GCP Organization Policy Administrator: How to Delegate the Organizational Policy Administrator role
What is the problem?
Currently, to manage Org Policies in GCP you need the predefined role roles/orgpolicy.policyAdmin, which is grantable at the Organization level only. For large organizations, or organizations with separate security management scopes, this is a significant restriction.
Challenges
- Large organizations with thousands of projects and folders can have separate Org Policy administration units, aligned with their trust boundaries.
- We need the concept of Org Policy administration delegation to further limit the scope at which changes are applied. Delegation can occur at the folder or project level.
- Complex organizational hierarchies require a solution that remains valid as more folders and projects are added to the hierarchy.
- Compliance with Least Privilege (grant only the minimum access, at the smallest scope) and traceability are a must.
Implementation
Let's start by creating a resource hierarchy similar to the one outlined in the previous diagram.
We'll be creating a sample Tag Key with two Tag Values. It is important to remember that Tags are true GCP resources (with their own IAM permission model) with organization-wide scope that are later attached to other resources. The Key, its individual Values, and the binding between a Tag Value and a particular resource can each be controlled with IAM permissions. (The Tags section is accessible from the IAM & Admin menu at the Organization level.)
Once the Tag Values are defined we can begin the association, or binding, between the Tag Values and the resources. To speed up the process we can use the Resource Manager and open the Tags for one of the sample Security Scopes.
We have two options: inherited and direct tags. The ability of Tags to be inherited is a key characteristic for this model to work, since we want future projects and subfolders to keep the same Security Scope and delegated admin privileges.
We will associate a Tag from the current organization representing one of the sample Security Scopes (Security Scope 3) with the corresponding Security Scope Tag Value. (For this particular example we can correlate based on the folder names and Tag Values.)
As we can see from the Resource Manager, the Tag binding is also inherited by subfolders and projects.
The next step is to assign the Organization Policy Admin role to an IAM principal, including an IAM condition that restricts the scope to only the resources tagged with the particular Security Scope.
Optionally, we can validate from the Policy Troubleshooter that the principal will only have access to manage Org Policies when the condition below is met:
{
  "role": "roles/orgpolicy.policyAdmin",
  "members": [
    "user:testuser@ulab03.com"
  ],
  "condition": {
    "expression": "resource.matchTag(\"65773642793/org-policy-admin-security-scope\", \"security-scope-3\")",
    "title": "security-scope-3"
  }
}
Finally, if we try to manage Org Policies in a different Security Scope, we can see that the Delegation Model is successfully applied: the principal can only change Org Policies on resources carrying the matching Tag Value.
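As an added illustration (not part of the original post), the following Python models how the conditional binding above is evaluated: a Tag bound to a scope folder is inherited by its subfolders and projects, and the policyAdmin grant only applies where resource.matchTag() holds. The folder and project names, the second scope and the "other" principal are constructed assumptions; the organization id, Tag key and member come from the binding shown above.

```python
import re

# Local model of the delegation described above: tag inheritance down the
# hierarchy plus an IAM binding conditioned on resource.matchTag(). The hierarchy
# and tags are constructed sample data; nothing here calls GCP.
ORG = "organizations/65773642793"          # org id taken from the page's binding
TAG_KEY = "65773642793/org-policy-admin-security-scope"
PARENTS = {                                # constructed hierarchy: child -> parent
    "folders/scope-3": ORG,
    "folders/scope-3-sub": "folders/scope-3",
    "projects/scope-3-app": "folders/scope-3-sub",
    "folders/scope-1": ORG,
    "projects/scope-1-app": "folders/scope-1",
}
DIRECT_TAGS = {                            # only the scope folders are tagged directly
    "folders/scope-3": {TAG_KEY: "security-scope-3"},
    "folders/scope-1": {TAG_KEY: "security-scope-1"},
}
POLICY = [{                                # the conditional binding shown on this page
    "role": "roles/orgpolicy.policyAdmin",
    "members": ["user:testuser@ulab03.com"],
    "condition": {"expression": f'resource.matchTag("{TAG_KEY}", "security-scope-3")',
                  "title": "security-scope-3"},
}]
_MATCH_TAG = re.compile(r'^resource\.matchTag\("([^"]+)",\s*"([^"]+)"\)$')

def effective_tags(resource):
    """Direct tags plus inherited ones; the nearest binding for a key wins."""
    tags, node = {}, resource
    while node is not None:
        for key, value in DIRECT_TAGS.get(node, {}).items():
            tags.setdefault(key, value)
        node = PARENTS.get(node)
    return tags

def condition_holds(binding, resource):
    """Evaluate the binding's condition; only resource.matchTag() is modelled."""
    cond = binding.get("condition")
    if cond is None:
        return True                        # unconditional binding applies everywhere
    m = _MATCH_TAG.match(cond["expression"])
    if m is None:
        raise ValueError("unsupported condition: " + cond["expression"])
    return effective_tags(resource).get(m.group(1)) == m.group(2)

def can_admin_org_policy(member, resource):
    """True if some policyAdmin binding for member applies to resource."""
    return any(member in b["members"] and condition_holds(b, resource)
               for b in POLICY if b["role"] == "roles/orgpolicy.policyAdmin")
```

Note that the project under the nested subfolder is covered without any direct binding, which is exactly the inheritance property the model relies on, while the organization node itself is never in scope because no Tag is bound there.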
Summary
With IAM conditions and Tags you can apply the principle of Least Privilege to Organization Policy administration tasks, implementing a Delegation Model with full traceability. This Delegation Model can even be used for other roles that are currently only available at the organization level within GCP.