
In my organization, we work with GCP and have multiple projects there. I'm now trying to organize the IAM roles between all the projects and I'm not sure about some of the IAM settings. Do projects act as completely separate entities with completely different IAM roles/permissions or is there an overlap between them that can lead to a situation where a change in one project might affect another project?

  • Are you using GCP Organizations? If not, then projects are completely isolated. If you are, review Jen's answer. I will add that roles can be created at the project level (isolated) but also at the organization level, which means inheritance kicks in. However, changes to IAM in one project do not affect other projects except for cross-project access. If you change/create a role in Project A, that does not affect roles in Project B. You can have roles with the same name in multiple projects with different permissions. Commented Sep 17, 2020 at 0:16
  • @JohnHanley "If not, then projects are completely isolated." I just tried to access a bucket from another project and it worked. In my case project A supposedly belongs to an organization. Project B is my personal project (doesn't belong to any organization). Am I missing something? Or isolated in terms of inheritance? Commented May 22, 2024 at 13:02
  • @x-yuri - permissions are granted to principals (email, etc.). Permissions can be granted at the Project/Bucket/Object resource levels. Which principal did you use to access the bucket? I recommend creating a new question. Commented May 22, 2024 at 15:10
  • @JohnHanley I don't think I have a question. Rather, your phrase sounded inaccurate. Projects not belonging to an organization are probably isolated in terms of inheritance. But projects are not completely isolated. If I have a service account in project A, I can give it permissions in project B. Answering your question: I used a service account from project A to access a bucket in project B. Commented May 22, 2024 at 16:15
  • @x-yuri - projects are completely isolated. You are of course free to modify settings/permissions/etc. to change that. You granted permission to principal X in project B; it did not happen mysteriously. However, in the real world, we usually mean isolated in the sense of VPCs and the resources attached to them. You can grant permission to a resource, but that does not mean you can access it. Commented May 22, 2024 at 16:20

2 Answers


Changing roles in one project will not directly change roles set on another project. But there are some things you'll want to consider.

While projects can have their own access control rules, it is possible to manage access at more than the project level. Here are the four resource points where you can manage access:

Organization level. The organization resource represents your company. IAM roles granted at this level are inherited by all resources under the organization.

Folder level. Folders can contain projects, other folders, or a combination of both. Roles granted at the highest folder level will be inherited by projects or other folders that are contained in that parent folder.

Project level. Projects represent a trust boundary within your company. Services within the same project have a default level of trust. For example, App Engine instances can access Cloud Storage buckets within the same project. IAM roles granted at the project level are inherited by resources within that project.

Resource level. In addition to the existing Cloud Storage and BigQuery ACL systems, additional resources such as Genomics Datasets, Pub/Sub topics, and Compute Engine instances support lower-level roles so that you can grant certain users permission to a single resource within a project.

Access can be at the individual level, through a service account, or through organization-wide and Google Group membership. That means that when you add or remove someone from the organization or a Google group, you may inadvertently add or remove them from various roles in different projects.

Also, if a member (individual or group) is assigned a role that gives the capability to change IAM roles, then anyone in that member group can modify permissions. They may change rules in ways you don't want.

When in doubt, use testPermissions to verify that roles are working as expected.


The IAM roles you set in a project won't affect other projects.

Google Cloud resources are organized hierarchically, where the organization node is the root node in the hierarchy, the projects are the children of the organization, and the other resources are descendants of projects. You can set Identity and Access Management (IAM) policies at different levels of the resource hierarchy. Resources inherit the policies of the parent resource. The effective policy for a resource is the union of the policy set at that resource and the policy inherited from its parent.

Please check the following documentation, where you will find a good explanation of the resource hierarchy for access control.

I think this diagram can help you to understand better how IAM works: (diagram image not reproduced here)
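Added example, not code from either answer: a small Python model of the inheritance both answers describe (the effective policy on a resource is the union of its own bindings and its ancestors' bindings, and a binding added in one project leaves a sibling project untouched, while an explicit cross-project grant still works). All resource names, principals and bindings below are constructed for illustration.

```python
from collections import defaultdict

# Constructed hierarchy (not real projects): organization -> folder -> project -> bucket.
# Each resource maps to its parent; the organization is the root.
PARENT = {
    "organizations/123456": None,
    "folders/7890": "organizations/123456",
    "projects/proj-a": "folders/7890",
    "projects/proj-b": "organizations/123456",  # sibling project, not inside the folder
    "buckets/proj-a-logs": "projects/proj-a",
    "buckets/proj-b-data": "projects/proj-b",
}

# IAM bindings set directly on each resource: role -> principals (constructed sample data).
POLICIES = {
    "organizations/123456": {"roles/viewer": {"group:all-staff@example.com"}},
    "folders/7890": {"roles/storage.objectViewer": {"user:alice@example.com"}},
    "projects/proj-a": {"roles/editor": {"user:bob@example.com"}},
    # Cross-project access: a service account from proj-a explicitly granted a role in proj-b.
    "projects/proj-b": {"roles/storage.objectViewer": {"serviceAccount:sa@proj-a.iam.gserviceaccount.com"}},
    "buckets/proj-a-logs": {"roles/storage.objectViewer": {"user:carol@example.com"}},
}


def effective_policy(resource):
    """Union of the policy on `resource` with the policies of all its ancestors."""
    merged = defaultdict(set)
    node = resource
    while node is not None:
        for role, members in POLICIES.get(node, {}).items():
            merged[role] |= members
        node = PARENT[node]
    return dict(merged)


def has_role(principal, role, resource):
    """True if `principal` holds `role` on `resource`, directly or by inheritance."""
    return principal in effective_policy(resource).get(role, set())


def grant(resource, role, principal):
    """Add a binding on one resource only; ancestors and sibling resources are untouched."""
    POLICIES.setdefault(resource, {}).setdefault(role, set()).add(principal)


if __name__ == "__main__":
    # Alice's folder-level role reaches proj-a's bucket but not proj-b's bucket.
    print(has_role("user:alice@example.com", "roles/storage.objectViewer", "buckets/proj-a-logs"))  # True
    print(has_role("user:alice@example.com", "roles/storage.objectViewer", "buckets/proj-b-data"))  # False
```

The walk up `PARENT` is the inheritance both answers describe; a real check against the live policy would use the testIamPermissions call the first answer mentions rather than this in-memory model.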
