I am aware that in order to use the GTM server container, I need to provision (connect and link) with GCP's AppEngine.
When provisioning, the "AppEngine administrator" role alone caused an error, so I tried using the basic role "editor" and it worked.
I would like to apply a role with minimum privileges if possible, do you know of any?
There are hundreds of roles and it's a pain to keep track of all of them and what each role does. I use the Google documents [1], [2] to assign roles; these list the roles available and what each role does.
[1] https://cloud.google.com/iam/docs/understanding-roles#access-approval-roles
[2] https://cloud.google.com/appengine/docs/standard/python/roles
I need some help understanding the behavior of AD and the security around it.
In a nutshell I have a requirement to automate just in time elevation to certain privileged groups, where Domain Admins is one of the groups we need to add membership to.
Here is a summary on the way I set things up
I created a new group called DomainAdminJit which is a member of "Domain Admins", I add a service account as a delegate to DomainAdminJit to modify membership where I expect to add users to this group instead of the domain admin group directly, for organization purposes mainly.
This works fine, but a few minutes later all permissions granted to the service account are being stripped. Researching this, it turns out to be done because the AdminSDHolder is reverting those permissions.
My initial reaction was to add the service account with write properties and write permissions to the AdminSDHolder container, but somehow that doesn't work.
I do see the service account now in the DomainAdminsJit group; however, I get insufficient rights when attempting to add a user to the DomainAdminsJit group using that service account.
What am I missing and how do I ensure that service account is always able to add members to a group that is a member of Domain admins and not have the permissions revert?
Your help would greatly be appreciated
Thank you
I successfully created a ServicePrincipal (SP) in AzureAD and am able to do a lot of stuff like {Connect to Azure, Create resource, etc...}
I need my SP to use the command Get-AzNetworkServiceTag, but it always returns empty values.
When I try the command Get-AzNetworkServiceTag with my own account I get the expected result. I believe the problem comes from permissions, and your help is very welcome to set least privilege.
My current permissions look like:
Do you know which one I should use?
An alternative question is: what is the best practice to determine permissions based on a PowerShell command? Although the permission names could help to determine this, there are so many that it's difficult to choose the correct one. Thank you.
The command Get-AzNetworkServiceTag essentially calls the Azure Management REST API - Service Tags - List. It is not related to Azure AD; to solve the issue, you need to assign an Azure RBAC role (not an Azure AD admin role) to your service principal.
To solve the issue, the easiest way is to assign a built-in role, e.g. Reader or Contributor, to your service principal at the subscription scope. But if you want the least privilege, your option is to create a custom role and then use it; you could follow the steps below.
1. Navigate to your subscription in the portal -> Access control (IAM) -> Add -> Add custom role, following the screenshots.
2. Then skip the Permissions; in the JSON, click Edit, add Microsoft.Network/*/read to actions -> Next and create it.
3. After creating the custom role, wait for a while, navigate to Access control (IAM) -> add the custom role to your service principal.
In conclusion, the Microsoft.Network/*/read action permission is the least privilege in this case; after giving the role, it will work fine.
Alternative question: what is the best practice to determine permissions based on a PowerShell command?
You just need to know what the command does, then find the operation in the Azure resource provider operations. In this case, there is no such operation as Microsoft.Network/serviceTags/read, so we need to use Microsoft.Network/*/read at least.
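The same custom-role steps done with the Azure CLI instead of the portal, as an added example that is not part of the original answer. SUBSCRIPTION_ID, SP_OBJECT_ID, the role name and the region are placeholders you would replace; the role grants only the single read action the answer identifies.

```shell
#!/bin/sh
# Added example (not from the original answer). SUBSCRIPTION_ID and SP_OBJECT_ID
# are placeholders for your subscription and the service principal's object ID.
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
SP_OBJECT_ID="${SP_OBJECT_ID:-<service-principal-object-id>}"
ROLE_NAME="Service Tag Reader"                 # hypothetical custom role name
ROLE_FILE="${ROLE_FILE:-service-tag-reader.json}"

# Write the role definition: only Microsoft.Network/*/read, assignable in one
# subscription. Compare with the "easy" fix of Reader/Contributor at subscription
# scope, which grants read (or write) on every resource type.
write_role_definition() {
  cat > "$ROLE_FILE" <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Read-only Microsoft.Network access, enough for Service Tags - List",
  "Actions": [ "Microsoft.Network/*/read" ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/$SUBSCRIPTION_ID" ]
}
EOF
}

# Number of provider actions the role grants; least privilege here means exactly 1.
granted_actions() {
  grep -c '"Microsoft\.' "$ROLE_FILE"
}

# List the read operations the Microsoft.Network provider exposes, to confirm
# there is no serviceTags-specific read operation to narrow the role to.
list_network_read_operations() {
  az provider operation show --namespace Microsoft.Network \
    --query "resourceTypes[].operations[].name" -o tsv | grep '/read$'
}

# Create the role, assign it to the service principal, and call the same REST
# operation Get-AzNetworkServiceTag uses. Needs an authenticated 'az' session
# that is allowed to manage RBAC on the subscription.
apply_role() {
  az role definition create --role-definition "@$ROLE_FILE"
  az role assignment create --assignee-object-id "$SP_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" \
    --scope "/subscriptions/$SUBSCRIPTION_ID"
  az network list-service-tags --location westeurope --query 'values[0].name' -o tsv
}

write_role_definition
```

Run `apply_role` once the JSON looks right; after assignment, re-run Get-AzNetworkServiceTag under the service principal to confirm it now returns tags.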
You are facing this issue because the PowerShell cmdlet works differently compared to MS Graph. Instead of permissions, PowerShell requires roles to do these operations. Please add the Global Administrator role to your service principal and then try Connect-AzAccount, and the issue will be fixed.
For more details, you may refer to Assigning administrator roles in Azure Active Directory.
Is it possible to have multiple profiles for a PIM role within Azure? If not, is this something that is on the roadmap?
Question from customer: "as you know you can customize the roles to specify the window for that privilege, the approvers and so on. Could you have multiple profiles for each role in the future?"
This is possible with the privileged access groups feature. Simply create two groups, apply different policies and make the users eligible for the group (do not assign the group as eligible, since the members are eligible for the group, which would require them to activate twice). Documentation can be found at aka.ms/pag
Thanks Steve, but from what I can see it's only for Azure AD roles, right? It's not possible to assign Azure resources.
Thanks again!
When you create a new privileged access group you can only assign Azure AD roles, but not Azure resource roles, during creation; that's what I meant... because with that you can modify the properties for that specific role, in terms of the duration of the privileged mode, who the approvers are, and so on... Will it be available in the future?
Do we know when it will be in GA?
Thanks!!
Ignore assigning roles at group creation time. Simply create the role and enable it for role assignment (this part is required if you want to use it with PIM). Once it's created (even with no AAD roles assigned to it) you can enable the group for Privileged access. After enabling the group for privileged access you can assign members as Eligible, and configure assignment and activation settings for the member and/or owner roles. ETA for GA of this feature (privileged access groups) is end of the calendar year.
I am trying to create a subscription during the application run time, the code should be able to create a subscription and clean it up after it finishes.
I want to do this with the least possible permissions for the service account I am using. For now, I have created a custom role and gave it two permissions: pubsub.subscriptions.create and pubsub.subscriptions.delete.
Although this allows the creation and clean-up of a subscription, it allows deleting not only the current subscription, but also the subscriptions created by other users in the same project.
How can I assign permissions so as to be able to create subscriptions in Pub/Sub and delete the subscription created by this service account?
Another way to put it could be: how can I create a subscription at run time and modify only this subscription's permissions to include pubsub.subscriptions.delete (with the same service account)?
Is there a way to make a service account admin/editor for the resources (topics, subscriptions, compute engine, etc.) created by this account? Something like an IAM role - make admin after resource creation.
Related Documentation Links:
https://cloud.google.com/pubsub/docs/access-control
This is impossible due to limitations of the Google IAM by design.
In Google IAM, permissions correspond 1:1 with REST methods. To call a method, the caller needs that permission. In other words, permissions are granted on methods, so that you can call them, and not on objects, so that you can modify/rename/delete them, as would be necessary in your case. You want to delete a certain object, right?
To get more granular access, you would need to assign a Policy with a Custom Role on a Subscription object explicitly, but you can hardly assign a Pub/Sub Custom Role below the Project level.
A Subscription creator does not become an "Admin" of the created object, as it could in an access management service with permissions assigned on objects. If explicitly assigning a Policy with a Custom Role on a freshly created Subscription were possible, it would have to be done by an account with a Role that can manage permissions: pubsub.admin, for example. That means that you would have to grant this Role to your service account in addition to the existing Custom Role with the pubsub.subscriptions.create and *.delete permissions. As soon as you do this, the least privilege principle becomes meaningless.
Understanding IAM custom roles
Cloud IAM Documentation > Understanding roles > Pub/Sub roles
Access Control > Required permissions
Access Control > Roles
Using IAM, I am trying to allow certain users to access APIs and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.
When the user is in their project and goes to "APIs and Services" > Credentials, the user receives this error:
You don't have permission to view API keys, OAuth clients, and service account keys.
Roles/Permissions:
- App Engine Admin
- Cloud Functions Developer
- Cloud Datastore Owner
- Service Account Admin
- Source Repository Administrator
- Storage Admin
So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.
I went to Project Settings > Roles > Create Role. I then created two custom roles; here are all the permissions I assigned to them:
"Custom API"
container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
serviceusage.apiKeys.create
serviceusage.apiKeys.delete
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert
serviceusage.apiKeys.update
"Custom Client Auth"
clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.
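The two custom roles above created with gcloud instead of the console, as an added example that is not from the original answer. PROJECT_ID, the role IDs and the member passed to apply_roles are placeholders; the permission lists are exactly the ones the answer gives.

```shell
#!/bin/sh
# Added example (not from the original answer). PROJECT_ID is a placeholder.
PROJECT_ID="${PROJECT_ID:-your-project-id}"

# Write a gcloud custom-role file: title, launch stage and the permissions given.
write_role_file() {
  file="$1"; title="$2"; shift 2
  {
    printf 'title: "%s"\n' "$title"
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    for perm in "$@"; do printf -- '- %s\n' "$perm"; done
  } > "$file"
}

# Number of permissions a role file grants (one "- " line per permission).
permission_count() { grep -c '^- ' "$1"; }

write_role_file custom_api.yaml "Custom API" \
  container.apiServices.create container.apiServices.delete \
  container.apiServices.get container.apiServices.list \
  container.apiServices.update container.apiServices.updateStatus \
  serviceusage.apiKeys.create serviceusage.apiKeys.delete \
  serviceusage.apiKeys.get serviceusage.apiKeys.getProjectForKey \
  serviceusage.apiKeys.list serviceusage.apiKeys.regenerate \
  serviceusage.apiKeys.revert serviceusage.apiKeys.update

write_role_file custom_client_auth.yaml "Custom Client Auth" \
  clientauthconfig.brands.create clientauthconfig.brands.delete \
  clientauthconfig.brands.get clientauthconfig.brands.list \
  clientauthconfig.brands.update \
  clientauthconfig.clients.create clientauthconfig.clients.createSecret \
  clientauthconfig.clients.delete clientauthconfig.clients.get \
  clientauthconfig.clients.getWithSecret clientauthconfig.clients.list \
  clientauthconfig.clients.listWithSecrets clientauthconfig.clients.undelete \
  clientauthconfig.clients.update

# Create both project-level roles and bind them to one principal, e.g.
# apply_roles user:dev@example.com. Needs an authenticated gcloud session that
# may manage roles and the project's IAM policy; role IDs are hypothetical.
apply_roles() {
  member="$1"
  gcloud iam roles create customApi --project="$PROJECT_ID" --file=custom_api.yaml
  gcloud iam roles create customClientAuth --project="$PROJECT_ID" --file=custom_client_auth.yaml
  for role in customApi customClientAuth; do
    gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="$member" --role="projects/$PROJECT_ID/roles/$role"
  done
}
```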
You can go to the roles page:
https://console.cloud.google.com/iam-admin/roles?project=[your-project-id]
And there you can filter for the permission you need:
Now you can see in the list all the roles that include the permission you need, and you can return to the IAM page:
https://console.cloud.google.com/iam-admin/iam?project=[your-project-id]
And select one of those roles: