.