Adjust IAM permissions


This topic describes how to limit the types of Google Cloud resources Config Connector can create and manage by limiting the Identity and Access Management (IAM) permissions assigned to your Google service account.

IAM permissions for Config Connector

IAM authorizes your Config Connector installation to take action on specific resources. By limiting the permissions assigned to your Config Connector service account, you have greater control over what kinds of resources Config Connector can create.

Adjust permissions for your Config Connector after installation

During the installation of Config Connector, you may have selected a temporary role (for example, the Editor role on a single Google Cloud project) and assigned it to the service account that you configured Config Connector with.

If you configured Config Connector in namespaced mode, you may even have created a separate service account for each namespace, each with its own role assignment.

The initial IAM permissions of these service accounts can be removed or updated to align with your organization's security requirements and permission-control processes.

One core advantage of Config Connector is unified tooling, so you can keep fine-tuning IAM with Config Connector itself after installation: the IAMPolicyMember and IAMPartialPolicy resources configure IAM permissions. This does require a service account that holds IAM administrator permissions across your projects, folders, or organization, and that service account must be bound to the Config Connector installation in either cluster mode or namespaced mode.

Config Connector can then be used to bootstrap and manage important IAM policies. The following sections list different policy examples.

Organization owner permission

To expand Config Connector's permissions so it can manage all projects and folders for a given organization:

  1. Create the following YAML manifest:

    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMPolicyMember
    metadata:
     name: iampolicymember-orglevel-permission
     namespace: NAMESPACE
    spec:
     member: serviceAccount:SERVICE_ACCOUNT_NAME@HOST_PROJECT_ID.iam.gserviceaccount.com
     role: roles/owner
     resourceRef:
       kind: Organization
       external: ORGANIZATION_ID
    

    Replace the following:

    • NAMESPACE with the name of your namespace
    • SERVICE_ACCOUNT_NAME with your service account name
    • HOST_PROJECT_ID with the host project ID of your service account
    • roles/owner with the appropriate role
    • ORGANIZATION_ID with your organization ID
  2. Apply the YAML manifest to your cluster using kubectl or any Config Management tools of your choice.

Folder owner permission

To expand Config Connector's permissions so it can manage all projects and folders in a given folder:

  1. Create the following YAML manifest:

    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMPolicyMember
    metadata:
     # Distinct name so this manifest does not overwrite the organization-level one
     name: iampolicymember-folderlevel-permission
     namespace: NAMESPACE
    spec:
     member: serviceAccount:SERVICE_ACCOUNT_NAME@HOST_PROJECT_ID.iam.gserviceaccount.com
     role: roles/owner
     resourceRef:
       kind: Folder
       external: folders/FOLDER_ID

    Replace the following:

    • NAMESPACE with the name of your namespace
    • SERVICE_ACCOUNT_NAME with your service account name
    • HOST_PROJECT_ID with the host project ID of your service account
    • roles/owner with the appropriate role
    • FOLDER_ID with your folder ID
  2. Apply the YAML manifest to your cluster using kubectl or any Config Management tools of your choice.

Project owner permission

To allow Config Connector to manage a specific project's resources:

  1. Create the following YAML manifest:

    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMPolicyMember
    metadata:
     # Distinct name so this manifest does not overwrite the organization- or folder-level one
     name: iampolicymember-projectlevel-permission
     namespace: NAMESPACE
    spec:
     member: serviceAccount:SERVICE_ACCOUNT_NAME@HOST_PROJECT_ID.iam.gserviceaccount.com
     role: roles/owner
     resourceRef:
       kind: Project
       external: projects/PROJECT_ID

    Replace the following:

    • NAMESPACE with the name of your namespace
    • SERVICE_ACCOUNT_NAME with your service account name
    • HOST_PROJECT_ID with the host project ID of your service account
    • roles/owner with the appropriate role
    • PROJECT_ID with your target project ID
  2. Apply the YAML manifest to your cluster using kubectl or any Config Management tools of your choice.

Limited permissions

If you prefer to grant more limited permissions to Config Connector, you can assign one or more IAM permissions to your Config Connector installation by creating a few IAMPolicyMember resources or a combined IAMPartialPolicy resource. The following roles are commonly assigned to the Config Connector service account:

  • Editor: Granting the Editor role (roles/editor) allows most Config Connector features except project- or organization-wide configuration such as IAM modifications.

  • IAM Service Account Admin: Granting the roles/iam.serviceAccountAdmin role allows Config Connector to configure IAM service accounts.

  • Resource Manager: Granting a Resource Manager role such as roles/resourcemanager.folderCreator allows Config Connector to manage folders and organizations.
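As an added example (not from the Config Connector documentation or project), the following Python renders the IAMPolicyMember manifests from the organization, folder and project sections above and the combined IAMPartialPolicy mentioned under Limited permissions, checks the placeholder substitutions before you apply them, and flags Owner or Editor grants at folder or organization scope for review. The IAMPartialPolicy bindings layout (bindings[].role, bindings[].members[].member) is assumed from that resource's schema; the service account, project and manifest names used when calling these functions are constructed.

```python
import re
API_VERSION = "iam.cnrm.cloud.google.com/v1beta1"
# Format checks for the placeholders; external prefixes follow this page's manifests (Organization: bare ID).
SA_EMAIL_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$")
ROLE_RE = re.compile(r"^(roles/[A-Za-z0-9_.]+|(projects|organizations)/[^/]+/roles/[A-Za-z0-9_.]+)$")
EXTERNAL_PREFIX = {"Project": "projects/", "Folder": "folders/", "Organization": ""}

def member_for(sa_name, host_project):
    """Build the serviceAccount: member string the manifests expect and validate its shape."""
    email = f"{sa_name}@{host_project}.iam.gserviceaccount.com"
    if not SA_EMAIL_RE.match(email):
        raise ValueError(f"not a valid service account email: {email}")
    return f"serviceAccount:{email}"

def resource_ref(kind, external):
    prefix = EXTERNAL_PREFIX.get(kind)
    if prefix is None:
        raise ValueError(f"unsupported resourceRef kind: {kind}")
    if not external.startswith(prefix) or len(external) <= len(prefix):
        raise ValueError(f"{kind} external must look like '{prefix}<id>', got {external!r}")
    return {"kind": kind, "external": external}

def check_role(role):
    if not ROLE_RE.match(role):
        raise ValueError(f"malformed role: {role}")
    return role

def iam_policy_member(name, namespace, sa_name, host_project, role, kind, external):
    """One IAMPolicyMember with the same layout as the manifests on this page."""
    return {"apiVersion": API_VERSION, "kind": "IAMPolicyMember",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"member": member_for(sa_name, host_project), "role": check_role(role),
                     "resourceRef": resource_ref(kind, external)}}

def iam_partial_policy(name, namespace, sa_name, host_project, roles, kind, external):
    """One IAMPartialPolicy granting several roles to one member (bindings layout is assumed)."""
    member = member_for(sa_name, host_project)
    return {"apiVersion": API_VERSION, "kind": "IAMPartialPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"resourceRef": resource_ref(kind, external),
                     "bindings": [{"role": check_role(r), "members": [{"member": member}]} for r in roles]}}

def broad_grants(manifests):
    """Return (manifest name, role) pairs granting Owner or Editor above project scope, for review."""
    found = []
    for m in manifests:
        roles = [m["spec"]["role"]] if m["kind"] == "IAMPolicyMember" else [b["role"] for b in m["spec"]["bindings"]]
        if m["spec"]["resourceRef"]["kind"] in ("Organization", "Folder"):
            found.extend((m["metadata"]["name"], r) for r in roles if r in ("roles/owner", "roles/editor"))
    return found
```

Serialize the returned dicts with json.dumps (kubectl accepts JSON manifests) or a YAML library, then apply them as in step 2 of each section.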

Custom roles

IAM also provides the ability to create customized roles. You can create a custom role with one or more permissions and then grant that custom role to Config Connector. For more information, see Understanding IAM custom roles.
