Johannes Passing's blog about identity and access management, Windows, security, cryptography, and other stuff| jpassing.com
Before we can call a Google API, we have to obtain an OAuth access token. As we learned before, there are different types of access tokens, and service account access tokens are a little different from user access tokens. The vast majority of Google Cloud APIs don’t discriminate between these two types of token and work with both. But beyond Google Cloud, there are still many Google APIs that don’t accept service account access tokens. If we want to use these APIs in an unattended scenari...| Posts on Identity, access, and stuff - Johannes Passing's blog about IAM
Given an OAuth client ID such as 1234567890-9iuxy238472ny4qmfad0ppg77s61vabo14j0s.apps.googleusercontent.com, how can we find out which Google Cloud project the OAuth client belongs to? If we look closely at OAuth client IDs, we notice that they follow a common pattern: NUMBER-GIBBERISH.apps.googleusercontent.com This pattern isn’t a coincidence: NUMBER is the project number of the Google Cloud project that the OAuth client belongs to, and GIBBERISH identifies the individual Client ID withi...
Google Cloud IAM implements discretionary access control, meaning each resource - be it a folder, project, or VM - has an IAM policy. We can think of this policy as an access control list, outlining who can access the resource and what actions they’re permitted to take. This model is extremely flexible. But as we scale, management can become a challenge: As the number of resources, IAM policies, and users grows, controlling access on a per-resource, per-user basis quickly becomes unviable. T...
The primary focus of JIT Access has been privileged access management (PAM) – enabling users to request just-in-time privileged access to Google Cloud projects on a temporary basis. When I published the project in 2022, Google Cloud didn’t provide any such capabilities as part of the platform, so the project filled an important gap. With Privileged Access Manager in preview now, that situation has changed and managing just-in-time privileged access is now a platform feature. This raises t...