Account Access Identifiers in Google Cloud Platform
  • 17 Apr 2023

Article Summary

In Google Cloud Platform (GCP), a principal can be a Google Account (for end users), a service account (for applications and compute workloads), or a Google group. Each principal has its own identifier, which is typically an email address. Access to resources in GCP is granted to IAM principals.

Types of GCP Principals used in Bobsled

There are three acceptable types of principals to be used within Bobsled:

  • Google Account (end users)
  • Service Account (applications and compute workloads)
  • Google Group (collection of accounts and service accounts)

Google Accounts

A Google account is for a Google end user. Each account has an email address associated with it. Access is authorized for Google accounts using the email address.

Google Groups

A Google group is a collection of Google users and service accounts. Each Google group has its own email address associated with it. Access is authorized for all users in the Google group using the group's email address. To learn how to create a Google group or view a group's details, please visit: https://cloud.google.com/iam/docs/groups-in-cloud-console.

Service Accounts

A service account is an account that can be used by an application or workload. Service accounts are the suggested principal type for consuming the shared data in a data pipeline or ongoing process beyond initial testing. Each service account has an email address associated with it. Access is authorized using the email address for the service account. To learn more about service accounts in GCP, please visit https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating.

The format of a service account email address is as follows: service-account-name@project-id.iam.gserviceaccount.com
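As an added example (not Bobsled's code), a small Python check that parses the service account address format above and flags principal identifiers that do not fit any of the three types before they are entered in a share. The sample identifiers and the `example-data-project` values are constructed; the length and character rules are Google's documented constraints for service account IDs and project IDs.

```python
import re
from typing import NamedTuple, Optional

# Google's documented constraints for user-managed service accounts: the account
# ID and the project ID are each 6-30 lowercase letters, digits or hyphens,
# start with a letter and do not end with a hyphen.
_ID = r"[a-z][a-z0-9-]{4,28}[a-z0-9]"
_SA_EMAIL = re.compile(rf"(?P<name>{_ID})@(?P<project>{_ID})\.iam\.gserviceaccount\.com")
_ANY_EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

class ServiceAccount(NamedTuple):
    name: str
    project_id: str

def parse_service_account_email(identifier: str) -> Optional[ServiceAccount]:
    """Split a service-account-name@project-id.iam.gserviceaccount.com address
    into its parts; return None for anything not in exactly that format."""
    m = _SA_EMAIL.fullmatch(identifier.strip())
    return ServiceAccount(m["name"], m["project"]) if m else None

def classify_principal(identifier: str) -> str:
    """Coarse classification of one principal identifier:
    'service_account' - matches the documented user-managed format;
    'unrecognized_service_account' - a gserviceaccount.com address in some other
        form (missing '.iam', wrong case, or a Google-managed account type this
        page does not cover), worth a second look before access is granted;
    'email' - any other address, i.e. a Google account or group (the two cannot
        be told apart from the string alone);
    'invalid' - not an email address at all, e.g. a display name."""
    value = identifier.strip()
    if parse_service_account_email(value):
        return "service_account"
    if value.lower().endswith("gserviceaccount.com"):
        return "unrecognized_service_account"
    if _ANY_EMAIL.fullmatch(value):
        return "email"
    return "invalid"

def classify_principals(identifiers) -> dict:
    """Classify every identifier in a share's principal list."""
    return {i: classify_principal(i) for i in identifiers}

# Constructed sample input (hypothetical values, not from the page).
CONSTRUCTED_PRINCIPALS = [
    "pipeline-reader@example-data-project.iam.gserviceaccount.com",
    "analyst@example.com",
    "reader@example-data-project.gserviceaccount.com",
    "Pipeline Reader",
]
```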

How does Bobsled use GCP IAM Principals?

Google Cloud Storage Source

To configure a GCS source, an IAM role will be created scoped to the permissions that Bobsled requires to read the source bucket. In the GCS source bucket, the Bobsled role will be assigned to a Bobsled Service Account to authorize read access to the source.

To learn how to configure a GCS source, please visit: Google Cloud Storage Source

Google Cloud Storage Destination

Bobsled will grant read access on the Bobsled-managed destination bucket to the principals that are configured in the destination section of a given share. This permits these identities to read from the destination bucket as well as copy data into their own buckets.

To learn how to configure a GCS destination, please visit: Configure a Google Cloud Storage Destination
