Permissions control for a multi-zone universe

This document explains how you can manage permissions effectively across a multi-zone Google Distributed Cloud (GDC) air-gapped universe. To maintain access to resources that can span multiple zones, you must implement global permissions that consistently apply to them. GDC provides Identity and Access Management (IAM) features to control your global permissions scheme without having to track and maintain zone-level access.

This document is for IT administrators within the platform administrator group who are responsible for developing and maintaining access control for resources that span multiple zones in a GDC universe.

For more information, see Audiences for GDC air-gapped documentation.

Access that spans a universe

GDC offers several key IAM capabilities to help control access to your zones and the resources within each zone.

Streamline role management

GDC provides built-in global permissions control that lets you apply and manage IAM roles spanning all zones automatically. Global control over your permissions removes the need to apply roles manually in each zone. Role-based access control (RBAC) is global by default, but still lets you allocate fine-grained zone-level permissions when necessary.

For example, consider a new developer who needs to access your project's resources. Because a project is global by default, it spans all zones in your universe. Instead of manually applying and maintaining the roles necessary to access the project in each zone, you apply a global access role for the project, which automatically applies to every zone the project spans. The new developer's project access now evolves with your universe and is propagated automatically to any new zones as your universe grows.

For more information about role bindings in GDC, see Grant and revoke access.

Sign in once and propagate your existing credentials

GDC offers identity providers (IdPs) to streamline authenticating users in your universe, without signing in to each zone separately. An IdP is a system that centrally manages and secures user identities and provides authentication services. Connecting to an existing IdP lets users access GDC with their organization's credentials, without creating or managing separate accounts within GDC. Because an IdP is a global resource that spans multiple zones by default, you can access GDC through the same IdP regardless of the zone you work in. For more information about IdPs in GDC, see Connect to an identity provider.

Global workload and service permissions control

Just as human users benefit from IdPs to streamline authentication across zones, your workloads and services benefit from global authentication in your universe through service accounts. Service accounts are the accounts that workloads and services use to programmatically consume resources and access microservices securely. Because a service account is a global resource that spans multiple zones by default, your workloads and services can access resources across the universe uniformly with a single set of global permissions.

As an example, consider a VM with an attached storage volume. A volume can span two zones, so for the VM to access the volume it must hold access permissions in every zone where the volume resides. With global service accounts, you grant the VM access to the storage volume once, and that grant propagates to all zones where the volume resides. This capability lets you configure access at the scale of the universe, without managing zone-specific access.

For more information about service accounts in GDC, see Authenticate with service accounts.

What's next