Access Control for Disaster Avoidance in Google Cloud IoT Core using IAM Policy
  • Difficulty Level : Hard
  • Last Updated : 03 Mar, 2021

The Internet of Things (IoT) is one of today's most widely used technologies for building networks of physical devices. In Cloud IoT, cloud technology adds value by giving modern IoT automation the support it needs to be secure, managed and scalable. Cloud IoT has become the new definition of large-scale IoT operations, especially for remote access and management.

Google Cloud IoT Core is a fully managed service that connects securely to, and ingests data from, millions of devices around the world. This means you do not need to handle auto-scaling, database partitioning or pre-provisioning of resources yourself. Further advantages include:

  1. The cloud administrator does not need to determine the location of devices.
  2. There is no need to replicate the IoT configuration for each area; instead, data is published to Cloud Pub/Sub and is accessible from anywhere.
  3. The Device Manager allows the system to be controlled and updated over time to maintain data security.

Google Cloud IoT Core with Identity & Access Management 

Device registration with Google Cloud IoT:

Devices that will connect to Cloud IoT must first be registered in the Device Manager. The Device Manager helps users build and configure Device Registries. According to the Google Cloud (GCP) documentation, a Device Registry is "A container of devices with shared properties. You register a device with a service (like Cloud IoT Core) so that you can manage it". You can access the Device Manager via the Google Cloud Platform Console, Google Cloud Shell commands, or the REST-style API.

Device Registry: 

As mentioned above, a Device Registry is a container to which multiple devices connect via Cloud IoT Core or another managing service, and for which we can choose protocols such as HTTP (Hypertext Transfer Protocol) or MQTT (Message Queuing Telemetry Transport). When we build a Device Registry, we enable those protocols in it as required. Each Device Registry is created in a specific cloud region and belongs to the current cloud project. For example, in Google Cloud's cloudiot.googleapis.com service, a registry is identified by its full resource name (below):

projects/{project-id}/locations/{cloud-region}/registries/{registry-id}

A registry can be configured with one or more Cloud Pub/Sub topics to which the telemetry events of all devices in that registry are published. A single topic may also be used to collect data from all regions. Stackdriver Monitoring is enabled automatically for every registry.



Identity and Access Management (IAM) for Cloud IoT Core:

IAM is used here to control all access permissions and to allow users to view, receive from, or fully manage devices. For each project, Cloud IoT Core automatically grants the cloudiot.serviceAgent role to the corresponding service account so that it can publish to Pub/Sub topics.

IAM grants access at the registry level, so per-device access control is not required. The table below lists the Google Cloud IoT Core IAM roles and the permissions each one carries.

IAM Roles Permission Table

Each role includes every permission of the roles listed before it.

roles/cloudiot.viewer
  Description: read-only access.
  Permissions:
    1. cloudiot.registries.get
    2. cloudiot.registries.list
    3. cloudiot.devices.get
    4. cloudiot.devices.list

roles/cloudiot.deviceController
  Description: access to update devices in the registry, but not to create or delete them.
  Permissions: all of the above, plus:
    1. cloudiot.devices.updateConfig
    2. cloudiot.devices.sendCommand

roles/cloudiot.provisioner
  Description: access to create or delete devices in the registry, but not to modify the registry itself.
  Permissions: all of the above, plus:
    1. cloudiot.devices.create
    2. cloudiot.devices.delete
    3. cloudiot.devices.update

roles/cloudiot.editor
  Description: read and write access to all Cloud IoT resources.
  Permissions: all of the above, plus:
    1. cloudiot.registries.create
    2. cloudiot.registries.delete
    3. cloudiot.registries.update

roles/cloudiot.admin
  Description: full access to and control of all Cloud IoT resources and permissions.
  Permissions: all of the above, plus:
    1. cloudiot.registries.getIamPolicy
    2. cloudiot.registries.setIamPolicy

Device Registry Permission Table

Device registry permission name       Description
cloudiot.registries.create            Creates a new registry in a project.
cloudiot.registries.delete            Deletes a registry.
cloudiot.registries.get               Reads registry details, excluding ACLs.
cloudiot.registries.getIamPolicy      Reads registry ACLs.
cloudiot.registries.list              Lists the registries in a project.
cloudiot.registries.setIamPolicy      Updates registry ACLs.
cloudiot.registries.update            Updates registry details, excluding ACLs.
cloudiot.devices.sendCommand          Sends commands (granted per registry, not per device).

Device Permissions Table

Device permission name                Description
cloudiot.devices.create               Adds a new device to a registry.
cloudiot.devices.delete               Deletes a device.
cloudiot.devices.get                  Reads device details, excluding ACLs.
cloudiot.devices.list                 Lists the devices in a registry.
cloudiot.devices.update               Updates device details, excluding ACLs.
cloudiot.devices.updateConfig         Updates the device configuration.
cloudiot.devices.bindGateway          Binds a device to a gateway.
cloudiot.devices.unbindGateway        Unbinds a device from a gateway.

Table Data/Commands Sources: Google Cloud Documentation
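The tables above describe a strictly nested role hierarchy, which is what lets you pick the least-privileged role for each principal on a registry. The following is an added example (not code from the article or from Google Cloud) that encodes the tables, reads a registry IAM policy in the standard GCP policy JSON shape, and answers "can this member do X?", "what is the lowest role that covers these permissions?" and "what does this member hold beyond its job?". The policy and the member names are constructed for the example.

```python
import json
# Role hierarchy from the tables above: each role inherits all permissions of
# the roles listed before it (viewer < deviceController < provisioner < ...).
ROLE_PERMISSIONS = {
    "roles/cloudiot.viewer": {
        "cloudiot.registries.get", "cloudiot.registries.list",
        "cloudiot.devices.get", "cloudiot.devices.list"},
    "roles/cloudiot.deviceController": {
        "cloudiot.devices.updateConfig", "cloudiot.devices.sendCommand"},
    "roles/cloudiot.provisioner": {
        "cloudiot.devices.create", "cloudiot.devices.delete",
        "cloudiot.devices.update"},
    "roles/cloudiot.editor": {
        "cloudiot.registries.create", "cloudiot.registries.delete",
        "cloudiot.registries.update"},
    "roles/cloudiot.admin": {
        "cloudiot.registries.getIamPolicy", "cloudiot.registries.setIamPolicy"},
}

def expand_role(role):
    # Full permission set of a role, inherited ones included (dict keeps order).
    perms = set()
    for name, own in ROLE_PERMISSIONS.items():
        perms |= own
        if name == role:
            return perms
    raise KeyError(f"unknown Cloud IoT Core role: {role}")

def member_permissions(policy, member):
    # Union of permissions a member holds across every binding in the policy.
    perms = set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            perms |= expand_role(binding["role"])
    return perms

def can(policy, member, permission):
    return permission in member_permissions(policy, member)
def least_role(needed):
    # Lowest role in the hierarchy whose permission set covers `needed`.
    return next((r for r in ROLE_PERMISSIONS if set(needed) <= expand_role(r)), None)
def excess_permissions(policy, member, needed):
    # Permissions the member holds beyond what its job actually requires.
    return sorted(member_permissions(policy, member) - set(needed))
# Constructed sample registry policy in GCP IAM policy JSON shape (not real).
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/cloudiot.viewer", "members": ["user:dashboard@example.com"]},
  {"role": "roles/cloudiot.admin",
   "members": ["serviceAccount:fw-push@example.iam.gserviceaccount.com"]}]}""")
```

In the sample policy the firmware-push service account only needs updateConfig and sendCommand, so excess_permissions reports the twelve extra permissions it holds and least_role points at roles/cloudiot.deviceController as the binding to use instead.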

With the permissions above you can set up everything from initial, basic privileges for accessing the stored data of received IoT sensor signals, through to advanced remote access for managing and securing your Cloud IoT Core data from anywhere, including control over Google BigQuery, BI solutions, Google machine learning and so on. This is how Google Cloud IoT Core can be managed and controlled with Identity and Access Management (IAM) for security risk assessment and disaster avoidance.
