Table of Contents hide
Identity & Access Management – IAM
- administrators authorize who can take what action on which resources
- IAM Member can be a Google Account (for end users), a service account (for apps and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain that can access a resource.
- IAM Role is a collection of permissions granted to authenticated members.
- supports 3 kinds of roles
- Primitive roles – board level of access
- Predefined roles – finer-grained granular access control
- Custom roles – tailored permissions when predefined roles don’t meet the needs.
- Best practice is to use Predefined over primitive roles
- IAM Policy binds one or more members to a role.
- IAM policy can be set at any level in the resource hierarchy: organization level, folder level, the project level, or the resource level.
- IAM Policy inheritance is transitive and resources inherit the policies of all of their parent resources.
- Effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
- Service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
- Access Scopes are the legacy method of specifying permissions for the instance for default service accounts
- Best practice is to set the full
cloud-platformaccess scope on the instance, then securely limit the service account’s access using IAM roles.
- Delegate responsibility with groups (instead of individual users) and service accounts (for server-to-server interactions)
- Cloud Identity is an Identity as a Service (IDaaS) solution that helps centrally manage the users and groups.
- configured to federate identities between Google and other identity providers, such as Active Directory and Azure Active Directory
- Cloud Identity and Google Workspace support Security Assertion Markup Language (SAML) 2.0 for single sign-on with authentication performed by an external identity provider (IdP)
- With SAML, Cloud Identity or Google Workspace acts as a service provider that trusts the SAML IdP to verify a user’s identity on its behalf.
- Google Cloud Directory Sync – GCDS implements the synchronization process between external IdP
- Google Cloud Billing defines billing accounts linked to Google Cloud Projects to determine who pays for a given set of Google Cloud resources.
- To move the project to a different billing account, you must be a billing administrator and the project owner.
- To link a project to a billing account, you must be a Billing Account Administrator or Billing Account User on the billing account OR Project Billing Manager on the project
- Cloud Billing budgets can be created to monitor all of the Google Cloud charges in one place and configure alerts
- supports BigQuery export with detailed Google Cloud billing data (such as usage, cost estimates, and pricing data) automatically throughout the day to a specified BigQuery dataset
- Google Cloud billing data is not added retroactively to BigQuery, so the data before export is enabled will not be visible.