Authentication

 


Intro

My notes on how to authenticate with Google Cloud

 


Documentation

 

 


Tips and Tidbits

 

  • Authentication determines who you are, authorization determines what you can do, and auditing logs what you did.

  • A principal is an entity, also known as an identity, that can be granted access to a resource.

  • Google Cloud APIs support two types of principals: user accounts and service accounts.

  • Google Cloud APIs only accept requests from registered applications, which are uniquely identifiable applications that present a credential at the time of the request.

  • Application credentials provide the required information about the caller making a request to a Google Cloud API.

  • By default, all Google Cloud projects come with a single user: the original project creator.

    • No other users have access to the project, and therefore to its Compute Engine resources, until a user is added as a project member or is bound to a specific resource.

  • Google Cloud APIs use the OAuth 2.0 protocol for authenticating both user accounts and service accounts.

    • The OAuth 2.0 authentication process determines both the principal and the application.

    • Most Google Cloud APIs also support anonymous access to public data using API keys.

    • However, API keys only identify the application, not the principal. When using API keys, the principal must be authenticated by other means.

Source: https://cloud.google.com/docs/authentication

 


Access Control For Users

 

  • To give users the ability to create and manage your Compute Engine resources, you can add users as team members to your project or to specific resources and grant them permissions using Identity and Access Management (IAM) roles.

  • A team member can be an individual user with a valid Google Account, a Google Group, a service account, or a G Suite domain.

  • Resources inherit the policies of their parent resources in the Google Cloud resource hierarchy.

    • The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.
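
The inheritance rule above, as an added example (not from the Google documentation): it walks a resource's ancestors and unions their role bindings, then lists which access was granted higher up, which is the thing to review when auditing least privilege. The hierarchy, resource names and members are constructed sample data, and the model covers only allow-policy role bindings.

```python
from collections import defaultdict

# Constructed sample hierarchy: child -> parent (None marks the root).
PARENT = {
    "organizations/example-org": None,
    "folders/engineering": "organizations/example-org",
    "projects/web-prod": "folders/engineering",
    "instances/web-1": "projects/web-prod",
}

# Constructed allow policies set directly on each resource: role -> members.
POLICIES = {
    "organizations/example-org": {"roles/viewer": {"group:auditors@example.com"}},
    "folders/engineering": {"roles/compute.admin": {"user:alice@example.com"}},
    "projects/web-prod": {"roles/compute.viewer": {"user:bob@example.com"}},
    "instances/web-1": {
        "roles/compute.instanceAdmin.v1": {"serviceAccount:deployer@example.com"}
    },
}


def ancestors(resource):
    """Yield the resource, then each parent up to the root."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_policy(resource):
    """Union of the bindings set on the resource and on every ancestor."""
    merged = defaultdict(set)
    for node in ancestors(resource):
        for role, members in POLICIES.get(node, {}).items():
            merged[role] |= members
    return dict(merged)


def inherited_grants(resource):
    """(member, role, source) for access that was granted above the resource."""
    found = []
    for node in list(ancestors(resource))[1:]:  # skip the resource itself
        for role, members in POLICIES.get(node, {}).items():
            found.extend((m, role, node) for m in sorted(members))
    return sorted(found)


if __name__ == "__main__":
    for member, role, source in inherited_grants("instances/web-1"):
        print(f"{member} has {role} via {source}")
```

Because the result is a union, a binding set on a folder or organization still applies to every resource beneath it, whatever the child's own policy says.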

 

