Introduction — Google Cloud Policy Troubleshooter

Prakash Singh
KPMG UK Engineering
4 min read · Jan 5, 2023


Photo by Jason Dent on Unsplash

Vishal has recently joined your team. As project owner you assigned him the Viewer role at project level, which should give him only read-only access to every resource in the project, so you were surprised when Vishal told you that he is able to edit the objects of one Storage bucket but not the others. Did you know that IAM Policy Troubleshooter is the friend that will find the root cause of this for you?

I’ll tell you how, but first let’s understand a bit about how IAM policies work in GCP -

There are two types of policies — Allow Policies and Deny Policies.

Allow Policies — An allow policy is a collection of role bindings. Now, what is a role binding?

Role Binding is a set of three properties —

  • Principal — This could be a user account, service account or a group.
  • Role — The google IAM role that has a set of permissions.
  • Condition — An optional condition that specifies under what circumstances this role binding applies, e.g. the request origin, the target resource, a specific time window, etc.

So one policy can have multiple role bindings. The only limit is that each allow policy can hold a maximum of 1500 principals, and every appearance of a principal in a binding counts towards that limit: if one user account is added to 100 different role bindings, we are left with room for 1400 other principals.

Example of a policy definition (credit: Policy page in the GCP IAM docs) -

Let’s decode the policy definition above -

  • The bindings element is a collection that contains multiple role binding sections.
  • The role field defines the permissions this role binding grants to the “members” of that particular binding.
  • The members field holds the “principals” we discussed above; as you can see, it is a collection of different types such as users, groups, a domain and service accounts.
  • Note the “condition” property of a role binding, which is optional: the first role binding doesn’t have one, while the second role binding depends on its condition, so the user in the second binding will have the organizationViewer role only until Sep 2020.
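To make the structure decoded above concrete, here is an allow policy in the same shape as the GCP docs example, loaded and evaluated in Python. This is an added example, not code from the original post or from Google: the principals, project id and etag are constructed placeholders, and condition_active deliberately understands only the request.time < timestamp('...') form used by the expiring binding (real IAM conditions are full CEL expressions, and an evaluator that silently treated an unknown condition as true would over-grant).

```python
import json
from datetime import datetime, timezone

# Allow policy in the shape of the GCP docs example. All principals, the project id
# and the etag are constructed placeholders, not real accounts.
POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/resourcemanager.organizationAdmin",
      "members": [
        "user:alice@example.com",
        "group:admins@example.com",
        "domain:example.com",
        "serviceAccount:my-project-id@appspot.gserviceaccount.com"
      ]
    },
    {
      "role": "roles/resourcemanager.organizationViewer",
      "members": ["user:eve@example.com"],
      "condition": {
        "title": "expirable access",
        "description": "Does not grant access after Sep 2020",
        "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
      }
    }
  ],
  "etag": "BwWWja0YfJA=",
  "version": 3
}
"""
POLICY = json.loads(POLICY_JSON)

# Two evaluation times: inside the Sep 2020 window and well after it.
BEFORE_EXPIRY = datetime(2020, 9, 15, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2023, 1, 5, tzinfo=timezone.utc)


def condition_active(condition, now):
    """Evaluate a binding condition at time `now`.

    Only the `request.time < timestamp('...')` form is supported; anything else raises
    instead of being treated as satisfied."""
    if condition is None:
        return True  # an unconditional binding always applies
    expr = condition["expression"]
    prefix = "request.time < timestamp('"
    if not expr.startswith(prefix) or not expr.endswith("')"):
        raise ValueError(f"unsupported condition expression: {expr}")
    deadline = datetime.strptime(expr[len(prefix):-2], "%Y-%m-%dT%H:%M:%S.%fZ")
    return now < deadline.replace(tzinfo=timezone.utc)


def roles_for_principal(policy, principal, now):
    """Roles the exact principal string holds in this policy at time `now`.

    Group and domain members are matched literally; expanding them needs a directory."""
    return [
        binding["role"]
        for binding in policy["bindings"]
        if principal in binding["members"]
        and condition_active(binding.get("condition"), now)
    ]


def principals_by_type(policy):
    """Split every member of the policy by its prefix: user, group, domain, serviceAccount."""
    out = {}
    for binding in policy["bindings"]:
        for member in binding["members"]:
            kind, _, ident = member.partition(":")
            out.setdefault(kind, set()).add(ident)
    return out


def principal_count(policy):
    """Count every appearance of a principal across bindings, which is what the 1500 limit counts."""
    return sum(len(binding["members"]) for binding in policy["bindings"])


if __name__ == "__main__":
    print(roles_for_principal(POLICY, "user:eve@example.com", BEFORE_EXPIRY))
    print(roles_for_principal(POLICY, "user:eve@example.com", AFTER_EXPIRY))
    print(principals_by_type(POLICY), principal_count(POLICY))
```

Running it shows eve holding organizationViewer in September 2020 and nothing afterwards, while the unconditional first binding keeps applying; principal_count returns 5 because the four members of the first binding and the one member of the second each count towards the limit.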

Now let’s get back to our use case above. How do you think Vishal can have just the “Viewer” role at project level while still being able to add/update/delete the objects of one of the storage buckets?

This is where IAM Policy Troubleshooter is a very helpful option. It requires the following inputs, and it will tell us which IAM policies apply to that principal.

  • Principal — Email address of the principal (user, service account or group).
  • Resource — Fully qualified name of the resource on which we need to know the permissions granted to the principal, e.g. in our case the project: //cloudresourcemanager.googleapis.com/projects/iam-policy-test-project
  • Permission — The permission in question. Please note that a role name can’t be entered here; the specific permission must be given.

The result of this search presents the list of “Resource” entries and their “parents”, which shows when the permission is inherited from a parent of the resource we searched for.

Let’s understand this with the help of some screenshots -

IAM Policy Troubleshooter Page

  • Open the Policy Troubleshooter page under the IAM & Admin menu in the Google Cloud Console.
  • Put the user account email in the Principal field.
  • Enter the full project name in the Resource 1 field.
  • Enter the permission for which I need to check whether I have access or not.

To search the permissions of a service, just type the service name followed by a dot (.), e.g. storage.buckets.

  • Please note that I can also add another “Resource-Permission” pair by clicking the ADD ANOTHER PAIR button.

IAM Policy Role Bindings Page

  • After clicking the CHECK ACCESS button, the details screen appears, showing all the role bindings associated with that resource.
  • The Access column shows whether the “Principal” is granted that permission on the resource or not.
  • Clicking the SEE BINDING DETAILS link in the last column shows the details of that particular role binding, as below -

IAM Policy Role Binding Details page

So using this cool feature of Google Cloud IAM, the support representative could easily find the reason behind the strange behaviour of role mapping on Vishal’s profile. The issue was that Vishal’s user account was given the “Viewer” role at project level, but he was also a member of a Google Group that had the “Storage Object Admin” role assigned at that Storage Bucket level.
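The troubleshooter’s reasoning for Vishal’s case can be modelled in a few lines: walk from the bucket up through its parents, collect every binding that names the principal directly or through one of his groups, and check whether the bound role carries the requested permission. The Python below is an added example, not code from the original post or from Google; it takes the same three inputs as the console form above (principal, full resource name, a single permission) and produces one row per binding like the role bindings page. The organisation id, bucket name, group, user accounts and the reduced role-to-permission table are constructed placeholders (the real predefined roles contain far more permissions), and group membership is a hard-coded set standing in for Cloud Identity. The same check is available outside the console as gcloud policy-troubleshoot iam RESOURCE --principal-email=EMAIL --permission=PERMISSION.

```python
from dataclasses import dataclass

# ---- Constructed sample hierarchy and policies (placeholders, not a real organisation) ----
ORG = "//cloudresourcemanager.googleapis.com/organizations/123456789012"
PROJECT = "//cloudresourcemanager.googleapis.com/projects/iam-policy-test-project"
BUCKET = "//storage.googleapis.com/projects/_/buckets/team-reports"

# Child -> parent: the chain the troubleshooter walks when it reports "parents".
PARENT = {BUCKET: PROJECT, PROJECT: ORG, ORG: None}

# Allow policy attached at each level of the hierarchy (no conditions in this scenario).
POLICIES = {
    ORG: {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin", "members": ["user:owner@example.com"]},
    ]},
    PROJECT: {"bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:vishal@example.com"]},
    ]},
    BUCKET: {"bindings": [
        {"role": "roles/storage.objectAdmin", "members": ["group:reports-editors@example.com"]},
    ]},
}

# Group membership as the evaluator sees it; in GCP this comes from Cloud Identity / Workspace.
GROUPS = {"group:reports-editors@example.com": {"user:vishal@example.com"}}

# Deliberately reduced subset of the permissions contained in each predefined role.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list", "storage.buckets.get"},
    "roles/owner": {"storage.objects.get", "storage.objects.create", "storage.objects.delete"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete", "storage.objects.update"},
    "roles/resourcemanager.organizationAdmin": {"resourcemanager.organizations.get"},
}


@dataclass
class BindingResult:
    """One row of the troubleshooter-style report."""
    resource: str
    role: str
    member: str      # the member entry that matched: the principal itself or one of its groups
    inherited: bool  # True when the binding lives on a parent of the queried resource
    grants: bool     # True when the role contains the requested permission


def member_matches(member, principal):
    """Direct match, or membership of the group named in the binding (domain members not expanded)."""
    return member == principal or principal in GROUPS.get(member, set())


def ancestry(resource):
    """Yield the resource, then each parent up to the root."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def troubleshoot(principal, resource, permission):
    """Every binding in the hierarchy that involves the principal, flagged by whether it grants the permission."""
    rows = []
    for depth, res in enumerate(ancestry(resource)):
        for binding in POLICIES.get(res, {}).get("bindings", []):
            for member in binding["members"]:
                if member_matches(member, principal):
                    grants = permission in ROLE_PERMISSIONS.get(binding["role"], set())
                    rows.append(BindingResult(res, binding["role"], member, depth > 0, grants))
    return rows


def has_access(principal, resource, permission):
    """The troubleshooter's verdict: granted if any applicable binding carries the permission."""
    return any(row.grants for row in troubleshoot(principal, resource, permission))


if __name__ == "__main__":
    for row in troubleshoot("user:vishal@example.com", BUCKET, "storage.objects.delete"):
        where = "inherited" if row.inherited else "direct"
        print(f"{'GRANTED' if row.grants else 'no':8} {row.role:35} via {row.member} ({where}) on {row.resource}")
```

Asking about storage.objects.delete on the bucket produces two rows: the Storage Object Admin binding on the bucket itself, matched through the group, which grants the permission, and the inherited project-level Viewer binding, which does not. The same question asked against the project returns only the Viewer row, which is exactly why Vishal can edit this one bucket and nothing else.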

The Security Reviewer (roles/iam.securityReviewer) IAM role on the organisation is required to be able to use the Policy Troubleshooter.

Useful Resources to learn more about Policy Troubleshooter -
