Permissions to grant for a "sandbox" project?

We're adding a GCP project to be used for greenfield development, e.g. sort of a developer sandbox. My inclination is to give application/service developers full permissions in that project, to reduce friction and let them get stuff done as quickly and easily as possible.

We then have a separate beta project which we use where we prepare work for production, where application/service developers would have limited-to-no access, but the devops team could productionize things. And then, of course, we have the production project, where everything is locked down tight.

Is a sandbox like this a good idea? What permission(s) would I grant? Owner? GCP recommends not using those legacy roles...



Solution 1:[1]

  1. List all of what each team is allowed to do on each env.
  2. Translate this to a list of IAM permissions per team per env.
  3. If there is some predefined role/s that matches exactly these permissions then use that role/s
  4. If not, then create your own custom role/s for each team per each env.

For example, in the sandbox env:

If the developers team is only allowed to create GKE clusters and deploy workloads to these GKEs, then list all required permissions for such an operation and find a predefined role that has permissions that only allow this operation. See here.

Or, if this is too wide and does not apply the least privilege concept for you then create your own custom role.
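
The four steps above, worked through for the GKE case as an added example (not code from the answer). The permission sets under each role name are constructed, abbreviated excerpts, the required list and the role title are assumptions, and only single roles are compared.

```python
# Steps 1-2: what the sandbox developers may do, as IAM permissions (assumed list).
REQUIRED = {
    "container.clusters.create", "container.clusters.get",
    "container.deployments.create", "container.deployments.get",
    "container.pods.list",
}

# Constructed, abbreviated excerpts of predefined roles. Real roles hold many
# more permissions; load the full lists from `gcloud iam roles describe ROLE`.
PREDEFINED = {
    "roles/container.clusterAdmin": {
        "container.clusters.create", "container.clusters.get",
        "container.clusters.delete", "container.clusters.update",
    },
    "roles/container.developer": {
        "container.clusters.get", "container.deployments.create",
        "container.deployments.get", "container.pods.list",
        "container.secrets.get",
    },
    "roles/container.admin": {
        "container.clusters.create", "container.clusters.get",
        "container.clusters.delete", "container.clusters.update",
        "container.deployments.create", "container.deployments.get",
        "container.pods.list", "container.secrets.get",
    },
}

def evaluate(required, roles):
    """Per role: (missing, excess) permissions relative to the requirement."""
    return {name: (sorted(required - perms), sorted(perms - required))
            for name, perms in roles.items()}

def choose(required, roles):
    """Step 3: a role matching exactly; step 4: otherwise a custom role."""
    for name, (missing, excess) in evaluate(required, roles).items():
        if not missing and not excess:
            return {"use": name}
    return {"custom": custom_role_yaml("Sandbox GKE developer", required)}

def custom_role_yaml(title, permissions):
    """Role definition file for `gcloud iam roles create ... --file=`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for role, (missing, excess) in evaluate(REQUIRED, PREDEFINED).items():
        print(f"{role}: missing={len(missing)} excess={excess}")
    print(choose(REQUIRED, PREDEFINED)["custom"])
```

With these sample sets no single role matches exactly: the two narrower roles each miss a required permission, and the admin role covers everything but carries excess, so the result is a custom role file.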

Solution 2:[2]

I personally don't recommend restricting the IAM permissions. Indeed, in a sandbox project, you want to try things, and maybe things totally outside of the box and unexpected compared to the usual way of working/processing. Using IAM to limit the set of allowed products restricts creativity and protects you against (almost) nothing.

Indeed, if you want to apply security restrictions, what is it for? Limit the access to the services in the Beta environment? Not sure... Prevent the overuse of resources in a non-production (and non-profitable) environment? I think yes!

That's why I recommend using Quotas to restrict the number of resources available for a project (i.e. only 10 CPUs in 1 region and not 3600 in 20 regions as by default). That way, the app team will be able to try and experiment safely, without any restriction, but without killing your budget.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

| Solution | Source |
| --- | --- |
| Solution 1 | Atef Hares |
| Solution 2 | guillaume blaquiere |