
GCP Access Elevations

User level permissions for engineering at Lookout
Agenda

• GCP Roles

• Demonstration Videos
Prerequisites

• Bookout GCP Platform overview presentations completed
• Bookout.com account and access to Prod Okta
GCP Roles

Bookout Custom Roles
• At Bookout we have created 4 standard roles for GCP:
  • Read Only
  • Editor
  • Operator
  • Incident
The Read-Only Role
• Every engineer has the read-only role by default
• This role allows standard visibility of the following:
  • All projects
  • All networks
  • All services
• This role does not allow:
  • Reading secrets for non-team projects
  • Reading non-team data (in instances, databases, NFS, Cloud Filestore, etc.)
The Editor Role
• Applies to Sandbox, Pre-Production, and Production
• This role allows additional access to:
  • Metadata-level operations
  • Some limited commands to facilitate unavoidable manual maintenance tasks
The Operator Role
• Applies to Sandbox, Pre-Production, and Production
• The operator role is the most privileged role and allows creation, deletion, and editing of all resources which are available for use by engineers
• In the Sandbox and Pre-Production environments, elevation to the operator role is self-service
• In the Production environment, elevation to the operator role is done via a JIRA ticket and IRT. The current process applies: a JIRA ticket is created, linked to a Change Control JIRA ticket, and approved by a manager
The Incident Role
• Applies only to Production
• This role has the same permissions as the operator role and is only applied to a user during a production incident by IRT
• In the Sandbox and Pre-Production environments, elevation to the operator role is self-service and exists for testing purposes only
• In the Production environment, elevation to the incident role is done via a JIRA ticket and IRT. The current process applies: a JIRA ticket is created, linked to a Change Control JIRA ticket, and approved by a manager
Team and Environment Scoped Roles
• Roles are given to a specific team over a specific project
• Each service is its own project
• Each network is its own project, shared to a service
• Each project is owned by a team
• The team is given permissions based on the environment of the project

Example:
• lke-pprd-nfr-coolapp-abcde is a service owned by team A
  • By default, team A has read-only access to the project
  • The CD toolset, utilized by team A, has permission to edit this project (via service accounts)
  • Team A needs a self-service elevation to manually edit this project
  • Team B is unable to edit the project, even with a self-service elevation
• lke-pprd-nfr-coolapp-abcde utilizes a network shared from the lke-pprd-nfr-netwk-abcde project
  • Team A can only place instances and services in this network
  • Team A cannot edit this network, as they do not have operator permissions on the lke-pprd-nfr-netwk-abcde project which contains the network
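To make the scoping rules above concrete, here is an added example (not Bookout tooling) that encodes them as a policy check a reviewer could run against the slide's scenario. The production project id, the environment being the second segment of a project id, and the owning team of the netwk project are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ROLES = ("read-only", "editor", "operator", "incident")
PROD_ENV = "prod"  # assumption: the environment token used in production project ids


@dataclass(frozen=True)
class Project:
    project_id: str
    owner_team: str
    network_host: Optional[str] = None  # project id the network is shared from, if any

    @property
    def env(self) -> str:
        # Assumption: the environment is the second id segment (lke-pprd-nfr-coolapp-abcde -> "pprd").
        return self.project_id.split("-")[1]


def elevation_decision(team: str, project: Project, role: str,
                       jira_approved: bool = False, irt_incident: bool = False) -> Tuple[bool, str]:
    """Decide whether `team` may hold `role` on `project`, and what approval that takes."""
    if role not in ROLES:
        return False, f"unknown role {role!r}"
    if role == "read-only":
        return True, "granted to every engineer on every project by default"
    if project.owner_team != team:
        # Elevation is team-scoped: a team can only elevate on projects it owns.
        return False, f"{project.project_id} is owned by {project.owner_team}"
    if role == "incident":
        if project.env != PROD_ENV:
            return False, "incident role applies only to production"
        if irt_incident:
            return True, "applied by IRT for the duration of the incident"
        return False, "only IRT applies this role, during a production incident"
    if project.env == PROD_ENV:
        if jira_approved:
            return True, "JIRA ticket linked to Change Control, manager approved, actioned by IRT"
        return False, "production elevation needs an approved JIRA ticket and IRT"
    return True, "self-service elevation in sandbox / pre-production"


def can_use_shared_network(team: str, service_project: Project, host_project: Project) -> bool:
    """A team may place instances in a network only via an owned service project the network is shared to."""
    return (service_project.owner_team == team
            and service_project.network_host == host_project.project_id)


# Constructed projects mirroring the slide example; the netwk project's owner is an assumption.
COOLAPP = Project("lke-pprd-nfr-coolapp-abcde", "team-a", network_host="lke-pprd-nfr-netwk-abcde")
NETWK = Project("lke-pprd-nfr-netwk-abcde", "network-team")
```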
Model Overview

Read-only / Viewer
• Elevation req'd? Always available
• Purpose/Description:
  • Read project resource metadata
  • See organization resources
  • Allows Console views to work

Editor
• Elevation req'd? Requires JIRA/IRT elevation in Prod; requires self-service elevation in sandbox and preprod
• Purpose/Description:
  • Update some configuration options
  • Limited command set to facilitate some currently unavoidable maintenance tasks

Operator
• Elevation req'd? Requires JIRA/IRT elevation in Prod; requires self-service elevation in sandbox and preprod
• Purpose/Description:
  • An operator in a service project has complete control over compute / data resources in the project
  • ~Equivalent of AWS "priv" roles

Incident Response
• Elevation req'd? Only used in production; IRT-facilitated elevation during an incident via the incident Slack channel; equivalent permissions to the operator role
• Purpose/Description:
  • Distinguishable role used during an incident with the same permissions as the operator role
Demonstration Videos
Questions?
