
Grant IAM Access to Organization

I would like to grant IAM read access to a storage bucket in one of my projects to all service accounts, users, etc. in my organization.  I don't want to grant public access and therefore do not want to use allUsers or allAuthenticatedUsers.  Is there a way to do this?  

I understand I can create a group and add new service accounts to that group, however, I would prefer to not have to manage a group every time somebody builds a project.  

I see there's "All principals in a Cloud Identity account (domain)" if using IAM v2 API and can specify a principal "principalSet://goog/cloudIdentityCustomerId/CLOUD_IDENTITY_CUSTOMER_ID" but have no idea how to actually use this or if IAM v2.  principalSet is invalid if trying to use in an IAM binding (terraform).  
https://cloud.google.com/iam/docs/principal-identifiers#v2

Thanks.

1 ACCEPTED SOLUTION

Hi Nick,

To grant IAM read access to a storage bucket for all users and service accounts in your organization without making it public or manually managing groups, you can use the IAM v2 API with the principalSet identifier:

  1. Enable IAM API v2: Make sure the IAM API v2 is enabled in your Google Cloud project.

  2. Get Your Cloud Identity Customer ID: Find your Cloud Identity Customer ID in your account settings.

  3. Define the IAM Policy: Use the IAM v2 API to assign the roles/storage.objectViewer role to principalSet://goog/cloudIdentityCustomerId/YOUR_CLOUD_IDENTITY_CUSTOMER_ID.

  4. Apply the Policy with Terraform: If Terraform doesn't directly support IAM v2 features, you might need to use workarounds like local-exec provisioners to apply your IAM policies via gcloud commands or API calls.

  5. Test Access: Ensure the policy grants the correct access without exposing your resources publicly.

Hope it helps. 


4 REPLIES

Let me add a little more context of what I'm really trying to accomplish.  I would like to use a storage bucket to house a GCE startup script that I am referencing from a module that builds a very specific type of VM.  A member of our DevOps team would use the module in their Terraform code to build a VM.  There's no way to predict the project or service account they would be assigning to the VM.  If there is a way to allow access to all GCE instances in my organization (either by scope or some sort of impersonation) that may work too.  Basically, I need GCE compute resources to be able to read from the bucket during system startup.  Therefore, the data is somewhat sensitive and I don't want to allow public access (allUsers) or all authenticated access (allAuthenticatedUsers) unless I can restrict to only authenticated users / service accounts associated with my organization. 

Hello,
Did you find a way for this use case ?

Hi, 

According to the docs, the IAM v2 principal identifiers are just for deny policies. I tried with both a project and a bucket IAM binding and it wasn't possible using the principal identifier format principalSet://goog/cloudIdentityCustomerId/<<ID>>.

We are facing the same problem. We want to share a bucket containing the service catalogue solutions with all the projects (service accounts) within the organisation. But maintaining a group is too much.

Hopefully, someone from Google can see and review this.
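An added check, not posted by anyone in this thread, that reads a bucket's IAM allow policy (in the JSON shape the Storage API returns, here a constructed sample) and flags the two things discussed above: the public members the asker wants to avoid (allUsers / allAuthenticatedUsers) and the IAM v2 principalSet://goog/cloudIdentityCustomerId/... identifier, which allow bindings reject. The prefix list is the set of v1 member formats I am certain of; the sample project, account and customer ID values are made up.

```python
import re

# Public members the original question wants to keep out of the bucket policy.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Member prefixes accepted by an IAM v1 allow policy (bucket/project bindings).
V1_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:", "deleted:",
               "principal://iam.googleapis.com/",
               "principalSet://iam.googleapis.com/")
# IAM v2 identifier from the thread; valid in deny policies, rejected in allow bindings.
V2_ONLY_PATTERN = re.compile(r"^principalSet://goog/cloudIdentityCustomerId/[^/]+$")


def classify_member(member: str) -> str:
    """Label one binding member: 'public', 'v2-only', 'v1' or 'unknown'."""
    if member in PUBLIC_MEMBERS:
        return "public"
    if V2_ONLY_PATTERN.match(member):
        return "v2-only"
    if member.startswith(V1_PREFIXES):
        return "v1"
    return "unknown"


def audit_policy(policy: dict) -> dict:
    """Return (role, member) pairs that need attention, grouped by finding type."""
    findings = {"public": [], "v2_only": [], "unknown": []}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind = classify_member(member)
            if kind == "public":
                findings["public"].append((role, member))
            elif kind == "v2-only":
                findings["v2_only"].append((role, member))
            elif kind == "unknown":
                findings["unknown"].append((role, member))
    return findings


# Constructed sample: the shape of a bucket IAM allow policy, with made-up values.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers",
                     "serviceAccount:vm-sa@example-project.iam.gserviceaccount.com",
                     "principalSet://goog/cloudIdentityCustomerId/C01example"]},
        {"role": "roles/storage.admin",
         "members": ["group:platform-admins@example.com"]},
    ]
}

if __name__ == "__main__":
    for kind, hits in audit_policy(SAMPLE_POLICY).items():
        for role, member in hits:
            print(f"{kind}: {member} in {role}")
```

Point it at the dict from `bucket.get_iam_policy().to_api_repr()` or `gsutil iam get` output to run it against a real bucket.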