On-Demand Access for Google Cloud Platform (GCP)

2 years ago
Written by
Fouad Matin
@fouadmatin

This post will guide you through the process of setting up on-demand access control for Google Cloud with Indent. You and your team will be able to get, review, and revoke temporary access to production in minutes.

Without Indent, most teams have either:

  1. Open-by-default access where most, if not all, engineers have standing Editor / Owner access to Google Cloud
  2. Locked down IAM where only a handful of senior engineers / DevOps have any access to Google Cloud

Check out this demo for requesting access to Google Groups:

There are tradeoffs with both approaches that ultimately come down to one question: do you want to prioritize speed or security? With Indent, you can get both with a policy that grants engineers access faster than they can boot up a local environment.

Prerequisite: RBAC with Google Groups

Before we get started, let's talk about the Google Cloud access control model. There's a lot of technical information about this model in the Google Cloud documentation, but let's keep it simple for our purposes.

There are two Google Cloud specific terms to know:

  • Principals: people or groups that you want to grant access to.
  • Roles: permissions that you want to grant to the principals.

Most teams will directly add engineers as principals and grant them Owner access to avoid having to update the IAM policy regularly. This can work for some companies in the early days, but as usage picks up and the team grows, it becomes more important to have a clear policy that is easy to understand and manage, so that accidents are avoided.

We recommend implementing role-based access control (RBAC) with Google Groups to easily manage the permissions you're granting to your team. If you already have groups configured as principals, you can skip to Step 1. If not, here are some options for groups that could work based on your goals.

Option 1: Job-specific groups

For most companies starting with open-by-default, we recommend adopting a job-specific groups model. This means you'll give engineers a base Viewer role that lets them still click around. If they want to make changes they can request the elevated access on-demand.

When people need Editor (or Owner) access, they can request temporary membership in a group that grants them the necessary access.

| Group Email         | Group Name      | Suggested Permission(s) |
|---------------------|-----------------|-------------------------|
| eng@...             | Engineering     | Viewer                  |
| acl-prod-editor@... | GCP Prod Editor | Editor                  |
| acl-prod-owner@...  | GCP Prod Owner  | Owner                   |

Frequently asked question: What's the difference between Editor and Owner?

Editors have all Viewer permissions, plus permissions for actions that modify state, such as changing existing resources (e.g. creating a bucket or deleting an instance).

Meanwhile, Owners have all the permissions that Editors do but they can also modify roles and billing for the project. If you're deciding between granting someone Editor vs Owner roles, they probably just need Editor.

Option 2: Workflow-oriented groups

As your team or security risk grows, you'll want to create more groups to manage the fine-grained access engineers need. This approach maps the workflows that engineers might need to accomplish to pre-configured groups that have everything they need.

| Group Email                 | Group Name              | Suggested Permission(s)                                         |
|-----------------------------|-------------------------|-----------------------------------------------------------------|
| eng@...                     | Engineering             | Viewer                                                          |
| acl-prod-logs-viewer@...    | GCP Prod Logs           | Logs Viewer, Monitoring AlertPolicy Viewer, Monitoring Viewer   |
| acl-prod-storage-viewer@... | GCP Prod Storage Viewer | Storage Object Viewer                                           |
| acl-prod-storage-admin@...  | GCP Prod Storage Admin  | Storage Admin                                                   |
| acl-prod-sql-viewer@...     | GCP Prod Database Viewer | Cloud SQL Viewer                                               |
| acl-prod-sql-admin@...      | GCP Prod Database Admin | Cloud SQL Admin                                                 |
| acl-prod-editor@...         | GCP Prod Editor         | Editor                                                          |
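To check whether a project still has standing user grants that should go through the groups above, here is a small audit script added for this post (not Indent's code, and not part of the original post). It assumes the job-specific groups live at example.com and maps them to the standard `roles/viewer`, `roles/editor` and `roles/owner` ids; the policy document is a constructed sample in the shape `gcloud projects get-iam-policy --format=json` returns.

```python
import json

# Groups from the job-specific model above, keyed by the GCP role they front.
# The example.com domain and the roles/* ids are assumptions of this example.
GROUP_FOR_ROLE = {
    "roles/viewer": "group:eng@example.com",
    "roles/editor": "group:acl-prod-editor@example.com",
    "roles/owner": "group:acl-prod-owner@example.com",
}

# Constructed sample in the shape `gcloud projects get-iam-policy --format=json` prints.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/editor",
     "members": ["group:acl-prod-editor@example.com", "user:carol@example.com",
                 "serviceAccount:deploy@example.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["group:eng@example.com"]},
]})

def standing_grants(policy_json):
    """List (role, member, group) for every human principal bound directly to a
    role that should only be reachable through its group (requested on demand)."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        group = GROUP_FOR_ROLE.get(binding["role"])
        if group is None:
            continue  # role outside the model; leave it alone
        for member in binding.get("members", []):
            if member.startswith("user:"):
                findings.append((binding["role"], member, group))
    return findings

def groupify_policy(policy_json):
    """Return the policy with direct user grants of fronted roles replaced by the
    group binding. Service accounts and other member types are left untouched."""
    policy = json.loads(policy_json)
    for binding in policy.get("bindings", []):
        group = GROUP_FOR_ROLE.get(binding["role"])
        if group is None:
            continue
        kept = [m for m in binding.get("members", []) if not m.startswith("user:")]
        if group not in kept:
            kept.append(group)
        binding["members"] = kept
    return policy
```

Run `standing_grants` over the real policy before switching to groups, and review the output of `groupify_policy` before applying it, since a user who still needs a role will now get it only by requesting group membership.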

Step 1: Add Indent to Slack

Indent is available as a Slack app that allows your team to get, review, and revoke access directly from Slack. If you haven't connected Indent to your Slack, you can do that now:

Get started →

Step 2: Install Google Groups Integration

Once you've installed Indent into your Slack workspace, you can install the Google Groups integration to pull groups in as resources and allow your team to request access. You can install the Google integration with one click at indent.com/start

As part of the installation, you can configure the reviewers for the groups you imported into Indent and where you want notifications to be sent.

Step 3: Grant Access to Google Cloud

Congratulations, you're all done! In Slack, you can type /access, request from your Indent dashboard or go to: access.new

Any member of your team can request access to any of the Google Groups you just imported; you'll get a notification and can approve without ever leaving Slack. Now your team can get access to prod on-demand, faster than they can boot up a local environment. Happy accessing!

Try Indent for free.