IAM
David Liu edited this page Aug 3, 2024
- Because Workspace offers more features than Cloud Identity, it is also more costly per license.
Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups.
Cloud Identity offers a free edition and a premium edition.
By default, the free edition of Cloud Identity provides 50 user licenses. The free license can be applied for by request with no
A principal can be:
- a Google Account (for end users)
- a service account (for applications and compute workloads)
  - Use a service account for the instance principal purpose
  - WARN: consider the impact of access scopes on permission validation
- a Google group
- a Google Workspace account or Cloud Identity domain that can access a resource.
A principal's identifier is typically an email address.
Groups (https://cloud.google.com/iam/docs/groups-in-cloud-console): a group can itself be a member of another group. This feature requires an organization.
- Permissions to create, view, edit, and delete groups are managed by Google Workspace, not IAM.
- Groups are managed at the organization layer, not the project layer.
A user can be a principal in IAM or a member of a group.
- An invitation is sent to the principal by email.
- There is no direct way to fetch all users within an organization.
- A role is a collection of permissions.
- Permissions determine which operations are allowed on a resource.
- An allow policy is a collection of role bindings that bind one or more principals to individual roles.
- To define who (principal) has what type of access (role) on a resource, create an allow policy and attach it to the resource.
Access scopes (on the service account attached to a Compute Engine instance):
- Access scopes are considered legacy.
- They take effect if you have enabled the related API on the project.
- The default scope is not best practice; use "Allow full access to all Cloud APIs" instead.
- The default scope includes:
  - Read-only access to Cloud Storage
  - Write access to write Compute Engine logs
  - Write access to publish metric data to your Google Cloud projects
  - Read-only access to Service Management features required for Google Cloud Endpoints (Alpha)
  - Read/write access to Service Control features required for Google Cloud Endpoints (Alpha)
  - Write access to Cloud Trace, which allows an application running on a VM to write trace data to a project
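The two ideas above (an allow policy that binds principals, including groups, to roles, and the VM access scope that can only narrow what those roles grant) as a small evaluator. This is an added illustration written for this page, not Google's implementation; the role-to-permission table, group memberships, policy, and scope map are constructed sample data with example.com names.

```python
from typing import Dict, List, Set
ALL = "*"  # marker: the scope permits every API

# Constructed subset of the role -> permission table (real roles carry more).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/logging.logWriter": {"logging.logEntries.create"},
}

# Constructed group membership (groups live in Cloud Identity, not IAM); a group may nest another.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "group:readers@example.com": {"user:alice@example.com", "group:auditors@example.com"},
    "group:auditors@example.com": {"user:carol@example.com"},
}

# Constructed allow policy: bindings of members to a role on one resource.
ALLOW_POLICY: List[dict] = [
    {"role": "roles/storage.objectViewer", "members": ["group:readers@example.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:vm-sa@example-project.iam.gserviceaccount.com"]},
]

# Constructed scope -> permissions map modelled on the default Compute Engine
# scopes (read-only Storage, log writing); cloud-platform covers everything.
SCOPE_ALLOWS: Dict[str, object] = {
    "https://www.googleapis.com/auth/devstorage.read_only": {"storage.objects.get", "storage.objects.list"},
    "https://www.googleapis.com/auth/logging.write": {"logging.logEntries.create"},
    "https://www.googleapis.com/auth/cloud-platform": ALL,
}

def expand_members(member: str) -> Set[str]:
    """Expand a group (recursively) into principals; other members expand to themselves."""
    if member.startswith("group:"):
        return set().union(*(expand_members(m) for m in GROUP_MEMBERS.get(member, set())))
    return {member}

def iam_allows(policy: List[dict], principal: str, permission: str) -> bool:
    """True if some binding gives `principal` a role that contains `permission`."""
    return any(
        permission in ROLE_PERMISSIONS.get(b["role"], set())
        and any(principal in expand_members(m) for m in b["members"])
        for b in policy
    )

def vm_call_allowed(policy: List[dict], sa: str, scopes: List[str], permission: str) -> bool:
    """A VM call needs BOTH an IAM grant and a scope covering it; scopes never grant on their own."""
    scope_ok = any(SCOPE_ALLOWS.get(s, set()) == ALL or permission in SCOPE_ALLOWS.get(s, set())
                   for s in scopes)
    return scope_ok and iam_allows(policy, sa, permission)
```

With the full `cloud-platform` scope the service account still cannot read Storage objects unless an IAM role grants it, which is why the page prefers that scope plus IAM roles over the default scope list.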