Difference between google_project_iam_binding and google_project_iam_member - terraform-provider-gcp

Hi terraform mates out there
I want to automate the role assignment process for service accounts and users on the Google Cloud Platform. I am actually thinking of creating IAM custom roles as Terraform resources to get fine-grained roles for different services, and assigning that role to the users or service accounts I want to.
Checking the way to associate which members will get what roles, I am actually wondering what the difference is between using google_project_iam_binding and using google_project_iam_member resources.
My current understanding would be to use google_project_iam_binding to grant roles to service accounts and google_project_iam_member for user accounts, but I am not sure since in the documentation they use both to associate user accounts.
I also found this interesting article https://binx.io/nl/2021/12/16/how-to-name-your-google-project-iam-resources-in-terraform/
As you know, Google IAM resources in Terraform come in three flavors:
google_project_iam_policy to define a complete policy for the project.
google_project_iam_binding to define all the members of a single role.
google_project_iam_member to define a single role binding for a single principal.
I didn't know the previous sentence and I would like to deep dive into the way I can use policies and IAM roles in a better way for my purpose.

As the documentation states:
google_project_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
google_project_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
This means that google_project_iam_binding will grant a role to a list of members, and revoke it from any other member.
So if your project had two users, e.g. jane@example.com and joe@example.com, who both have roles/editor on the project, running the following Terraform snippet will revoke roles/editor from joe@example.com as it's not present in the member list of google_project_iam_binding:
    resource "google_project_iam_binding" "project" {
      project = "your-project-id"
      role    = "roles/editor"
      members = [
        "user:jane@example.com",
      ]
    }
However, if you have for example jane@example.com and joe@example.com who both have roles/editor on the project, and you want to add a new editor (someone@example.com) without affecting the other roles/users, you can use google_project_iam_member:
    resource "google_project_iam_member" "project" {
      project = "your-project-id"
      role    = "roles/editor"
      member  = "user:someone@example.com"
    }
Notes from the documentation:
google_project_iam_policy cannot be used in conjunction with google_project_iam_binding, google_project_iam_member, or google_project_iam_audit_config or they will fight over what your policy should be.
google_project_iam_binding resources can be used in conjunction with google_project_iam_member resources only if they do not grant privilege to the same role.
See:
Terraform google_project_iam_binding deletes GCP compute engine default service account from IAM principals
https://discuss.hashicorp.com/t/difference-between-google-project-iam-binding-and-google-project-iam-member/49645/2
https://github.com/hashicorp/terraform-provider-google/issues/8354
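To make the authoritative/non-authoritative difference concrete, here is an added simulation (not provider code) of how the two resources change a project IAM policy. The policy dict mirrors the `bindings` shape of `gcloud projects get-iam-policy`; the starting members are constructed, and `revoked_by` shows the grants a binding silently drops (which is how a binding on `roles/editor` can remove the default compute service account mentioned in the linked issue), while `conflicting_roles` flags the binding/member overlap the documentation warns about.

```python
"""Simulate google_project_iam_binding (authoritative per role) vs
google_project_iam_member (additive) on a GCP project IAM policy.
Added illustration only; the policy document shape follows GCP's
{"bindings": [{"role": ..., "members": [...]}]} JSON."""
from copy import deepcopy

# Constructed starting policy: jane and joe are both editors, amy is a viewer.
INITIAL_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:jane@example.com", "user:joe@example.com"]},
        {"role": "roles/viewer", "members": ["user:amy@example.com"]},
    ]
}


def _binding_for(policy, role):
    """Return the binding for `role`, creating an empty one if absent."""
    for b in policy["bindings"]:
        if b["role"] == role:
            return b
    b = {"role": role, "members": []}
    policy["bindings"].append(b)
    return b


def apply_iam_binding(policy, role, members):
    """google_project_iam_binding: the member list for `role` becomes exactly
    `members`; anyone not listed loses the role, other roles are untouched."""
    new = deepcopy(policy)
    _binding_for(new, role)["members"] = sorted(set(members))
    return new


def apply_iam_member(policy, role, member):
    """google_project_iam_member: add one member to `role`, keep the rest."""
    new = deepcopy(policy)
    b = _binding_for(new, role)
    if member not in b["members"]:
        b["members"].append(member)
    return new


def members_of(policy, role):
    return sorted(m for b in policy["bindings"] if b["role"] == role
                  for m in b["members"])


def revoked_by(before, after):
    """(role, member) grants present before but gone after: the blast radius."""
    return sorted((b["role"], m) for b in before["bindings"]
                  for m in b["members"] if m not in members_of(after, b["role"]))


def conflicting_roles(binding_roles, member_roles):
    """Roles managed by both resource types: each apply would undo the other."""
    return sorted(set(binding_roles) & set(member_roles))
```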

Related

What is the role assigned to the creator of the resource in Azure

We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
I can see that whatever resource I create, I still inherit the Contributor role only. But ideally, I should get the Owner role for the resources I create!!
What am I missing here? Can you please route me to the relevant document if any? I don't see clear information on this.
Let's say, by default all users are given a very restrictive role -> the 'Reader' role for all the resources.
Now, the user can have all sorts of roles on the resources created by him... so does this work in Azure?
We have a tenant where all users are provided Contributor access. Now, if I create a resource, what is the role assigned to me?
You will get the Contributor role. Because you did not explicitly assign any role on the resource you created, you will inherit the role from the parent.
But ideally, I should get the Owner role for the resources I create!! What am I missing here?
In order to get an Owner role for the resource you created, someone with the Owner or User Access Administrator role needs to grant you that role on the resource you created. You cannot grant yourself a higher role.
Let's say, by default all users are given a very restrictive role -> the 'Reader' role for all the resources. Now, the user can have all sorts of roles on the resources created by him... so does this work in Azure?
Explicit role assignment needs to be performed at the resource level.

User Access Review custom report in Microsoft Azure

Is there a way I can fetch all users currently assigned permissions to each resource created under a subscription?
To put it in other words, I want to traverse all the resources created under a subscription and get the list of all users, service principal names, SGs and AAD groups, along with their role, who have access to each resource. This report would help me perform a periodic user access review.
Any leads/code would be appreciated.
You could simply get that with the PowerShell command Get-AzRoleAssignment.
Without any parameter, Get-AzRoleAssignment will get all the role assignments in the subscription. You can also leverage different parameters, e.g. -ObjectId or -Scope, to list assignments to a specific user/service principal/security group, or to list assignments on a specific resource group or resource.
For more details, see https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-powershell
The same thing can also be achieved by the REST API, Azure CLI, and the SDKs of different languages.

Azure Policy Exclusion if Owner or Contributor

Looking for a way to create an Azure policy which denies based on a policy rule, but does not deny if you are an Owner on the policy assignment scope, or if the assignment scope is a specific AAD Group (ideally a name wildcard match).
Azure Policy Info:
The working Policy is denying role assignments if the role definition id is not within the parameter values
The Desire:
A specific role definition id is denied on a role assignment attempt if it does not match the whitelist; however, role assignment attempts are NOT denied if you are an Owner on the scope, or, if that is not possible, if the assignment scope is an AAD Group name matching a wildcard or regex.
The issue:
We have successfully denied all role assignments if the role definition was not allowed in the Azure policy.
We the admins are in turn now being blocked by the policy when attempting to assign custom roles that are not on the allowed role definitions list.
These custom roles not on the allowed list are being assigned to AAD Groups.
Not sure if we can create some kind of exclusion if you are an Owner, or maybe for the AAD group naming convention (customer-group-*).
Summary:
We need this Azure policy to deny customers the ability to assign any RBAC role that does not match a role definition id on the allowed list, but we as the admins, who will have the 'Owner' or 'Contributor' role, need to still be able to assign roles not on the allowed list.
I have not been able to stratify a solution via either Azure Policy or RBAC to achieve this.
Azure Policy is not "user-aware", so you cannot exclude based on Roles.

Azure Resource Group Access

How to restrict a user from accessing specific resource groups?
For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.
When you create a new user for Azure, they have no permissions at all against any subscriptions; logging into the portal will present an empty view with no resources.
If you add that user the Reader permission they will then be able to read any resource in the subscription, but not modify anything, as would be expected. With Reader permission on the subscription, they cannot create anything, resource groups or otherwise.
If that user is only given permissions to a resource group, with no permission on the subscription, then they will only see the resource group they have permissions in. They will then have whatever permissions they have been granted within that group.
Under the surface, every Contributor and Reader role has the "Microsoft.Resources/subscriptions/resourceGroups/read" action, meaning that anyone with any Contributor or Reader role can see all resource groups.
There is no built-in role that has an explicitly defined resourceGroups/write or resourceGroups/* permission.
The only roles with that permission implicitly applied are Contributor and Owner, which have "*" applied.
This means that only Contributors and Owners can create resource groups in a subscription.
It would be possible to create a custom role that denied resourceGroups/write.
So, to answer your question, to limit a user to only being able to see specific resource groups, ensure that they don't have any access at the subscription level (any access at all at this level will allow them to see resource groups), and only apply permissions to the resource groups you wish them to see.
For example, I have 10 resource groups in a subscription out of which the user should be able to access only 3 resource groups where the user can do their operations.
The above is possible with the following steps:
Add the user to the subscription. Don't assign any role at the subscription level for this user.
Add the user as Contributor to the selected three resource groups (in the Access Control (IAM) property) through a role assignment.
The above two configurations will enable the user to only view and operate on the explicit three resource groups; other resource groups will not appear in the Azure portal.
Best practice would be to add the user to a security group and assign the security group to the roles.
Add the user to the Contributor role in those resource groups.
Go to the resource group, then open Access Control (IAM), and add the user to the Contributor role. Repeat for each resource group.

AzMan Nested Roles not finding user in role

I'm using AzMan (1.0) for an ASP.NET web app, and I have a question about nested roles.
Say I have the following roles:
MyApp
MyAppUser
MyAppAdmin
MyAppSupport
For the most part, all users (MyApp) can access the app, but some functions will be specific to the other roles.
I want to declaratively restrict access to the web pages to members of the MyApp role:
    [PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
I will check User.IsInRole or use the AzMan API to check for operation permissions within my code.
The users are assigned to the lower-level roles (user, admin, support) and those roles are added to the MyApp role.
The problem is that when I check if the user is a member of the MyApp role, they aren't, even though the role they are in belongs to the MyApp role. Is the only way to check this to recursively go through all the roles? That'd mean I can't use the declarative security, or to do so I'd have to add all users to the top-level group as well (not ideal).
It sounds like you're expecting a composite Role Definition (where a Role Definition is defined to include other Role Definitions) to be supported in the call to IsInRole(). I think you'd get the results you want if you used Group inheritance and Role Assignment instead.
In other words, rather than depending on IsInRole to follow the Role Definition for "MyApp" to determine that the Role Definition "MyAppAdmin" is part of that definition, create the inheritance using Groups instead, and then assign one or more groups to your Role Definition using Role Assignment. You could create an "Administrators" group, which might be a member of the "Everyone" group.
I'm really thinking that your role names are really better group names. A role signifies certain capabilities, not a classification of users based on their rights; that's what a group is for.
For example, suppose that most users (not admins or support) have read-only access to your app. I tend to call that role "Viewer" and I assign it the tasks or operations that allow users in that role only the ability to view, not edit, any data. I would assign everyone to that role (whether I do that with just one group or several doesn't really matter). The "Support" role allows users assigned to it to perform certain operations (or tasks grouping operations). Only some people would be assigned to that role (again, maybe they are assigned individually, or I have a group named "Customer Support Reps"; it doesn't matter).
In my app, I could check IsInRole("Viewer") and everyone who is a user will be in that role. But if I check IsInRole("Support"), only the people in the "Customer Support Reps" group assigned to that role would return True.