AWS assume-role equivalent in Google cloud (GCP)?

Question:

How to setup multi-account(project) in GCP, it is possible in AWS by using assume-role, anyone knows how to do it in Google Cloud (GCP)?

I tried to explore AWS equivalent in GCP, but not able to find any document.

Answer:

As documented, AssumeRole in AWS returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.

In AWS you can create one set of long-term credentials in one account. Then you can use temporary security credentials to access all the other accounts by assuming roles in those accounts.

The equivalent of the above in GCP would be creating short-lived credentials for service accounts to impersonate their identities (Documentation link).

Accordingly, in GCP you have the “caller” and the “limited-privilege service account” for whom the credential is created.

To implement this scenario, first, use handy documentation on Service Accounts and Cloud IAM Permission Roles in GCP, as each account is a Service Account with specific role permissions, in order to understand how accounts work in GCP.

The link I posted above, provides detailed information on the flows that allow a caller to create short-lived credentials for a service account and the supported credential types.

Additionally, this link can assist you in visualizing and understanding the resource hierarchy architecture in GCP and give you examples on how to structure your project according to your organization’s structure.

Leave a Reply