Managing User Access in Google Cloud

2021-04-02

Once you're logged in to your Google account, you can list all of the projects you have access to, either with a personal account or within an organization, by visiting the Cloud Resource Manager page:

https://console.cloud.google.com/cloud-resource-manager

A Google Cloud Platform project can be created without adding any billing information - there is a lot of testing you can do with GCPs modules before cost kicks in. However if you do want to add an account to your project, you can find the billing setup at:

https://console.cloud.google.com/billing/linkedaccount

You can also navigate to this page from the home dashboard - Billing is at the top of the Products list. (To see this list, click on the hamburger menu in the upper lefthand corner to expand the Navigation menu.)

User Roles

When you create a Google Cloud project, you are automatically an Owner on that project and have access to all of the active modules within it. You can add new modules, and you can also grant access to other users, through user accounts or service accounts.

As an example, BigQuery is the resource I grant permissions to most often, particularly when I'm collaborating with members of other teams on work that shares the same data source. In order to give a user access to BigQuery within a specific project, I might add that user to the project using their email address, then enable a combination of Roles for that user.

The most common combination of roles I grant for BigQuery access is:

BigQuery Data Viewer (read any data or metadata)
BigQuery Job User (run jobs, including queries)
BigQuery User (creation of new datasets within a project)

For more information about BigQuery roles, visit:

https://cloud.google.com/bigquery/docs/access-control#bigquery

Definitions of all the roles available to users in Google Cloud can be found here:

https://cloud.google.com/iam/docs/understanding-roles

Permissions management

From your project's home dashboard, expand the Navigation menu and select `IAM & Admin`. That will take you to a page with a list of all the user/service accounts with access to your project.

Add a new user to a project:

Navigate to IAM & Admin and select the +ADD button at the top of the page. In the dialog pane that pops up, add the user's email address, then select Roles and save. Roles can also be modified later.

Individual user accounts can't access Google Cloud projects programmatically - to do that, you'll need to use a Service Account. A service account is a special kind of account used by an application to make authorized API calls.

Create a service account:

Navigate to "Service Accounts" (under IAM & Admin) and select the CREATE NEW SERVICE ACCOUNT button at the top of the page. You'll be taken to a page that lets you set:

name
ID (a prefix on the service account's address)
description

All three are arbitrary - what you choose to name a service account won't impact its functionality in any way. However, be aware that there is currently no way to associate a service account to specific activity in the GCP dashboard, so the name and description may be the only clue you have to how the service account is being used. Choose wisely, be as descriptive as possible.

Other things you might need to do with users in a Google project

Bulk add/remove a user on multiple projects:

Go the resource management page and select all the projects you want to manage:

https://console.cloud.google.com/cloud-resource-manager

If you're an owner on all of the projects you've selected, you'll see an 'Add Member' button that allows you to enter a voxmedia.com email address and select Roles that will be applied across all the selected projects.

You can also use the resource manager to remove a user from multiple projects at once, or to adjust a user's Roles across multiple projects in one step.

https://cloud.google.com/iam/docs/granting-changing-revoking-access

Add roles to an existing account:

Navigate to IAM & Admin, find the account you want to modify and select Edit (the pencil icon on the right-hand side).

In the dialog pane that pops up, you'll see options for ADD ANOTHER ROLE or the trashcan icon to delete Roles.

Limit access for a specific service account:

In some cases, we've created service accounts for users within (or even outside) the organization, which they can use to gain access only to specific resources.

For example, to manage specific access to a service account on a BigQuery dataset:

Navigate to the dataset you want to manage
Under the query editor, click on the SHARE DATASET icon
In the popup window, you can add a user/service account, add specific roles for that account on that dataset only, and see what accounts already have access to the dataset.

https://cloud.google.com/bigquery/docs/dataset-access-controls#console

Managing access like this is slightly different for every resource type. For example, in Cloud Storage, you need to navigate to the bucket you want to manage, then go to the PERMISSIONS tab to add/remove/modify users.

Generate a credentials file:

Any time you're using the Google Cloud SDK (to use gcloud or bq tools locally) or requesting a Google Cloud resource programmatically, you need to have an environment variable set that points to a JSON credentials file from the project you're trying to access. This will be a credentials file associated with a specific service account.

To generate the file:

Navigate to the Service Accounts page
Choose the appropriate service account for the resource you're trying to access - click on the email address to get to its Details page
Go the KEYS tab and select 'Create new key' from the ADD KEY drop down.
As soon as you select 'Create' the file will be generated and downloaded locally.

In your app, virtualenv, or server environment, set the environment variable with the path to the credentials file:

export GOOGLE_APPLICATION_CREDENTIALS=/path/to/creds.json

Learn more about Google Cloud authentication here:

https://cloud.google.com/docs/authentication/getting-started

Barbara Shaurette