Compute Engine IAM Best Practices

(notes from Next ’17)

Cloud IAM


Types of identities

                        Google Account     Service Account           G Suite Domain                        Google Group
  Represents            Employee or user   Application component     All members of the specified domain   All members of the group
  Call APIs?            Yes                Yes                       No                                    No
  Log in to Console?    Yes                No                        No                                    No
  Notes                                    An instance can run as a service account.





Creating roles from scratch is not recommended; copy and edit existing roles instead.


Two mechanisms to limit an instance’s API access:

OAuth Access Scopes (Old)

  • Pre-IAM
    • 3 primitive roles
    • 1 GCE service account per project (granted Editor)
  • Coarser granularity
    • compute
    • compute.readonly
    • cloud-platform // allows access to all APIs

IAM Roles (Now)

  • 70+ roles
  • Instances can run as separate service accounts
  • Finer Granularity
    • Compute Instance Admin
    • Compute Network Admin

One-Click SSH with Automagically-Managed Keys

When you click that SSH button, what happens?

The console generates an SSH key pair, sends the public key to the instance through the gcloud/metadata service, and starts the session with the private key.

  • Option: Automatic key management
    • Web console and gcloud
  • Option: Manual key management using ssh-keys metadata
    • Project metadata (will be inherited by all instances)
    • Instance metadata (just for that instance)
  • But, SSH is powerful
    • Sudo (anyone who can ssh is in the sudoers group)
    • Run commands as the instance’s service account

A service account is an identity and a resource


Service account actor role

  • Allows a user to “act as” the service account
    • iam.serviceAccounts.actAs permission
    • Compute Engine checks for iam.serviceAccounts.actAs if the method could:
      • Run code inside the guest, or
      • Change the service account


  • Use existing identities:
    • G Suite
    • LDAP -> G Suite Directory Sync
  • Don’t store keys or secrets in code
  • Google client libraries = code just works
  • Enforce 2-step verification
  • Disable password auth for ssh
  • Disable root login for ssh

Least Privilege

  • Predefined roles or custom roles
  • Reduce the number of accounts that can perform powerful operations, such as:

    Powerful operation          Roles that can perform the operation
    Set IAM policy              Owner, Organization Administrator
    Act as a service account    Owner, Service Account Actor

  • Best Practice: grant the Service Account Actor role on the service account, not on the project
    • Exception: project metadata // if someone needs to set project-level metadata, startup scripts for all new instances, etc.

Grant roles to groups, not users.
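The three least-privilege points above (few holders of powerful roles, Service Account Actor granted per service account rather than per project, roles granted to groups rather than users) can be checked mechanically against a project's IAM policy. The following is an added example, not code from the talk: it audits a constructed policy in the shape a getIamPolicy call returns (a list of role-to-members bindings); the members, role choice for the sample and etag are placeholders, and the role IDs are the ones current at the time of the talk.

```python
"""Audit a Cloud IAM policy for the least-privilege points in these notes:
who can set IAM policy or act as a service account, which Service Account
Actor grants sit at project level, and which roles go to individual users
instead of groups. The policy is constructed in getIamPolicy shape."""

# Roles named in the notes as able to perform the powerful operations.
# roles/iam.serviceAccountActor is the 2017-era role the talk refers to.
POWERFUL_ROLES = {
    "roles/owner": "set IAM policy; act as any service account",
    "roles/resourcemanager.organizationAdmin": "set IAM policy",
    "roles/iam.serviceAccountActor": "act as a service account",
}

# Constructed sample project policy (members and etag are placeholders).
SAMPLE_POLICY = {
    "etag": "BwVconstructed=",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "group:gcp-admins@example.com"]},
        {"role": "roles/iam.serviceAccountActor",
         "members": ["user:bob@example.com",
                     "serviceAccount:ci@example.iam.gserviceaccount.com"]},
        {"role": "roles/compute.instanceAdmin",
         "members": ["group:dev-team@example.com", "user:carol@example.com"]},
    ],
}


def powerful_members(policy):
    """Map each member holding one of POWERFUL_ROLES to the set of those roles."""
    result = {}
    for binding in policy.get("bindings", []):
        if binding["role"] in POWERFUL_ROLES:
            for member in binding.get("members", []):
                result.setdefault(member, set()).add(binding["role"])
    return result


def direct_user_grants(policy):
    """(member, role) pairs granted to individual users rather than groups."""
    return sorted((member, binding["role"])
                  for binding in policy.get("bindings", [])
                  for member in binding.get("members", [])
                  if member.startswith("user:"))


def project_level_actor_grants(policy):
    """Members granted Service Account Actor on the whole project (this assumes
    `policy` is the project's policy, not a single service account's)."""
    return sorted(member for binding in policy.get("bindings", [])
                  if binding["role"] == "roles/iam.serviceAccountActor"
                  for member in binding.get("members", []))


def findings(policy):
    """Human-readable review lines for the three checks above."""
    lines = []
    for member, roles in sorted(powerful_members(policy).items()):
        lines.append(f"{member} can {'; '.join(POWERFUL_ROLES[r] for r in sorted(roles))}")
    for member in project_level_actor_grants(policy):
        lines.append(f"{member} holds Service Account Actor on the project; grant it per service account")
    for member, role in direct_user_grants(policy):
        lines.append(f"{member} holds {role} directly; grant it to a group instead")
    return lines


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_POLICY)))
```

Feed it the JSON from `gcloud projects get-iam-policy PROJECT --format=json` and the output is a short review list; the membership of a group is not expanded here, so a group holding Owner still needs its members reviewed separately.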


Grant Least Privilege to Applications


Rotate Keys

  • Service Account keys
    • serviceAccounts.keys.create()
    • Replace old key with new key
    • serviceAccounts.keys.delete()
  • SSH keys
    • instances.setMetadata()
    • Replace old key with new key
    • instances.setMetadata()
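Both the manual key management through `ssh-keys` metadata described under One-Click SSH and the SSH key rotation steps just above come down to a read-modify-write of the instance's `ssh-keys` metadata item, whose value is one `USERNAME:KEY_VALUE [COMMENT]` entry per line. The following added example (not code from the talk) performs that step offline on a constructed copy of an instance's metadata object; the fingerprint, usernames and key strings are placeholders. It also drops entries whose `google-ssh {"expireOn": ...}` comment is already in the past, the comment format used for expiring keys in `ssh-keys` metadata, so stale keys are not copied forward on every rotation.

```python
"""Rotate one user's key in a Compute Engine ssh-keys metadata value.

The flow mirrors the notes: read the instance metadata, replace the old key
with the new key, and write the result back with instances.setMetadata().
The metadata object is constructed; the API call itself is not made here."""
import json
from datetime import datetime, timezone

# Constructed sample of the `metadata` field of an instance resource.
SAMPLE_METADATA = {
    "fingerprint": "constructedfingerprint==",   # opaque placeholder value
    "items": [
        {"key": "enable-oslogin", "value": "FALSE"},
        {"key": "ssh-keys", "value": "\n".join([
            "alice:ssh-rsa AAAAB3OLDKEY alice@example.com",
            "bob:ssh-ed25519 AAAAC3BOBKEY bob@example.com",
            'carol:ssh-rsa AAAAB3CAROLKEY google-ssh '
            '{"userName":"carol@example.com","expireOn":"2017-01-01T00:00:00+0000"}',
        ])},
    ],
}


def parse_ssh_keys(value):
    """Split an ssh-keys metadata value into (username, key_line) tuples."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue          # blank or malformed line: skip, never guess a user
        user, key = line.split(":", 1)
        entries.append((user, key))
    return entries


def is_expired(key_line, now):
    """True if the line carries a google-ssh comment whose expireOn has passed."""
    marker = "google-ssh "
    idx = key_line.find(marker)
    if idx == -1:
        return False
    try:
        info = json.loads(key_line[idx + len(marker):])
        expires = datetime.strptime(info["expireOn"], "%Y-%m-%dT%H:%M:%S%z")
    except (ValueError, KeyError):
        return False      # malformed comment: keep the key rather than drop it silently
    return expires <= now


def rotate_ssh_key(metadata, username, new_public_key, now=None):
    """Return a new metadata object in which `username` has only `new_public_key`
    and expired entries are pruned. The caller passes the returned object,
    including the unchanged fingerprint, to instances.setMetadata(); the API
    rejects the write if the fingerprint no longer matches, so a concurrent
    edit cannot be overwritten by this one."""
    now = now or datetime.now(timezone.utc)
    items = [dict(item) for item in metadata.get("items", [])]   # do not mutate input
    entry = next((item for item in items if item["key"] == "ssh-keys"), None)
    if entry is None:
        entry = {"key": "ssh-keys", "value": ""}
        items.append(entry)
    kept = [(user, key) for user, key in parse_ssh_keys(entry["value"])
            if user != username and not is_expired(key, now)]
    kept.append((username, new_public_key))
    entry["value"] = "\n".join(f"{user}:{key}" for user, key in kept)
    return {"fingerprint": metadata["fingerprint"], "items": items}


if __name__ == "__main__":
    rotated = rotate_ssh_key(SAMPLE_METADATA, "alice",
                             "ssh-ed25519 AAAAC3NEWKEY alice@example.com")
    print(next(i["value"] for i in rotated["items"] if i["key"] == "ssh-keys"))
```

Because the same `ssh-keys` entry can also live in project metadata (inherited by every instance), the same read-modify-write applies there through projects.setCommonInstanceMetadata; keys in both places have to be rotated, or the old key lingers at one level.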

No secrets in Instance Metadata

  • Use metadata for configuration, not secrets
  • Instance metadata is part of the instance resource
    • instances.get()
  • Best Practice: store secrets in Cloud Storage and grant the instance’s service account permission to read them.
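Since anyone with instances.get on the instance can read its metadata, it is worth checking existing instances for secrets that ended up there. The following added example (not code from the talk) scans a constructed instance resource, which only copies the real `metadata.items` shape, for key names and value patterns that indicate a credential rather than configuration; the instance name, keys and values are placeholders.

```python
"""Scan an instance resource's metadata for items that look like secrets.

Flags key names that suggest a credential and values that contain a private
key block, a service account key file or a password assignment, e.g. in a
startup script. The instance below is constructed."""
import re

# Key names that suggest the item holds a credential rather than configuration.
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[-_]?key|private[-_]?key", re.I)

# Value shapes that are almost certainly credentials.
SECRET_VALUE_PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("service account key file", re.compile(r'"type"\s*:\s*"service_account"')),
    ("password assignment", re.compile(r"passw(or)?d\s*[=:]\s*\S+", re.I)),
]

# Constructed sample instance resource (only metadata.items matters here).
SAMPLE_INSTANCE = {
    "name": "web-1",
    "metadata": {
        "fingerprint": "constructedfingerprint==",
        "items": [
            {"key": "startup-script",
             "value": "#!/bin/bash\nexport DB_PASSWORD=hunter2\n"
                      "gsutil cp gs://example-bucket/app.yaml /etc/app.yaml\n"},
            {"key": "db-password", "value": "hunter2"},
            {"key": "app-config", "value": "gs://example-bucket/app.yaml"},
        ],
    },
}


def scan_metadata(instance):
    """Return (key, reason) pairs for metadata items that look like secrets,
    in the order the items appear on the instance."""
    hits = []
    for item in instance.get("metadata", {}).get("items", []):
        key, value = item.get("key", ""), item.get("value", "")
        if SECRET_KEY_RE.search(key):
            hits.append((key, "key name suggests a secret"))
        for label, pattern in SECRET_VALUE_PATTERNS:
            if pattern.search(value):
                hits.append((key, f"value contains a {label}"))
    return hits


if __name__ == "__main__":
    for key, reason in scan_metadata(SAMPLE_INSTANCE):
        print(f"{SAMPLE_INSTANCE['name']}: metadata item '{key}': {reason}")
```

The `app-config` item shows the pattern the notes recommend: the metadata names a Cloud Storage object, and the instance's service account is what has permission to read it. Run the scanner over `gcloud compute instances list --format=json` output to cover a whole project, and over project metadata as well, since startup scripts are often set there.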

Centralized control


  • Centralized control with Organization node
    • Recover access to abandoned projects
  • Best Practices:
    • Org node for your domain
    • Folders for:
      • Shared resources
      • Individual teams
    • Project per service per environment (dev/test/prod)

Centrally Manage Images

Best Practices on Compute Engine:

  • Use Google-provided images as your base image
  • Publish your approved images to a shared project, and make available to others
  • Test these images in a separate project, not in the shared images project (someone could use by mistake).

Centrally Control Networks

  • Single project
    • Network admin and security admin roles
    • Grant devs compute instance admin role
  • Multiple projects – XPN (cross-project networking)
    • One XPN host project per network
    • Grant the networking team the Owner role on the XPN host project
      • The networking team can then grant teams access to specific subnets or to all subnets

Leave a trace

  • Retain audit logs
    • Retention periods depend on business risks
    • Cloud Storage or BigQuery
  • Forward events from the guest for centralized logging
    • Stackdriver Logging agent
      • sshd logs
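Once sshd logs are forwarded centrally, they can be checked against two of the hardening points above: password authentication and root login should both be disabled, so an accepted password login or an accepted root login is a configuration drift signal, and repeated failures from one source are worth a look. The following added example (not code from the talk) parses constructed sshd log lines in the format sshd writes to syslog; hostnames, usernames, process IDs and the source addresses (taken from the RFC 5737 documentation ranges) are placeholders.

```python
"""Detection over forwarded sshd log lines.

Flags accepted password logins (PasswordAuthentication still enabled),
accepted root logins (PermitRootLogin not 'no') and sources with repeated
failed attempts. The log text is constructed sample data."""
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to the system log.
SAMPLE_LOG = """\
Mar  8 10:01:02 web-1 sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 50122 ssh2: RSA SHA256:constructedfingerprint1
Mar  8 10:02:10 web-1 sshd[1250]: Accepted password for bob from 198.51.100.7 port 50130 ssh2
Mar  8 10:03:33 web-1 sshd[1260]: Failed password for root from 198.51.100.9 port 50140 ssh2
Mar  8 10:03:40 web-1 sshd[1261]: Failed password for invalid user admin from 198.51.100.9 port 50141 ssh2
Mar  8 10:04:00 web-1 sshd[1270]: Accepted publickey for root from 203.0.113.5 port 50150 ssh2: ED25519 SHA256:constructedfingerprint2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>publickey|password) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_sshd(log_text):
    """Extract result/method/user/src from each authentication line; other
    sshd lines (session opened, disconnects) are ignored."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def sshd_findings(log_text, failed_threshold=2):
    """Return finding strings for the hardening points in the notes."""
    events = parse_sshd(log_text)
    found = []
    for event in events:
        if event["result"] == "Accepted" and event["method"] == "password":
            found.append(f"password login accepted for {event['user']} from "
                         f"{event['src']}: PasswordAuthentication is still enabled")
        if event["result"] == "Accepted" and event["user"] == "root":
            found.append(f"root login accepted from {event['src']}: "
                         f"PermitRootLogin is not 'no'")
    failures = Counter(event["src"] for event in events if event["result"] == "Failed")
    for src, count in sorted(failures.items()):
        if count >= failed_threshold:
            found.append(f"{count} failed logins from {src}")
    return found


if __name__ == "__main__":
    for finding in sshd_findings(SAMPLE_LOG):
        print(finding)
```

The first two checks are the useful ones on Compute Engine: with metadata-managed keys every legitimate login is `Accepted publickey`, so any `Accepted password` line means an image or a startup script re-enabled password authentication somewhere.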
