IAM based authentication for GCP HTTPS Load Balancers
I have an internal HTTPS load balancer in GCP and I need to attach IAM policy to it to restrict the ingress requests from other compute instances. I'm rather confused by GCP IAM and wonder if it's possible to set up IAM policy for my load balancer to only allow the traffic from certain compute instances/service accounts.
For example, I have 2 instances running with service account A (A@developer.gserviceaccount.com) and B (B@developer.gserviceaccount.com) respectively, I need to set the IAM policy for my load balancer to only accept requests from VM that runs with service account A.
So I have run gcloud cli on my load balancer's backend using the following policy:
gcloud compute backend-services set-iam-policy https-backend policy.json
Content of policy.json
{
"bindings": [
{
"role": "roles/compute.loadBalancerAdmin",
"members": ["serviceAccount:A@developer.gserviceaccount.com"]
}
]
}
I thought this policy would effectively only allow service account A to access the load balancer as compute.loadBalanceAdmin but apparently I can still hit the load balancer from VM that runs with service account B.
You are close, but it's not exactly that.
When you create an internal Load Balancer, you have an IP address (you can set it ephemeral, but it's better to have a static one.)
Therefore, if you want to grant, or to deny traffic between your VMs and the load balancer, you have to use firewall rules.
One of the cool feature of firewall rules is that you can use a service account as the source of the traffic. Like that, you can grant the A and B service account to access the load balancer through firewall filtering.
- oauth 2 parameters can only have a single value: scope
- Correct use of gcloud --sort-by combined with --limit
- App attestation failed with Firebase App check in release on Android
- Why doesn't the offline cloud firestore documentation have code for offline query indexes for flutter?
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Migrating from legacy Google FCM to HTTP v1 for push notifications
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Can we update a field due to its value without reading it in firebase?
- Use process.env variables inside next.config.js
- What is the best practice for decoding Firestore documents in a listener for Swift 5?
- How to install Google Cloud SDK app-engine-python on Debian 12?
- Bigquery service account restricted to a dataset
- Gcloud Pub/Sub: Total timeout of API google.pubsub.v1.Publisher exceeded 60000 milliseconds before any response was received
- Keep getting the error Google Sign-In Error: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null, null)
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- How to access cloud run environment variables in Dockerfile
- Error 400: Invalid JSON payload received when calling Google Generative Language API
- GCP Bucket Permissions by Prefix
- database connection URI string for GCP cloudsql postgres database?
- Who control Google Cloud platform filtering?
- gcloud cli command create eventarc errors
- Is there a way to block HTTP on GCP AppEngine
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- How to change the source GitHub repository for a deployed project on Google Cloud Run?
- Not able to access Nexus console on my Ubuntu VM instance in GCP
- VertexAI Tabular AutoML rejecting rows containing nulls
- How to access Google Cloud Speech-to-text v2 API through HTTP/REST
- Importing a Model with Scikit Learn on Vertex
- Is there a simple way to host a JSON document you can read and update in Google Cloud Platform?
- how can I get my gcloud user creds into a container securely and use them to impersonate a service account when testing locally?