Help secure IAM with VPC Service Controls

You can help secure your Identity and Access Management (IAM) resources by using VPC Service Controls. IAM resources include the following:

  • Custom roles
  • Service account keys
  • Service accounts
  • Workload identity pools

With VPC Service Controls, you can create perimeters, which are boundaries around your Google Cloud resources. You can then define security policies that help prevent access to supported services from outside of the perimeter. For more information about VPC Service Controls, see the VPC Service Controls overview.

How VPC Service Controls works with IAM

When you restrict IAM with a perimeter, only requests to the IAM API (iam.googleapis.com) are restricted. These requests include managing custom IAM roles, managing workload identity pools, and managing service accounts and service account keys. The perimeter does not restrict requests that use other APIs, including the following:

  • IAM Policy Simulator API
  • IAM Policy Troubleshooter API
  • Security Token Service API
  • Service Account Credentials API (including the legacy signBlob and signJwt methods in the IAM API)

A perimeter that restricts only IAM also does not restrict getting or setting IAM policies on resources owned by other services, such as Compute Engine virtual machine instances, because those getIamPolicy and setIamPolicy calls go through the owning service's API rather than the IAM API. To restrict getting and setting IAM policies for those resources, add the service that owns them to the perimeter's restricted services. For a list of resources that accept IAM policies and the services that own them, see Resource types that accept IAM policies.
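The following Terraform definition is an added example, not configuration from this page or from Google Cloud. It creates one perimeter that restricts both iam.googleapis.com (covering the IAM resources listed above) and compute.googleapis.com (so that IAM policies on VM instances are covered as well), while letting administrators who pass an existing access level keep managing IAM from outside the perimeter. The access policy ID, project number, and the access level named `corp_admins` are placeholders that you must replace with your own values.

```hcl
# Added example, not the page's own configuration.
# Assumed placeholders: var.access_policy_id (Access Context Manager policy
# number), var.project_number (project placed inside the perimeter), and an
# access level "corp_admins" that already exists under the same policy.

variable "access_policy_id" { type = string } # e.g. "123456789012"
variable "project_number"   { type = string } # e.g. "987654321098"

resource "google_access_context_manager_service_perimeter" "iam_perimeter" {
  parent         = "accessPolicies/${var.access_policy_id}"
  name           = "accessPolicies/${var.access_policy_id}/servicePerimeters/iam_perimeter"
  title          = "iam_perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"

  # To roll out safely, first put this same block under `spec` with
  # use_explicit_dry_run_spec = true so violations are only logged, then
  # move it to `status` once the audit logs show no unexpected denials.
  status {
    resources = ["projects/${var.project_number}"]

    # iam.googleapis.com protects custom roles, service accounts, service
    # account keys and workload identity pools.
    # compute.googleapis.com is required because getIamPolicy/setIamPolicy on
    # VM instances is served by the Compute Engine API, not the IAM API.
    restricted_services = [
      "iam.googleapis.com",
      "compute.googleapis.com",
    ]

    # Workloads inside the perimeter may still call these services.
    vpc_accessible_services {
      enable_restriction = true
      allowed_services   = ["iam.googleapis.com", "compute.googleapis.com"]
    }

    # Let user accounts that satisfy the "corp_admins" access level (for
    # example, corporate IP ranges) manage IAM and Compute IAM policies from
    # outside the perimeter. Requests that do not match this rule are denied.
    ingress_policies {
      ingress_from {
        identity_type = "ANY_USER_ACCOUNT"
        sources {
          access_level = "accessPolicies/${var.access_policy_id}/accessLevels/corp_admins"
        }
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "iam.googleapis.com"
          method_selectors { method = "*" }
        }
        operations {
          service_name = "compute.googleapis.com"
          method_selectors { method = "*" }
        }
      }
    }
  }
}
```

After you apply the perimeter, a call such as listing service accounts or changing a VM's IAM policy from a network that does not satisfy the access level is rejected, and the denial is recorded in Cloud Audit Logs with a `vpcServiceControlsUniqueIdentifier` that you can use when troubleshooting. Note that, as the list above states, token minting through the Service Account Credentials API and token exchange through the Security Token Service API are not affected by this perimeter, so it does not by itself stop a caller who already holds a service account key or an identity federation configuration from obtaining credentials.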

For more details about how VPC Service Controls works with IAM, see the IAM entry in the VPC Service Controls supported products table.

What's next