Google announced two new Cloud Identity and Access Management (IAM) features to help customers manage security and access control in Google Compute Engine more precisely. The first is resource-level IAM, which sets policies on individual resources such as VM instances and disks; the second is IAM conditions, which grant access only when predefined conditions hold, such as a resource name prefix, or raw request attributes like the source IP address or the requesting device.
During Cloud Next 2018 in San Francisco, Google introduced Compute Engine resource-level IAM, a feature that lets users apply IAM policies to VMs, disks, images, and other Compute Engine resources, which gives more flexible and fine-grained control of an environment. In addition to resource-level IAM, users can express and enforce context-aware access on resource-level policies using conditions. These IAM conditions, announced at the same event, offer three kinds of conditional attributes: name prefix attributes, access-level attributes, and date/time attributes. By setting these attributes, users gain increased flexibility in managing access control.
Cloud IAM policies can be set at the organization, folder, or project level, and a policy set at one level is inherited by every level below it. Compute Engine resource-level IAM adds the individual resource as a further level in that hierarchy, so a user can grant a role on one image or instance rather than on the whole project. Because inheritance is additive, the effective policy on a resource is the union of its own policy and the policies of all of its ancestors: a role granted at the project level cannot be narrowed or revoked by a policy on a single resource, so fine-grained grants only stay fine-grained when the broader levels are kept minimal.
Users can set a Compute Engine resource-level IAM policy from the command line, for example on an image (the command group is gcloud compute images; the beta qualifier reflects the feature's status at the time of the announcement):
    gcloud beta compute images set-iam-policy betaTestImage1 betaImagePolicy.json
The betaImagePolicy.json file contains the policy itself: a set of bindings, each mapping a role to the members granted that role. The gcloud command reads the policy object directly, while the REST setIamPolicy method wraps the same object in a "policy" field of the request body. Note that set-iam-policy replaces the whole policy on the resource rather than merging with it, so the usual pattern is to read the current policy, edit it, and write it back.
    {
      "bindings": [
        {
          "members": [
            "group:image-testers@example.com"
          ],
          "role": "roles/compute.imageUser"
        }
      ]
    }
With such policy definitions, users control which principals can access which Compute Engine resources. The name prefix, access-level, and date/time attributes are expressed as a condition attached to a binding in the policy file; the binding then applies only while the condition evaluates to true. A name prefix condition applies the binding only when the full resource name (of the form projects/PROJECT/zones/ZONE/instances/NAME) starts with the given prefix, which lets users narrow the scope of a grant to a naming convention. The match is a plain string prefix, not a path-segment match, so a prefix ending in dev1 also matches resources named dev10 or dev1-prod; end the prefix at a delimiter such as a trailing / or - when the intent is to match an exact name or a family of names.
A policy that carries conditional bindings must declare policy version 3, and the expression must be written so that the file remains valid JSON, which here means single-quoted string literals inside the expression (the condition language accepts either quote style). The resource type strings below are those shown in the beta documentation; the type identifiers used by IAM conditions have since changed form, so check the current reference before copying the expression.
    {
      "version": 3,
      "bindings": [
        {
          "role": "roles/compute.instanceAdmin.v1",
          "members": [
            "user:dev1@example.com"
          ],
          "condition": {
            "title": "dev1 prefix",
            "description": "Role granted only for instances and disks with Name Prefix dev1",
            "expression": "(resource.type == 'compute.instances' && resource.name.startsWith('projects/[PROJECT_NAME]/zones/[ZONE_NAME]/instances/dev1')) || (resource.type == 'compute.disks' && resource.name.startsWith('projects/[PROJECT_NAME]/zones/[ZONE_NAME]/disks/dev1'))"
          }
        }
      ]
    }
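The policy files above are easy to get subtly wrong: a conditional binding in a version 1 policy, a prefix that stops mid-name and so matches more resources than intended, or a public member slipped into a binding. The following is an added example, not Google's tooling or code from the announcement, of a small pre-flight linter that runs over a policy file before it is passed to set-iam-policy. The sample policy, project, zone and member names it contains are constructed for the example; the prefix check encodes the assumption that a prefix should end at a / or - delimiter.

```python
"""Lint a Compute Engine IAM policy file (with conditions) before applying it.

Added example; not Google's code. It checks three things the text above
warns about: conditional bindings require policy version 3, a name prefix
that stops mid-name over-matches, and public members should be flagged.
"""
import json
import re
from typing import Dict, List

# Constructed sample policy, mirroring the dev1 prefix binding in the article,
# with two deliberate mistakes: version 1 and a public member on imageUser.
SAMPLE_POLICY: Dict = json.loads("""
{
  "version": 1,
  "bindings": [
    {
      "role": "roles/compute.instanceAdmin.v1",
      "members": ["user:dev1@example.com"],
      "condition": {
        "title": "dev1 prefix",
        "expression": "(resource.type == 'compute.instances' && resource.name.startsWith('projects/my-proj/zones/us-central1-a/instances/dev1')) || (resource.type == 'compute.disks' && resource.name.startsWith('projects/my-proj/zones/us-central1-a/disks/dev1'))"
      }
    },
    {
      "role": "roles/compute.imageUser",
      "members": ["allAuthenticatedUsers"]
    }
  ]
}
""")

# Literal argument of every resource.name.startsWith(...) call in a CEL expression.
PREFIX_RE = re.compile(r"resource\.name\.startsWith\(\s*['\"]([^'\"]*)['\"]\s*\)")
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Assumption for this example: a prefix that ends in one of these is "complete".
PREFIX_DELIMITERS = ("/", "-")


def prefixes_in(expression: str) -> List[str]:
    """Return the prefixes a condition expression tests resource.name against."""
    return PREFIX_RE.findall(expression)


def prefix_matches(prefix: str, resource_name: str) -> bool:
    """startsWith semantics as the condition evaluates them: plain string prefix."""
    return resource_name.startswith(prefix)


def lint_policy(policy: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    bindings = policy.get("bindings", [])
    if any("condition" in b for b in bindings) and policy.get("version", 1) < 3:
        findings.append("policy has conditional bindings but version is not 3")
    for b in bindings:
        role = b.get("role", "<no role>")
        for member in b.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{role}: granted to public member {member}")
        condition = b.get("condition")
        if not condition:
            continue
        for prefix in prefixes_in(condition.get("expression", "")):
            # .../instances/dev1 also matches dev10 and dev1-prod.
            if not prefix.endswith(PREFIX_DELIMITERS):
                findings.append(
                    f"{role}: prefix {prefix!r} ends mid-name and also matches longer names"
                )
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("finding:", finding)
    # Show the over-match concretely on constructed resource names.
    prefix = "projects/my-proj/zones/us-central1-a/instances/dev1"
    for name in ("dev1", "dev10", "dev1-prod", "dev2"):
        full = f"projects/my-proj/zones/us-central1-a/instances/{name}"
        print(name, "matches" if prefix_matches(prefix, full) else "does not match")
```

Run it against a real policy by replacing SAMPLE_POLICY with json.load() of the file you are about to apply; treat any finding as a reason to stop and re-read the binding.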
With access-level attributes, a request is authorized only if it satisfies an access level, a rule defined in Access Context Manager over the raw attributes of the request, such as its source IP address or the status of the device it comes from. According to the blog announcement:
With access-level attributes, you can express conditions like: "Grant requests from a [Service Account] ONLY if the source VM instance is running the latest company-issued operating system image" or "Remote requests to manipulate instance states are granted ONLY if they originate from the corporate VPN."
Lastly, the date/time attribute allows users to add start and end dates, as well as times of day, to an IAM binding. In keeping with the principle of least privilege, an enterprise can, for instance, let members of its on-call support team act as instance administrators only during on-call hours, which helps prevent accidental actions outside that window and limits what a compromised on-call account can do the rest of the time.
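The article gives no date/time example, so here is an added one that is not from the announcement or Google's documentation. It combines an end date for the rotation with a time-of-day window, both evaluated against the request timestamp; the group name, the end date, the hours and the time zone are assumptions chosen for the example.

```json
{
  "version": 3,
  "bindings": [
    {
      "role": "roles/compute.instanceAdmin.v1",
      "members": [
        "group:oncall@example.com"
      ],
      "condition": {
        "title": "on-call hours only",
        "description": "Instance admin from 18:00 to 08:00 Pacific, and only until the rotation ends",
        "expression": "request.time < timestamp('2018-12-31T00:00:00Z') && (request.time.getHours('America/Los_Angeles') >= 18 || request.time.getHours('America/Los_Angeles') < 8)"
      }
    }
  ]
}
```

The time-zone argument matters: without it the hour is taken in UTC, and an on-call window defined in local time would be shifted by the UTC offset. The end date bounds the grant even if nobody remembers to remove the binding when the rotation changes.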
The Compute Engine resource-level IAM features are available in beta through the API, CLI, and the Developer Console. Furthermore, a private beta is available for the IAM conditions feature.