Reputation: 328
I am new to GCP but I have worked on AWS. Here, what I want to achieve is to restrict IAM users to a particular region and Compute Engine type.
Like we have in AWS, writing custom roles to restrict them to us-east, in the same way I want them locked in to 'us-central1' and to lock the Compute Engine type to the most basic one.
Can I create such a custom role or condition to achieve the requirement? An explicit deny kind of permission is what I need here.
Update: Restricting Location at Organization level is something useful; please help me with any other way if there is one?
Upvotes: 2
Views: 2433
Reputation: 2605
You may rely on Cloud IAM Conditions in this case. They add an extra level of granularity to IAM policies. Access to the resource is granted only if the condition expression is true. You can check against various attributes using the available variables, operators and functions.
Resources that accept conditional role bindings:
Compute Engine
- Global backend services
- Regional backend services
- Firewalls
- Images
- Instance templates
- Instances
- Regional persistent disks
- Zonal persistent disks
- Snapshots
In the existing Resource name format, the names of VM instances contain a zone-id, which could be helpful for location-based restrictions:
Compute Engine instances
projects/project-id/zones/zone-id/instances/instance-id
Next, you can use Resource attributes to create conditions that evaluate the resource in the access request, for example:
resource.type == "compute.googleapis.com/Instance"
resource.name.startsWith("projects/project-id/zones/zone-id")
IAM policies that use the instance type are not supported at this time. A relevant feature request was recently created on the Issue Tracker; you may keep an eye on this one: https://issuetracker.google.com/158524244.
Upvotes: 2
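The condition described in the answer above, carried through to the asker's us-central1 case, as an added example that is not part of the original post or of Google's own tooling: it builds the conditional role binding in the shape a setIamPolicy call takes and includes a small local checker for that exact expression shape, so sample resource names can be tried before deploying. PROJECT_ID, the member and the role are placeholders; the prefix ends in "us-central1-" so that every zone of the region (us-central1-a, -b, -c, -f) matches and a differently named region cannot.

```python
"""Constructed example: confine a Compute Engine role to one region with an
IAM Condition on resource.name, then sanity-check it locally."""
import json
import re

PROJECT_ID = "my-project"   # placeholder, not a real project
REGION = "us-central1"

# Instance names look like projects/<p>/zones/<zone>/instances/<name> and
# zones are named <region>-<letter>, so matching "zones/<region>-" covers
# every zone of the region without matching any other region.
CONDITION = {
    "title": f"instances-in-{REGION}-only",
    "description": "Role applies only to Compute Engine instances in one region",
    "expression": (
        'resource.type == "compute.googleapis.com/Instance" && '
        f'resource.name.startsWith("projects/{PROJECT_ID}/zones/{REGION}-")'
    ),
}


def binding(member: str, role: str = "roles/compute.instanceAdmin.v1") -> dict:
    """One conditional binding in the shape the IAM policy 'bindings' list expects."""
    return {"role": role, "members": [member], "condition": CONDITION}


# Hypothetical helper: a minimal evaluator for the one expression shape built
# above. It is not a CEL engine; it only mirrors how IAM would evaluate this
# type-and-prefix check so sample names can be tested offline.
_SHAPE = re.compile(
    r'resource\.type == "([^"]+)" && resource\.name\.startsWith\("([^"]+)"\)'
)


def condition_allows(resource_type: str, resource_name: str,
                     expression: str = CONDITION["expression"]) -> bool:
    """True when the access request's resource satisfies the condition."""
    match = _SHAPE.fullmatch(expression)
    if not match:
        raise ValueError("expression shape not supported by this helper")
    wanted_type, prefix = match.groups()
    return resource_type == wanted_type and resource_name.startswith(prefix)


if __name__ == "__main__":
    print(json.dumps(binding("user:dev@example.com"), indent=2))
    print(condition_allows("compute.googleapis.com/Instance",
                           f"projects/{PROJECT_ID}/zones/{REGION}-a/instances/vm1"))
```

A conditional binding only narrows the grant it is attached to; the same role granted unconditionally at project, folder or organization level still applies to every zone, so check inherited bindings as well.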
Reputation: 3794
Google Cloud Platform supports resource location restrictions. This relevant section of the documentation explains them in detail. Refer to the Setting the organization policy section of the documentation for the exact procedure to be followed. But notice that in the specific case of Compute Engine there are the following limitations to the resource location constraints that you set up, related to different aspects of the product such as snapshots and images, managed instance groups, sole-tenant nodes, etc.
Upvotes: -1