Orchestration of Google Cloud Identity and Access Management Using Terraform

Security is vital for companies that adopt cloud technologies, no matter what stage they are in. In this article, Alexander Snegovoy, Cloud Architect at DataArt, explains how an organization can use advantages of Terraform for Identity Access Management in a Google Cloud environment.
19/06/20
By Alexander Snegovoy
DevOps/Cloud Architect at DataArt

Google Cloud Platform (GCP) emphasizes that establishing security on both the infrastructure and user levels is something that must be done at the beginning of the cloud journey. Team members within your project and/or organization do not have access to resources unless you assign it to them explicitly. This is essential because no one wants to grant full access to all resources or allow access from lower environments to production. Access management becomes even more challenging when you have many projects across the whole organization.

To build secure infrastructure, GCP provides you with the Identity and Access Management (IAM) service. It offers many helpful features, including:

  • single interface to control access to all services
  • context-aware control (e.g., based on IP address, date/time, etc.)
  • fine-grained control (access to specific resources or even sets of resources)
  • recommendations engine to remove unwanted access to GCP resources
  • built-in audit trail to make compliance processes easy

Google Cloud IAM members include Google accounts and service accounts (for apps and VMs), Google groups, and G Suite/Cloud Identity users. Each member should have a role. Roles are sets of permissions for resources in GCP. A combination of a role and members is called a policy. This is illustrated in the diagram below.

Many companies are looking for the ability to control access to the whole GCP organization from a single place. A single dashboard lets small organizations manage access easily. But when there are many projects, more and more organizations start looking for automation.

At DataArt, we found that a solution that works well for many clients is using Terraform. The significant advantage of such an approach is that access is described in code, which means it can be versioned and tested. It pays off when the organization scales. Because access is defined in code, no one uses "my-test-gce-service-account" for production instances or anywhere else. Code provides the standards and conventions that every project follows.

When someone needs access to resources, they do not need to file a ticket or make a manual change without review. They can change the code and raise a Pull Request for review. For example, QA requires read access to objects in a specific Google Cloud Storage bucket.

Another advantage for many companies is that, with this approach, control over access is not in the hands of a single department but is more decentralized. Google Cloud is all about security, so having teams look at their access regularly and be accountable for it decreases incidents and reduces the number of security breaches. As an example, you allow developers to log in to an instance in a lower environment to troubleshoot an app, but a production environment should be accessible to admins only. Using the Terraform Workspaces feature, you can control this from the same code base.
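Both situations above (the QA bucket request raised as a Pull Request, and developer instance login that is allowed on lower environments but not in production) can be expressed in one Terraform configuration. The following is an added illustration, not code from the article or from DataArt; the project id, bucket name, group addresses and workspace names are placeholders.

```hcl
# Added example. Assumptions: workspaces are named "dev", "staging" and "prod";
# projects and buckets follow an "<name>-<env>" naming convention; the groups
# are Google Groups (all placeholders, not DataArt's values).
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

locals {
  env        = terraform.workspace          # selected with `terraform workspace select prod`
  is_prod    = local.env == "prod"
  project_id = "example-project-${local.env}"

  # Who may log in to Compute Engine instances in this environment.
  # Developers are only included on lower environments; prod is admins only.
  instance_users = local.is_prod ? [
    "group:gcp-admins@example.com",
  ] : [
    "group:gcp-admins@example.com",
    "group:developers@example.com",
  ]
}

provider "google" {
  project = local.project_id
}

# The QA request: read access to objects in one specific bucket.
# This is the kind of change a QA engineer proposes in a Pull Request.
# *_iam_member is non-authoritative, so it leaves other bindings untouched.
resource "google_storage_bucket_iam_member" "qa_object_viewer" {
  bucket = "example-reports-${local.env}"
  role   = "roles/storage.objectViewer"
  member = "group:qa@example.com"
}

# Instance login via OS Login (instances need enable-oslogin=TRUE metadata).
# *_iam_binding is authoritative for the role: anyone not listed in
# local.instance_users loses the role on the next apply, which is what
# keeps stray manual grants out of production.
resource "google_project_iam_binding" "instance_login" {
  project = local.project_id
  role    = "roles/compute.osLogin"
  members = local.instance_users
}
```

Review the plan for the prod workspace carefully: because the binding is authoritative, a merged change that accidentally drops a group from the list removes that group's login on apply.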

Such an approach offers even more benefits when you have automation built around it. For instance, you have GCP Cloud Build triggered after a tag is placed on a commit in the master branch, so you do not have to apply Terraform manually.
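The tag-triggered Cloud Build pipeline can itself be declared in Terraform. This is an added example, not the article's or DataArt's code; the CI project, repository name, Terraform image version and tag pattern are assumptions, and a Cloud Build tag trigger matches on the tag name only, so the "tagged commit is on master" rule has to be enforced by the team's tagging process.

```hcl
# Added example (placeholders throughout, not DataArt's values).
# Note: the Cloud Build service account must itself hold the IAM admin roles
# needed to apply these changes, so it becomes a privileged identity to protect.
resource "google_cloudbuild_trigger" "iam_apply_on_tag" {
  name        = "iam-apply-on-tag"
  description = "Apply the IAM Terraform code when a release tag is pushed"

  trigger_template {
    project_id = "example-ci-project"
    repo_name  = "gcp-iam"                      # Cloud Source Repository holding the IAM code
    tag_name   = "^v[0-9]+\\.[0-9]+\\.[0-9]+$"   # only semantic-version tags, e.g. v1.4.0
  }

  # Steps are inlined here instead of a cloudbuild.yaml in the repository.
  build {
    step {
      name = "hashicorp/terraform:1.5"
      args = ["init", "-input=false"]
    }
    step {
      name = "hashicorp/terraform:1.5"
      args = ["workspace", "select", "prod"]    # tags release to production
    }
    step {
      name       = "hashicorp/terraform:1.5"
      entrypoint = "sh"
      # Plan to a file and apply exactly that plan, so what was reviewed is what runs.
      args = ["-c", "terraform plan -input=false -out=tfplan && terraform apply -input=false tfplan"]
    }
  }
}
```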

It sounds scary to many clients adopting GCP in the beginning because it is not something they are used to. But leveraging Terraform for identity and access management significantly reduces complexity and simplifies the overall process and experience on Google Cloud Platform. It also decentralizes security and allows teams to be accountable for their access.


As a Google Cloud Partner with certified architects, developers, data engineers, and account managers, DataArt leverages GCP best practices to offer wide expertise in cloud governance, cloud economics, workload migration, and infrastructure management, among other services. Contact our GCP experts today for assistance.
