Integration model
Active governance
In general, DSAs (Data Sharing Agreements) of Anjana Data Platform are represented in GCP as custom roles with pre-granted default permissions. The DSA signatories have no direct effect on this plugin, as their final representation depends on the data service in which access is materialized.
Anjana Data Platform creates and deletes these roles automatically, and grants or revokes their assignment to the affected users, so that joining and leaving a DSA is materialized in GCP.
The custom roles created by Anjana Data Platform follow this naming convention:
<configurable prefix>_<DSA logical name>_v<DSA version number>
Where:
- <configurable prefix>: prefix defined by the organization to identify roles managed by Anjana Data Platform. It is configured in the plugin's YAML.
- <DSA logical name>: functional name of the agreement as it appears in Anjana.
- v<DSA version number>: version number of the DSA, which allows distinguishing between active and historical versions.
Important: choose a prefix and DSA logical name such that the resulting role ID complies with the restrictions for creating roles in Google IAM:
- it must have between 3 and 64 characters,
- and it must conform to the pattern [a-zA-Z0-9_\.] (alphanumeric, _ and .).
Reference: Naming resources | Google
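The following is an added example, not code from the Anjana Data Platform plugin, showing how the naming convention and the Google IAM role-ID restrictions above can be enforced before a role is created, and how the version suffix lets an operator tell the active DSA role from historical ones. The prefix `anjana`, the DSA names and the function names are assumptions made for this example.

```python
import re

# Restrictions quoted in the text for Google IAM custom role IDs.
ROLE_ID_MIN_LEN = 3
ROLE_ID_MAX_LEN = 64
ROLE_ID_CHARS = re.compile(r"[a-zA-Z0-9_.]+")


def validate_role_id(role_id: str) -> list[str]:
    """Return the list of violations (empty when the ID is acceptable)."""
    problems = []
    if not ROLE_ID_MIN_LEN <= len(role_id) <= ROLE_ID_MAX_LEN:
        problems.append(
            f"length {len(role_id)} not in {ROLE_ID_MIN_LEN}..{ROLE_ID_MAX_LEN}"
        )
    if role_id and not ROLE_ID_CHARS.fullmatch(role_id):
        bad = sorted({c for c in role_id if not ROLE_ID_CHARS.fullmatch(c)})
        problems.append(f"disallowed characters: {bad}")
    return problems


def build_dsa_role_id(prefix: str, dsa_logical_name: str, version: int) -> str:
    """Compose <prefix>_<DSA logical name>_v<version> and reject it early,
    rather than letting Google IAM refuse it at role creation time."""
    role_id = f"{prefix}_{dsa_logical_name}_v{version}"
    problems = validate_role_id(role_id)
    if problems:
        raise ValueError(f"{role_id!r}: " + "; ".join(problems))
    return role_id


def parse_dsa_role_id(role_id: str, prefix: str):
    """Split a managed role ID back into (DSA logical name, version).

    Returns None for roles that do not follow the convention, i.e. roles the
    platform does not manage. The logical name may itself contain '_', so the
    version suffix is matched from the right."""
    m = re.fullmatch(rf"{re.escape(prefix)}_(.+)_v(\d+)", role_id)
    if m is None:
        return None
    return m.group(1), int(m.group(2))


def latest_versions(role_ids, prefix: str) -> dict[str, int]:
    """Map each DSA logical name to the highest role version present.

    Any lower version of the same DSA is historical; a reviewer can use this
    to find superseded DSA roles that still have members bound to them."""
    latest: dict[str, int] = {}
    for role_id in role_ids:
        parsed = parse_dsa_role_id(role_id, prefix)
        if parsed is None:
            continue
        name, version = parsed
        latest[name] = max(version, latest.get(name, 0))
    return latest


if __name__ == "__main__":
    # Constructed sample role IDs; the prefix and DSA names are invented.
    print(build_dsa_role_id("anjana", "sales_reporting", 2))
    print(validate_role_id("anjana_sales-reporting_v1"))
    sample = ["anjana_sales_reporting_v1", "anjana_sales_reporting_v2",
              "anjana_hr_v1", "other_x_v3"]
    print(latest_versions(sample, "anjana"))
```

`validate_role_id` reports every violation at once, so a rejected prefix or DSA name can be corrected in one pass; `latest_versions` ignores any role that does not carry the configured prefix, which keeps roles created outside the platform out of the review.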
To manage permissions and roles, the plugin connects to a Google IAM instance, which exposes the identity and access management API for Google Cloud resources.
The DSA is represented by a custom role with generic pre-granted technology access permissions. Users are associated with that role (they acquire those permissions) through IAM policies, where fine-grained access at the element level is further specified in the technologies that support it.
Additional restrictions related to the number of users associated with a resource may apply according to the IAM quotas and limits defined by Google. These can be found at Quotas and limits | IAM Documentation | Google Cloud.
The actions applied to GCP are:
- Creation/deletion of custom roles.
- Assignment of roles to users via IAM policies with applicability conditions (to manage access at the element level).
The GCP IAM plugin retrieves the names of the roles, and it is through other plugins (such as GCP BigQuery and GCP Storage) that these roles are assigned or removed for users.
Required credentials
The required credentials must be configured in the plugin's YAML file, in the “credentialsContent” section of each configured instance.
Service account creation
For GCP it is necessary to create a service account in IAM for each plugin individually and, after that, assign the necessary permissions for the execution of the specific tasks of each plugin.
To properly customize the permissions, it is necessary to create custom roles in which the permissions are grouped, which are then associated with the service accounts.
Active governance of access permissions
The permissions used for active governance:
- iam.roles.create
- iam.roles.delete
- iam.roles.list
APIs required in the project:
- Identity and Access Management (IAM) API
- Admin API SDK
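As an added example (not the plugin's own code), the block below builds the request body for a custom role that grants the plugin's service account exactly the three permissions listed above, and compares an existing role's permissions against that list so that a least-privilege review can see what is missing and what is granted without need. The field names follow the IAM REST `Role` resource; the role ID, title and the over-broad sample role are constructed for this example.

```python
# Permissions the text lists for the GCP IAM plugin's active-governance tasks.
REQUIRED_PERMISSIONS = frozenset({
    "iam.roles.create",
    "iam.roles.delete",
    "iam.roles.list",
})


def plugin_role_request(role_id: str, title: str) -> dict:
    """Request body for projects.roles.create carrying exactly the required
    permissions (roleId plus a Role resource with includedPermissions)."""
    return {
        "roleId": role_id,
        "role": {
            "title": title,
            "description": "Service account role for the Anjana GCP IAM plugin",
            "stage": "GA",
            "includedPermissions": sorted(REQUIRED_PERMISSIONS),
        },
    }


def check_role_scope(role: dict, required=REQUIRED_PERMISSIONS) -> dict:
    """Compare a Role resource's includedPermissions with what the plugin needs.

    'missing' permissions break the plugin's tasks; 'excess' permissions are
    privilege the service account holds without needing it, which is what a
    least-privilege review should remove."""
    granted = set(role.get("includedPermissions", []))
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
    }


if __name__ == "__main__":
    # Constructed sample: a role that was granted more than the plugin needs
    # and lacks one permission it does need.
    overbroad = {
        "title": "anjana-iam-plugin",
        "includedPermissions": ["iam.roles.create", "iam.roles.list",
                                "iam.roles.update"],
    }
    print(check_role_scope(overbroad))
    print(plugin_role_request("anjana_iam_plugin", "Anjana IAM plugin"))
```

Running the scope check against the role actually bound to the service account, rather than against the documented list alone, catches permissions that were added by hand after the initial setup.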
In summary, the permissions used for the custom role will be as follows:
To assign permissions to the BigQuery service account it is necessary to assign the role with the permissions to the user: