Part of setting up a cloud solution environment involves managing users and assigning them roles. The GCP services related to this are Cloud IAM and Cloud Identity. I realized that I didn’t have a good conceptual understanding of the difference between these.
To gain this understanding, I needed to veer off into the world of digital security. Access security centers on tracking who is accessing what, which breaks down into authentication, authorization and auditing. Authentication verifies that a user is who they claim to be. Authorization determines what an authenticated user is allowed to do. Auditing records what users actually did. GCP has a separate tool for each of these: Cloud Identity handles authentication, Cloud IAM handles authorization, and Cloud Audit Logs handle auditing.
Cloud Identity exists outside GCP. It is the user and account management part of G Suite, but is also offered on its own as a stand-alone platform. It is an IDaaS (identity as a service): a hosted service for managing user accounts and groups, authenticating sign-ins, and administering endpoints (the devices users sign in from). As I dug into this, it reminded me of AD or LDAP which I worked with long, long ago. Were they related? Yes and no. Yes, in the sense that both are directories of users and groups, and Cloud Identity can be populated from an existing AD with Google Cloud Directory Sync or can hand sign-in off to an external identity provider through SAML. No, in that AD is a directory service you run yourself (the "directory" is a hierarchical database of users, groups and computers queried over LDAP, not a file system structure) and it is anchored in on-premises domain membership, while an IDaaS is operated by the provider and built around web sign-in, API access and device management. Google’s own approach to access is based on BeyondCorp, its zero-trust model in which access decisions rest on the user’s identity and device state rather than on network location. At this point, it is time to pull back from this security rabbit hole and refocus on how Cloud IAM manages access to resources.
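To make the three-way split concrete, here is an added example (not code from the original post and not Google’s own implementation) that models the flow in Python. The IAM policy document follows the real Cloud IAM shape, a list of bindings each tying a role to member strings such as `user:` and `group:`, and the two role-to-permission expansions are a small subset of the real predefined roles. The directory of users and group memberships, the audit log and the `access()` helper are constructed stand-ins for Cloud Identity, Cloud Audit Logs and the request path, so the example runs offline.

```python
"""
Constructed model of how the three GCP pieces fit together:
  - Cloud Identity answers "who": users and the groups they belong to.
  - Cloud IAM answers "what": a policy binds members to roles on a resource,
    and each role expands to a set of permissions.
  - Cloud Audit Logs answer "what happened": every decision is recorded.
The policy mirrors the real Cloud IAM shape (bindings of role -> members);
the directory, role table and log are in-memory stand-ins.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Cloud Identity stand-in (constructed): known accounts and their group memberships.
DIRECTORY: Dict[str, Set[str]] = {
    "alice@example.com": {"storage-readers@example.com"},
    "bob@example.com": set(),
    "ci-builder@example.com": set(),
}

# Cloud IAM stand-in: a subset of two real predefined roles expanded to permissions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {"storage.objects.create"},
}

# IAM policy in the same shape Cloud IAM uses: bindings of a role to its members.
POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:storage-readers@example.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["user:bob@example.com"]},
    ]
}


@dataclass
class AuditEntry:
    principal: str
    permission: str
    resource: str
    granted: bool
    timestamp: str


AUDIT_LOG: List[AuditEntry] = []  # Cloud Audit Logs stand-in (constructed)


def authenticate(email: str) -> Optional[str]:
    """Cloud Identity step: only a known account becomes a principal."""
    return email if email in DIRECTORY else None


def members_for(principal: str) -> Set[str]:
    """All IAM member strings that can match this principal: the user itself,
    each group from the directory, and the catch-all for signed-in accounts."""
    members = {f"user:{principal}", "allAuthenticatedUsers"}
    members |= {f"group:{g}" for g in DIRECTORY.get(principal, set())}
    return members


def authorize(principal: str, permission: str, policy: dict) -> bool:
    """Cloud IAM step: granted if some binding whose role carries the permission
    lists the principal directly or through one of its groups."""
    candidates = members_for(principal)
    for binding in policy["bindings"]:
        if permission not in ROLE_PERMISSIONS.get(binding["role"], set()):
            continue
        if candidates & set(binding["members"]):
            return True
    return False


def access(email: str, permission: str, resource: str, policy: dict = POLICY) -> bool:
    """Authenticate, authorize, audit, in that order. Failed authentication is
    still logged as a denial so the log shows who tried, not only who succeeded."""
    principal = authenticate(email)
    granted = principal is not None and authorize(principal, permission, policy)
    AUDIT_LOG.append(AuditEntry(
        principal=email, permission=permission, resource=resource,
        granted=granted, timestamp=datetime.now(timezone.utc).isoformat()))
    return granted


if __name__ == "__main__":
    for who, perm in [("alice@example.com", "storage.objects.get"),
                      ("bob@example.com", "storage.objects.get"),
                      ("mallory@example.com", "storage.objects.get")]:
        print(who, perm, "ALLOW" if access(who, perm, "buckets/demo") else "DENY")
    for entry in AUDIT_LOG:
        print(entry)
```

The point to notice is the division of labour: the policy never mentions alice, yet she can read objects because Cloud Identity says she is in `storage-readers@example.com` and Cloud IAM binds that group to a role carrying `storage.objects.get`. Changing group membership changes access without touching the policy, which is why identity management and authorization are separate products.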