GCP IAM and Admin
What is IAM?
Identity and Access Management (IAM) is the access control service that lets you grant specific users access to specific resources.
Standard definition: with IAM you manage access control by defining who (identity) has what access (role) for which resource.
In layman's terms: with IAM you manage access control by defining which user (firstname.lastname@example.org) has what access (admin, owner, editor, viewer, a custom permission, etc.) on which resource (Google Compute Engine, Cloud Storage, databases, etc.).
The three main parts of access management are:
- Principal: a Google account (email@example.com, firstname.lastname@example.org), a service account (an address of the form custom_name@PROJECT_ID.iam.gserviceaccount.com), or a Google group / Workspace account (in each case essentially an email ID).
- Role: a role is a collection of permissions. Permissions determine which operations are allowed on a resource, for example launching a virtual machine, creating a storage bucket, or viewing or editing a bucket. In layman's terms: admin, owner, editor, viewer, custom permission, etc.
- Policy: a policy binds roles to principals. For example, if we assign firstname.lastname@example.org (principal) an admin role (role) on a Cloud Storage bucket (resource), that user will be able to create, update and delete the bucket and other users will not.
What is a Service Account and why do we need it?
Let's take a person called John Wick who has a Google account, email@example.com. He can use resources based on the roles assigned to him.
But as technology advances he gets lazy (we all do) and writes a Python script to launch a new virtual machine. He tries to run the script but it fails every single time and he doesn't know why. One day his friend Boogeyman asks him,
Boogeyman — John, how are you able to launch machines manually on GCP?
John replied "Bro, I have a role assigned to me that allows me to launch machines."
Boogeyman — John, that means you are able to use that service through the UI, but how is your Python script going to connect to that service?
John said "Oh fish, my script doesn't have permission to interact with other GCP services."
Boogeyman — John, just like you have a Google account with roles bound to it, there is a service account that is bound to a virtual machine so that the underlying application can connect to other services and do the work instead of you.
Long story short
Service accounts are used when you want to authenticate machines, such as Google Compute Engine VMs, to other Google Cloud services. After you attach a service account to a VM, the VM (and the scripts running on it) can talk to other GCP services.
AWS IAM and Admin concepts are similar to GCP's. AWS has IAM users and IAM groups.
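To make the principal / role / policy binding from the section above and John's script problem concrete, here is an added toy evaluator; it is not part of the original post and not Google's IAM implementation (no deny policies, conditions or resource-hierarchy inheritance). The role names are real GCP predefined roles, but their permission sets are abbreviated, and the project ID, users and service-account address are constructed sample values.

```python
# Toy model of GCP IAM evaluation (added illustration, not GCP's engine).
# ROLES holds real predefined role names with abbreviated permission sets
# (assumption); PROJECT_POLICY mirrors the shape of an IAM policy document
# with constructed members and a hypothetical project "my-project".

# A role is a collection of permissions.
ROLES = {
    "roles/viewer": {"compute.instances.list", "storage.buckets.get"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.list", "compute.instances.create", "compute.instances.delete",
    },
    "roles/storage.admin": {
        "storage.buckets.get", "storage.buckets.create", "storage.buckets.delete",
    },
}

# A policy binds roles to principals (members carry a type prefix, as in GCP).
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:email@example.com"]},
        {"role": "roles/storage.admin", "members": ["user:firstname.lastname@example.org"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:vm-launcher@my-project.iam.gserviceaccount.com"]},
    ]
}

def permissions_for(policy, principal):
    """Union of the permissions of every role bound to this principal."""
    granted = set()
    for binding in policy["bindings"]:
        if principal in binding["members"]:
            granted |= ROLES.get(binding["role"], set())
    return granted

def is_allowed(policy, principal, permission):
    return permission in permissions_for(policy, principal)

def script_can_launch_vm(policy, attached_service_account):
    """A script on a VM authenticates as the VM's attached service account,
    not as the person who logged in; with none attached there is no identity."""
    if attached_service_account is None:
        return False
    principal = f"serviceAccount:{attached_service_account}"
    return is_allowed(policy, principal, "compute.instances.create")

if __name__ == "__main__":
    print(is_allowed(PROJECT_POLICY, "user:email@example.com", "compute.instances.create"))  # True
    print(script_can_launch_vm(PROJECT_POLICY, None))  # False
    print(script_can_launch_vm(PROJECT_POLICY, "vm-launcher@my-project.iam.gserviceaccount.com"))  # True
```

John's own account can launch machines, his script on a VM with no service account cannot, and the same script succeeds once a service account bound to a role holding compute.instances.create is attached.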
Thanks for reading.