Help secure IAM with VPC Service Controls

With VPC Service Controls, you can create perimeters, which are boundaries around your Google Cloud resources. You can then define security policies that help prevent access to supported services from outside of the perimeter. For more information about VPC Service Controls, see the VPC Service Controls overview.

You can use VPC Service Controls to help secure the following IAM-related APIs:

  • IAM API
  • Security Token Service API

Help secure the IAM API

You can help secure your Identity and Access Management (IAM) resources by using VPC Service Controls. IAM resources include the following:

  • Custom roles
  • Service account keys
  • Service accounts
  • Workload identity pools

How VPC Service Controls works with IAM

When you restrict IAM with a perimeter, only actions that use the IAM API are restricted. These actions include managing custom IAM roles, managing workload identity pools, and managing service accounts and keys. The perimeter doesn't restrict workforce pool actions because workforce pools are organization-level resources.

The perimeter around IAM doesn't restrict access management (that is, getting or setting IAM policies) for resources owned by other services, like Resource Manager projects, folders, and organizations or Compute Engine virtual machine instances. To restrict access management for these resources, create a perimeter that restricts the service that owns the resources. For a list of resources that accept IAM policies and the services that own them, see Resource types that accept allow policies.

Additionally, the perimeter doesn't restrict actions that use other APIs, including the following:

  • IAM Policy Simulator API
  • IAM Policy Troubleshooter API
  • Security Token Service API
  • Service Account Credentials API (including the legacy signBlob and signJwt methods in the IAM API)

For more details about how VPC Service Controls works with IAM, see the IAM entry in the VPC Service Controls supported products table.

Help secure the Security Token Service API

You can help secure token exchanges by using VPC Service Controls.

When you restrict the Security Token Service API with a perimeter, only the following entities can exchange tokens:

  • Resources within the same perimeter as the workload identity pool you're using to exchange the token
  • Principals with the attributes defined in the service perimeter

For more details about how VPC Service Controls works with the Security Token Service API, see the Security Token Service entry in the VPC Service Controls supported products table.
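The rules above (which actions an IAM perimeter restricts, which ones it leaves to the service that owns the resource, and who can still exchange tokens once the Security Token Service API is restricted) are easier to reason about as a decision function. The following is an added illustration, not code from Google's documentation or SDK: the API hostnames are the real service names, but the `Perimeter` and `Request` shapes, the single-list simplification of ingress rules, and the sample principals are constructed for this example.

```python
"""Decision model for a VPC Service Controls perimeter around IAM and STS.

Added illustration, not Google's own code. It encodes the rules from the
text: only IAM API actions on IAM-owned resources are restricted by the IAM
perimeter; workforce pools, other services' allow policies, Policy
Simulator/Troubleshooter, and the legacy signBlob/signJwt methods are not;
and with sts.googleapis.com restricted, only callers inside the perimeter
or principals matched by the perimeter's ingress attributes can exchange
tokens. Perimeter/Request shapes and sample principals are constructed.
"""
from dataclasses import dataclass

IAM = "iam.googleapis.com"
STS = "sts.googleapis.com"
SA_CREDENTIALS = "iamcredentials.googleapis.com"

# Resource types the IAM API owns and the IAM perimeter therefore covers.
IAM_OWNED = {"customRole", "serviceAccount", "serviceAccountKey", "workloadIdentityPool"}
# Organization-level resources the IAM perimeter does not restrict.
ORG_LEVEL = {"workforcePool"}
# Legacy IAM API methods that really belong to the Service Account Credentials API.
LEGACY_SIGNING = {"signBlob", "signJwt"}


@dataclass(frozen=True)
class Perimeter:
    name: str
    restricted_services: frozenset
    # Constructed simplification of an ingress rule: principals allowed in from outside.
    allowed_external_principals: frozenset = frozenset()


@dataclass(frozen=True)
class Request:
    api: str             # API hostname the caller talks to
    method: str          # e.g. "create", "setIamPolicy", "token"
    resource_type: str   # e.g. "serviceAccountKey", "project", "workloadIdentityPool"
    caller_inside: bool  # caller runs from a resource inside the perimeter
    principal: str = ""  # identity of the caller (constructed sample values)


def governing_service(req: Request):
    """Return the service whose restrictedServices entry decides this request.

    None means no perimeter rule applies to the action at all.
    """
    if req.api != IAM:
        # Resource Manager, Compute, Policy Simulator, Troubleshooter, STS, ...:
        # each is judged by its own restriction, never by the IAM entry.
        return req.api
    if req.method in LEGACY_SIGNING:
        return SA_CREDENTIALS
    if req.resource_type in ORG_LEVEL:
        return None
    if req.resource_type in IAM_OWNED:
        return IAM
    raise ValueError(f"IAM API does not own resource type {req.resource_type!r}")


def is_blocked(perimeter: Perimeter, req: Request) -> bool:
    """True when the perimeter denies the request."""
    svc = governing_service(req)
    if svc is None or svc not in perimeter.restricted_services:
        return False
    if req.caller_inside:
        return False
    # Outside callers get in only through the (simplified) ingress rule.
    return req.principal not in perimeter.allowed_external_principals


# Constructed sample perimeters.
IAM_PERIMETER = Perimeter("iam-only", frozenset({IAM}))
STS_PERIMETER = Perimeter("sts-only", frozenset({STS}), frozenset({"ci-runner@example.com"}))


def demo():
    """Evaluate a handful of constructed requests and return (label, blocked) pairs."""
    cases = [
        ("create SA key from outside", IAM_PERIMETER,
         Request(IAM, "create", "serviceAccountKey", False, "dev@example.com")),
        ("create workforce pool from outside", IAM_PERIMETER,
         Request(IAM, "create", "workforcePool", False, "dev@example.com")),
        ("setIamPolicy on a project from outside", IAM_PERIMETER,
         Request("cloudresourcemanager.googleapis.com", "setIamPolicy", "project", False)),
        ("legacy signBlob from outside", IAM_PERIMETER,
         Request(IAM, "signBlob", "serviceAccount", False)),
        ("token exchange, unknown principal outside", STS_PERIMETER,
         Request(STS, "token", "workloadIdentityPool", False, "unknown@example.com")),
        ("token exchange, ingress-allowed principal", STS_PERIMETER,
         Request(STS, "token", "workloadIdentityPool", False, "ci-runner@example.com")),
        ("token exchange from inside the pool's perimeter", STS_PERIMETER,
         Request(STS, "token", "workloadIdentityPool", True)),
    ]
    return [(label, is_blocked(p, r)) for label, p, r in cases]


if __name__ == "__main__":
    for label, blocked in demo():
        print(f"{'BLOCKED' if blocked else 'allowed':8} {label}")
```

The `governing_service` split is the part worth keeping in mind when auditing a perimeter: restricting `iam.googleapis.com` alone does nothing for `setIamPolicy` on projects or VMs, and it leaves `signBlob`/`signJwt` to whatever you decided for `iamcredentials.googleapis.com`, so each of those services needs its own entry in `restrictedServices` if you expect them covered.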

What's next