[EXAMTOPIC] This post summarizes the Security, Privacy, compliance, and legal issues material from the Data Pipeline part.
Data Pipeline - Security, Privacy, compliance, legal issues
- Cloud IAM : Resource access control
- API Gateway : Fully managed API Gateway
- Cloud Endpoints : API management system
Principals & Applications
Principal : an entity (identity) that can be granted access to a resource.
Google Cloud APIs support 2 types of principals : user accounts and service accounts.
User accounts | Service accounts |
---|---|
Managed as Google Accounts | Managed by IAM |
Representing "a developer, administrator or any other person who interacts with Google Cloud". | Representing non-human users. |
Authenticating as an end user | Authenticating as a service account |
Applications
Google Cloud APIs only accept requests from registered applications. Requests from anonymous applications are rejected.
- Registered applications : uniquely identifiable applications that present a credential at the time of the request.
Application credentials provide the required information about the caller making a request to a Google Cloud API.
- Valid credential types : API keys, OAuth 2.0 client credentials, Service account keys
Service accounts can be used as both an application credential and a principal identity ⇒ Uniquely identifiable.
Authentication strategies
Presenting application credentials in requests to Google Cloud APIs only identifies the caller as a registered application ⇒ if authentication is required, the client must also identify the principal running the application, such as a user account or service account.
Choose application credentials based on what the application needs and where it runs (runtime environment).
Scenarios | Recommended Strategies | Description |
---|---|---|
Accessing public data anonymously | API key | An API key only identifies the application & doesn't require user authentication ⇒ sufficient for accessing public data. |
Accessing private data on behalf of an end user | OAuth 2.0 client | An OAuth 2.0 client identifies the application and lets end users authenticate your application with Google ⇒ allows the application to access Google Cloud APIs on behalf of the end user. |
Accessing private data on behalf of a service account inside Google Cloud environments | Environment-provided service account | If your application runs inside a Google Cloud environment (Compute Engine/App Engine/GKE/Cloud Run/Cloud Functions) ⇒ it should use the service account provided by the environment. Plus, Google Cloud Client Libraries will automatically find and use the service account credentials. |
Accessing private data on behalf of a service account outside Google Cloud environments | Service account key | Create a service account → Download its private key as a JSON file → Pass the file to Google Cloud Client Libraries to let them generate the service account credentials at runtime. Plus, Google Cloud Client Libraries will automatically find and use the service account credentials by using the GOOGLE_APPLICATION_CREDENTIALS environment variable. |
OAuth 2.0 Protocol
- Google Cloud APIs use the OAuth 2.0 protocol for authenticating both user accounts and service accounts.
→ The OAuth 2.0 authentication process determines both the principal and the application.
API key
- Most Google Cloud APIs also support anonymous access to public data using API keys.
- API keys only identify the application, not the principal. ⇒ When using API keys, the principal must be authenticated by other means.
Google Cloud Client Libraries : support a variety of authentication flows and runtime environments.
- General steps to build an application using Google Cloud APIs
  - Choose and use the provided Google Cloud Client Libraries
  - Determine the correct authentication flow for your application
  - Find or create the application credentials needed for your application
  - Pass the application credentials to the client libraries at application startup time, ideally through Application Default Credentials (ADC)
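How the credential choices in the strategy table and the ADC step play out at startup, as an added example (not code from the original post or from Google's client libraries): a simplified model of the ADC lookup order that also flags a service account key file used inside Google Cloud, where the environment-provided service account is the recommended strategy. The function names, the Linux/macOS gcloud file path and the sample key file are constructed for illustration.

```python
import json
import os
import tempfile


def classify_credential_file(path):
    """Return which kind of Google credential a JSON file holds."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if data.get("type") == "service_account":
        return "service_account_key"   # long-lived private key
    if data.get("type") == "authorized_user":
        return "user_credentials"      # end-user refresh token
    if "installed" in data or "web" in data:
        return "oauth_client"          # identifies the application, not a principal
    return "unknown"


def resolve_adc(env, home, on_google_cloud):
    """Simplified ADC lookup order: returns (source, credential kind, warning)."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        kind = classify_credential_file(explicit)
        warning = None
        if kind == "service_account_key" and on_google_cloud:
            warning = "key file overrides the environment-provided service account"
        elif kind not in ("service_account_key", "user_credentials"):
            warning = "file does not identify a principal"
        return ("env_var", kind, warning)
    well_known = os.path.join(home, ".config", "gcloud", "application_default_credentials.json")
    if os.path.exists(well_known):
        return ("gcloud_user_file", classify_credential_file(well_known), None)
    if on_google_cloud:
        return ("attached_service_account", "environment_provided", None)
    return ("none", "unknown", "no application default credentials found")


def demo():
    """Resolve four scenarios against a constructed key file (no real secret)."""
    with tempfile.TemporaryDirectory() as home:
        key = os.path.join(home, "sa-key.json")
        with open(key, "w", encoding="utf-8") as fh:
            json.dump({"type": "service_account", "private_key": "CONSTRUCTED",
                       "client_email": "pipeline@example-project.iam.gserviceaccount.com"}, fh)
        env = {"GOOGLE_APPLICATION_CREDENTIALS": key}
        return [resolve_adc(env, home, True), resolve_adc(env, home, False),
                resolve_adc({}, home, True), resolve_adc({}, home, False)]
```

`demo()` returns one tuple per scenario: key file inside Google Cloud, key file outside Google Cloud, no file inside Google Cloud, and no credentials at all.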
Cloud IAM
Identity and Access Management
- Grant granular access to specific Google Cloud resources
- Helps prevent access to other resources
- This follows the security principle of least privilege, which states that nobody should have more permissions than they actually need.
- With IAM, every API method across all Google Cloud services is checked to ensure that the account making the API request has the appropriate permission to use the resource.
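A least-privilege check over an IAM policy, as an added example that is not part of the original post: it walks the role bindings and reports public principals and basic roles (Owner/Editor), with service accounts holding a basic role ranked highest. The policy below is constructed in the shape returned by `gcloud projects get-iam-policy --format=json`; the project, accounts and severity labels are assumptions made for illustration.

```python
import json

BASIC_ROLES = {"roles/owner", "roles/editor"}      # broad, project-wide basic roles
PUBLIC = {"allUsers", "allAuthenticatedUsers"}     # principals that are not a specific identity

# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:pipeline@example-project.iam.gserviceaccount.com",
                 "user:dev@example.com"]},
    {"role": "roles/bigtable.reader",
     "members": ["serviceAccount:gateway@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ]
}
""")


def audit_policy(policy):
    """Return sorted (severity, member, role, reason) findings that break least privilege."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC:
                findings.append(("high", member, role, "binding grants access to the public"))
            elif role in BASIC_ROLES and member.startswith("serviceAccount:"):
                findings.append(("high", member, role, "service account holds a basic role"))
            elif role in BASIC_ROLES:
                findings.append(("medium", member, role, "basic role; use a narrower predefined role"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```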
API Gateway
API Access control options in API Gateway
API Gateway uses Identity and Access Management (IAM) to control access to your API.
Making web service requests through API Gateway.
View and grant roles using the permissions panel on the API Gateway > APIs or Gateways detail pages in the Google Cloud Console. Roles can also be granted using the API, or with the gcloud command-line tool.
3 IAM role titles that can be granted : Service Consumer, API Gateway Viewer, API Gateway Admin
Cloud Endpoints
Endpoints is an API management system that helps you secure, monitor, analyze, and set quotas on your APIs using the same infrastructure Google uses for its own APIs.
- After you deploy your API to Endpoints, you can use the Cloud Endpoints Portal to create a developer portal, a website that users of your API can access to view documentation and interact with your API.
DUMP Q 49.
You work for an online travel agency that also sells advertising placements on its website to other companies. You have been asked to predict the most relevant web banner that a user should see next. Security is important to your company. The model latency requirements are 300ms, the inventory is thousands of web banners, and your exploratory analysis has shown that navigation context is a good predictor. You want to implement the simplest solution. How should you configure the prediction pipeline?
- A. Embed the client on the website, and then deploy the model on AI Platform Prediction.
- B. Embed the client on the website, deploy the gateway on App Engine, and then deploy the model on AI Platform Prediction.
- ⭕ C. Embed the client on the website, deploy the gateway on App Engine, deploy the database on Cloud Bigtable for writing and for reading the user's navigation context, and then deploy the model on AI Platform Prediction.
- D. Embed the client on the website, deploy the gateway on App Engine, deploy the database on Memorystore for writing and for reading the user's navigation context, and then deploy the model on Google Kubernetes Engine.