Synopsis:
Google Cloud Platform has awesome built-in functionality for keeping your cloud projects secure. Microsoft Active Directory and LDAP-like services are used by enterprises to manage the users accessing the (IT) resources of the business. Google Cloud Platform requires a user to have a Cloud Identity to be able to access the resources of a project, whether that identity comes from GSuite or from another source such as a federated Active Directory.
Problem:
From what I have experienced and seen (and I would love to know how other people deal with this), the problem is that the resources of a project are managed by a different part of the organisation than the Active Directory, and the resources might be managed at a different, "lower" level again, e.g.
- "IT" manage the creation of a GSuite account (if you have it), and they also separately create an Active Directory (or equivalent) account to allow the machine (and user) access to the network, printers, drives etc. The user is also more than likely put into one or more "groups".
- Some form of project admin for your Google Cloud Projects has to grant the user (via the user name or the group they belong to) access to the project and potentially to resources in the project.
- Over time, and due to legal or contractual requirements, users may have their rights to use resources changed. This needs to be easily managed and not turn into a conglomeration of two teams' time spent working out whose job it is to revoke the rights.
Added to this, to manage these requests you may use any number of systems to grant guest access or other rights to resources.
Solution:
I am proposing to (at a super high level) build a system that will:
- Standardise the naming conventions of the groups an organisation could have
- Have a Meta datastore that holds the organisational structure of groups, users (physical and IAM) and project permissions
- A process that runs in a project and queries the Meta datastore to get the permissions that should be in place in the requesting project and set them
- A store of the history of the changes that have been made to the permissions.
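The third and fourth bullets, as an added example that is not the author's code: the process reads the project's current IAM policy (the shape `getIamPolicy` returns), takes the desired bindings from the Meta datastore, computes the grants and revokes needed, and produces the entries for the change-history store. Project, group and user names are constructed sample values.

```python
# Added example: reconcile a GCP project's IAM policy against the desired
# bindings held in the Meta datastore. The policy shape (bindings: [{role,
# members}], etag) is the real GCP IAM policy format; the datastore contents
# and all names below are constructed. Conditional bindings (policy
# version 3) are not handled.
from __future__ import annotations
from datetime import datetime, timezone

# Constructed: what the Meta datastore says the project should have.
DESIRED = {
    "roles/viewer": {"group:gcp-proj-alpha-viewers@example.com"},
    "roles/editor": {"group:gcp-proj-alpha-editors@example.com"},
}

# Constructed: what getIamPolicy currently returns for the project.
CURRENT = {
    "etag": "BwXyZ123",
    "bindings": [
        {"role": "roles/viewer",
         "members": ["group:gcp-proj-alpha-viewers@example.com",
                     "user:leaver@example.com"]},
        {"role": "roles/owner", "members": ["user:contractor@example.com"]},
    ],
}

def reconcile(current: dict, desired: dict[str, set[str]]):
    """Return (new_policy, changes). Anything not in `desired` is removed, so
    drift such as a manually added owner is revoked, not merely reported."""
    have = {b["role"]: set(b["members"]) for b in current.get("bindings", [])}
    changes = []
    ts = datetime.now(timezone.utc).isoformat()
    for role in sorted(set(have) | set(desired)):
        for m in sorted(desired.get(role, set()) - have.get(role, set())):
            changes.append({"ts": ts, "op": "grant", "role": role, "member": m})
        for m in sorted(have.get(role, set()) - desired.get(role, set())):
            changes.append({"ts": ts, "op": "revoke", "role": role, "member": m})
    new_policy = {
        # Keep the etag so a real setIamPolicy call is rejected if the policy
        # changed between our read and our write (read-modify-write safety).
        "etag": current.get("etag"),
        "bindings": [{"role": r, "members": sorted(ms)}
                     for r, ms in sorted(desired.items()) if ms],
    }
    return new_policy, changes

if __name__ == "__main__":
    policy, history = reconcile(CURRENT, DESIRED)
    for change in history:  # these rows go to the change-history store
        print(change)
```

Running the same reconcile against the policy it just produced yields no changes, which is the property that lets the process run on a schedule.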
Where to start:
I am first of all going to look at how Google Cloud projects are set up, what the hierarchy of resources is, and whether the permissions are uniform (analogous) across all types of resource, and progress from there.
FULL DISCLOSURE: I have already made a start here, but knowing what I do now, I am going to start again as I think there are improvements to be made. Also, Google are always updating what they do and therefore things have changed!