user6704961

Prevent IAM escalation in GCP

I want to create a GCP project and to grant access on specific APIs / permissions to a team.

But I want them to be autonomous: they should be able to create their own service accounts on the scopes I allow.

The issue is that if I give them the IAM editor permission, they can grant themselves any other permission in the project.

The Kubernetes RBAC API is very well designed for that, and a user who is able to modify the roles can't put more permissions than the ones he has.

So is it possible to have, for example, a user with the Cloud SQL admin role, to allow him to grant similar permissions to service accounts, but also to prevent him from granting Cloud Storage permissions?

Upvotes: 1

Views: 816

Answers (3)

Ari

Reputation: 6149

It seems it is possible as per the documentation here:

https://cloud.google.com/iam/docs/setting-limits-on-granting-roles

In large organizations, it can be helpful to let teams independently manage the Identity and Access Management (IAM) policies for their resources. However, letting a principal grant or revoke all IAM roles can greatly increase your security risk.

Given use case:

Consider a scenario where you want to let a user, Finn ([email protected]), act as a limited IAM admin for your project. You want Finn to be able to grant and revoke only the Billing Account Administrator (roles/billing.admin) and Billing Account User (roles/billing.user) roles for your project.

I'm trying to achieve the same thing. I want a Terraform service account to be able to do everything it needs to do, EXCEPT allow users to elevate their role beyond the scope of the project (i.e. no owner-level roles, only resource-level roles).

Upvotes: 0
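The linked documentation implements the limit with an IAM condition on the role-granting role, so that a setIamPolicy request is allowed only if every role whose bindings it modifies is on an allow-list. The following is a local model of that check, added here as an example (not code from the documentation or from the answer); the policies, member names and allow-list are constructed sample data, and the gcloud command in the comment is the real binding shape from the docs.

```python
# Added example: local model of the IAM condition used in the linked docs,
#   api.getAttribute('iam.googleapis.com/modifiedGrantsByRole', [])
#       .hasOnly(['roles/billing.admin', 'roles/billing.user'])
# In GCP it is attached to a binding such as (PROJECT_ID and member are placeholders):
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#     --member=user:finn@example.com --role=roles/resourcemanager.projectIamAdmin \
#     --condition='expression=<the expression above>,title=only-billing-roles'
# This function reproduces the decision logic locally so a policy change can be
# reasoned about before it is applied; it is not Google's implementation.

ALLOWED_ROLES = {"roles/billing.admin", "roles/billing.user"}  # constructed allow-list


def bindings_by_role(policy):
    """Map each role in a policy to the set of members bound to it."""
    return {b["role"]: set(b["members"]) for b in policy.get("bindings", [])}


def modified_roles(current, proposed):
    """Roles whose member set differs between current and proposed policy."""
    cur, new = bindings_by_role(current), bindings_by_role(proposed)
    return {r for r in cur.keys() | new.keys() if cur.get(r, set()) != new.get(r, set())}


def set_iam_policy_allowed(current, proposed, allowed=ALLOWED_ROLES):
    """True if the limited IAM admin may apply `proposed` (mirrors hasOnly())."""
    return modified_roles(current, proposed) <= set(allowed)


# Constructed sample: the project policy before the limited admin's change.
CURRENT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/billing.user", "members": ["user:alice@example.com"]},
]}

# Only an allow-listed role changes, so the request is permitted.
GRANT_BILLING = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/billing.user", "members": ["user:alice@example.com"]},
    {"role": "roles/billing.admin", "members": ["user:finn@example.com"]},
]}

# The same change bundled with an edit to roles/owner: the whole request is
# denied, because a non-allow-listed role is among the modified roles.
MIXED_WITH_OWNER = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com", "user:finn@example.com"]},
    {"role": "roles/billing.admin", "members": ["user:finn@example.com"]},
    {"role": "roles/billing.user", "members": ["user:alice@example.com"]},
]}

if __name__ == "__main__":
    print(set_iam_policy_allowed(CURRENT_POLICY, GRANT_BILLING))     # True
    print(set_iam_policy_allowed(CURRENT_POLICY, MIXED_WITH_OWNER))  # False
```

Note that the condition only restricts which roles the principal may grant or revoke; it does not by itself stop the creation of service accounts with broader roles by someone who holds a separate service-account admin role.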

guillaume blaquiere

Reputation: 75715

Sadly not. It's not possible to prevent "roles/permission escalation". If someone is IAM admin, he can assign the roles he wants, even to himself, and higher than his current permissions.

However, you have policies which allow you to limit things on the project or organisation: allowed API, external account allowed, public IP...

Upvotes: 1

John Hanley

Reputation: 81336

I want to create a GCP project and to grant access on specific APIs / permissions to a team.

You can do that for services, that is one of the reasons that Google IAM exists. You cannot specify roles for APIs specifically - you can prevent any APIs from being enabled by not granting permission to enable services. You can use Organization Policy Constraints to prevent certain APIs from being enabled for the project but not for individuals.

But I want them to be autonomous: they should be able to create their own service accounts on the scopes I allow.

This is not supported by Google Cloud IAM. If you have permission to create a service account (roles/iam.serviceAccountAdmin), you also have permission to assign roles to that service account. This is an admin level permission that should only be granted to admins and not regular users. Manage this role carefully as an admin can create a service account with the Project Owner role.

So is it possible to have, for example, a user with the Cloud SQL admin role, to allow him to grant similar permissions to service accounts, but also to prevent him from granting Cloud Storage permissions?

This is not supported. In order to have permission to assign roles to a service account, you must be a service account admin.

Upvotes: 0
