Assigning proper permissions for Google Cloud administrators are of utmost importance. It’s crucial to strike a balance between granting your employees the necessary access to excel in their roles avoiding the potential pitfalls of excessive permissions. Bestowing unrestricted access upon all your employees could lead to unintended errors or even intentional misuse of services outside the employees’ purview. So, it’s imperative to assign to your principals the precise permissions required, adhering to the principle of least privilege.
Google Cloud offers predefined roles, which encompass a set of permissions. By assigning these roles, all the included permissions are granted to the respective principals, whether they’re service accounts, end users, or groups. However, there are instances where an organization may require a more nuanced approach than the predefined roles provide.
For example, a large company may have distinct volume administrators and backup administrators. The company might want to allow their volume administrators to create, delete, and resize volumes, without extending privileges to back up and delete backups of those volumes. Likewise, a company may want to allow backup administrators the ability to back up volumes and delete backups, but not to delete the volumes that they are backing up. That way, if the volume is accidentally or intentionally deleted, the same individual or group can’t eliminate the corresponding backup and the group that performs backups cannot accidentally or intentionally delete the volume as shown below.
Although the use of predefined roles is generally recommended, assigning the Google Cloud NetApp Volumes admin role to both job functions in this scenario would result in excessive permissions for both administrators. To mitigate this issue, you can establish a custom role that is tailored specifically for the volume administrator and a separate custom role for the backup administrator. By doing so, you can strike a balance between granting the necessary permissions and maintaining a granular level of control over the administration tasks.
This blog post delves into the various role types that are available in Google Cloud. It also provides a guide on how to create a custom role for Google Cloud NetApp Volumes (NetApp Volumes), creating a new a custom role for a backup administrator as an example. Although we show how to create and assign this custom role by using the console, you can perform the same tasks by using the Google SDK/CLI instead.
What Google Cloud roles are offered with NetApp Volumes?
Google Cloud provides three types of roles: basic, predefined, and custom.
Basic roles were introduced before Google Cloud Identity and Access Management (IAM) was available. These roles are very permissive, offer no granularity, and thus should be used sparingly and only for validation and test environments or for very small environments. The three basic roles include:
- Viewer (roles/viewer). Provides viewing and read-only access to all resources in the project, folder, or organization.
- Editor (roles/editor). Provides viewer access plus the ability to change the state of some resources in the project, folder, or organization.
- Owner (roles/owner). Provides editor access and the ability to set up sensitive tasks—for example, to change roles and permissions—in the project, folder, or organization.
You can use a basic role to grant access to NetApp Volumes. However, the recipient then also has access to a vast array of other Google Cloud services that may not be necessary and that may contradict the principle of least privilege.
Predefined roles, introduced with Google IAM, are created by Google Cloud to limit permissions for certain functionality or job types and to provide more granularity. Google Cloud has created and maintains a vast array of predefined roles for its services, including two predefined roles for Google Cloud NetApp Volumes:
- Google Cloud NetApp Volumes Viewer (roles/netapp.viewer). This role limits users to only reading resources within NetApp Volumes.
- Google Cloud NetApp Volumes Admin (roles/netapp.admin). This role grants users full access to all NetApp Volumes resources.
Custom roles allow you to fine-tune a role for your specific needs. This type of role is useful if you have specific job roles and want to limit access to Google Cloud resources for a specific principal. Custom roles facilitate the principle of least privilege both to enhance security and to help eliminate potential mishaps.
How to create and apply a custom role
First, you need to create the custom role, then you apply it to a principal. A principal can be a service account, a user, or a group. Before you can create a custom role, you must be granted the Role Administrator (roles/iam.roleAdmin) or the Organization Role Administrator (roles/iam.organizationRoleAdmin) role.
Create a custom role for NetApp Volumes
The simplest way to create a custom role is by starting with a predefined role that encompasses many permissions, including at least some of your required permissions. You can then add or remove permissions and save the result as a new role.
As an example, let’s create a role that has permission to create backup policies and backup vaults. It can also create and delete backups and restore volumes from backup. However, it does not have permission to delete any volumes or storage pools.
Step 1 – Access the Google Cloud NetApp Volumes Admin Role
Start by going to the Roles page on the Google Cloud console.
All the roles in your project will be displayed. Next, use the filter to enter "Google Cloud NetApp Volumes Admin", and that role should appear. The Google Cloud NetApp Volumes Admin role should have excess permissions than what you need.
Step 2 – Create new role from Google Cloud NetApp Volumes Admin role
Select the Google Cloud NetApp Volumes Admin role, and the CREATE ROLE FROM SELECTION button becomes blue. Click CREATE ROLE FROM SELECTION.
The Create Role page then displays, and you can enter a title, a description, the ID, and the launch stage for the role. The launch stage includes Alpha and Beta for testing the role, and it includes General Availability for full role deployment.
Since this role has not been tested yet, we will set the role to the Alpha stage for the example. This can be changed later.
Deselect all the permissions that you don’t want the new role to have. Be sure to page forward to deselect all the excess permissions.
Make sure to include resourcemanager.projects.get and resourcemanager.projects.list to allow access to the project. (If you’re creating a project-based custom role, resourcemanager.projects.list does not apply).
The role in this example includes only the following permissions after the rest are deselected:
In this case, your backup administrator can restore volumes from backups, so you must give them the netapp.volumes.create and netapp.storagePools.list permissions. The permission netapp.volumes.update is also required to attach a backup policy to a volume. Your backup administrator is not allowed to delete any volumes, however.
Step 3 – Save the new custom role
Hit CREATE, and your new custom role has been created and saved. It will appear on the list for all roles in the project.
Next, you need to attach this role to a principal.
Attach the custom role to a principal
To attach the new custom role to your backup administrator, you must still have the Role Administrator (roles/iam.RoleAdmin) or the Organization Role Administrator (roles/iam.organizationRoleAdmin) role assigned to your principal.
You want to give this role’s permissions to a backup administrator on Google Cloud. First, go to the IAM area on the console.
On the Permissions page, select the ALLOW policies and VIEW BY PRINCIPALS.
Simply scroll down to the principal that you want and click the Edit Principal pencil button to the right. The Assign Roles page appears.
Click on +ADD ANOTHER ROLE at the bottom. Select Role and then Custom. Your custom role should then be selectable on the right.
Select it and save the changes. You can also test the changes to confirm that the role does what you want it to do by using the TEST CHANGES button below.
Now when that backup administrator logs in, they have only the permissions that are assigned to them. In this example, a principal assigned to just this role sees the following on the Volumes page. As the right-hand column shows, the ability to delete a volume is grayed out (disabled), so the backup admin is unable to delete a volume.
You have finished creating and attaching the backup admin custom role!
Now what?
Now that you know how to create custom roles, you’re ready to start separating duties and operating in a very secure environment, using the principle of least privilege. You could also build a subsequent custom role can then be created for a volume administrator to allow access to create and to delete volumes but not to create or to delete backups by using the same approach with a different set of permissions. Be sure to create and apply granular custom roles in compliance with your company’s own regulations.
Get started today. Learn more about custom roles and how to set up IAM permissions for NetApp Volumes. Then try it out for yourself! And be sure to let us know how it goes. We’d love to hear your feedback!