5

I am switching many of my projects over to Google Cloud Platform (GCP), but I traditionally have more experience with AWS.

In AWS, using IAM, I can grant my users a low-privileged Role and configure a higher-privileged Role that they are allowed to assume (switch to) temporarily after a recent MFA has been provided.

The idea is so that my developers do not have powerful Access Keys sitting in plaintext on their disk (of course there's full disk encryption). This mitigates the impact of leaking that key (read only access) and lessens risk of random mistakes being made. (ref AWS doc http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html#ExampleMFAforIAMUserAge)

How can I reproduce this pattern with GCP IAM?
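An audit check for the AWS pattern described in the question, added here as an example and not part of the original post: it flags `sts:AssumeRole` trust statements that carry no recent-MFA bound on `aws:MultiFactorAuthAge`. The sample policy, account ID, Sids and function names are constructed for illustration.

```python
import json

# Constructed sample: trust policy of a hypothetical higher-privileged role.
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "RecentMfa", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}},
  {"Sid": "NoMfa", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:user/ci"},
   "Action": "sts:AssumeRole"}
]}
""")

# "...IfExists" variants are deliberately excluded: they also match when the
# MFA key is absent (long-term access keys), so they do not enforce MFA.
_BOUNDING_OPERATORS = ("numericlessthan", "numericlessthanequals")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def mfa_age_limit(statement):
    """Effective MFA age bound in seconds for one statement, or None."""
    per_operator = []
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower() not in _BOUNDING_OPERATORS:
            continue
        for key, value in keys.items():
            if key.lower() == "aws:multifactorauthage":
                # Several values under one key are ORed: the loosest applies.
                per_operator.append(max(int(v) for v in _as_list(value)))
    # Separate operators are ANDed: the strictest of them applies.
    return min(per_operator) if per_operator else None

def unguarded_statements(policy, max_age=3600):
    """List (Sid, reason) for Allow/AssumeRole statements without a tight MFA bound."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        limit = mfa_age_limit(stmt)
        if limit is None:
            findings.append((stmt.get("Sid"), "no aws:MultiFactorAuthAge bound"))
        elif limit > max_age:
            findings.append((stmt.get("Sid"), f"MFA age bound {limit}s exceeds {max_age}s"))
    return findings
```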

1 Answer

0

Well, that depends on how you would actually like to proceed. Although AWS & GCP are different platforms, you can still find similarities.

Try checking out these links if you just want to pre-define roles or access:

https://cloud.google.com/iam/docs/granting-roles-to-service-accounts

https://cloud.google.com/iam/docs/service-accounts

https://cloud.google.com/iam/docs/understanding-roles#predefined_roles