Account Access Identifiers in Google Cloud Platform
- Updated on 05 Jul 2024
In Google Cloud Platform (GCP), a principal can be a Google Account (for end users), a service account (for applications and compute workloads), or a Google group. Each principal has its own identifier, which is typically an email address. Access to resources in GCP is granted to IAM principals.
For more information, visit GCP IAM Principals ↗
Types of GCP Principals used in Bobsled
There are three acceptable types of principals to use within Bobsled:
- Google Account (end users)
- Service Account (applications and compute workloads)
- Google Group (collection of accounts and service accounts)
Google Accounts (easiest route)
A Google account belongs to a Google end user. Each account has an email address associated with it, and access is authorized for a Google account using that email address. This is the easiest route: you can add any Gmail address or Gmail-powered (Google Workspace) email address as a Google Account to a share. To find the email address associated with a Google Cloud Console login, have your customer log in to their console and click on the circular profile image in the top right of the UI:

Google Groups
A Google group is a collection of Google users and service accounts. Each Google group has its own email address associated with it. Access is authorized for all members of the Google group using the group's email address. To learn how to create a Google group or view a group's details, please visit Google Groups in Google Cloud console ↗
Service Accounts (machine access)
A service account is an account that can be used by an application or workload. Service accounts are the suggested principal type for consuming the shared data in a data pipeline or other ongoing process beyond initial testing. Each service account has an email address associated with it, and access is authorized using that email address. To learn more about service accounts in GCP, please visit Google Service Accounts ↗
The email address of a service account has the following format: service-account-name@project-id.iam.gserviceaccount.com
How does Bobsled use GCP IAM Principals?
Google Cloud Storage Source
To configure a GCS source, an IAM role will be created scoped to the permissions that Bobsled requires to read the source bucket. In the GCS source bucket, the Bobsled role will be assigned to a Bobsled Service Account to authorize read access to the source. To learn how to configure a GCS source, please visit Google Cloud Storage source.
Google Cloud Storage Destination
Bobsled will grant read access on the Bobsled-managed destination bucket to the principals that are configured in the destination section of a given share. This permits these identities to read from the destination bucket as well as copy data into their own buckets. To learn how to configure a GCS destination, please visit Google Cloud Storage destination.
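The two operational points above, the service account address format and the read-only grant on a destination bucket, are easy to get wrong when a share's principals are entered by hand. The following Python is an added example, not Bobsled's own code: it validates each declared principal against the identifier formats described on this page, converts it into the IAM member string Cloud Storage expects (`user:`, `group:`, `serviceAccount:`), and assembles one read-only bucket binding. The sample principals are constructed, and the use of the predefined `roles/storage.objectViewer` role is an assumption; the page does not state which role Bobsled grants on the destination bucket.

```python
import json
import re

# Identifier format stated on the page for a user-managed service account:
#   service-account-name@project-id.iam.gserviceaccount.com
# The name and project-id parts are restricted here to lowercase letters,
# digits and hyphens, starting with a letter and not ending with a hyphen;
# exact length limits are not enforced (assumption: a syntactic sanity check,
# not a full re-implementation of Google's naming rules).
SERVICE_ACCOUNT_RE = re.compile(
    r"^[a-z][-a-z0-9]*[a-z0-9]@[a-z][-a-z0-9]*[a-z0-9]\.iam\.gserviceaccount\.com$"
)

# Minimal email shape for Google Accounts and Google Groups, whose addresses
# cannot be told apart syntactically, so the caller must declare the kind.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# IAM member prefixes used in Cloud Storage bucket policies.
IAM_KINDS = ("user", "group", "serviceAccount")


def iam_member(kind: str, email: str) -> str:
    """Return the IAM member string for a declared principal.

    Raises ValueError when the kind is unknown, the address is malformed, or a
    service account address was declared as a user or group (a common mistake
    that would silently grant nothing to the intended workload).
    """
    if kind not in IAM_KINDS:
        raise ValueError(f"unknown principal kind: {kind!r}")
    email = email.strip()
    if kind == "serviceAccount":
        if not SERVICE_ACCOUNT_RE.match(email):
            raise ValueError(
                f"not a user-managed service account address: {email!r}"
            )
    else:
        if not EMAIL_RE.match(email):
            raise ValueError(f"not an email address: {email!r}")
        if email.endswith(".gserviceaccount.com"):
            raise ValueError(
                f"{email!r} is a service account address; declare it as "
                f"'serviceAccount', not {kind!r}"
            )
    return f"{kind}:{email}"


def is_valid_member(kind: str, email: str) -> bool:
    """True if iam_member() accepts the principal, False otherwise."""
    try:
        iam_member(kind, email)
    except ValueError:
        return False
    return True


def read_only_binding(principals) -> dict:
    """Build one bucket-level IAM binding granting read access to every
    (kind, email) pair. Members are de-duplicated and sorted so the binding
    is stable when diffed against an existing policy. The role is the
    predefined Cloud Storage read-only role (assumption, see lead-in)."""
    members = sorted({iam_member(kind, email) for kind, email in principals})
    return {"role": "roles/storage.objectViewer", "members": members}


# Constructed sample of a share's destination principals (not real identities).
SHARE_DESTINATION_PRINCIPALS = [
    ("user", "analyst@example.com"),
    ("group", "data-consumers@example.com"),
    ("serviceAccount", "pipeline-reader@example-project-123.iam.gserviceaccount.com"),
]

if __name__ == "__main__":
    print(json.dumps(read_only_binding(SHARE_DESTINATION_PRINCIPALS), indent=2))
```

The dictionary returned by `read_only_binding` has the shape of a single entry in the `bindings` list of a Cloud Storage bucket IAM policy, so it can be compared against what a bucket currently grants before a share is considered live; rejecting a `user:` entry that carries a `gserviceaccount.com` address is the check most worth keeping, because such an entry is accepted by IAM but never matches the workload that was meant to read the data.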