I hired someone to temporarily work in my project hosted in GCP (Google Cloud Platform), and he requested to have the Project IAM Admin role.
I want him to be able to create, delete, edit new users, but not change the existent users. Is that possible?
Will this person be able to create/remove/edit owner roles with the Project IAM Admin role?
I would like to know what is the best approach regarding the security/permissions in this case.
As per the official GCP document on Grant an IAM role by using the Google Cloud console, and based on my observation, the GCP Project IAM Admin role allows users to manage IAM roles and permissions for all users within the project, which means they will be able to create, delete and modify any user's permissions, including owner roles, but this can lead to a security risk. With the help of the resourcemanager.projects.delete role, they can delete projects also.
But if you want a temporarily hired person to create, delete and edit new users without changing existing users' roles, the Project IAM Admin role will not be suitable. In order to prevent this you can follow the workarounds below:
- Create a custom IAM role with the specific permissions needed for user management. For example, you can grant permissions like:
  iam.serviceAccounts.create
  iam.serviceAccounts.delete
  iam.serviceAccounts.update
  NOTE: resourcemanager.projects.delete (exclude this role to avoid project deletion).
  But ensure this custom role is limited only to the actions you want to allow, such as creating new service accounts.
- And the next best approach would be using WIF (Workload Identity Federation) for time-limited access. For example, you can manually remove the access once the project is complete.
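As an added example (not part of the answer above), the following script writes the custom role described in the answer as a definition file for `gcloud iam roles create --file`, and refuses to create the role if the file carries the resourcemanager.projects.delete permission the answer warns about. The project id and role id are placeholders.

```shell
#!/bin/sh
# Added example: narrow custom role for service-account management only.
# PROJECT_ID and ROLE_ID are placeholders, not values from the original post.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder project id
ROLE_ID="tempServiceAccountManager"         # assumed custom role id
ROLE_FILE="temp-sa-manager-role.yaml"

# Permissions the answer lists: create, delete and update service accounts.
ALLOWED_PERMS="iam.serviceAccounts.create
iam.serviceAccounts.delete
iam.serviceAccounts.update"

# Permissions that must never end up in this role (from the answer's NOTE).
DENIED_PERMS="resourcemanager.projects.delete"

# role_file: write a role definition in the format gcloud accepts via --file.
role_file() {
  {
    echo "title: Temporary service account manager"
    echo "description: Create, delete and update service accounts only"
    echo "stage: GA"
    echo "includedPermissions:"
    printf '%s\n' "$ALLOWED_PERMS" | sed 's/^/- /'
  } > "$1"
}

# role_is_safe: return 0 only if none of DENIED_PERMS appears in the file.
role_is_safe() {
  for p in $DENIED_PERMS; do
    if grep -qx -- "- $p" "$1"; then
      echo "refusing to create role: $p found in $1" >&2
      return 1
    fi
  done
  return 0
}

# create_role: run gcloud only after the definition passed the check.
create_role() {
  role_is_safe "$1" || return 1
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$1"
}

role_file "$ROLE_FILE"
role_is_safe "$ROLE_FILE" && echo "$ROLE_FILE is ready: run create_role $ROLE_FILE"
```

Grant the resulting role to the contractor instead of roles/resourcemanager.projectIamAdmin, and delete the role binding once the engagement ends.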