Google Cloud Platform (GCP) offers two essential services for managing access and security: Identity and Access Management (IAM) and Identity-Aware Proxy (IAP). Both play critical roles in securing a cloud environment, but they serve different purposes and operate at different levels of the stack. In this article we go through IAP and IAM one by one and then look at how they differ and how they fit together.
What is GCP Identity-Aware Proxy (IAP)?
Identity-Aware Proxy (IAP) is a Google Cloud service that authenticates and authorizes every request before it reaches your application. The proxy sits between the client and the application, acting as a gatekeeper that enforces identity-based authentication and fine-grained access control, so the application itself does not have to implement its own login or perimeter checks.
Below is the flow of how authentication works for applications protected by IAP, whether they run on App Engine or sit behind a load balancer.
How IAP Authentication Works
When users send requests to access your Google Cloud resources, the traffic is routed through either App Engine (for application access) or Cloud Load Balancing (for accessing Compute Engine or GKE resources).
The serving infrastructure that the user is connecting to first checks whether IAP is enabled for the application or backend service. If it is, it forwards information about the requested resource to the IAP authentication server: the Google Cloud project number, the request URL, and any IAP credentials present in the request headers or cookies. IAP then checks those credentials; if none are present or they are invalid, the user is redirected to the OAuth 2.0 Google sign-in flow, which stores a token in a browser cookie for subsequent requests.
After successful authentication, IAP checks the IAM policy of the resource to confirm that the user is authorized. If the user holds the IAP-secured Web App User role (roles/iap.httpsResourceAccessor) on the Google Cloud project, or on the specific App Engine service or backend service, the request is forwarded to the application; otherwise IAP returns an access-denied page and the application never sees the request. IAP adds signed headers to forwarded requests (x-goog-iap-jwt-assertion, plus X-Goog-Authenticated-User-Email and X-Goog-Authenticated-User-ID), and the application should verify the JWT rather than trust the plain headers, because anything that can reach the backend without passing through IAP can set those headers itself.
Key Features of GCP Identity-Aware Proxy (IAP):
- Context-Aware Access: IAP provides context-aware access control, allowing you to define access policies based on user identity, device trustworthiness, and other contextual factors. This ensures that users can only access resources when certain conditions are met.
- Secure Remote Access: With IAP, you can provide access to your applications and VMs from anywhere, including untrusted networks like the Internet, because every request is authenticated at the proxy and carried over TLS; VMs reached through IAP TCP forwarding need no public IP address at all.
- Zero Trust Security: IAP operates on the principle of zero trust, meaning that access is never implicitly trusted based solely on network location. Users and devices must authenticate and meet access criteria before gaining entry.
- Integration with Identity Providers: IAP seamlessly integrates with popular identity providers like Google Workspace, Cloud Identity, and third-party identity solutions, allowing you to leverage your existing user directories.
- Granular Access Control: You can define fine-grained access policies specifying who can reach specific resources, such as applications running on App Engine, backends behind Cloud Load Balancing on Compute Engine or GKE, or SSH and RDP sessions to VM instances through IAP TCP forwarding.
Working of Google Cloud Identity-Aware Proxy (IAP) with Real-Time Implementation
Imagine you work as an IT administrator in a medium-sized organization. Your company has an internal HR portal that contains sensitive employee data, including payroll information, performance reviews, and personal records. You need to ensure that only authorized HR personnel can access this portal, whether they are in the office or working remotely.
Step 1: Setting Up IAP
You begin by configuring IAP for the HR portal application hosted on App Engine. This involves configuring the OAuth consent screen, enabling IAP for the specific App Engine service, and granting access to the people who need it; until a grant exists, IAP denies everyone.
Step 2: Define Access Policies
Next, you define access policies within IAP:
- HR Managers Group: You create a Google Group called “HR Managers”, add all HR managers to it, and grant the group the IAP-secured Web App User role on the HR portal. Granting the role to the group rather than to individuals means access follows the HR roster instead of a pile of ad-hoc bindings.
- Authentication: IAP authenticates users with their Google Workspace accounts. Setting the OAuth consent screen’s user type to Internal limits sign-in to accounts in your organization, so only employees with company accounts even reach the authorization step.
- Context Evaluation: You define access levels in Access Context Manager (for example the corporate IP ranges, or corporate-managed devices) and attach one to the group’s role binding as an IAM condition, so the role applies only to requests that satisfy the access level.
Step 3: Real-Time Access Control
Now, let’s see how IAP works when someone attempts to access the HR portal:
- Alice, an HR manager, attempts to access the HR portal from her office computer at the company headquarters. When she navigates to the portal’s URL, she is redirected to the Google Sign-In page.
- Alice signs in with her company Google Workspace account. IAP authenticates her identity and evaluates her context, including her location (office) and her membership of the “HR Managers” Google Group.
- IAP checks that Alice’s identity and context match the defined access policies. Since Alice is an HR manager and is accessing the portal from a trusted location, IAP grants her access.
- IAP forwards the request to the HR portal over HTTPS, adding signed headers that identify Alice, and stores a token in a browser cookie so that her subsequent requests are authorized without another sign-in.
Step 4: Non-Authorized User Access:
- Bob, a regular employee, attempts to access the HR portal from his home computer. When he navigates to the portal’s URL, he is redirected to the Google Sign-In page.
- Bob signs in with his company Google Workspace account. IAP authenticates his identity and then evaluates his context, which includes his location (outside the office) and his group membership.
- IAP finds that Bob is not a member of the “HR Managers” group, so no IAM binding grants him the IAP-secured Web App User role; the access-level condition would also fail from his home network. Access is denied at the proxy, and no request from Bob ever reaches the HR portal.
Benefits of GCP Identity-Aware Proxy:
- Enhanced Security: Identity-Aware Proxy verifies the user’s identity on every request and authorizes access from the IAM roles granted to that user, before the request reaches your application. This minimizes the risk of unauthorized access and shrinks the attack surface exposed to unauthenticated traffic.
- Improved User Experience: With Identity-Aware Proxy, users reach all of your protected web applications with their Google account, so there is no separate username and password to remember for each application and no per-application login code to maintain.
- Granular Access Control: Organizations can define and enforce fine-grained access controls using the Context-Aware Access feature. By considering user attributes, device security status, and network location, access can be restricted to specific individuals or groups, enhancing data privacy and control.
- Scalability and Flexibility: Identity-Aware Proxy is built on Google Cloud’s highly scalable infrastructure, so it can handle very large request volumes without you operating any proxy servers. It also integrates with various identity providers, making it suitable for organizations of all sizes with different authentication requirements.
What is IAM & Admin in Google Cloud?
IAM & Admin is the foundational access-control service within Google Cloud (it is the console menu name for Identity and Access Management). It lets you define who (principals) has what access (roles) to which resources (the hierarchy of organization, folders, projects and resources). Because almost every other control in Google Cloud is ultimately expressed as an IAM grant, IAM is the cornerstone of the confidentiality and integrity of your cloud resources.
How Does IAM & Admin Work?
- Users, Groups, and Service Accounts: IAM allows you to define and manage various identity types. These include individual user accounts, Google Groups, and service accounts. User accounts represent individual human users, providing them access to GCP resources. Google Groups allow you to manage access collectively for a set of users, making it easier to assign permissions to multiple individuals at once. Service accounts are special accounts used by applications and services to access GCP resources programmatically.
- Roles and Permissions: IAM revolves around roles and permissions. A permission is the atomic unit and is named after the service, resource type and action (for example storage.objects.get); permissions are never granted directly. A role is a named bundle of permissions: the basic roles Owner, Editor and Viewer are very broad and are best avoided for production workloads, predefined roles cover one service or function with a much narrower scope, and custom roles let you assemble exactly the permissions a workload needs. An IAM allow policy only ever grants; to block access that a grant would otherwise allow, you need a separate IAM deny policy.
- Assigning Roles and Permissions: You assign roles to principals (users, groups, or service accounts) by adding bindings to the allow policy of an organization, folder, project, or individual resource. This controls who can reach which resources and what they can do there. A principal can hold several roles, and the same role can be granted at different levels of the hierarchy.
- Inheritance and Hierarchy: Resources form a hierarchy (organization, folders, projects, resources), and a resource’s effective policy is the union of its own policy and the policies of every ancestor. A role granted on a folder therefore applies to every project and resource beneath it, which reduces per-resource administration. The security caveat is that this union cannot be narrowed lower down: a project’s own policy cannot revoke a role inherited from its folder or organization, so grants made high in the hierarchy carry the widest blast radius and deserve the strictest review.
- Organization Policies: IAM also works in conjunction with organization policies, which provide additional controls and constraints within GCP. Organization policies enable administrators to enforce specific restrictions and best practices, such as allowing or disallowing certain types of resources or API access, across multiple projects within an organization.
- Organization-wide access: Because of inheritance, a single binding on a folder or on the organization node grants access across every project beneath it, which lets a central team manage access for many projects in one place rather than project by project.
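The HR portal scenario above and the inheritance rule are easier to reason about with the evaluation written out. The following is an added example in Go, constructed for this article and not Google's IAM implementation: a small evaluator that walks a resource's ancestors, expands group and domain members, honours an access-level condition on a binding, and reports where a permission was granted. The hierarchy, group addresses, access-level name and the abbreviated role-to-permission table are all assumptions; the real roles carry many more permissions than the two listed.

```go
package main

import (
	"fmt"
	"strings"
)

// Binding grants one role to a set of members, optionally only when the request
// satisfies an Access Context Manager access level (the IAM Conditions pattern
// that gives IAP its context-aware access).
type Binding struct {
	Role        string
	Members     []string // "user:alice@example.com", "group:hr@example.com", "domain:example.com"
	AccessLevel string   // "" means unconditional
}

// Resource is one node of the hierarchy: organization > folder > project > resource.
type Resource struct {
	Name     string
	Parent   *Resource
	Bindings []Binding
}

// Request is what the evaluator sees: the caller and the context IAP computed.
type Request struct {
	Email        string
	Groups       []string // group addresses the caller belongs to (directory lookup)
	AccessLevels []string // access levels the request satisfies
}

// Abbreviated role table, assumed for this example; the real roles are much larger.
var rolePermissions = map[string][]string{
	"roles/iap.httpsResourceAccessor": {"iap.webServiceVersions.accessViaIAP"},
	"roles/storage.objectViewer":      {"storage.objects.get", "storage.objects.list"},
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func memberMatches(member string, req Request) bool {
	kind, value, _ := strings.Cut(member, ":")
	switch kind {
	case "user":
		return value == req.Email
	case "group":
		return contains(req.Groups, value)
	case "domain":
		return strings.HasSuffix(req.Email, "@"+value)
	}
	return false
}

// HasPermission walks from the resource up to the organization and reports the
// first node whose bindings grant a role containing perm. Allow policies are a
// union across the hierarchy: a child policy can never subtract an inherited grant.
func HasPermission(res *Resource, req Request, perm string) (bool, string) {
	for node := res; node != nil; node = node.Parent {
		for _, b := range node.Bindings {
			if b.AccessLevel != "" && !contains(req.AccessLevels, b.AccessLevel) {
				continue // condition not met: the binding does not apply to this request
			}
			if !contains(rolePermissions[b.Role], perm) {
				continue
			}
			for _, m := range b.Members {
				if memberMatches(m, req) {
					return true, node.Name
				}
			}
		}
	}
	return false, ""
}

// demoHierarchy is constructed for this example: an HR folder grants the HR managers
// group object read access, and the portal project grants the same group the
// IAP-secured Web App User role only from the corporate network access level.
func demoHierarchy() *Resource {
	org := &Resource{Name: "organizations/123"}
	hr := &Resource{Name: "folders/hr", Parent: org, Bindings: []Binding{
		{Role: "roles/storage.objectViewer", Members: []string{"group:hr-managers@example.com"}},
	}}
	project := &Resource{Name: "projects/hr-portal", Parent: hr, Bindings: []Binding{
		{Role: "roles/iap.httpsResourceAccessor", Members: []string{"group:hr-managers@example.com"},
			AccessLevel: "accessPolicies/1/accessLevels/corp_network"},
	}}
	return &Resource{Name: "projects/hr-portal/iap_web/compute/services/hr-portal", Parent: project}
}

func main() {
	app := demoHierarchy()
	alice := Request{Email: "alice@example.com", Groups: []string{"hr-managers@example.com"},
		AccessLevels: []string{"accessPolicies/1/accessLevels/corp_network"}}
	bob := Request{Email: "bob@example.com"}
	for _, r := range []Request{alice, bob} {
		ok, where := HasPermission(app, r, "iap.webServiceVersions.accessViaIAP")
		fmt.Printf("%s through IAP: %v (granted at %q)\n", r.Email, ok, where)
	}
	ok, where := HasPermission(app, alice, "storage.objects.get")
	fmt.Printf("alice storage.objects.get: %v, inherited from %q\n", ok, where)
}
```

Two things to notice when running it: Alice's storage permission is granted at folders/hr even though the project policy says nothing about storage, which is inheritance at work, and nothing the project could add would take it away; and the conditional IAP binding simply does not apply when the access level is absent, which is how the same group is allowed from the office and refused from home.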
Benefits of IAM & Admin:
- Improved Security: IAM & Admin allows you to define fine-grained roles and assign them only to the necessary members. This reduces the risk of unauthorized access to sensitive resources, enhancing your overall security posture.
- Granular Access Control: With IAM & Admin, you have granular control over user access to individual resources and actions. This enables you to limit access to specific functionalities, reducing the potential for accidental or malicious actions.
- User-Friendly Access Management: IAM & Admin uses a simple and user-friendly interface to manage roles and permissions. It allows you to easily add or remove members from roles, granting or revoking their access with just a few clicks.
- Simplified Compliance: IAM helps you align access management with regulatory requirements. Cloud Audit Logs record every change to an IAM policy in the Admin Activity log, which cannot be disabled, and Data Access logs can be enabled to record who read or modified data, giving you an audit trail of who could access what, and when.
- Scalability and Flexibility: IAM & Admin is designed to scale with your organization’s growth. You can easily manage access for large user bases and complex projects, ensuring that access controls remain manageable as your cloud environment evolves.
Difference between IAP and IAM
1. Purpose:
- IAM (Identity and Access Management): IAM is primarily concerned with controlling access to GCP resources such as virtual machines, databases, storage buckets, and other cloud services. It focuses on managing permissions and roles for users, groups, and service accounts within the GCP environment.
- IAP (Identity-Aware Proxy): IAP, on the other hand, is focused on securing access to web applications and VMs hosted on GCP. It provides context-aware access control to protect web applications from unauthorized access based on user identity and context.
2. Level of Control:
- IAM: IAM operates at the level of GCP resources and services. It grants or revokes permissions to perform actions on these resources.
- IAP: IAP operates at the application layer and secures access to web applications and VMs. It enforces access control based on the specific web application being protected.
3. Use Case:
- IAM: IAM is used for managing access control to cloud resources within GCP. For example, you can use IAM to control who can create virtual machines, read data from a storage bucket, or manage databases.
- IAP: IAP is used for securing web applications by controlling who can access them. For example, you can use IAP to protect an internal HR portal, ensuring that only authorized employees can access it.
4. Components:
- IAM: IAM involves defining identities (users, groups, service accounts), roles, permissions, and policies. It focuses on granting or denying access permissions to GCP resources.
- IAP: IAP includes access policies, Google sign-in, context evaluation against access levels, signed request headers for web applications, and TCP-forwarding tunnels for SSH and RDP to VMs. It is specifically designed to protect web applications and VMs.
5. Access Control Mechanism:
- IAM: IAM uses roles and permissions to control who can perform actions on GCP resources. It’s a foundation for controlling access to various cloud services.
- IAP: IAP uses identity and context-based access control for web applications. It ensures that users must authenticate and meet specific criteria before gaining access.
6. Scope:
- IAM: IAM’s scope is broader, covering all GCP resources and services.
- IAP: IAP’s scope is narrower, focusing exclusively on web applications and VMs.
In summary, IAM and IAP are complementary but serve different purposes within GCP. IAM controls access to GCP resources, while IAP secures access to web applications and VMs. The two are tightly linked: IAP’s authorization decision is itself an IAM check (the IAP-secured Web App User role, optionally with an access-level condition), so IAP’s policy is administered through IAM even though IAP enforces it at the application layer. Understanding when and how to use each service is crucial for maintaining a secure and well-managed cloud environment.
That’s all for now.
Thank you for reading!!
Stay tuned for more articles on Cloud and DevOps. Don’t forget to follow me for regular updates and insights.