IAM for GCP — Resource-based Conditional access

Johanes Glenn
FAUN — Developer Community 🐾
3 min read · Sep 21, 2021


Background

A discussion with fellow practitioners about IAM piqued my interest: we wanted access that is more granular than the roles granted to an IAM principal. Roles are the basic unit of permission, for example the Viewer role or a more specific predefined role such as Compute Instance Admin. But how do we make a role apply only under certain conditions? IAM Conditions let us attach such a condition to an individual role binding, so the role takes effect only for the resources (or requests) the condition matches.

Note: this walkthrough is only a quick, contextual test; consult the IAM Conditions documentation for the full reference before relying on it in production.

Context

So in short we need to:

  1. Set the IAM principal (for granular access across multiple users, create a group and use it as the principal).
  2. Grant a role to that principal.
  3. Add a condition on top of that particular role binding.

That’s it, so let’s try.

Test

[One] Create the principal (a new group, user, or service account) and grant it the roles you want. For simplicity, I use two roles: Compute Instance Admin and Viewer.

Screenshot: user 'dev' in IAM with the two roles assigned

[Two] Select the principal and edit it so the list of roles is shown, then set the condition on the specific role. Here I restrict the Compute Instance Admin role so that it applies only to resources of type Compute Engine instance whose name starts with 'web'.

Screenshot: edit pane for the selected principal

[Three] Click the Add condition button to start the configuration. The pane offers two ways to define the condition: the condition builder, or the condition editor, where the same condition is written directly as a CEL expression. I use the builder and select the following:

The first condition is:

Type — is — compute.googleapis.com/Instance

And

The second condition group (one "Name starts with" entry per zone, OR'd together) is:

Name — Starts with — projects/<project-id>/zones/<zone-id>/instances/web

Here 'web' is the prefix I want for the instance name, and <project-id> is the project ID, not the project's display name. The two conditions are AND'd: a resource must be a Compute Engine instance and its name must start with the given prefix.

Note: the resource name format differs per service; check the IAM Conditions documentation on resource attributes for the exact format of the resource you are restricting.

Screenshot: setting up the condition using the builder

Or, if using the condition editor, the same condition is written as a single CEL expression:

Screenshot: setting up the condition using the editor
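The same condition applied with gcloud instead of the console, as an added example that is not part of the original post. It builds the CEL expression the editor would show (resource type AND one startsWith per zone), writes it to a YAML file for --condition-from-file, and includes a small emulation of how IAM evaluates the condition so the prefix semantics can be checked offline. The project ID, principal and zones are assumptions; replace them with your own.

```shell
# Added example, not from the original post: the "web-prefixed instances only"
# condition applied with gcloud, plus an emulation of its evaluation.
# PROJECT_ID, PRINCIPAL and ZONES below are assumed values.
PROJECT_ID="my-project"               # assumed; use the project ID, not the display name
PRINCIPAL="user:dev@example.com"      # assumed principal
ROLE="roles/compute.instanceAdmin.v1" # "Compute Instance Admin (v1)" in the console
ZONES="asia-southeast2-a asia-southeast2-b asia-southeast2-c"
PREFIX="web"

# Build the CEL expression the condition editor would show:
# resource type AND (one startsWith per zone, OR'd together).
web_admin_expression() {
    cel='resource.type == "compute.googleapis.com/Instance" && ('
    sep=""
    for z in $ZONES; do
        cel="${cel}${sep}resource.name.startsWith(\"projects/${PROJECT_ID}/zones/${z}/instances/${PREFIX}\")"
        sep=" || "
    done
    printf '%s)' "$cel"
}

# Write the condition as YAML for --condition-from-file. The expression
# contains double quotes, which are awkward to pass inline to --condition.
write_condition_file() {
    out="$1"
    {
        printf 'title: web-instances-only\n'
        printf 'description: Instance admin only on instances named %s* in zones %s\n' "$PREFIX" "$ZONES"
        printf "expression: '%s'\n" "$(web_admin_expression)"
    } > "$out"
}

# Grant the role with the condition attached. gcloud needs credentials, so the
# real call only runs when DRY_RUN=0; otherwise the command line is printed.
apply_binding() {
    cond_file="${1:-web-condition.yaml}"
    write_condition_file "$cond_file"
    set -- gcloud projects add-iam-policy-binding "$PROJECT_ID" \
        --member="$PRINCIPAL" --role="$ROLE" --condition-from-file="$cond_file"
    if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; else printf '%s ' "$@"; printf '\n'; fi
}

# Emulate IAM's evaluation of the condition for one resource.
# Returns 0 when the conditional binding applies, 1 when it does not.
# startsWith is a case-sensitive prefix match, so "webserver" matches too.
condition_applies() {
    rtype="$1"; rname="$2"
    [ "$rtype" = "compute.googleapis.com/Instance" ] || return 1
    for z in $ZONES; do
        case "$rname" in
            "projects/${PROJECT_ID}/zones/${z}/instances/${PREFIX}"*) return 0 ;;
        esac
    done
    return 1
}
```

Run `DRY_RUN=0 sh` on the script with `apply_binding` called at the end to apply the binding for real. The emulation is deliberately minimal (only resource.type and resource.name), but it makes the two practical points visible: the prefix match is case-sensitive, and it is only a prefix, so 'webserver-01' or 'web-prod-db' are in scope while 'db-web' is not. To confirm the effective access on a real instance without logging in as dev, `gcloud policy-troubleshoot iam //compute.googleapis.com/projects/my-project/zones/asia-southeast2-a/instances/web-01 --principal-email=dev@example.com --permission=compute.instances.start` (names assumed) reports whether the conditional binding grants the permission.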

[Four] Check the effective permissions in the Compute Engine UI while logged in as the 'dev' user.

Logged in as dev, I can operate on the instance whose name starts with 'web' and which lives in asia-southeast2-a (the rule covers zones a, b and c). Next I check the other VM.

On the other instance I have no admin permission. Two caveats are worth keeping in mind. First, the Viewer role is still unconditional, so dev can list and inspect every instance in the project; the condition only narrows the Compute Instance Admin binding. Second, the name condition is a case-sensitive prefix match, so 'webserver-01' and 'web-prod-db' are in scope as much as 'web-01', and a name like 'Web-01' is not. This is a deliberately simple configuration, but it shows how much granularity conditions add when we need it. The builder supports further attributes, such as request time, which can be combined with resource conditions.


Cloud Customer Engineer — Infrastructure Modernization @GoogleCloud. Stories are my own opinion. https://linktr.ee/alevz