Every subject - a user or a group - follows a two-step process to gain access to the admin cluster, and system and user clusters:
Admin cluster access: Grant a subject with permissions in the admin cluster using
ClusterRoleBinding
orRoleBinding
to a predefinedClusterRole
.User cluster access: Create a
ProjectRole
andProjectRoleBinding
to propagate a KubernetesRole
andRoleBindings
to KubernetesNamespaces
in system and user clusters (corresponding to theProject
that theProjectRole
andProjectRoleBinding
are in).
Personas (IO, PA, AO) are not roles but are collections of user roles mapped to specific permissions and assigned to individual users.
Both the Organization IAM Admin and the Project IAM Admin can create more project roles and project role bindings to grant additional project-specific permissions. However, Organization IAM Admins can create project roles and project role bindings for any project. On the other hand, Project IAM Admins can only create project roles and project role bindings for projects they have permission to access.
Set up role bindings
You can set up role bindings that give team members access to resources at the organization or project level.
To get the permissions that you need to set up role bindings, ask your Organization IAM Admin to grant you the Organization IAM Admin role.
To assign a role to an authorized member, follow these steps:
Console
- Sign in to the GDC console.
- Click Select project to select an organization or project.
- To set up role bindings for an organization, select an organization.
- To set up role bindings for a project, select a project.
- In the navigation menu, click Identity and Access > Access.
- Click Add member.
- In the Identity provider list, select an identity provider.
- Choose whether you want to add individual users or groups.
- In the Username or group alias field, enter the username, email address, or alias.
- In the Role list, select the role that you want to assign to the user or group, such as Organization Viewer at the organization level or Project Creator at the project level.
- Click Add.
The member appears in the Authorized member list.
CLI
Export the user credential that you use:
export YOUR_IAM_ADMIN_KUBECONFIG=YOUR_IAM_ADMIN_KUBECONFIG
Export the email account of the user that you want to assign the role, such as
idpprefix-paul@example.com
:export USER_EMAIL=USER_EMAIL
Export the name of the role the user needs, such as
project-creator
. Refer to Role descriptions to find the according role.export ROLE_NAME=ROLE_NAME
Assign a user to a
ClusterRole
or aRole
:Assign a user to a
ClusterRole
:kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \ clusterrolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \ --clusterrole=${ROLE_NAME} --user=${USER_EMAIL}
For cases when a
ClusterRole
requires aRoleBinding
instead of aClusterRoleBinding
, refer to the Role descriptions to find out what binding type the role needs and create a RoleBinding in the namespacegpc-system
instead:kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \ rolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \ --clusterrole=${ROLE_NAME} --user=${USER_EMAIL} --namespace=gpc-system
Assign a user to a
Role
:Export the namespace where the binding must be created:
export BINDING_NAMESPACE=BINDING_NAMESPACE
Run the following commands to create a
RoleBinding
:kubectl create --kubeconfig ${YOUR_IAM_ADMIN_KUBECONFIG} \ rolebinding ${USER_EMAIL}-${ROLE_NAME}-binding \ --role=${ROLE_NAME} --user=${USER_EMAIL} --namespace=${BINDING_NAMESPACE}
Remove role bindings
When access is no longer required, remove a member and their associated roles, permissions, and access.
To remove members, work through the following steps:
Console
- Sign in to the GDC console.
- In the navigation menu, click Identity and Access > Access.
- In the Authorized members list, select a member.
- Click Remove member.
- When prompted, click Remove member to confirm.
CLI
Delete the ClusterRoleBinding
to revoke the permission granted to the
PA account:
kubectl --kubeconfig ${YOUR_IO_SECURITY_ADMIN_KUBECONFIG} \
delete clusterrolebinding ${PA_EMAIL}-pa
Revoke user access
If a member leaves your organization or team, you can revoke their access to Google Distributed Cloud (GDC) air-gapped appliance. Revoking a user's access logs them out of GDC air-gapped appliance and denies their roles and permissions. You can also list the user's activity and sessions from their start and end time.
To revoke a user's access, do the following:
Revoke the user's access:
gdcloud admin auth revoke --accounts USER_EMAIL
Replace USER_EMAIL with the email of the user to revoke access.
After running the command, you see output similar to the following. This example revokes access from the user
ariel@example.com
:Success: NUMBER of sessions revoked for user ariel@example.com
In this example, the variable NUMBER refers to the number of active sessions the user had.
Confirm you've revoked the user's access by running the
gdcloud admin auth revoke
command again. If successful, you see the following:No sessions found for account: ariel@example.com
List all revoked users
To view all revoked users and their activity and sessions, do the following:
List all revoked users from their start and end time:
gdcloud admin auth list --format="csv(ACCOUNT, IDENTITY_PROVIDER, CREATION_TIME, EXPIRATION_TIME)"
If successful, you see output similar to the following:
account,identity_provider,creation_time,expiration_time ariel@example.com,example-idp,2023-02-15 22:10:52,2023-02-15 23:10:52