Google Cloud: Establishing Identity (IAM)

Sai Kalyan
4 min read · Jul 1, 2020

In recent years Google Cloud has seen a steady increase in usage as more and more people adopt the cloud. With growing demand for computing, a number of services have been launched for customers worldwide, and IAM is one of them. So, what does IAM mean?

IAM stands for Identity and Access Management. With Cloud IAM you can grant granular access to specific GCP resources and prevent unwanted access to other resources. Cloud IAM lets you apply the security principle of least privilege, so you grant only the access your resources actually require.

Now let’s break IAM down:

  1. Who = Member
  2. can do what = Role
  3. on which resource = any resource across GCP (Google Cloud Platform), such as projects, organizations, Storage buckets, BigQuery, etc.

So, combining “who can do what on which resource” forms an IAM policy.

This raises the questions: what is a member, what is a role, and what is an IAM policy?

Member

A member (identity) is a person or a service account. A person is represented by a Google Account, a Google Group, a G Suite domain, or a Cloud Identity domain; these are people accounts, created and managed in the Google Admin Console (which is not part of GCP).

Google Admin Console

People Account Types

  1. Personal Account
  2. G Suite/Cloud Identity Domain Account
  3. Google Groups Account
  4. Special Account (allAuthenticatedUsers, allUsers)

Personal Account

This is the most basic and familiar account type: a personal Google account, which usually takes the form abcxy@gmail.com. Be aware that a non-Gmail address (abcxy@yahoo.com) that has been associated with a Google account also falls into this category. Personal accounts are also called unmanaged accounts in some contexts.

G Suite/Cloud Identity Domain Account

G Suite and Cloud Identity both manage organizational Google Accounts, which are administered in the Google Admin Console. The difference between a personal Google account and a corporate domain Google account is that instead of abcxy@gmail.com or abcxy@yahoo.com, these accounts carry the organization’s Internet domain name.

Example:

If Joe works for a company named buffer and his work email address is joe@buffer.com, then his identity for authenticating with Google Cloud Platform is joe@buffer.com, a corporately managed Google account (Google Identity).

Before going into detail, let’s first see the difference between G Suite and Cloud Identity:

A G Suite account, in addition to acting as a Google identity, also has access to the company-managed Google applications such as Gmail and Google Calendar. Cloud Identity accounts are also Google accounts, but they have no access to the G Suite applications (Gmail, Google Calendar); they simply act as identities for authenticating with services like Google Cloud Platform. One other particular difference of Cloud Identity compared to G Suite is that we can synchronize an existing external directory such as Active Directory (a directory service that centralizes the management of users, computers and other objects within a network).

Why Is Synchronizing with Active Directory Important?

Many organizations use Active Directory for user management, but Google accounts (Google Identity) are still needed for GCP access. This results in two separate directory systems, G Suite/Cloud Identity and Active Directory, and maintaining GCP accounts in Cloud Identity separately alongside Active Directory is cumbersome and error-prone.

Solution

To solve this problem, Active Directory is synchronized to Cloud Identity: AD remains the single source in which you create and manage users, and those changes are automatically propagated to Cloud Identity, so you do not have to maintain Cloud Identity separately from Active Directory.

How It Works

Accounts on the AD server are mapped automatically to Cloud Identity accounts. This means you only actively maintain your users in Active Directory; the sync runs one way, from AD to Cloud Identity, and never the other way round.

Active Directory also provides single sign-on (SSO) to GCP.

Synchronize Tools

  1. Google Cloud Directory Sync (GCDS)
  2. Active Directory Federation Services (ADFS)
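The one-way reconciliation described above, as an added example that is not part of the original article and not the code of Google Cloud Directory Sync: Active Directory is read as the source of truth, and only the Cloud Identity side is ever changed. The directory contents are constructed samples; the real tool would read them over LDAP and write them with the Directory API.

```python
# Constructed sample: what the Active Directory server holds (logon name -> attributes).
AD_USERS = {
    "joe":   {"mail": "joe@buffer.com",   "enabled": True},
    "alice": {"mail": "alice@buffer.com", "enabled": True},
    "bob":   {"mail": "bob@buffer.com",   "enabled": False},  # disabled in AD
}

# Constructed sample: current Cloud Identity state (primary email -> attributes).
CLOUD_IDENTITY_USERS = {
    "joe@buffer.com":   {"suspended": False},
    "bob@buffer.com":   {"suspended": False},
    "carol@buffer.com": {"suspended": False},  # no longer exists in AD
}


def plan_sync(ad_users, ci_users):
    """Return the (action, email) changes that make Cloud Identity mirror AD.

    AD is only read; nothing flows back into it. An account that has
    disappeared from AD is suspended rather than deleted, so its data and
    IAM bindings survive until an admin confirms the removal.
    """
    actions = []
    ad_enabled = {u["mail"]: u["enabled"] for u in ad_users.values()}
    for mail, enabled in ad_enabled.items():
        if mail not in ci_users:
            if enabled:
                actions.append(("create", mail))
        elif enabled and ci_users[mail]["suspended"]:
            actions.append(("reactivate", mail))
        elif not enabled and not ci_users[mail]["suspended"]:
            actions.append(("suspend", mail))
    for mail, attrs in ci_users.items():
        if mail not in ad_enabled and not attrs["suspended"]:
            actions.append(("suspend", mail))
    return sorted(actions)


def apply_actions(ci_users, actions):
    """Apply a plan to a copy of the Cloud Identity state and return the new state."""
    state = {mail: dict(attrs) for mail, attrs in ci_users.items()}
    for action, mail in actions:
        if action == "create":
            state[mail] = {"suspended": False}
        else:
            state[mail]["suspended"] = (action == "suspend")
    return state


if __name__ == "__main__":
    plan = plan_sync(AD_USERS, CLOUD_IDENTITY_USERS)
    print(plan)
    # A second run after applying the plan proposes nothing: the sync is idempotent.
    print(plan_sync(AD_USERS, apply_actions(CLOUD_IDENTITY_USERS, plan)))
```

Running the plan twice is the check worth keeping: after the first plan is applied, a second `plan_sync` returns an empty list, which is what you expect from a scheduled one-way sync.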

Google Groups Account

Google Groups simply collects Google user accounts into groups for easier management. Groups can be managed either in the Admin Console (for G Suite/Cloud Identity admins) or on the legacy groups.google.com site (for non-admins). Just as individual members have email addresses, Google Groups have addresses too.

For example, if we create a group named banking, the email address for that group will be banking@companyname.com.

Features (non-GCP):

  1. Group email list
  2. Email alias (infotech@companyname.com)
  3. Message board capabilities

Special Account

This account type varies by service.

allAuthenticatedUsers is a special identifier that represents all service accounts and all users on the Internet who have authenticated with a Google Account. Users who aren’t authenticated, such as anonymous visitors, aren’t included, but accounts that aren’t connected to a G Suite/Cloud Identity domain, such as personal Gmail accounts, are included.

allUsers is also a special identifier; it represents anyone on the Internet, with or without a Google account.
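The “who can do what on which resource” model from the start of the article and the two special identifiers just described, as an added example that is not part of the original article. The policy document below is constructed, but its shape (version, etag, bindings with a role and a member list) is the real Cloud IAM policy format, and the member prefixes user:, serviceAccount:, group: and domain: are the real member kinds alongside allUsers and allAuthenticatedUsers. The group membership table and every address in it are made up for the example.

```python
import json

# Constructed sample: an IAM policy as attached to a Cloud Storage bucket.
SAMPLE_POLICY_JSON = json.dumps({
    "version": 1,
    "etag": "BwConstructedEtag=",
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:joe@buffer.com",
                     "serviceAccount:deploy@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:banking@buffer.com", "allUsers"]},
        {"role": "roles/storage.objectCreator",
         "members": ["domain:buffer.com", "allAuthenticatedUsers"]},
    ],
})

# Constructed group membership, as an admin would maintain it in the Admin Console.
GROUPS = {"group:banking@buffer.com": ["user:alice@buffer.com", "user:bob@buffer.com"]}

# Special members that grant access beyond the organization.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Sentinel for an unauthenticated caller (an anonymous visitor).
ANONYMOUS = None


def parse_policy(policy_json):
    """Return {role: [members]} from an IAM policy document."""
    policy = json.loads(policy_json)
    return {b["role"]: list(b.get("members", [])) for b in policy.get("bindings", [])}


def member_matches(member, binding_member, groups):
    """Does the caller `member` satisfy one member entry of a binding?"""
    if binding_member == "allUsers":
        return True  # anyone on the Internet, signed in or not
    if member is ANONYMOUS:
        return False  # every other entry requires a signed-in account
    if binding_member == "allAuthenticatedUsers":
        return True  # any Google Account or service account, personal Gmail included
    if binding_member.startswith("domain:"):
        # domain: covers managed accounts of that G Suite / Cloud Identity domain
        wanted = binding_member[len("domain:"):]
        return member.startswith("user:") and member.rsplit("@", 1)[-1] == wanted
    if binding_member.startswith("group:"):
        return member in groups.get(binding_member, [])
    return member == binding_member  # user: / serviceAccount: exact match


def roles_for(member, policy_json=SAMPLE_POLICY_JSON, groups=GROUPS):
    """Who (member) can do what (roles) on the resource the policy is attached to."""
    return sorted(role for role, members in parse_policy(policy_json).items()
                  if any(member_matches(member, m, groups) for m in members))


def public_bindings(policy_json=SAMPLE_POLICY_JSON):
    """Audit: (role, special member) pairs that expose the resource outside the org."""
    return sorted((role, m) for role, members in parse_policy(policy_json).items()
                  for m in members if m in PUBLIC_MEMBERS)


if __name__ == "__main__":
    for who in ["user:joe@buffer.com", "user:alice@buffer.com",
                "user:stranger@gmail.com", ANONYMOUS]:
        print(who or "<anonymous>", "->", roles_for(who))
    print("public bindings:", public_bindings())
```

The audit function is the part to keep: a binding that names allUsers or allAuthenticatedUsers makes the personal Gmail account stranger@gmail.com, and for allUsers even an anonymous caller, a legitimate “who” on that resource, which is rarely what least privilege intends.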
