Grant and revoke access

Every subject, a user or a group, gains access to the global API server in two steps. Grant a subject permissions in the global API server by binding it, with an IAMRoleBinding, to a predefined IAMRole. All roles and role bindings are global.

Personas (IO, PA, AO) are not roles but are collections of user roles mapped to specific permissions and assigned to individual users.

Set up role bindings

You can set up role bindings that give team members access to resources at the organization or project level.

To get the permissions that you need to set up role bindings, ask your Organization IAM Admin to grant you the Organization IAM Admin role.

To assign a role to an authorized member, follow these steps:

Console

  1. Sign in to the GDC console.
  2. Select an organization or project from the scope picker.
    • To set up role bindings for an organization, select an organization.
    • To set up role bindings for a project, select a project.
  3. In the navigation menu, click Identity and Access > Access.
  4. Click Add Member.
  5. Choose whether you want to add individual users or groups.
  6. In the Identity provider list, select an identity provider.
  7. In the Username or group alias field, enter the username, email address, or alias.
  8. In the Role list, select the role that you want to assign to the user or group, such as Organization Viewer at the organization level or Project Creator at the project level.
  9. Click Add.

The member appears in the Authorized member list.

gdcloud

  1. Ensure you have the gdcloud CLI installed.

  2. Sign in using the gdcloud auth login command to authenticate with your identity provider. For more information, see the gdcloud CLI authentication.

  3. Set up role bindings.

    • Set up role bindings for an organization:

      gdcloud organizations add-iam-policy-binding ORGANIZATION \
        --member=USER_ACCOUNT \
        --role=ROLE

      Replace the following variables:

      • ORGANIZATION: the name of the organization for which you're setting up the role binding.
      • USER_ACCOUNT: the user account to which you want to grant the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to assign to the user.
    • Set up role bindings for a project:

      gdcloud projects add-iam-policy-binding PROJECT \
        --member=USER_ACCOUNT \
        --role=ROLE

      Replace the following variables:

      • PROJECT: the name of the project for which you're setting up the role binding.
      • USER_ACCOUNT: the user account to which you want to grant the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to assign to the user.

API

  1. Export the user credential that you use:

    export GLOBAL_API_SERVER_KUBECONFIG=GLOBAL_API_SERVER_KUBECONFIG
    
  2. Export the user account for which you want to assign the role, including the identity provider prefix (such as idpprefix-paul@example.com):

    export USERNAME=IDP_PREFIX-USER_EMAIL
    
  3. Export the name of the role the user needs, such as project-creator. Refer to Role definitions to find the appropriate role.

    export ROLE_NAME=ROLE_NAME
    
  4. Export the namespace where the binding must be created:

    export BINDING_NAMESPACE=BINDING_NAMESPACE
    

    Replace BINDING_NAMESPACE with platform for organization-scoped roles, or the name of the target project's namespace for project-scoped roles.

    See Role definitions for a list of roles and their scope.

  5. Create and apply an IAMRoleBinding custom resource:

    cat <<EOF | kubectl --kubeconfig ${GLOBAL_API_SERVER_KUBECONFIG} apply -f -
    apiVersion: iam.global.gdc.goog/v1
    kind: IAMRoleBinding
    metadata:
      name: ${USERNAME}-${ROLE_NAME}-binding
      namespace: ${BINDING_NAMESPACE}
    spec:
      roleRef:
        apiGroup: iam.global.gdc.goog
        kind: IAMRole
        name: ${ROLE_NAME}
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: ${USERNAME}
    EOF
    

Remove role bindings

When access is no longer required, remove a member and their associated roles, permissions, and access.

To remove members, work through the following steps:

Console

  1. Sign in to the GDC console.
  2. In the navigation menu, click Identity and Access > Access.
  3. In the Authorized members list, select a member.
  4. Click Remove member.
  5. When prompted, click Remove member to confirm.

gdcloud

  1. Ensure you have the gdcloud CLI installed.

  2. Sign in using the gdcloud auth login command to authenticate with your identity provider. For more information, see the gdcloud CLI authentication.

  3. Remove role bindings.

    • Remove role bindings for an organization:

      gdcloud organizations remove-iam-policy-binding ORGANIZATION \
        --member=USER_ACCOUNT \
        --role=ROLE

      Replace the following variables:

      • ORGANIZATION: the name of the organization from which you're removing the role binding.
      • USER_ACCOUNT: the user account from which you want to remove the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to remove from the user account.
    • Remove role bindings for a project:

      gdcloud projects remove-iam-policy-binding PROJECT \
        --member=USER_ACCOUNT \
        --role=ROLE

      Replace the following variables:

      • PROJECT: the name of the project from which you're removing the role binding.
      • USER_ACCOUNT: the user account from which you want to remove the role. This flag accepts either a user email address with the identity provider prefix (user:idpprefix-user@example.com) or a service account name with the service account project (serviceAccount:projectName:serviceAccountName).
      • ROLE: the name of the predefined or custom role you want to remove from the user account.

API

Delete the IAMRoleBinding to revoke the permission granted to the PA account:

kubectl --kubeconfig GLOBAL_API_SERVER_KUBECONFIG \
  delete iamrolebinding USERNAME-ROLE_NAME-binding -n BINDING_NAMESPACE

Replace the following:

  • GLOBAL_API_SERVER_KUBECONFIG: the path to the kubeconfig file for accessing the Global API server.
  • USERNAME: the user account for which you want to remove the role, including the identity provider prefix (such as idpprefix-paul@example.com).
  • ROLE_NAME: the name of the role you want to remove, such as project-creator.
  • BINDING_NAMESPACE: platform for organization-scoped roles, or the name of the target project's namespace for project-scoped roles.
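One way to derive the IAMRoleBinding manifest from the variables in the API grant steps, and the object name the API removal step deletes, from a single set of inputs. This is an added example, not code from the GDC documentation: the helper names (binding_name, binding_namespace, check_username, render_binding) are hypothetical, while the name format, namespace rule and manifest fields are the ones the steps above state.

```shell
# Binding name exactly as the procedure derives it: USERNAME-ROLE_NAME-binding.
# The same value names the object in the "kubectl delete iamrolebinding" step.
binding_name() { printf '%s-%s-binding' "$1" "$2"; }

# Namespace rule from the procedure: "organization" means the platform
# namespace; any other non-empty value is the target project's namespace.
binding_namespace() {
  case "$1" in
    '')           return 1 ;;
    organization) printf 'platform' ;;
    *)            printf '%s' "$1" ;;
  esac
}

# Require the identity-provider prefix form idpprefix-user@example.com,
# as the USERNAME step requires; reject a bare email address.
check_username() {
  case "$1" in
    *-*@*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Print the IAMRoleBinding manifest. Arguments: username, role name, scope
# ("organization" or a project name). Fails instead of emitting a bad manifest.
render_binding() {
  check_username "$1" || return 1
  ns=$(binding_namespace "$3") || return 1
  cat <<EOF
apiVersion: iam.global.gdc.goog/v1
kind: IAMRoleBinding
metadata:
  name: $(binding_name "$1" "$2")
  namespace: $ns
spec:
  roleRef:
    apiGroup: iam.global.gdc.goog
    kind: IAMRole
    name: $2
  subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: $1
EOF
}

# Constructed sample values; pipe the output into
# "kubectl --kubeconfig ${GLOBAL_API_SERVER_KUBECONFIG} apply -f -" to grant.
render_binding idpprefix-paul@example.com project-creator organization
```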

Revoke user access

If a member leaves your organization or team, you can revoke their access to Google Distributed Cloud (GDC) air-gapped. Revoking a user's access logs them out of Distributed Cloud and removes their roles and permissions. You can also list the user's activity and sessions, with their start and end times.

To revoke a user's access across a GDC universe, you must revoke access for each individual zone separately. Complete the following steps for each zone:

  1. Ensure you are signed in to the zone you want to revoke access for. For example, set the zonal URL configuration for the gdcloud CLI, and then sign in:

    gdcloud config set organization_console_url ZONE_URL
    gdcloud auth login
    

    Replace ZONE_URL with the GDC console URL for the zone to revoke user access for, which resembles https://console.ORG_NAME.ZONE_NAME.ORG_SUFFIX.

    For more information on switching zonal contexts, see Manage resources across zones.

  2. Get the permissions that you need to revoke users. Ask your Organization IAM Admin to grant you the Org Session Admin (org-session-admin) role.

  3. Revoke the user's access for the zone:

    gdcloud admin auth revoke --accounts USER_EMAIL
    

    Replace USER_EMAIL with the email address of the user whose access you want to revoke.

    After running the command, you see output similar to the following. This example revokes access from the user ariel@example.com:

    Success: NUMBER of sessions revoked for user ariel@example.com
    

    In this example, the variable NUMBER refers to the number of active sessions the user had.

  4. Confirm you've revoked the user's access by running the gdcloud admin auth revoke command again. If successful, you see the following:

    No sessions found for account: ariel@example.com
    
  5. Repeat the previous steps for each zone in your universe.