# Delegated Role Grants

This example shows two applications of [delegated role grants](https://cloud.google.com/iam/docs/setting-limits-on-granting-roles):

- how to use them to restrict service usage in a GCP project
- how to use them to allow administrative access to a service via a predefined role, while restricting administrators from minting other admins.

## Restricting service usage

In its default configuration, the example provisions two sets of permissions:

- the roles listed in `direct_role_grants` are granted unconditionally to the users listed in `project_administrators`.
- additionally, `project_administrators` are granted the role `roles/resourcemanager.projectIamAdmin` in a restricted fashion, allowing them to grant only the roles listed in `delegated_role_grants` to other users.

By carefully choosing `direct_role_grants` and `delegated_role_grants`, you can restrict which services can be used within the project while still leaving project administrators enough freedom to grant permissions to other principals within their projects.

This diagram shows the resources and expected behaviour:

<img src="diagram.png" width="572px">

A [Medium article](https://medium.com/@jccb/managing-gcp-service-usage-through-delegated-role-grants-a843610f2226) has been published for this example; refer to it for more details on the context and the specifics of running the example.

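The conditional binding behind the restricted `projectIamAdmin` grant, as an added Python example that is not part of the example's own Terraform code: it builds the two sets of bindings described above and evaluates the `hasOnly()` condition the way IAM does, so you can see which administrator requests get through (a request touching one allowed role plus one that is not is refused as a whole). The member address is constructed; the `modifiedGrantsByRole` attribute and the condition shape come from the delegated role grants documentation linked above.

```python
import re

# IAM request attribute listing the roles whose bindings a setIamPolicy call
# adds or removes; a delegated role grant is a condition on this attribute.
MODIFIED_GRANTS_ATTR = "iam.googleapis.com/modifiedGrantsByRole"


def project_bindings(members, direct_roles, delegated_roles,
                     restricted_role="roles/resourcemanager.projectIamAdmin"):
    """Bindings the example provisions: one unconditional binding per direct
    role, plus the restricted role limited by a hasOnly() condition."""
    bindings = [{"role": r, "members": list(members)} for r in direct_roles]
    allowed = ", ".join(f"'{r}'" for r in sorted(delegated_roles))
    bindings.append({
        "role": restricted_role,
        "members": list(members),
        "condition": {
            "title": "delegated_role_grants",
            # hasOnly(): every role the request touches must be listed. A
            # request that changes no grants yields [] and passes.
            "expression": (f"api.getAttribute('{MODIFIED_GRANTS_ATTR}', [])"
                           f".hasOnly([{allowed}])"),
        },
    })
    return bindings


def condition_holds(binding, modified_roles):
    """Evaluate the hasOnly() condition (the only shape modelled here)."""
    cond = binding.get("condition")
    if cond is None:
        return True
    allowed = set(re.findall(r"'([^']+)'",
                             cond["expression"].split("hasOnly([", 1)[1]))
    return set(modified_roles) <= allowed


def admin_request_allowed(bindings, member, admin_role, modified_roles):
    """True if `member` holds `admin_role` (the role carrying the setIamPolicy
    permission the request needs) via a binding whose condition holds; a
    mixed request is refused as a whole, so admins cannot mint other admins."""
    return any(b["role"] == admin_role and member in b["members"]
               and condition_holds(b, modified_roles) for b in bindings)


if __name__ == "__main__":
    admin = "user:project-admin@example.com"  # constructed member
    policy = project_bindings([admin], [], ["roles/compute.networkUser"],
                              restricted_role="roles/compute.networkAdmin")
    print(admin_request_allowed(policy, admin, "roles/compute.networkAdmin",
                                ["roles/compute.networkAdmin"]))
```
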
## Restricting a predefined role

By changing `restricted_role_grant`, the example can be used to grant administrators a predefined role like `roles/compute.networkAdmin`, which allows setting IAM policies on service resources like subnetworks, while restricting the roles that those administrators are able to confer to other users.

You can easily configure the example for this use case:

```hcl
# terraform.tfvars

delegated_role_grants = ["roles/compute.networkUser"]
direct_role_grants = []
restricted_role_grant = "roles/compute.networkAdmin"
```

This diagram shows the resources and expected behaviour:

<img src="diagram-2.png" width="572px">

## Running the example

Clone this repository or [open it in cloud shell](https://ssh.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fcloud-foundation-fabric&cloudshell_print=cloud-shell-readme.txt&cloudshell_working_dir=examples%2Fcloud-operations%2Fiam-delegated-role-grants), then go through the following steps to create resources:

- `terraform init`
- `terraform apply -var project_id=my-project-id -var 'project_administrators=["user:project-admin@example.com"]'`

Once done testing, you can clean up resources by running `terraform destroy`.

## Auditing Roles

This example includes a Python script that audits a list of roles to ensure you're not granting the `setIamPolicy` permission at the project, folder or organization level. To audit all the predefined compute roles, run it like this:

```bash
pip3 install -r requirements.txt
gcloud iam roles list --filter="name:roles/compute. stage=GA" --format="get(name)" > roles.txt
python3 audit.py roles.txt
```

If you get any warnings, check the roles and remove any of them that grant one of the following permissions:

- `resourcemanager.projects.setIamPolicy`
- `resourcemanager.folders.setIamPolicy`
- `resourcemanager.organizations.setIamPolicy`

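The check the audit performs, as an added Python example written here rather than the example's own `audit.py`: it reads a `roles.txt` in the format the `gcloud` command above produces, looks each role up in definitions of the shape `gcloud iam roles describe --format=json` prints (`name` plus `includedPermissions`), and flags the three permissions listed above, while reporting roles it cannot look up instead of passing them silently. The role definitions embedded below are constructed and abbreviated for the example, not real role dumps, and this version works offline on definitions you supply.

```python
import json

# setIamPolicy at these levels lets a delegate rewrite the very policy that
# the delegated grant restricts, so no delegated role may carry them.
POLICY_ADMIN_PERMISSIONS = frozenset({
    "resourcemanager.projects.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
})


def parse_roles_file(text):
    """Role names as written by `gcloud ... --format="get(name)"`, one per
    line; blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def load_definitions(json_text):
    """Role name -> permission set, from a JSON list of IAM Role objects."""
    return {r["name"]: set(r.get("includedPermissions", []))
            for r in json.loads(json_text)}


def audit_roles(role_names, definitions):
    """Return (warnings, unknown): flagged role -> offending permissions, and
    roles with no definition, so a failed lookup never passes silently."""
    warnings, unknown = {}, []
    for role in role_names:
        perms = definitions.get(role)
        if perms is None:
            unknown.append(role)
            continue
        hits = sorted(perms & POLICY_ADMIN_PERMISSIONS)
        if hits:
            warnings[role] = hits
    return warnings, unknown


SAMPLE_DEFINITIONS = json.dumps([  # constructed, abbreviated, not real dumps
    {"name": "roles/compute.networkUser",
     "includedPermissions": ["compute.subnetworks.use"]},
    {"name": "roles/compute.networkAdmin",  # resource-level setIamPolicy only
     "includedPermissions": ["compute.subnetworks.setIamPolicy"]},
    {"name": "projects/my-project-id/roles/delegatedAdmin",
     "includedPermissions": ["resourcemanager.projects.setIamPolicy"]},
])
SAMPLE_ROLES = ("roles/compute.networkUser\nroles/compute.networkAdmin\n"
                "projects/my-project-id/roles/delegatedAdmin\n"
                "# roles/example.commentedOut\nroles/example.unknownRole\n")
```

Resource-level permissions such as `compute.subnetworks.setIamPolicy` are deliberately not flagged, matching the project, folder and organization scope of the check above.
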
<!-- BEGIN TFDOC -->

## Variables

| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [project_administrators](variables.tf#L62) | List of identities granted administrator permissions. | <code>list(string)</code> | ✓ | |
| [project_id](variables.tf#L73) | GCP project id in which to grant direct and delegated roles to the users listed in project_administrators. | <code>string</code> | ✓ | |
| [delegated_role_grants](variables.tf#L17) | List of roles that project administrators will be allowed to grant/revoke. | <code>list(string)</code> | | <code title="[ &quot;roles/storage.admin&quot;, &quot;roles/storage.hmacKeyAdmin&quot;, &quot;roles/storage.legacyBucketOwner&quot;, &quot;roles/storage.objectAdmin&quot;, &quot;roles/storage.objectCreator&quot;, &quot;roles/storage.objectViewer&quot;, &quot;roles/compute.admin&quot;, &quot;roles/compute.imageUser&quot;, &quot;roles/compute.instanceAdmin&quot;, &quot;roles/compute.instanceAdmin.v1&quot;, &quot;roles/compute.networkAdmin&quot;, &quot;roles/compute.networkUser&quot;, &quot;roles/compute.networkViewer&quot;, &quot;roles/compute.orgFirewallPolicyAdmin&quot;, &quot;roles/compute.orgFirewallPolicyUser&quot;, &quot;roles/compute.orgSecurityPolicyAdmin&quot;, &quot;roles/compute.orgSecurityPolicyUser&quot;, &quot;roles/compute.orgSecurityResourceAdmin&quot;, &quot;roles/compute.osAdminLogin&quot;, &quot;roles/compute.osLogin&quot;, &quot;roles/compute.osLoginExternalUser&quot;, &quot;roles/compute.packetMirroringAdmin&quot;, &quot;roles/compute.packetMirroringUser&quot;, &quot;roles/compute.publicIpAdmin&quot;, &quot;roles/compute.securityAdmin&quot;, &quot;roles/compute.serviceAgent&quot;, &quot;roles/compute.storageAdmin&quot;, &quot;roles/compute.viewer&quot;, &quot;roles/viewer&quot; ]">[…]</code> |
| [direct_role_grants](variables.tf#L53) | List of roles granted directly to project administrators. | <code>list(string)</code> | | <code title="[ &quot;roles/compute.admin&quot;, &quot;roles/storage.admin&quot;, ]">[…]</code> |
| [project_create](variables.tf#L67) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
| [restricted_role_grant](variables.tf#L78) | Role grant to which the restrictions will apply. | <code>string</code> | | <code>"roles/resourcemanager.projectIamAdmin"</code> |

<!-- END TFDOC -->