This topic describes the Identity and Access Management (IAM) roles you can use to configure Assured Workloads for Government. Roles limit an authenticated identity's ability to access resources. Only grant an identity the permissions it needs in order to interact with applicable Google Cloud APIs, features, or resources.
To be able to create an Assured Workloads environment, you must be assigned one of the roles listed below with that ability, as well as a Cloud Billing access control role. You must also have an active, valid billing account. For more information, see Overview of Cloud Billing access control.
Required roles
Following are the minimum required Assured Workloads-related roles. To learn how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.
- Assured Workloads Administrator: For creating workload environments.
- Resource Manager Organization Admin: Access to administer all resources belonging to an organization.
Assured Workloads roles
Following are the IAM roles that are associated with
Assured Workloads, and how to grant these roles using the
gcloud command-line tool. To learn how to grant these roles in the
Cloud Console or programmatically, see Granting, changing, and
revoking access to resources in
IAM documentation.
Replace the ORGANIZATION_ID placeholder
with the actual organization identifier and example@customer.org with the user
email address. To retrieve your organization ID, see Retrieving your
organization
ID.
roles/assuredworkloads.admin
For creating workloads. Allows read-write access.
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \ --member="user:example@customer.org" \ --role="roles/assuredworkloads.admin"
roles/assuredworkloads.editor
Allows read-write access.
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \ --member="user:example@customer.org" \ --role="roles/assuredworkloads.editor"
roles/assuredworkloads.reader
For getting and listing workloads. Allows read-only access.
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \ --member="user:example@customer.org" \ --role="roles/assuredworkloads.reader"
Custom roles
If you want to define your own roles to contain bundles of permissions that you specify, use custom roles.
Assured Workloads IAM best practices
Properly securing IAM roles to follow least privileged is a Google Cloud security best practice. This principle follows the rule that users should only have access to the products, services, and applications required by their role. Users are not currently restricted from using out-of-scope services with Assured Workloads projects when deploying products and services outside of the Assured Workloads environment.
The list of in-scope products by compliance regime helps to guide security admins when creating custom roles that limit user access to only in-scope products within the Assured Workloads environment. Custom roles are able to help support obtaining and maintaining compliance within an Assured Workloads environment.