Secure Onboarding to Google Cloud with IAM and CTO.ai Configs

When teams and organizations work together, one of the critical aspects of working with cloud resources is ensuring that the right people have the right access to the correct resources. This article will explore how to use Google's Identity and Access Management (IAM) and CTO.ai's configs management tool for a secure and efficient onboarding process.

Google Cloud IAM

Google Cloud IAM is a unified credential and access policy management system that offers access controls and visibility for centrally managing cloud resources. With IAM, you can set permissions on specific resources, helping enforce consistent access controls across your environment.

Features of Google Cloud IAM

  • Role-Based Access Control (RBAC): Pre-defined roles or custom roles can be assigned to users, groups, or service accounts, giving you flexibility and control.
  • Policy Inheritance: Policies can be set at the organizational level and then inherited by projects, providing consistency and ease of management.
  • Audit Logging: You can review who did what, where, and when across Google Cloud in your organization.
  • Integration with External Identities: IAM can be integrated with external identity providers like Active Directory.
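The bullets above describe what IAM offers; what an engineer reviewing an onboarding setup actually looks at is the project's IAM policy, a list of bindings from roles to members. The following script is an added example and not code from the article, Google or CTO.ai: it reads the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns and flags three least-privilege problems (basic owner/editor roles, public members, and admin roles bound directly to individual users), then inverts the policy into a member-to-roles view for an access review. The policy and e-mail addresses in it are constructed placeholders.

```python
"""Lint a Google Cloud IAM policy for common least-privilege problems.

Added example, not from the article, Google or CTO.ai: it reads the JSON shape
that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns (a dict
with a "bindings" list of {"role": ..., "members": [...]} entries, optionally
carrying a "condition"). SAMPLE_POLICY below is a constructed policy, and the
member e-mail addresses in it are placeholders.
"""
from typing import Dict, List

# Basic roles (owner/editor) grant broad permissions across the whole project;
# Google recommends predefined or custom roles instead.
BROAD_BASIC_ROLES = {"roles/owner", "roles/editor"}
# Special members that open a resource to everyone or to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY: Dict = {  # constructed sample policy
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:data-readers@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:bob@example.com"]},
    ],
}


def lint_policy(policy: Dict) -> List[str]:
    """Return one finding string per binding/member pair that breaks a rule."""
    findings: List[str] = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        conditional = "condition" in binding  # conditional bindings are narrower
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {role} is granted to {member}")
            if role in BROAD_BASIC_ROLES:
                findings.append(
                    f"BASIC_ROLE: {role} is granted to {member}; "
                    "replace with a predefined or custom role")
            elif (member.startswith("user:") and "admin" in role.lower()
                  and not conditional):
                findings.append(
                    f"DIRECT_ADMIN: {role} is granted to the individual {member}; "
                    "bind a group so membership is managed centrally")
    return findings


def roles_by_member(policy: Dict) -> Dict[str, List[str]]:
    """Invert the policy: member -> sorted roles, the view an access review needs."""
    index: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            index.setdefault(member, []).append(binding.get("role", ""))
    return {member: sorted(roles) for member, roles in index.items()}


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY):
        print(line)
    for member, roles in roles_by_member(SAMPLE_POLICY).items():
        print(member, "->", ", ".join(roles))
```

Run it against a real policy by loading the `gcloud` JSON output with `json.load` and passing the result to `lint_policy`; the `roles_by_member` view is the one to compare against the role each onboarded person was supposed to receive.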

CTO.ai Configs

CTO.ai provides a configuration store for managing non-sensitive data that is required for your automation. The CTO.ai Configuration Management feature complements our Secrets Store (for sensitive information) and enables your team to build a scalable, maintainable, and secure workflow automation system. Combining CTO.ai Configs with IAM, you can create a consistent, secure onboarding process.

Using the Configuration Store is also a powerful way to chain your automations so that the output of one feeds the input of the next. For example, you can build a workflow that creates a new environment for your engineering team and saves all of the relevant configuration into the Configuration Store once the environment is created.

To create Configs in the UI, click Settings and select Configs.

  • Next, add your Config Key and Config Value. Your Config Key can be from your staging, development, or production environments.
  • Next, reference the Config value of your key in the `ops.yml` file in your application directory.
  • Here is an example of how we specified configs in our AWS ECS Fargate ops.yml file:
version: "1"
commands:
  # setup aws ecs fargate infrastructure
  - name: setup-aws-ecs-fargate:0.3.0
    run: ./node_modules/.bin/ts-node /ops/src/setup.ts
    description: "setup an environment"
    # environment variables
    env:
      # add static env vars
      static:
        - STACK_TYPE=aws-ecs-fargate
        - AWS_REGION=us-west-1
        - JSII_DEPRECATED=quiet
      # add and store aws secrets
      secrets:
        - AWS_ACCESS_KEY_ID
        - AWS_SECRET_ACCESS_KEY
        - AWS_ACCOUNT_NUMBER
      # pass environment host and database configurations
      configs:
        - DEV_AWS_ECS_FARGATE_STATE
        - STG_AWS_ECS_FARGATE_STATE
        - PRD_AWS_ECS_FARGATE_STATE
        - DEV_AWS_ECS_FARGATE_CLUSTER_VAULT_ARN
        - STG_AWS_ECS_FARGATE_CLUSTER_VAULT_ARN
        - PRD_AWS_ECS_FARGATE_CLUSTER_VAULT_ARN
        - DEV_AWS_ECS_FARGATE_SERVICE_VAULT_ARN
        - STG_AWS_ECS_FARGATE_SERVICE_VAULT_ARN
        - PRD_AWS_ECS_FARGATE_SERVICE_VAULT_ARN
  # deploy environment on aws ecs fargate workflow
  - name: deploy-aws-ecs-fargate:0.3.0
    run: ./node_modules/.bin/ts-node /ops/src/deploy.ts
    description: "deploy to an environment"
    env:
      # add static env vars
      static:
        - STACK_TYPE=aws-ecs-fargate
        - AWS_REGION=us-west-1
        - JSII_DEPRECATED=quiet
      # add and store aws secrets
      secrets:
        - AWS_ACCESS_KEY_ID
        - AWS_SECRET_ACCESS_KEY
        - AWS_ACCOUNT_NUMBER
      # pass environment host, resource, and database connections
      configs:
        - DEV_AWS_ECS_FARGATE_STATE
        - STG_AWS_ECS_FARGATE_STATE
        - PRD_AWS_ECS_FARGATE_STATE
        - DEV_AWS_ECS_FARGATE_CLUSTER_VAULT_ARN
        - STG_AWS_ECS_FARGATE_CLUSTER_VAULT_ARN
        - PRD_AWS_ECS_FARGATE_CLUSTER_VAULT_ARN
        - DEV_AWS_ECS_FARGATE_SERVICE_VAULT_ARN
        - STG_AWS_ECS_FARGATE_SERVICE_VAULT_ARN
        - PRD_AWS_ECS_FARGATE_SERVICE_VAULT_ARN
  # destroy aws ecs fargate infrastructure
  - name: destroy-aws-ecs-fargate:0.1.0
    run: ./node_modules/.bin/ts-node /ops/src/destroy.ts
    description: "destroy an environment"
    env:
      # add static env vars
      static:
        - STACK_TYPE=aws-ecs-fargate
        - AWS_REGION=us-west-1
      # add and store aws secrets
      secrets:
        - AWS_ACCESS_KEY_ID
        - AWS_SECRET_ACCESS_KEY
        - AWS_ACCOUNT_NUMBER
    help:
      usage: ops run vault <sub-cmd> <--key> <--value>
      arguments:
        init: 'init the environments vault'
        set: 'set a key in the environment vault'
        ls: 'list keys in the environment vault'
        rm: 'remove a specific key in the environment vault'
        destroy: 'destroy the environment vault'
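The ops.yml above keeps credentials under `secrets:` and environment identifiers such as state names and ARNs under `configs:`, which is the split the Configuration Store is built for: Configs hold non-sensitive data, the Secrets Store holds sensitive values. A quick way to keep that split honest as the file grows is a pre-commit check. The script below is an added example, not code from the article or from CTO.ai: it is a small line-based reader for the `env:` layout shown above (`static:`, `secrets:` and `configs:` lists under each command), not a general YAML parser, and it flags credential-looking names listed under `configs:` or given as plaintext `static:` values. The `OPS_YML` text and the `DB_PASSWORD` / `DEV_DB_API_TOKEN` entries in it are constructed to trigger the check.

```python
"""Flag secrets that have been placed under `configs:` or `static:` in a CTO.ai ops.yml.

Added example, not from the article or from CTO.ai. It understands only the
layout shown in the article's ops.yml: a `commands:` list whose entries carry
`- name:` and an `env:` block with `static:`, `secrets:` and `configs:` lists.
OPS_YML below is a constructed sample that deliberately misplaces two values.
"""
import re
from typing import Dict, List

# Variable names that almost always carry a credential.
SENSITIVE_NAME = re.compile(
    r"(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|ACCESS_KEY|API_KEY)", re.I)
SECTION_KEYS = ("static:", "secrets:", "configs:")

OPS_YML = """\
version: "1"
commands:
  # setup infrastructure (constructed sample)
  - name: setup-aws-ecs-fargate:0.3.0
    run: ./node_modules/.bin/ts-node /ops/src/setup.ts
    description: "setup an environment"
    env:
      static:
        - STACK_TYPE=aws-ecs-fargate
        - AWS_REGION=us-west-1
        - DB_PASSWORD=hunter2
      secrets:
        - AWS_ACCESS_KEY_ID
        - AWS_SECRET_ACCESS_KEY
      configs:
        - DEV_AWS_ECS_FARGATE_STATE
        - DEV_DB_API_TOKEN
    help:
      usage: ops run setup-aws-ecs-fargate
"""


def parse_env_sections(text: str) -> List[Dict]:
    """Return one dict per command: name plus its static, secrets and configs lists."""
    commands: List[Dict] = []
    current: Dict = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; values here contain no '#'
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("- name:"):
            current = {"name": stripped.split(":", 1)[1].strip(),
                       "static": [], "secrets": [], "configs": []}
            commands.append(current)
            section = ""
        elif stripped in SECTION_KEYS:
            section = stripped[:-1]          # "static:" -> "static"
        elif stripped.endswith(":"):
            section = ""                     # any other mapping key ends the list
        elif stripped.startswith("- ") and section and current:
            current[section].append(stripped[2:].strip())
    return commands


def find_misplaced_secrets(commands: List[Dict]) -> List[str]:
    """One finding per credential-looking name outside the secrets list."""
    findings: List[str] = []
    for cmd in commands:
        for name in cmd["configs"]:
            if SENSITIVE_NAME.search(name):
                findings.append(
                    f"{cmd['name']}: config '{name}' looks like a credential; "
                    "store it in the Secrets Store instead")
        for item in cmd["static"]:
            key = item.split("=", 1)[0]
            if SENSITIVE_NAME.search(key):
                findings.append(
                    f"{cmd['name']}: static var '{key}' carries a credential in "
                    "plaintext inside ops.yml; move it to secrets")
    return findings


if __name__ == "__main__":
    for finding in find_misplaced_secrets(parse_env_sections(OPS_YML)):
        print(finding)
```

The name-pattern check is deliberately coarse: a false positive costs a reviewer a few seconds, while a token committed under `configs:` ends up in a store that the article explicitly reserves for non-sensitive data.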

Features of CTO.ai Configs

  • Automated Workflows: You can set up automation to streamline onboarding, ensuring every new user has the appropriate access and configurations.
  • Enforce Security Policies: By using configurations, you can set up required security measures for each role or user, making sure that every onboarded member meets the security guidelines.

Conclusion

By using Google Cloud's IAM for role-based access control and CTO.ai's configuration management for standardization and automation, organizations can create a robust, efficient, and secure onboarding process. Regular monitoring and auditing further ensure that the system remains compliant and resilient to potential threats.

CTO.ai Configs not only enhances security but also facilitates the efficient onboarding of new team members, allowing organizations to scale and adapt quickly in an ever-changing technological environment.

Ready to unlock the power of CTO.ai for your team? Schedule your consultation now with one of our experts today!