Get more control over your Compute Engine resources with new Cloud IAM features

Section: IT News · Published: 6 years ago


Source: Get more control over your Compute Engine resources with new Cloud IAM features from Google Cloud

Today, we are introducing two new Cloud IAM features, resource-level IAM and IAM conditions, to help you better manage security and access control in Google Compute Engine. Resource-level IAM allows you to set IAM policies on individual resources like VM instances and disks. IAM conditions allow you to grant access only when pre-defined conditions are met, such as a resource name prefix, raw request attributes (IP, device, etc.), or a specific time frame.

Managing resource-level access in Google Compute Engine

At Google Cloud Next 2018 we introduced Compute Engine resource-level IAM, which allows you to apply IAM policies on VMs, disks, images, and other Compute Engine resources, and provides you with flexibility and fine-grained control of your environment. The following diagram illustrates the hierarchical resource model within GCP.

[Diagram: the hierarchical resource model within GCP]

You can apply IAM policies at the organization, folder or project level. These policies are inherited by the level(s) below, so that you can grant permissions effectively and efficiently. For example, as in the chart above, if you want to grant the instance admin role to Elizabeth, who works in Department X, you can apply the IAM policy at the folder (Department X) level. Elizabeth can then manipulate instances in all the projects within the Department X folder. In a second example, you can grant powerful permissions to a group of developers who are working together on the Dev/test project, but restrict their access to the adjacent Production project.

You may also want to set IAM policies that are even more granular. For example, you may want a group of testers to test a beta image in Project A, but restrict their access to other sensitive images and resources within the same project. If you could only set permissions at the project level or above, the test group would get access to either all or none of the images in the project. Before, in order to limit access to those sensitive images, you would have had to create a separate project containing just that beta image, and grant the compute.imageUser role to the tester group on that separate project—a suboptimal workaround.

With Compute Engine resource-level IAM, in the example above, you can easily grant the compute.imageUser role to your tester group on particular beta testing images without oversharing or workarounds. Let’s look at how you set these permissions:

gcloud beta images set-iam-policy betaTestImage1 betaImagePolicy.json

Where the betaImagePolicy.json file is defined as:
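The policy file itself did not survive in this copy of the post. As an added illustration (not the original post's file, and not Google's tooling), the following Python builds a policy in the shape that `gcloud beta images set-iam-policy IMAGE POLICY_FILE` accepts, and checks it before writing so that a single image cannot be accidentally published to `allUsers` or `allAuthenticatedUsers`, or bound to a role far broader than `roles/compute.imageUser`. The image name comes from the post; the group address, the file path and the list of "too broad" roles are assumptions made for this example.

```python
"""Added example (not the original post's file): build and sanity-check a
resource-level IAM policy for one Compute Engine image before applying it
with `gcloud beta images set-iam-policy`. Group and path are placeholders."""
import json
from pathlib import Path

# Member types that grant access to everyone; they never belong on an internal beta image.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Member prefixes IAM accepts for principals (constructed list for this check).
ALLOWED_MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:", "domain:")
# Roles that are far too broad to attach to a single image (assumed list).
TOO_BROAD_ROLES = {"roles/owner", "roles/editor", "roles/compute.admin"}


def build_image_user_policy(members):
    """Return a policy dict granting roles/compute.imageUser to exactly these members."""
    return {
        "bindings": [
            {"role": "roles/compute.imageUser", "members": sorted(members)}
        ]
    }


def policy_problems(policy):
    """Return human-readable problems; an empty list means the policy is safe to apply."""
    problems = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                problems.append(f"{role} granted to {member}: this publishes the image")
            elif not member.startswith(ALLOWED_MEMBER_PREFIXES):
                problems.append(f"{role} has malformed member {member!r}")
        if role in TOO_BROAD_ROLES:
            problems.append(f"{role} is too broad for a single image")
    return problems


def write_policy_file(policy, path):
    """Write the policy as JSON, refusing (before touching disk) if the check fails."""
    problems = policy_problems(policy)
    if problems:
        raise ValueError("; ".join(problems))
    Path(path).write_text(json.dumps(policy, indent=2))
    return path


if __name__ == "__main__":
    # Constructed sample: the tester group from the post, placeholder domain.
    policy = build_image_user_policy({"group:beta-testers@example.com"})
    write_policy_file(policy, "betaImagePolicy.json")
    # The resulting file is what the post's command consumes:
    print("gcloud beta images set-iam-policy betaTestImage1 betaImagePolicy.json")
```

Running the check before `set-iam-policy` matters because a resource-level policy replaces the image's previous bindings wholesale; a typo that turns a group into `allUsers` is far easier to catch in a script than in an audit after the fact.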

There are many more common use cases that you can enable with the new resource-level IAM policy support. For example, you can give a colleague and collaborator access to just one VM in a project for troubleshooting, or you can share a disk image with all authorized users within the organization so everyone has access to consistent image versions.

The Compute Engine resource-level IAM features are available in beta through the API, CLI, and the developer console. Check out the documentation to learn more.

Managing access with IAM conditions

In addition to setting resource-level IAM policies, you may need to express and enforce context-aware access via IAM policies. For example, you may want members of your on-call support team to perform actions as instance administrators, but limit their access to on-call hours only, to help prevent accidental actions and comply with the principle of least privilege.

IAM conditions allow you to restrict the scope of access rights to a granular set of conditions. You can specify a policy in the form: assign role X to member Y when condition Z is met. As introduced at Google Cloud Next ‘18, Compute Engine currently offers you three conditional attributes upon which to base policies: name prefix attributes, access-level attributes, and date/time attributes, giving you more power to manage access control. Here’s a look at each of these conditional attributes.

1. Name prefix attribute

This attribute allows you to apply an IAM policy only if the resource name matches a resource name prefix. A common use case involves creating a sandboxed developer playground, where developers build prototypes in the same project to reduce administrative overhead and optimize network performance. You can create this sandbox by inserting conditions in your project’s IAM policy that give the compute.instanceAdmin.v1 role to each developer, but limit each developer's access to only those resources that are named after that developer. Here is an example policy for your lead developer, dev1, to have the instanceAdmin role, but only when manipulating VMs and disks whose names start with his/her name, dev1:

*Please note: The resource type format, like compute.instances, is subject to change in future releases of Cloud IAM Conditions.

By using name prefix matching, you can reduce the scope of access granted, so your developers can explore and develop however they want without disturbing others' resources.

2. Access-level attributes

You can use access-level attributes to help ensure that requests meet specific access levels to be authorized based on the raw attributes of that request, such as IP address or device status.

With access-level attributes, you can express conditions like: “Grant requests from a [Service Account] ONLY if the source VM instance is running the latest company-issued operating system image” or “Remote requests to manipulate instance states are granted ONLY if they originate from the corporate VPN.”

Please note the access-level attributes can only be used with Compute Engine Alpha APIs currently.

3. Date/time attribute

Date/time attributes let you add start and end dates, as well as times for your IAM policy. For example, you can say: “Grant Jane the Stackdriver log viewer role only while she is on call,” or “John is the compute admin for this production project only during an emergency fix.”
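The following is an added example, not Google's evaluator and not code from the post, serving both the name prefix attribute (section 1) and the date/time attribute (section 3) above. Real IAM conditions are CEL expressions evaluated server-side; this small model expresses each condition as a Python predicate over the request so that a binding's effect ("assign role X to member Y when condition Z holds") can be dry-run locally before it is applied. The project, zone, member addresses and resource names are constructed; the resource type strings follow the `compute.instances` format shown in the post, which the post itself notes may change. The role names `roles/compute.instanceAdmin.v1` and `roles/logging.viewer` are the IAM roles for the instance admin and Stackdriver log viewer scenarios.

```python
"""Added example (not the original post's policy): a local model of IAM
conditions on name prefix and date/time, used to dry-run conditional
bindings. Names, dates and addresses below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    member: str          # e.g. "user:dev1@example.com"
    role: str            # role the request needs, e.g. "roles/compute.instanceAdmin.v1"
    resource_type: str   # "compute.instances" in the post's (then-beta) format
    resource_name: str   # full resource name as IAM sees it
    time: datetime       # request time, timezone-aware


Condition = Callable[[Request], bool]


def name_prefix(resource_type: str, prefix: str) -> Condition:
    """Models: resource.type == T && resource.name.startsWith(P)."""
    return lambda r: r.resource_type == resource_type and r.resource_name.startswith(prefix)


def time_window(start: datetime, end: datetime) -> Condition:
    """Models a date/time attribute: request.time in [start, end) (an on-call shift, an emergency fix)."""
    return lambda r: start <= r.time < end


def any_of(*conds: Condition) -> Condition:
    """Logical OR of several conditions, as in a CEL `||`."""
    return lambda r: any(c(r) for c in conds)


@dataclass(frozen=True)
class Binding:
    role: str
    members: frozenset
    condition: Optional[Condition] = None   # None means an unconditional binding


def is_allowed(policy, req: Request) -> bool:
    """True if some binding grants req.role to req.member and its condition (if any) holds."""
    for b in policy:
        if b.role != req.role or req.member not in b.members:
            continue
        if b.condition is None or b.condition(req):
            return True
    return False


PROJECT = "projects/sandbox-project"
ZONE = f"{PROJECT}/zones/us-central1-a"

# Constructed sample policy mirroring the post's two scenarios.
SANDBOX_POLICY = [
    # 1. dev1 is instance admin, but only for VMs and disks whose names start with "dev1-".
    #    The trailing "-" matters: a bare "dev1" prefix would also match "dev10-...".
    Binding(
        role="roles/compute.instanceAdmin.v1",
        members=frozenset({"user:dev1@example.com"}),
        condition=any_of(
            name_prefix("compute.instances", f"{ZONE}/instances/dev1-"),
            name_prefix("compute.disks", f"{ZONE}/disks/dev1-"),
        ),
    ),
    # 2. Jane can view logs only during her (constructed) on-call week, in UTC.
    Binding(
        role="roles/logging.viewer",
        members=frozenset({"user:jane@example.com"}),
        condition=time_window(
            datetime(2018, 10, 1, 0, 0, tzinfo=timezone.utc),
            datetime(2018, 10, 8, 0, 0, tzinfo=timezone.utc),
        ),
    ),
]


def check(member: str, role: str, rtype: str, rname: str, when_iso: str) -> bool:
    """Dry-run one request against SANDBOX_POLICY; when_iso is an ISO-8601 timestamp with offset."""
    return is_allowed(SANDBOX_POLICY, Request(member, role, rtype, rname, datetime.fromisoformat(when_iso)))


if __name__ == "__main__":
    t = "2018-10-03T02:00:00+00:00"
    print(check("user:dev1@example.com", "roles/compute.instanceAdmin.v1", "compute.instances", f"{ZONE}/instances/dev1-proto", t))
    print(check("user:dev1@example.com", "roles/compute.instanceAdmin.v1", "compute.instances", f"{ZONE}/instances/dev2-prod", t))
```

Two points worth carrying over to real policies: prefix matching is purely lexical, so choose prefixes with a separator (`dev1-`, not `dev1`) or the scope silently widens to `dev10-…`; and a time-bounded binding should be expressed with explicit time zone offsets, since a window given in wall-clock local time is ambiguous across daylight-saving changes.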

Support for IAM conditions provides you with flexible and fine-grained ways to help secure your organization’s cloud computing environment. There’s a private beta available for IAM conditions; if you’re interested, please sign up here. We encourage you to try the new conditional IAM features.

Unless otherwise stated, the content of this article is licensed under the Creative Commons Attribution 3.0 license, and code samples under the Apache 2.0 license. For details, see our Terms of Service.
