We are scaling our Google Cloud footprint and the IAM roles are becoming unmanageable. We currently have too many "Editor" roles assigned. I want to move toward the Principle of Least Privilege using IAM Recommender and Workload Identity. How do you guys structure your folders and projects to ensure security without blocking the development team’s velocity or causing permission errors?
3 answers
Transitioning away from the "Editor" role is the most important security step you can take. We organized our GCP Resource Hierarchy using a "Production" and "Non-Production" folder structure. For our GKE workloads, we strictly use Workload Identity so that pods don't use the default compute service account, which is way too permissive. The IAM Recommender tool is a lifesaver; it analyzed our history and suggested removing 60% of our unused permissions. It took us three months to fully transition, but our security posture is now much tighter and we pass audits easily.
Are you using Terraform to manage these IAM policies as code, or are you currently making these changes manually through the Google Cloud Console?
Focus on Group-based IAM rather than individual user assignments. It makes onboarding and offboarding employees 100 times easier when you just add them to a Google Group.
This is a gold standard tip. Coupling Google Groups with a solid Folder hierarchy is the foundation of any well-governed Google Cloud environment I've ever worked in.
Gregory, we are currently 50/50. Some legacy projects are manual, but we are moving toward Terraform for everything. Managing IAM through code is the only way to stay sane at our scale. It allows us to peer-review permission changes before they are applied, which prevents someone accidentally locking themselves out of a project or exposing a bucket to the public internet.