Is it possible to set up an access permission on GCP resource that requires multiple roles/permissions/groups membership? Basically, have a logical AND for permissions.

IAM "conditions" feature provides means for basic role assignment requirement, like time and duration restriction but this is not what I'm looking for.

Example organization structure:

- Testing folder:
  - SomeProject     [Require "Testing" group membership]
  - AnotherProject  [Require "Testing" group membership]
  - SecretProject   [Require "Testing" AND "Secret" group membership]
- Production folder:
  - SomeProject1    [Require "Production" group membership]
  - AnotherProject1 [Require "Production" group membership]
  - SecretProject1  [Require "Production" AND "Secret" group membership]

Thanks.

Yotamz

1 Answer

Hey, as you mentioned, Cloud IAM Conditions does not fit your need. I think structuring the organization can be one way to satisfy this requirement.

For example, if we set it up as follows and assign permissions at that folder level, this could satisfy your needs.

```
                    ORG
                     |
      -------------------------------
     secret                      regular  (folders)
       |                           |
    --------                    --------
sec-      sec-               reg-     reg-  (folders)
lab-1     lab-2              OP-1     OP-2
```

NOTE: I meant to put this as a comment, but due to my reputation I am putting it as an answer. However, if you suggest it, I will edit or change this answer.

Mustafiz
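The folder-level assignment the answer describes, as an added example (not code from the question or the answerer): a small Python model of GCP IAM policy inheritance, where a binding on a folder is inherited by every project beneath it and bindings are unioned along the ancestry, plus an audit that reports anyone holding a role on a project who is not in both required groups. The folder names follow the answer's diagram; the groups, users and roles are constructed.

```python
# Added example, not code from the question or answer. It models how GCP IAM
# policies are inherited: a binding on a folder applies to every project under
# it, and bindings are unioned down the hierarchy. All names are constructed.

# Folder tree from the answer's diagram: child -> parent (the org is the root).
PARENT = {
    "secret": "org", "regular": "org",
    "sec-lab-1": "secret", "sec-lab-2": "secret",
    "reg-OP-1": "regular", "reg-OP-2": "regular",
}
# Constructed group memberships (hypothetical users).
GROUPS = {
    "group:testing": {"alice", "bob", "carol"},
    "group:secret": {"alice", "dave"},
}
# Constructed folder-level bindings, as the answer proposes: resource -> {role: {members}}.
BINDINGS = {
    "secret": {"roles/viewer": {"group:secret"}},
    "regular": {"roles/viewer": {"group:testing"}},
}

def ancestry(resource):
    """Yield the resource itself, then each ancestor up to and including the org."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)

def effective_members(bindings, resource, role):
    """Members holding `role` on `resource`: the union over it and its ancestors."""
    members = set()
    for node in ancestry(resource):
        members |= bindings.get(node, {}).get(role, set())
    return members

def expand(members):
    """Resolve group:* members to user names; other members are kept as-is."""
    users = set()
    for member in members:
        users |= GROUPS.get(member, set()) if member.startswith("group:") else {member}
    return users

def audit_and_requirement(bindings, resource, role, required_groups):
    """Users holding `role` on `resource` who are NOT in every required group.
    An empty result means the AND requirement holds for that resource."""
    allowed = set.intersection(*(GROUPS[g] for g in required_groups))
    return expand(effective_members(bindings, resource, role)) - allowed
```

Running the audit on `sec-lab-1` with both groups required reports `dave`, who is in Secret but not Testing: a single folder-level binding grants the whole group, so the AND has to be enforced by how the bound group is populated and then checked this way.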