rigal

Reputation: 552

GCP: IP address restriction to use service account from limited set of ip addresses

I am using service accounts to access GCP resources like the Compute Engine API and the Datastore API. Is there any way to add an IP restriction so that I can use a service account only from some particular set of IP addresses? As of now, if I have a service account credential for some GCP resource, then I can access these resources from anywhere using the service account; I want to restrict it to only a set of IPs.

Upvotes: 4

Views: 6195

Answers (3)

Java-K

Reputation: 497

There is a capability called VPC Service Controls which can allow specific projects, IP Ranges and Service Accounts to have access to Google APIs in a protected project.

I'm not 100% sure if your specific use case can be configured, but look at the example here describing the "On Premise Network" example:

https://cloud.google.com/vpc-service-controls/docs/private-connectivity#on-premises_network_example

You'll need to learn about Access Levels and how to attach them to a VPC SC perimeter,

but what you're looking to do seems quite possible with an IP-address-based Access Level and a perimeter around the project.

Upvotes: 2
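As an added illustration of the pieces named above (not code from Java-K's answer or from Google's documentation), here is a Terraform sketch of an IP-based Access Level attached to a VPC Service Controls perimeter. The organization ID, project number and CIDR range are placeholder values; the resource names are those of the Terraform Google provider.

```hcl
# Placeholder values (constructed): replace with your own organization,
# project number and the CIDR range your callers originate from.
locals {
  org_id         = "123456789012"        # placeholder organization ID
  project_number = "987654321098"        # placeholder project NUMBER, not ID
  allowed_cidrs  = ["203.0.113.0/24"]    # placeholder (TEST-NET-3) range
}

# One access policy per organization; Access Levels and perimeters hang off it.
resource "google_access_context_manager_access_policy" "policy" {
  parent = "organizations/${local.org_id}"
  title  = "org-access-policy"
}

# Access Level: "request comes from one of these IP ranges".
# A basic condition can also carry `members` (e.g. a serviceAccount:...)
# to narrow the match further; all attributes in one condition must hold.
resource "google_access_context_manager_access_level" "corp_ips" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/accessLevels/corp_ips"
  title  = "corp_ips"

  basic {
    conditions {
      ip_subnetworks = local.allowed_cidrs
    }
  }
}

# Perimeter around the project: calls to the restricted services from
# outside the perimeter are denied unless they satisfy an attached
# Access Level, even when the caller holds valid IAM permissions.
resource "google_access_context_manager_service_perimeter" "restrict_apis" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.policy.name}/servicePerimeters/restrict_apis"
  title  = "restrict_apis"

  status {
    resources           = ["projects/${local.project_number}"]
    restricted_services = ["compute.googleapis.com", "datastore.googleapis.com"]
    access_levels       = [google_access_context_manager_access_level.corp_ips.name]
  }
}
```

Note that the perimeter applies to every caller of the restricted services in that project, not only to the service account, so test it in dry-run mode first and check the audit logs for denied requests from addresses you expected to allow.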

John Hanley

Reputation: 81464

Google Cloud Service Account credentials cannot be restricted by location of the user, IP address, etc. Once you grant permissions to the credentials, they can be used from anywhere on any device that has access to Google Cloud.

AWS does provide some IAM policies that can be applied to some services (S3) based upon IP address. Google Cloud does not offer an equivalent feature yet.

Upvotes: 2

Patrick W

Reputation: 4909

The Google APIs are not project resources. Restricting access to a set of IPs would not be limited to just your project. IAM permissions are how access is controlled, rather than IP-based restrictions.

You can't restrict access to the APIs based on the requestor IP, only through IAM permissions.

Upvotes: 1
