With VPC Service Controls, you can create perimeters, which are boundaries around your Google Cloud resources. You can then define security policies that help prevent access to supported services from outside of the perimeter. For more information about VPC Service Controls, see the VPC Service Controls overview.
You can use VPC Service Controls to help secure the following IAM-related APIs:
- IAM API
- Security Token Service API
- Privileged Access Manager API
Help secure the IAM API
You can help secure your Identity and Access Management (IAM) resources by using VPC Service Controls. IAM resources include the following:
- Custom roles
- Service account keys
- Service accounts
- Workload identity pools
How VPC Service Controls works with IAM
When you restrict IAM with a perimeter, only actions that use the IAM API are restricted. These actions include managing custom IAM roles, managing workload identity pools, and managing service accounts and keys. The perimeter doesn't restrict workforce pool actions because workforce pools are organization-level resources, and VPC Service Controls perimeters contain only project-level resources.
The perimeter around IAM doesn't restrict access management (that is, getting or setting IAM policies) for resources owned by other services, like Resource Manager projects, folders, and organizations or Compute Engine virtual machine instances. To restrict access management for these resources, create a perimeter that restricts the service that owns the resources. For a list of resources that accept IAM policies and the services that own them, see Resource types that accept allow policies.
Additionally, the perimeter doesn't restrict actions that use other APIs, including the following:
- IAM Policy Simulator API
- IAM Policy Troubleshooter API
- Security Token Service API
- Service Account Credentials API (including the legacy signBlob and signJwt methods in the IAM API)
For more details about how VPC Service Controls works with IAM, see the IAM entry in the VPC Service Controls supported products table.
Help secure the Security Token Service API
You can help secure token exchanges by using VPC Service Controls.
When you restrict the Security Token Service API with a perimeter, only the following entities can exchange tokens:
- Resources within the same perimeter as the workload identity pool you're using to exchange the token
- Principals with the attributes defined in the service perimeter
When you create an ingress or egress rule to allow token exchanges, you must set the identity type to ANY_IDENTITY, because the token method has no authorization: the caller presents no Google Cloud principal, so a narrower identity type or identity list has nothing to match and the exchange stays blocked.
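The two points above, that a perimeter around the IAM API leaves the Security Token Service API unrestricted, and that an STS ingress rule must use ANY_IDENTITY, are easy to get wrong in a perimeter that otherwise looks complete. The following is an added example, not code from this page or from Google: a small linter over the ServicePerimeterConfig JSON that `gcloud access-context-manager perimeters describe PERIMETER --format=json` returns, plus a builder for a correct STS ingress rule. The service names and the sample perimeter are this example's assumptions; check the service names against the VPC Service Controls supported products table.

```python
"""Lint a VPC Service Controls perimeter for the IAM-related APIs.

Added example (not code from the page or from Google). It works on the
ServicePerimeterConfig shape that `gcloud access-context-manager perimeters
describe PERIMETER --format=json` returns under "status" (or "spec" for a
dry-run config): restrictedServices and ingressPolicies. Service names are
assumed from the VPC Service Controls supported products table; the sample
perimeter below is constructed for this example.
"""
import json

IAM_API = "iam.googleapis.com"
STS_API = "sts.googleapis.com"
PAM_API = "privilegedaccessmanager.googleapis.com"  # assumed service name


def sts_ingress_rule(access_level, project_numbers):
    """Ingress rule that lets callers matching an access level exchange tokens.

    The STS token method has no authorization, so the perimeter sees no
    principal to match; any identity type other than ANY_IDENTITY leaves the
    exchange blocked even though the rule looks right.
    """
    return {
        "ingressFrom": {
            "identityType": "ANY_IDENTITY",
            "sources": [{"accessLevel": access_level}],
        },
        "ingressTo": {
            "operations": [
                {"serviceName": STS_API, "methodSelectors": [{"method": "*"}]}
            ],
            "resources": [f"projects/{n}" for n in project_numbers],
        },
    }


def lint_perimeter(config):
    """Return findings (strings) for a ServicePerimeterConfig dict."""
    findings = []
    restricted = set(config.get("restrictedServices", []))
    # A perimeter around the IAM API does not restrict the Security Token
    # Service API, so workload identity pool token exchanges stay open unless
    # sts.googleapis.com is restricted as well.
    if IAM_API in restricted and STS_API not in restricted:
        findings.append(
            "iam.googleapis.com is restricted but sts.googleapis.com is not: "
            "token exchanges are not covered by this perimeter"
        )
    for i, rule in enumerate(config.get("ingressPolicies", [])):
        identity_type = rule.get("ingressFrom", {}).get("identityType")
        for op in rule.get("ingressTo", {}).get("operations", []):
            if op.get("serviceName") == STS_API and identity_type != "ANY_IDENTITY":
                findings.append(
                    f"ingressPolicies[{i}]: rule for sts.googleapis.com uses "
                    f"identityType={identity_type!r}; the token method has no "
                    "authorization, so it must be ANY_IDENTITY"
                )
    return findings


# Constructed sample: IAM, STS and PAM restricted; the second ingress rule
# narrows the STS rule to service accounts, so it never admits an exchange.
SAMPLE_PERIMETER = {
    "restrictedServices": [IAM_API, STS_API, PAM_API],
    "ingressPolicies": [
        sts_ingress_rule("accessPolicies/123/accessLevels/corp_vpn", ["111111"]),
        {
            "ingressFrom": {
                "identityType": "ANY_SERVICE_ACCOUNT",
                "sources": [{"resource": "projects/222222"}],
            },
            "ingressTo": {
                "operations": [
                    {"serviceName": STS_API, "methodSelectors": [{"method": "*"}]}
                ],
                "resources": ["*"],
            },
        },
    ],
}

if __name__ == "__main__":
    for finding in lint_perimeter(SAMPLE_PERIMETER):
        print("FINDING:", finding)
    # The corrected rule, as a YAML-compatible JSON list suitable for
    # `gcloud access-context-manager perimeters update --set-ingress-policies=FILE`.
    fixed = [sts_ingress_rule("accessPolicies/123/accessLevels/corp_vpn", ["111111"])]
    print(json.dumps(fixed, indent=2))
```

Run it against your own perimeter by loading the `describe` output and passing the `status` (or `spec`) object to `lint_perimeter`. The linter only covers the two caveats on this page; it does not know which other services own the resources whose IAM policies you want to restrict.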
For more details about how VPC Service Controls works with the Security Token Service, see the Security Token Service entry in the VPC Service Controls supported products table.
Help secure the Privileged Access Manager API
You can help secure your Privileged Access Manager resources by using VPC Service Controls. Privileged Access Manager resources include the following:
- Entitlements
- Grants
VPC Service Controls doesn't support adding folder-level or organization-level resources to a service perimeter, so you can't use a perimeter to protect folder-level or organization-level Privileged Access Manager resources. VPC Service Controls protects only project-level Privileged Access Manager resources.
For more details about how VPC Service Controls works with Privileged Access Manager, see the Privileged Access Manager entry in the VPC Service Controls supported products table.
What's next
- Learn how to create a service perimeter.