This page describes how to configure different projects with different IAM roles to establish separation of duties among individuals or teams for typical activities associated with using Binary Authorization.
Activities and associated IAM roles
In Google Cloud, separation of duties is accomplished by assigning IAM roles to accounts in different projects. These accounts include service accounts, used by GKE and Binary Authorization, and user accounts, used by people.
By providing different organizational roles with specific IAM roles, you can enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the roles essential to performing their intended functions.
To see the underlying permissions for each IAM role, see Understanding roles.
The following table describes typical Binary Authorization activities. Separation of duties is achieved by using separate Google Cloud projects. Each project is granted only the minimum IAM roles required to accomplish the activity and its associated tasks.
For an end-to-end tutorial describing this scenario, see: Multi-project setup.
Activity | Task | IAM roles on Deployer Project | IAM roles on Attestor Project | IAM roles on Attestations Project |
---|---|---|---|---|
Security Operations (SecOps) Management | Create attestors | None | roles/containeranalysis.notes.editor, roles/binaryauthorization.attestorsAdmin | None |
Security Operations (SecOps) Management | Configure Binary Authorization policy | roles/binaryauthorization.policyEditor | roles/binaryauthorization.attestorsViewer | None |
Deployment Management | Enable Binary Authorization for a cluster | roles/serviceusage.serviceUsageAdmin, roles/container.clusterAdmin | None | None |
Attestation management | Create attestations | None | roles/containeranalysis.notes.attacher | roles/containeranalysis.occurrences.editor |
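As an added example (not code from the Binary Authorization documentation), the following Python check reads one project's IAM policy in the JSON shape that `gcloud projects get-iam-policy --format=json` emits and flags two deviations from the table above: roles the table does not place in that project, and a single principal holding roles from more than one activity. The account names in the sample policy are constructed placeholders.

```python
import json
from collections import defaultdict

# Role -> (project, activity), transcribed from the table above. The role
# names are the page's; everything else here is an added example.
ROLE_TABLE = {
    "roles/containeranalysis.notes.editor":       ("attestor",     "SecOps"),
    "roles/binaryauthorization.attestorsAdmin":   ("attestor",     "SecOps"),
    "roles/binaryauthorization.policyEditor":     ("deployer",     "SecOps"),
    "roles/binaryauthorization.attestorsViewer":  ("attestor",     "SecOps"),
    "roles/serviceusage.serviceUsageAdmin":       ("deployer",     "Deployment"),
    "roles/container.clusterAdmin":               ("deployer",     "Deployment"),
    "roles/containeranalysis.notes.attacher":     ("attestor",     "Attestation"),
    "roles/containeranalysis.occurrences.editor": ("attestations", "Attestation"),
}

def audit_policy(project_kind, policy_json):
    """Audit one project's IAM policy (shape of `gcloud projects get-iam-policy
    --format=json`). Returns finding strings for roles the table does not place
    in this project and for principals that mix roles from different activities."""
    policy = json.loads(policy_json)
    findings = []
    activities = defaultdict(set)  # member -> activities its granted roles belong to
    for binding in policy.get("bindings", []):
        role = binding["role"]
        expected = ROLE_TABLE.get(role)  # None for roles outside the table
        for member in binding.get("members", []):
            if expected is None or expected[0] != project_kind:
                findings.append(f"{member}: {role} is not in the least-privilege "
                                f"set for the {project_kind} project")
            else:
                activities[member].add(expected[1])
    for member, acts in activities.items():
        if len(acts) > 1:
            findings.append(f"{member}: holds roles from {sorted(acts)}, "
                            f"which breaks separation of duties")
    return findings

# Constructed sample policy for the Attestor project (placeholder account names):
# the SecOps user also holds the attacher role, and the signer service account
# was granted an Attestations-project role here by mistake.
SIGNER = "serviceAccount:signer@attestor-project-placeholder.iam.gserviceaccount.com"
SAMPLE_ATTESTOR_POLICY = json.dumps({"bindings": [
    {"role": "roles/binaryauthorization.attestorsAdmin", "members": ["user:secops-admin@example.com"]},
    {"role": "roles/containeranalysis.notes.attacher", "members": [SIGNER, "user:secops-admin@example.com"]},
    {"role": "roles/containeranalysis.occurrences.editor", "members": [SIGNER]},
]})

if __name__ == "__main__":
    for finding in audit_policy("attestor", SAMPLE_ATTESTOR_POLICY):
        print(finding)
```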