Prepare IAM permissions

This document explains how to prepare your Identity and Access Management (IAM) permissions to effectively manage subnets in Google Distributed Cloud (GDC) air-gapped.

GDC uses IAM for granular access to specific resources. This model helps prevent unauthorized access to other resources.

A role is a collection of permissions that let you perform specific actions on resources. You assign roles to subjects, such as users, groups, or service accounts. To manage subnets in GDC, you must have the required IAM roles.

This document is for network administrators within the platform administrator group who are responsible for managing networking requirements within their organization. For more information, see Audiences for GDC air-gapped documentation.

IAM roles for subnets

GDC supports the following IAM roles for managing subnets:

  • Subnet Org Admin (subnet-global-org-admin): Manages multiple zone subnets within the organization. This is a global permission.
  • Subnet Org Admin (subnet-org-admin): Manages zonal subnets within the organization. This is a zonal permission.
  • Subnet Project Admin (subnet-global-project-admin): Manages multiple zone subnets within a project. This is a global permission.
  • Subnet Project Admin (subnet-project-admin): Manages zonal subnets within a project. This is a zonal permission.
    • This role includes permission to read all subnets in the project namespace and to create, update, or delete most subnets in the project namespace.
    • This role doesn't grant permission to create, update, or delete root-type subnets (subnet.Spec.Type == Root).
  • Subnet Project Operator (subnet-project-operator): Manages leaf-type, auto-allocated subnets within projects.
    • This role has permission to read all subnets in the project and to create, update, or delete only the auto-allocated leaf subnets in the project namespaces.
    • This role doesn't grant permission to create, update, or delete the following subnets:
      • Root-type or branch-type subnets (subnet.Spec.Type == Root or subnet.Spec.Type == Branch)
      • Network subnets (subnet.Spec.NetworkSpec != nil)
      • Subnets with dedicated CIDR blocks (subnet.Spec.Ipv4Request.CIDR != nil or subnet.Spec.Ipv6Request.CIDR != nil)
  • Subnet Platform Viewer (subnet-platform-viewer): Lists subnets in the platform namespace.
  • Shared Subnet User (shared-subnet-user): Uses a shared subnet in the platform namespace as a parent to allocate a subnet inside the project.
  • SUBNET_NAME User (SUBNET_NAME-user): Uses specific subnets in the platform namespace.
    • To grant a dedicated subnet in the platform namespace for use as a parent to allocate a subnet inside the project, the Subnet Org Admin must create or update a subnet and set the "ipam.gdc.goog/subnet-delegation-role": auto annotation for it.
    • To enable a subnet group within the platform namespace for project-internal subnet allocation, the Subnet Org Admin must set the "ipam.gdc.goog/subnet-delegation-role": auto annotation on all subnets in the group.
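The admission rules listed for Subnet Project Admin and Subnet Project Operator can be expressed as a small policy check. The following is an added example, not code from GDC: it models a subnet as a constructed dict using the field paths named above (Spec.Type, Spec.NetworkSpec, Spec.Ipv4Request.CIDR, Spec.Ipv6Request.CIDR); the value "Leaf" for a non-root, non-branch subnet and the dict layout are assumptions for illustration.

```python
# Added example: mirrors the project-namespace subnet role rules described above.
# The subnet dict layout and the "Leaf" type value are assumptions for illustration.
ROOT, BRANCH, LEAF = "Root", "Branch", "Leaf"

def _has_dedicated_cidr(spec: dict) -> bool:
    """True when either address-family request pins a CIDR block (CIDR != nil)."""
    for family in ("Ipv4Request", "Ipv6Request"):
        request = spec.get(family) or {}
        if request.get("CIDR") is not None:
            return True
    return False

def can_mutate(role: str, subnet: dict) -> bool:
    """Whether `role` may create, update, or delete `subnet` in the project namespace."""
    spec = subnet.get("Spec") or {}
    subnet_type = spec.get("Type")
    if role == "subnet-project-admin":
        # Allowed on most subnets, but never on root-type subnets.
        return subnet_type != ROOT
    if role == "subnet-project-operator":
        # Only auto-allocated leaf subnets: no root/branch type,
        # no NetworkSpec, and no dedicated CIDR on either address family.
        if subnet_type in (ROOT, BRANCH):
            return False
        if spec.get("NetworkSpec") is not None:
            return False
        if _has_dedicated_cidr(spec):
            return False
        return True
    # Other roles on this page do not grant project-namespace mutations.
    return False

def can_read(role: str) -> bool:
    """Both project roles may read all subnets in the project namespace."""
    return role in ("subnet-project-admin", "subnet-project-operator")

# Constructed sample subnets (not real GDC objects).
AUTO_LEAF = {"Spec": {"Type": LEAF, "Ipv4Request": {"CIDR": None}}}
DEDICATED_LEAF = {"Spec": {"Type": LEAF, "Ipv4Request": {"CIDR": "10.0.1.0/24"}}}
NETWORK_LEAF = {"Spec": {"Type": LEAF, "NetworkSpec": {"name": "net-a"}}}
BRANCH_SUBNET = {"Spec": {"Type": BRANCH, "Ipv4Request": {"CIDR": None}}}
ROOT_SUBNET = {"Spec": {"Type": ROOT, "Ipv4Request": {"CIDR": "10.0.0.0/16"}}}

if __name__ == "__main__":
    for name, subnet in [("auto leaf", AUTO_LEAF), ("dedicated leaf", DEDICATED_LEAF),
                         ("network leaf", NETWORK_LEAF), ("branch", BRANCH_SUBNET),
                         ("root", ROOT_SUBNET)]:
        print(f"{name:15} admin={can_mutate('subnet-project-admin', subnet)} "
              f"operator={can_mutate('subnet-project-operator', subnet)}")
```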

What's next