This page describes how to configure different projects with different Cloud IAM roles in order to establish separation of duties among individuals or teams for typical activities associated with using Binary Authorization.
Activities and associated Cloud IAM roles
In Google Cloud, separation of duties is accomplished by assigning Cloud IAM roles to accounts in different projects. These accounts include service accounts, used by GKE and Binary Authorization, and user accounts, used by people.
By providing different organizational roles with specific Cloud IAM roles, you can enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the roles essential to performing their intended functions.
To see the underlying permissions for each Cloud IAM role, see Understanding roles.
The following table describes typical Binary Authorization activities. Separation of duties is achieved by using separate Google Cloud projects. Each project is granted only the minimum Cloud IAM roles required to accomplish the activity and its associated tasks.
For an end-to-end tutorial describing this scenario, see Multi-project setup.
| Activity | Task | IAM roles on Deployer Project | IAM roles on Attestor Project | IAM roles on Attestations Project |
|---|---|---|---|---|
| Security Operations (SecOps) Management | Create attestors | None | roles/containeranalysis.notesEditor, roles/binaryauthorization.attestorsAdmin | None |
| Security Operations (SecOps) Management | Configure Binary Authorization policy | roles/binaryauthorization.policyEditor | roles/binaryauthorization.attestorsViewer | None |
| Deployment Management | Enable Binary Authorization for a cluster | roles/serviceusage.serviceUsageAdmin | | |
| Attestation Management | Create attestations | None | roles/containeranalysis.notesAttacher | roles/containeranalysis.occurrencesEditor |
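The table above is only enforced if nobody later grants a role in the wrong project. The following added example (not Google's tooling) audits per-project IAM bindings, shaped like the `bindings` list that `gcloud projects get-iam-policy --format=json` returns, against the role matrix from the table. The project ids, group and service-account names are placeholders, and the sample policies are constructed.

```python
"""Audit project IAM bindings against the Binary Authorization
separation-of-duties matrix (added example; project ids are placeholders)."""

# Only the role families the matrix governs are judged; unrelated roles
# such as roles/container.admin on the deployer project are left alone.
GOVERNED_PREFIXES = ("roles/binaryauthorization.",
                     "roles/containeranalysis.",
                     "roles/serviceusage.")

# Roles each project may grant, transcribed from the table above.
ALLOWED_ROLES = {
    "deployer-project": {"roles/binaryauthorization.policyEditor",
                         "roles/serviceusage.serviceUsageAdmin"},
    "attestor-project": {"roles/containeranalysis.notesEditor",
                         "roles/binaryauthorization.attestorsAdmin",
                         "roles/binaryauthorization.attestorsViewer",
                         "roles/containeranalysis.notesAttacher"},
    "attestations-project": {"roles/containeranalysis.occurrencesEditor"},
}


def audit_policies(policies):
    """policies: {project_id: {"bindings": [{"role": str, "members": [str]}]}}.
    Returns sorted (project, member, role) triples for governed roles that the
    matrix does not permit in that project."""
    findings = []
    for project, policy in policies.items():
        allowed = ALLOWED_ROLES.get(project, set())
        for binding in policy.get("bindings", []):
            role = binding["role"]
            if role.startswith(GOVERNED_PREFIXES) and role not in allowed:
                for member in binding.get("members", []):
                    findings.append((project, member, role))
    return sorted(findings)


# Constructed sample: the deployer project also carries notesAttacher, so the
# CI account there could both deploy and sign, collapsing the separation.
CI_SA = "serviceAccount:ci@deployer-project.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    "deployer-project": {"bindings": [
        {"role": "roles/binaryauthorization.policyEditor",
         "members": ["group:secops@example.com"]},
        {"role": "roles/containeranalysis.notesAttacher", "members": [CI_SA]},
        {"role": "roles/container.admin",
         "members": ["group:deploy@example.com"]}]},
    "attestor-project": {"bindings": [
        {"role": "roles/binaryauthorization.attestorsAdmin",
         "members": ["group:secops@example.com"]}]},
    "attestations-project": {"bindings": [
        {"role": "roles/containeranalysis.occurrencesEditor",
         "members": [CI_SA]}]},
}

if __name__ == "__main__":
    for project, member, role in audit_policies(SAMPLE_POLICIES):
        print(f"{project}: {member} holds {role}, not permitted by the matrix")
```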