GCP Resource Hierarchy
- The diagram below represents the Google Cloud resource hierarchy

- IAM policy inheritance:
- An IAM policy can be applied at the organization level, the folder level, the project level and, in some cases, at the resource level.
- Resources inherit policies from their parent node (project).
GCP Authentication
- GCP handles authentication using GSuite (for Google Suite users) and Cloud Identity (for Active Directory), which acts as the authentication service for GCloud
- We can bring members from Active Directory into Cloud Identity by sync or ADFS; the users of your Active Directory can then be authenticated using Cloud Identity
- These users can be grouped together by using Google Groups
- Cloud Identity/GSuite brings members to Google Cloud in the case of corporate accounts
IAM Policy
- IAM Policy binds one or more members to a role and can be applied at different GCP resource hierarchy levels

- For official documentation of roles Refer Here
- Refer Here for the GCP Permissions
- Permissions in GCP take the form service.resource.verb
- Create a Custom Role
- Navigate to the roles section in IAM and Admin
- Now we can create the IAM Policy and apply this role to any member (user/service account)
- Refer Here to manage workload identity pools and providers
- To bring users from your existing Active Directory into GCP, Refer Here
- In GCP, depending on the resource, we will be using two kinds of users
- allAuthenticatedUsers
- allUsers
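
An added example (not from the original notes) that ties policy inheritance to the two public member types above: it computes the effective bindings for a node as the union of its own policy and its ancestors' policies, then reports every role granted to allUsers or allAuthenticatedUsers and the level where the binding was set. The hierarchy, policies, node names and function names are constructed for illustration; only allow bindings are modelled.

```python
# Added example; hierarchy and policies below are constructed sample data.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# node -> parent (None marks the root of the hierarchy)
PARENTS = {
    "organizations/example-org": None,
    "folders/example-folder": "organizations/example-org",
    "projects/example-project": "folders/example-folder",
}

# IAM policies in the {"bindings": [{"role": ..., "members": [...]}]} shape
POLICIES = {
    "organizations/example-org": {"bindings": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]}]},
    "folders/example-folder": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]}]},
    "projects/example-project": {"bindings": [
        {"role": "roles/viewer", "members": ["user:dev@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
}

def ancestry(node):
    """Return the node followed by its ancestors, up to the root."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENTS[node]
    return chain

def effective_bindings(node):
    """Union own and inherited bindings: role -> {member: node that set it}."""
    result = {}
    for source in ancestry(node):
        for binding in POLICIES.get(source, {}).get("bindings", []):
            for member in binding["members"]:
                result.setdefault(binding["role"], {}).setdefault(member, source)
    return result

def public_findings(node):
    """Sorted (role, member, source) tuples for publicly granted roles."""
    return sorted(
        (role, member, source)
        for role, members in effective_bindings(node).items()
        for member, source in members.items()
        if member in PUBLIC_MEMBERS
    )

if __name__ == "__main__":
    for finding in public_findings("projects/example-project"):
        print(*finding, sep="  ")
```

The source column shows why removing the allUsers binding at the project alone is not enough here: the folder-level allAuthenticatedUsers binding is still inherited.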
Multi-factor authentication
- In GCP, Cloud Identity/GSuite enables multi-factor authentication
- For personal GCP accounts, navigate to accounts.google.com => security => Enable MFA
Google Storage
- We need to look at
- Storage Buckets
- FileStore
- Data Transfer
