This blueprint shows two applications of delegated role grants:
- how to use them to restrict service usage in a GCP project
- how to use them to allow administrative access to a service via a predefined role, while restricting administrators from minting other admins.
In its default configuration, the blueprint provisions two sets of permissions:
- the roles listed in
direct_role_grantswill be granted unconditionally to the users listed inproject_administrators. - additionally,
project_administratorswill be granted the roleroles/resourcemanager.projectIamAdminin a restricted fashion, allowing them to only grant the roles listed indelegated_role_grantsto other users.
By carefully choosing direct_role_grants and delegated_role_grants, you can restrict which services can be used within the project while still giving enough freedom to project administrators to still grant permissions to other principals within their projects.
This diagram shows the resources and expected behaviour:
A Medium article has been published for this blueprint, refer to it for more details on the context and the specifics of running the blueprint.
By changing the restricted_role_grant, the blueprint can be used to grant administrators a predefined role like roles/compute.networkAdmin, which allows setting IAM policies on service resources like subnetworks, but restrict the roles that those administrators are able to confer to other users.
You can easily configure the blueprint for this use case:
# terraform.tfvars
delegated_role_grants = ["roles/compute.networkUser"]
direct_role_grants = []
restricted_role_grant = "roles/compute.networkAdmin"This diagram shows the resources and expected behaviour:
Clone this repository or open it in cloud shell, then go through the following steps to create resources:
terraform initterraform apply -var project_id=my-project-id 'project_administrators=["user:[email protected]"]'
Once done testing, you can clean up resources by running terraform destroy.
This blueprint includes a python script that audits a list of roles to ensure you're not granting the setIamPolicy permission at the project, folder or organization level. To audit all the predefined compute roles, run it like this:
pip3 install -r requirements.txt
gcloud iam roles list --filter="name:roles/compute. stage=GA" --format="get(name)" > roles.txt
python3 audit.py roles.txtIf you get any warnings, check the roles and remove any of them granting any of the following permissions:
resourcemanager.projects.setIamPolicyresourcemanager.folders.setIamPolicyresourcemanager.organizations.setIamPolicy
| name | description | type | required | default |
|---|---|---|---|---|
| project_administrators | List identities granted administrator permissions. | list(string) |
✓ | |
| project_id | GCP project id where to grant direct and delegated roles to the users listed in project_administrators. | string |
✓ | |
| delegated_role_grants | List of roles that project administrators will be allowed to grant/revoke. | list(string) |
[…] |
|
| direct_role_grants | List of roles granted directly to project administrators. | list(string) |
[…] |
|
| project_create | Create project instead of using an existing one. | bool |
false |
|
| restricted_role_grant | Role grant to which the restrictions will apply. | string |
"roles/resourcemanager.projectIamAdmin" |
module "test" {
source = "./fabric/blueprints/cloud-operations/iam-delegated-role-grants"
project_create = true
project_id = "project-1"
project_administrators = ["user:[email protected]"]
}
# tftest modules=2 resources=4