GCP - IAM

Google Cloud Identity and Access Management – IAM

Google Cloud ID 및 액세스 관리 – IAM을 통해 관리자는 누가 어떤 리소스에 대해 어떤 조치를 취할 수 있는지 승인할 수 있습니다.
IAM은 규정 준수 프로세스를 용이하게 하는 기본 제공 감사를 통해 전체 조직의 보안 정책에 대한 통합 보기를 제공합니다.

 

IAM Components

IAM manages access control by defining who (identity) has what access (role) for which resource

Member

구성원은 Google 계정(최종 사용자용), 서비스 계정(앱 및 가상 머신용), Google 그룹 또는 리소스에 액세스할 수 있는 Google Workspace 또는 Cloud ID 도메인일 수 있습니다.
회원의 ID는 사용자, 서비스 계정 또는 Google 그룹과 연결된 이메일 주소입니다. 또는 Google Workspace 또는 Cloud ID 도메인과 연결된 도메인 이름입니다.

 

Role

리소스에 대한 액세스 권한이 최종 사용자에게 직접 부여되지 않습니다.
역할은 권한 모음이며 인증된 구성원에게 부여됩니다.
권한은 예를 들어 service.resource.verb 형식으로 표시됩니다. compute.instances.list
권한은 리소스에 허용되는 작업을 결정합니다.
구성원에게 부여된 역할은 역할에 포함된 모든 권한을 부여합니다.
GCP는 다양한 역할 유형을 지원합니다.

Basic or Primitive roles

• Roles historically available in the Google Cloud Console. Also, referred to as primitive roles
• Roles are Owner, Editor, and Viewer.
• Provide board level of permissions and not recommended

Predefined roles

• Roles that give fine-grained granular access control
• Roles are created and maintained by Google and automatically updated as necessary, such as when Google Cloud adds new features or services.

Custom roles

• Roles created to tailor permissions to the needs of the organization, when predefined roles don’t meet the needs.
• Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, the custom roles will not be updated automatically.

 

IAM Policy

IAM 정책은 하나 이상의 구성원을 역할에 바인딩합니다.
IAM 정책은 어떤 역할이 어떤 구성원에게 부여되는지 정의하고 적용하며 이 정책은 리소스에 연결됩니다.
리소스에 연결된 IAM 정책은 리소스에 대한 액세스 유형(역할)이 있는 사람(구성원)을 정의합니다.
IAM 정책은 리소스 계층 구조의 모든 수준(조직 수준, 폴더 수준, 프로젝트 수준 또는 리소스 수준)에서 설정할 수 있습니다.
IAM 정책 상속은 전이적이며 리소스는 모든 상위 리소스의 정책을 상속합니다.
리소스에 대한 효과적인 정책은 해당 리소스에 설정된 정책과 계층의 상위에서 상속된 정책의 통합입니다.
기본적으로 권한 -> 역할 -> (IAM 정책) -> 구성원
인증된 구성원이 리소스에 액세스를 시도하면 IAM은 리소스의 정책을 확인하여 작업이 허용되는지 여부를 결정합니다.

 

Service Accounts

• A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
• Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as Google Workspace or Cloud Identity users through domain-wide delegation.
• is identified by its email address, which is unique to the account.
• does not have passwords, and cannot log in via browsers or cookies.
• are associated with private/public RSA key-pairs that are used for authentication to Google.
• Other users or service accounts cannot impersonate a service account.

• are not members of the Google Workspace domain, unlike user accounts.

 

IAM User vs Service Account Decision Tree

 

https://jayendrapatil.com/tag/gcp-iam/