Google Cloud Account Bills: How to Use GCP IAM Roles and Service Accounts (Service Account) to Implement the Principle of Least Permission

In the security field of cloud computing, there is a lesson in blood and tears that countless operations and architects have exchanged for company assets and even their own year-end awards:"

In the cloud, what is more terrible than not having a password is that everyone is using the administrator password.

”

Many friends who have just come into contact with Google Cloud (GCP), in order to save trouble, or because they think it is too troublesome to report errors in checking permissions, often directly put a brainless set on the development in the team or even a script running in the server.

Owner

(owner) or

Editor

(editor) role. This kind of practice is like making dozens of master keys to your door and distributing them to cleaners, couriers and passers-. Once a developed computer is phished by hackers, or the key (Key) is accidentally submitted to the public GitHub warehouse in the code, hackers can completely take over your entire Google cloud account in a few seconds, loot your core assets for several years, and even drive hundreds of high-end machines to dig mines in the background, leaving you with a sky-high deduction bill.

In GCP's security world, the core defense weapon in the rear is called

IAM(Identity and Access Management)

. The core soul of large plant-level network security is to resolutely implement

"Principle of Least Privilege (Principle of Least Privilege)"

Give only the right person or machine the least privilege of getting the job done at the right time.

Today we reject any official didactic rhetoric and do not recite boring provisions. Directly from the actual combat of the most hard core, take you to sort out the underlying logic of IAM, roles and service accounts, and weld a set of high-standard modern security defense lines for your cloud assets.

Stage 1: Deep Disassembly, GCP IAM's "3D World Model"

To match permissions in GCP, you must have a thorough understanding of the physical operating model of IAM in your head. Google's IAM permission control system is essentially a combination of three dimensions of elements that are welded to each other:

Who are you?(Members/Principals): The identity holder. It can be a company employee's Google email (such as [email protected]), a logical group, or a service account (Service Account) that we will focus on later.

What can you do?(Roles): A collection of characters. A role is a "gift bag" of a bunch of specific permissions (Permission) ". For example, to see the server list, you need to compute the. instances.list permission. To restart the server, you need to compute the. instances.start permission. Google has packaged these tiny permissions together into a variety of "roles"

”.

Where do you work?(Resources/Hierarchy): That's resource level. This is one of the great elegant designs of GCP. You can hang permissions at the entire "organization (Organization)" level, or at a specific "project (Project)" level, or even to a specific "GCS bucket (Bucket).

Core Security Insider: Permissions are inherited downward. If you give an employee Owner permission at the organizational level, he is the supreme god in all sub-projects, all servers and all databases of the company. Therefore, large factory specifications prohibit the indiscriminate issuance of high-level roles at the top of the organization or project.

The second stage: the "three huge pits of authority" that are strictly prohibited from being used by large factories"

Before configuring, let's help your cognitive "detoxification". The following three practices, in the formal enterprise security audit is an absolute vote veto:

1. Abuse of basic roles (Primitive Roles)

The basic role refers to the old

Owner

(Owner),

Editor

(Editors),

Viewer

(viewer). This kind of role belongs to the "extensive" antique. Editor can add and delete almost anything in the project (from code to database deletion).

Normative solution: fully embrace predefined roles (Predefined Roles). Need to manage virtual machines, only to Compute Admin; Only need to see the log, only to Logging Viewer. Let professional people do professional things.

2. The machine uses the personal certificate (User Credentials)

Many new people have written an automated script to back up the cloud database locally and regularly. In order to make the script run, he directly ran it locally with his own personal account.

gcloud auth login

.

Disaster: Once the employee leaves his job and the company cancels his email, the backup script, which has been running in the production environment for half a year, will instantly crash due to invalid permissions.

Standard solution: people walk the way, machines walk the bridge of machines. All programs, code, and third-party systems that need to interact with GCP must use a service account (Service Account).

The third stage: actual combat exercise-using service account (Service Account) to open up the keyless security chain

Let's simulate a most standard commercial production scenario: you write a Python back-end program that is deployed in GCP's

Compute Engine (GCE) virtual machines

Inside. This app needs to go every day

Cloud Storage (GCS) buckets

Read the user's avatar picture and write the running log into

Cloud Logging (Day

Chi Service)

.

If you follow the original approach, you need to go to the background to generate a JSON key file (Key) containing the password, and then download it and stuff it into the server's code package.

But the safety regulations of large factories tell you: in the cloud, all visible plaintext password files are leaked time bombs.

We use GCP's native service account to bind to IAM to achieve true "zero-key, high-security" cloud migration:

Step 1: Create a Dedicated Machine Identity (Service Account)

Enter

GCP Console

,Find it in the navigation menu at the top left

IAM & Admin-> Service Account (Service Accounts)"

.

Click "Create a service account" at the top ".

Service account name: named gce-web-app-runner. It will automatically generate a dedicated machine mailbox shaped like a [email protected].

Click Create and continue.

Step 2: Precisely Priming the Minimum Permissions (IAM Binding)

In the same creation page, the system will ask you what role you want to assign to this machine identity. We firmly do not choose Editor and carry out accurate permission cutting:

Click the role drop-down menu and search for and select Storage Object Viewer ". Note: This role is only allowed to read the files in the bucket. Even if a hacker controls the server, he will not inject a Trojan into your bucket or empty the entire bucket with one click.

Click Add another role, search for and select Logs Writer ". Note: Only the permission to write logs is given, and the permission to view other system logs is not given.

Click Finish.

Step 3: Soul Fit-Mount Identity to Virtual Machine

The identity and permissions are all matched, and now we are going to let the virtual machine running the code "wear this dress".

Go to the Compute Engine -> VM Instances page, click your web server, and click Edit.

Go down and find the configuration item "Service Account (Service Account).

In the drop-down menu, cut off the original default Default service account and select the gce-web-app-runner you just created.

Change Access Scopes to Allow full access to all Cloud APIs ". Architect technology to avoid the inside story: this is the most vulnerable place for countless novices. GCP Early Use

"Scopes" to control the car is now obsolete. The new generation of specifications is to turn on the green light (Full Access) here, and completely transfer the real permission security gate to the IAM role in the second step above to take over.

Click Save to restart the instance.

Miracle Moment: "Keyless Gods" within the Code"

Now, you connect to this server and take a look at your Python code. You don't need to write anything in the code.

AWS_ACCESS_KEY

Or put Google's JSON password file hard-coded in it. You just need to call Google's official SDK directly:

Python

from google.cloud import storage

# Inject Soul: There is no need to pass any key parameters at all, and the SDK will automatically go to the host network card to sniff the identity of the mounted Service Account

storage_client = storage.Client()

bucket = storage_client.bucket("my-user-avatars")

blob = bucket.blob("user_101.jpg")

# Silky read

data = blob.download_as_bytes()

print("data read successfully without secret! ")

Since identities and permissions are naturally closed-loop at the bottom of the Google network, your production environment code does not have any plaintext passwords. Even if a hacker turns your Git warehouse upside down, he can't steal any fragments of cloud sovereignty.

The fourth stage: the history of avoiding the pit and tears of commercial operation and maintenance and the reinforcement of the defense line.

After this keyless architecture runs, your cloud asset security factor has exceeded 95% of the workshop team. But as the chief safety officer (CISO), you must immediately issue an executive order to weld the following two hidden holes that are prone to major safety accidents:

1. It is strictly forbidden to manually generate "service account key (JSON Key)"

In the details page of the service account, there is a tab called "Keys", which allows you to click "Create new key" and download a JSON file.

Cruel reality: Many developers are too lazy to match environment variables when debugging code locally for the convenience of diagrams, and directly generate a JSON key and lock it in their own computers. Once his computer was lost, or when he left office, he used WeChat to send the document privately, the company's security wire fence was torn open. Moreover, this manually generated Key is valid for several years by default and is extremely difficult to audit.

Large factory defense specification: fundamentally prohibit the creation of service account keys through organization policies (Organization policies). * If the development does need to be debugged on the local computer

, instruct them to use the gcloud auth application-default login command to temporarily obtain dynamic short-acting credentials locally through their personal enterprise Google mailbox. If it is a cross-cloud call (for example, AWS machines want to connect to GCP), Workload Identity Federation (workload identity federation) is adopted to allow AWS to use its own OIDC token and GCP to directly pair secret signals from a distance to realize two-way communication without physical keys.

2. Embrace the dimension reduction blow of "IAM conditional restrictions (IAM Conditions)".

Once the traditional authority is granted, it is effective 24 hours a day. However, if your company encounters an emergency online failure and needs to have an outsourcing expert temporarily go in this afternoon to take a look at the database of the production environment and withdraw the authority after today, what should I do?

Original practice: match the role today and delete it when you leave work. If you forget, the account number of outsourcing experts will become a permanent hidden danger.

Advanced specification configuration: When granting a role on the IAM page, click Add Condition ". You can write an extremely accurate rule: "The user's permission will take effect only when the time is between 2026-05-30 13:00 and 18:00 and the source IP of the request is the public network IP of the company office." As soon as the clock passes 18 o'clock, Google's online brain will automatically void the user's pass instantly. Timed fuse, leaving no trace of future trouble.

Summary

Playing with the minimum rights management specification in Google Cloud, the core industrial essence actually lies in 16 words:

People walk humanely, machine mount, put an end to plaintext, time fuse

.

Cloud security never relies on various cumbersome verbal rules and regulations to restrict human nature, but relies on this seamless distributed IAM mechanism that sinks to the bottom of cloud native to form physical dimension reduction isolation. Give the dominant power to the "principle of least authority", and while enjoying the ultimate sense of development brought by keyless communication, make your entire cloud business empire as stable as Mount Tai on the public network.