Separation of duties and Identity and Access Management roles

This page describes how to configure different projects with different IAM roles in order to establish separation of duties among individuals or teams for typical activities associated with using Binary Authorization.

Activities and associated IAM roles

In Google Cloud, separation of duties is accomplished by assigning IAM roles to accounts in different projects. These accounts include service accounts, used by GKE and Binary Authorization, and user accounts, accessed by people.

By providing different organizational roles with specific IAM roles, you can enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the roles essential to performing their intended functions.

To see the underlying permissions for each IAM role, see Understanding roles.

The following table describes typical Binary Authorization activities. Separation of duties is achieved by having separate Google Cloud projects. Each project is only granted the minimum required IAM roles to accomplish the activity and associated tasks.

For an end-to-end tutorial describing this scenario, see: Multi-project setup.

| Activity | Task | IAM roles on Deployer Project | IAM roles on Attestor Project | IAM roles on Attestations Project |
| --- | --- | --- | --- | --- |
| Security Operations (SecOps) Management | Create attestors | None | roles/containeranalysis.notesEditor, roles/binaryauthorization.attestorsAdmin | None |
| Security Operations (SecOps) Management | Configure Binary Authorization policy | roles/binaryauthorization.policyEditor | roles/binaryauthorization.attestorsViewer | None |
| Deployment Management | Enable Binary Authorization for a cluster | roles/serviceusage.serviceUsageAdmin, roles/container.clusterAdmin | None | None |
| Attestation Management | Create attestations | None | roles/containeranalysis.notesAttacher | roles/containeranalysis.occurrencesEditor |
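The table above expressed as a script, added here as an example rather than taken from the Binary Authorization documentation: it grants each duty's roles in the right project to a separate principal and then checks that no single principal ends up able to both edit the policy and create attestation occurrences. The project IDs and the group and service-account principals are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the Binary Authorization docs: grant the per-project
# roles from the table above to one principal per duty. All project IDs and
# principals below are assumed placeholders; replace them before running.
set -euo pipefail

DEPLOYER_PROJECT="${DEPLOYER_PROJECT:-deployer-project-id}"             # placeholder
ATTESTOR_PROJECT="${ATTESTOR_PROJECT:-attestor-project-id}"             # placeholder
ATTESTATIONS_PROJECT="${ATTESTATIONS_PROJECT:-attestations-project-id}" # placeholder

SECOPS="group:secops@example.com"        # assumed SecOps Management principal
DEPLOYER="group:deployers@example.com"   # assumed Deployment Management principal
ATTESTER="serviceAccount:signer@${ATTESTATIONS_PROJECT}.iam.gserviceaccount.com"  # assumed

# One binding per line, "<project> <member> <role>", mirroring the table rows.
binauthz_bindings() {
  cat <<EOF
$ATTESTOR_PROJECT $SECOPS roles/containeranalysis.notesEditor
$ATTESTOR_PROJECT $SECOPS roles/binaryauthorization.attestorsAdmin
$DEPLOYER_PROJECT $SECOPS roles/binaryauthorization.policyEditor
$ATTESTOR_PROJECT $SECOPS roles/binaryauthorization.attestorsViewer
$DEPLOYER_PROJECT $DEPLOYER roles/serviceusage.serviceUsageAdmin
$DEPLOYER_PROJECT $DEPLOYER roles/container.clusterAdmin
$ATTESTOR_PROJECT $ATTESTER roles/containeranalysis.notesAttacher
$ATTESTATIONS_PROJECT $ATTESTER roles/containeranalysis.occurrencesEditor
EOF
}

# Apply the bindings. DRY_RUN=1 (the default) only prints the gcloud commands.
grant_bindings() {
  binauthz_bindings | while read -r project member role; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "gcloud projects add-iam-policy-binding $project --member=$member --role=$role"
    else
      gcloud projects add-iam-policy-binding "$project" --member="$member" --role="$role"
    fi
  done
}

# Separation check: fail if any one member could both edit the policy and
# create attestation occurrences, which the table assigns to different duties.
check_separation() {
  binauthz_bindings | awk '
    $3 == "roles/binaryauthorization.policyEditor"    { policy[$2] = 1 }
    $3 == "roles/containeranalysis.occurrencesEditor" { attest[$2] = 1 }
    END { for (m in policy) if (m in attest) { print "conflict: " m; bad = 1 }; exit bad }'
}

grant_bindings
check_separation
```

Run with `DRY_RUN=0` only after replacing the placeholders; the check runs against the binding list itself, not against the live IAM policy.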