Google provides a range of cloud-related identity and access management services. Let’s take a look at the release note updates between January 1st 2019 and December 31st 2019. The full release notes page is available here.
Google Cloud IAM provides “Fine-grained access control and visibility for centrally managing cloud resources.” The basic feature list contains the following:
- Enterprise-grade access control
- Basic roles management
- Granular resource control
- Context-aware access
- Built-in audit trail
- Web, programmatic, and command-line access
Some stats: there were 8 updates to the release notes over this period, consisting of 1 resolved issue and 7 feature changes. Let’s take a look at each in a bit more detail.
Service Account Descriptions
The first update of 2019 came on 28 March 2019, with a change to how you create service accounts: you can now add a description.
Service Account Management API
August 20th 2019 saw the introduction of the Service Account Credentials API as GA. Its purpose is essentially to allow services to obtain OAuth2 access tokens, OIDC id_tokens and signed JWTs to gain access to underlying resources. Google describes a subtle difference between direct and delegated access. The new API is for managing what service accounts can do and what permissions they are assigned. The emphasis on short-lived credentials refers to a default lifespan of 300 seconds per issued credential.
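The practical consequence of short-lived credentials is on the receiving side: a service that accepts an OIDC id_token should reject tokens with the wrong issuer or audience, tokens already past their expiry, and tokens whose issued-to-expiry window exceeds the lifetime it is prepared to trust. The example below is added here and is not code from the article or from Google; it assembles the generateAccessToken request body (nothing is sent, and the service account email, scope and 300-second acceptance ceiling are constructed values) and runs the claim checks on a constructed, unsigned sample token. Signature verification against Google's published keys is deliberately out of scope for an offline example and must be added before any of this is used for real.

```python
import base64
import json

# Acceptance ceiling this example enforces on presented tokens. 300 s mirrors the article's
# figure for short-lived credentials; the receiving service chooses this value (assumption).
MAX_LIFETIME_SECONDS = 300
GOOGLE_ISSUER = "https://accounts.google.com"


def build_generate_access_token_request(sa_email, scopes, lifetime_seconds=MAX_LIFETIME_SECONDS):
    """Assemble the generateAccessToken call of the Service Account Credentials API.

    Returns (url, json_body); nothing is sent here. The caller must already hold
    credentials permitted to mint tokens for the target service account.
    """
    if not 1 <= lifetime_seconds <= 3600:
        raise ValueError("lifetime must be between 1 s and 3600 s")
    url = ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{sa_email}:generateAccessToken")
    body = {"scope": list(scopes), "lifetime": f"{lifetime_seconds}s"}
    return url, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(id_token):
    """Parse the JWT payload. This does NOT verify the signature (see lead-in)."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_id_token_claims(id_token, expected_aud, now, max_lifetime=MAX_LIFETIME_SECONDS):
    """Return the list of policy violations; an empty list means the claims are acceptable."""
    claims = decode_claims(id_token)
    problems = []
    if claims.get("iss") != GOOGLE_ISSUER:
        problems.append("issuer")
    if claims.get("aud") != expected_aud:
        problems.append("audience")
    exp = claims.get("exp", 0)
    iat = claims.get("iat", 0)
    if exp <= now:
        problems.append("expired")
    if exp - iat > max_lifetime:
        problems.append("lifetime")
    return problems


def make_demo_token(claims):
    """Constructed sample JWT with an empty signature, only for exercising the checks offline."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    url, body = build_generate_access_token_request(
        "ci@example-project.iam.gserviceaccount.com",
        ["https://www.googleapis.com/auth/cloud-platform"])
    print(url, body)
    token = make_demo_token({"iss": GOOGLE_ISSUER, "aud": "https://svc.example.com",
                             "sub": "1234567890", "iat": 1000, "exp": 1300})
    print(check_id_token_claims(token, "https://svc.example.com", now=1100))
```

The lifetime check is the one most often missing in practice: a token can be unexpired and still violate a short-lived-credential policy if it was minted with an hour of validity.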
IAM Recommender Tool goes Beta
September 23rd 2019, and Google released its IAM Recommender tool in Beta. This tool is effectively all about reducing the risks associated with permission misalignment. It’s quite common for users and services to be assigned permissions, only for them to go unused, accumulate as the user rotates roles, and ultimately never be removed. The Recommender is focused on upholding the principle of least privilege by analysing assignments and usage over a 90-day period and looking for differences.
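The comparison the paragraph describes, granted role versus permissions actually exercised inside the window, can be illustrated with a small model. The code below is an added example and is not the Recommender's algorithm or any Google code: it uses a constructed two-role catalogue, constructed bindings and a constructed usage log, and proposes either removing an unused binding or replacing a role with the smallest catalogued role that still covers the permissions seen in the last 90 days.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 90  # the article's 90-day observation window

# Constructed role catalogue: a tiny subset of two real predefined roles, for illustration only.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}

# Constructed bindings: principal -> role currently granted.
BINDINGS = {
    "user:alice@example.com": "roles/storage.objectAdmin",
    "user:bob@example.com": "roles/storage.objectViewer",
}

# Constructed usage log: (principal, permission exercised, when). Bob never shows up.
NOW = datetime(2020, 1, 15, tzinfo=timezone.utc)
USAGE_LOG = [
    ("user:alice@example.com", "storage.objects.get", NOW - timedelta(days=3)),
    ("user:alice@example.com", "storage.objects.list", NOW - timedelta(days=40)),
    ("user:alice@example.com", "storage.objects.delete", NOW - timedelta(days=120)),  # outside window
]


def usage_in_window(usage_log, now, window_days=WINDOW_DAYS):
    """Collect the permissions each principal actually exercised inside the window."""
    cutoff = now - timedelta(days=window_days)
    used = {}
    for principal, permission, when in usage_log:
        if when >= cutoff:
            used.setdefault(principal, set()).add(permission)
    return used


def smallest_covering_role(needed):
    """Return the catalogued role with the fewest permissions that still covers `needed`."""
    candidates = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    if not candidates:
        return None
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]))


def recommend(bindings, usage_log, now):
    """Map each principal to ("remove", role, None), ("replace", role, smaller_role) or ("keep", role, role)."""
    used = usage_in_window(usage_log, now)
    recommendations = {}
    for principal, role in bindings.items():
        needed = used.get(principal, set())
        if not needed:
            recommendations[principal] = ("remove", role, None)
            continue
        best = smallest_covering_role(needed)
        if best is None or best == role:
            # Either the usage is not explained by this catalogue or the role already fits.
            recommendations[principal] = ("keep", role, role)
        else:
            recommendations[principal] = ("replace", role, best)
    return recommendations


if __name__ == "__main__":
    for principal, action in recommend(BINDINGS, USAGE_LOG, NOW).items():
        print(principal, action)
```

Alice's delete 120 days ago falls outside the window, so her objectAdmin grant looks oversized and the model suggests objectViewer; Bob shows no activity at all and is flagged for removal. The real service works from audit logs and a far larger role catalogue, but the shape of the decision is the same.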
Deleted user and policy member changes
December 9th 2019 saw both a change and an issue regarding user-to-policy membership, specifically when the user is deleted. There was a previous issue where, if a member of a role was deleted, you could not add a new member with the same user id. This has now been resolved, and deleted users with existing memberships are prefixed accordingly. Interestingly, this feature was then reverted 4 days later.
Cloud IAM Conditions goes beta
Another release for December, this time on the 12th. Cloud IAM Conditions was added to beta availability. It is essentially attribute-based access control, where access to a resource is based on zero or more conditions. The process uses the Common Expression Language to build up a set of rule objects, presented in JSON. Context-related conditions could refer to IP address or time of day.
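Both of the last two items change what a policy hygiene check has to look for: a binding can now carry a CEL condition (and the policy must be at version 3 for that), and a binding can reference a member that no longer exists, rendered with a deleted: prefix and the former account's numeric uid. The script below is an added example covering both sections; it is not code from the article or from Google. The policy is constructed (the etag, principals and project are placeholders), the expiry and business-hours expressions use the request.time attribute and its getHours() helper, and the expiry detection is a deliberately narrow regex over the one pattern shown, not a CEL evaluator.

```python
import re
from datetime import datetime, timezone

# Constructed sample policy, not from any real project. Version 3 is required once a
# binding carries a condition.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "PLACEHOLDER_ETAG",
    "bindings": [
        {
            "role": "roles/viewer",
            "members": [
                "user:alice@example.com",
                # How a deleted principal is rendered: deleted: prefix plus the old account's uid.
                "deleted:user:bob@example.com?uid=123456789012345678901",
            ],
        },
        {
            "role": "roles/storage.objectAdmin",
            "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
            "condition": {
                "title": "temporary_until_end_2019",
                "expression": 'request.time < timestamp("2019-12-31T23:59:59Z")',
            },
        },
        {
            "role": "roles/editor",
            "members": ["group:ops@example.com"],
            "condition": {
                "title": "business_hours_only",
                "expression": ('request.time.getHours("Europe/London") >= 9 && '
                               'request.time.getHours("Europe/London") < 18'),
            },
        },
    ],
}

DELETED_MEMBER = re.compile(
    r"^deleted:(?P<kind>user|serviceAccount|group):(?P<email>[^?]+)\?uid=(?P<uid>\d+)$")
EXPIRY = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')


def find_deleted_members(policy):
    """Bindings that still name a deleted principal: dead weight and a clue about stale grants."""
    found = []
    for binding in policy["bindings"]:
        for member in binding["members"]:
            match = DELETED_MEMBER.match(member)
            if match:
                found.append({"role": binding["role"], **match.groupdict()})
    return found


def find_expired_conditions(policy, now):
    """Conditional bindings whose request.time expiry has already passed; they grant nothing
    any more and should be cleaned up rather than left to confuse reviewers."""
    expired = []
    for binding in policy["bindings"]:
        expression = binding.get("condition", {}).get("expression", "")
        for stamp in EXPIRY.findall(expression):
            deadline = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
            if deadline <= now:
                expired.append((binding["role"], binding["condition"]["title"], stamp))
    return expired


def audit(policy, now):
    findings = {
        "deleted_members": find_deleted_members(policy),
        "expired_conditions": find_expired_conditions(policy, now),
        "version_ok": (policy.get("version") == 3
                       or not any("condition" in b for b in policy["bindings"])),
    }
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, datetime.now(timezone.utc)))
```

Run against a policy fetched with getIamPolicy (requesting policy version 3, otherwise conditional bindings are not returned in full), the same functions give a quick list of bindings worth removing before the next review.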
Policy Troubleshooter goes GA
December 17th 2019 saw the last update of the year. This was for the Policy Troubleshooter, which became generally available. As the name suggests, it assists in working out how a user does or doesn’t have access to a resource. It is essentially a policy analyser that unions all associated access and works out what the effective permissions are. It’s accessible via REST or the CLI, which would be handy for automated testing I presume?
This article was originally written in Feb 2020 – ed.