How to prevent access to google cloud admin console.


Gabriel Alexander

Mar 5, 2021, 2:51:38 PM
to gce-discussion
I want to only allow access to google cloud from my internal network and block out other networks. 

pralove

Mar 5, 2021, 5:27:33 PM
to gce-discussion
Hello,

Seems like you can limit whole Google Cloud Console and gcloud SDK access by IP range by using BeyondCorp Enterprise (Context-aware access)[0] [1].

The steps are as follows:

-> Create a basic access level[2] in Access Context Manager, which is your allowed IP range.
   You can create an access level condition that allows access only from a specified range of IP addresses (for example, those within a corporate network)[3].

-> Create a group of users that should be bound by context-aware restrictions[4].

-> Grant the IAM permissions at the organization level that are required to create Access Context Manager access bindings[5].

-> Create an access binding, which is a mapping between the group of users you created earlier and the Access Context Manager access level you defined for accessing the Cloud Console and Google Cloud APIs[6].

For example, if you created an access level with an IP range and bound it to all users, then once any of the users accesses the Google Cloud Console or gcloud SDK outside the IP range, they'll only see the "You don't have access" error message on the Google Cloud Console, or access_denied on the gcloud SDK[1].

I hope this helps. 

Thank you. 
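
One way to script the four steps above with the gcloud CLI, as an added example that is not part of this thread or of Google's own documentation: the organization ID, access policy ID, admin principal, group ID and CIDR range are placeholders, the group from step 2 is assumed to already exist in the Admin console, and the command names, flags and the `gcpAccessAdmin` role are assumptions taken from the gcloud reference for Access Context Manager. It only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the four steps above with the
# gcloud CLI. ORG_ID, POLICY_ID, ADMIN_MEMBER, GROUP_KEY and CORP_CIDR are
# placeholders to replace. Nothing is sent to Google Cloud unless APPLY=1.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                        # placeholder organization ID
POLICY_ID="${POLICY_ID:-000000000000}"                  # placeholder access policy ID
ADMIN_MEMBER="${ADMIN_MEMBER:-user:admin@example.com}"  # placeholder principal
GROUP_KEY="${GROUP_KEY:-PLACEHOLDER_GROUP_ID}"          # Directory API id of the step-2 group
LEVEL_NAME="${LEVEL_NAME:-corp_network_only}"
CORP_CIDR="${CORP_CIDR:-203.0.113.0/24}"                # placeholder corporate range (TEST-NET-3)

# Step 1: write a basic access level spec. Each list item is one condition;
# the level is met when the caller's source IP falls inside any listed range.
write_basic_level_spec() {
    out="$1"
    cidr="$2"
    printf '%s\n' '- ipSubnetworks:' "  - $cidr" > "$out"
    echo "$out"
}

# Step 3: grant, at the organization level, the role that may create access bindings.
render_iam_cmd() {
    printf 'gcloud organizations add-iam-policy-binding %s --member=%s --role=roles/accesscontextmanager.gcpAccessAdmin\n' \
        "$ORG_ID" "$ADMIN_MEMBER"
}

# Step 1 (continued): create the level inside the organization's access policy.
render_level_cmd() {
    printf 'gcloud access-context-manager levels create %s --policy=%s --title=%s --basic-level-spec=%s\n' \
        "$LEVEL_NAME" "$POLICY_ID" "$LEVEL_NAME" "$1"
}

# Step 4: bind the group to the level. Members of the group who reach the
# Console or gcloud from outside CORP_CIDR then get the access_denied described above.
render_binding_cmd() {
    printf 'gcloud access-context-manager cloud-bindings create --organization=%s --group-key=%s --level=accessPolicies/%s/accessLevels/%s\n' \
        "$ORG_ID" "$GROUP_KEY" "$POLICY_ID" "$LEVEL_NAME"
}

# Emit the three commands in dependency order so they can be reviewed first.
plan() {
    spec=$(write_basic_level_spec "${TMPDIR:-/tmp}/$LEVEL_NAME.yaml" "$CORP_CIDR")
    render_iam_cmd
    render_level_cmd "$spec"
    render_binding_cmd
}

if [ "${APPLY:-0}" = "1" ]; then
    plan | sh -e      # apply for real (requires an authenticated gcloud)
else
    plan              # dry run: print the commands only
fi
```

The access policy ID for `--policy` is the one listed by `gcloud access-context-manager policies list --organization=ORG_ID`. Checking the result the way the reply above describes means signing in as a member of the bound group from an address outside CORP_CIDR and expecting the "You don't have access" page in the Console and access_denied from gcloud; a sign-in from inside the range should still succeed.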
Gabriel Alexander

Mar 15, 2021, 11:02:20 AM
to gce-discussion
Thank you Pralove, 

I began reading the document and hit several stops. I'm unable to see or create context based rules. 
After some research I believe the reason why is because my subscription is not enterprise. 

I currently have Cloud Identity Free; it doesn't provide me with this, and I have the superadmin role. I have read that you need to have an enterprise subscription to have the capability of enabling it. 


Is this correct? 
Thank you in advance. 

Hasanul Murad

Mar 16, 2021, 8:21:43 PM
to gce-discussion

Cloud Identity Free edition includes core identity and endpoint management services. It provides managed Google Accounts to users who don’t need certain Google Workspace services, such as Gmail and Google Calendar. However, users can access Google Drive, Docs, Sheets, Slides, Keep, and Meet. You can use Cloud Identity accounts with other Google services, such as Google Cloud, Chrome, Android enterprise, and many third-party applications.

You can see Compare Cloud Identity features, which includes the complete list of Cloud Identity Premium and Free edition features.

Optionally, you can also explore Deploying Endpoint Verification.

Gabriel Alexander

Apr 23, 2021, 12:02:03 AM
to gce-discussion

Hello, I finally got around to deploying this and testing it. 

I enabled this feature under Access Context Manager, and for testing purposes I chose the only option I have, which is Basic, set the value to true and selected the United States of America.
I waited 24 hrs and connected to it via a private VPN with an IP outside the USA. During my test I was able to access GCP from outside the USA. 

Is this not enough for testing? Thanks in advance. 

Ruben (Google Cloud Support)

Apr 23, 2021, 11:49:58 AM
to gce-discussion
Hello,

Could you please list in more detail the steps that you followed?

Have a nice day!

Gabriel Alexander

Apr 24, 2021, 11:57:01 AM
to gce-discussion

Hi Ruben, definitely. Thanks in advance. 

So, under the Google Cloud Console: 

I selected the security pin and then Access Context Manager. 

Within here I choose the Organization to be in focus as it requires you to select an item. 

Under Access Context Manager, I created a context access rule, gave it a name and selected Basic mode for the conditions. 

It also provides Advanced mode, but this option is not available to me because it requires me to upgrade to BeyondCorp Enterprise premium. 

The condition was set to true and only to allowed regions: the "USA". I saved it and later tested it, but I was still able to access GCP. 

Must I add specifically the ip subnet of the region I want to allow? 

Md Sadik Masoud

Apr 27, 2021, 11:16:53 AM
to gce-discussion
Hi,

Thank you for providing us with additional information. After researching further, it seems to me that it might not be possible to block access to the gcloud admin console with the free tier. I also found a couple of discussion threads [1][2] online about blocking access to cloud consoles. However, you can also look at this workaround for Google Workspace [3] to limit access to Google Cloud Platform in your organization. Please note as well that Google Groups is a place for non-technical how-to questions (where you're likely to find information like service status updates and release notes, ranging from book recommendations to creative shortcuts) [4]. You may consider posting your requirements on Stack Exchange sites [5] (e.g. Server Fault [6] or Stack Overflow [7]), where Google also participates, which can help you find more answers or other recommendations. Hope this helps you!

[5] Ask Technical Questions on Stack Exchange Sites: https://cloud.google.com/support/docs/stackexchange

[6] Server Fault (A question and answer site for deploying and managing IT platforms): https://serverfault.com/questions/tagged/google-cloud-platform

[7] Stack Overflow (a question and answer site for programmers): https://stackoverflow.com/questions/tagged/google-cloud-platform