Microsoft recommending IAP Desktop
Microsoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice. Continue »
With the latest version of Just-in-Time access, we can now demand that users seek approval from a peer before they can activate certain roles. Continue »
With Just-in-Time Access, we can implement just-in-time privileged access management on Google Cloud by allowing users to temporarily elevate their access to certain projects. But a key limitation of the initial release of JIT Access was that it didn’t support inherited role bindings. Version 1.1 removes this limitation and features a new UI. Continue »
The first thing we often do after creating a new Windows VM on Google Cloud is join the VM to Active Directory. With the latest IAP Desktop release, that got a little easier. Continue »
When we run License Tracker for the first time, the tool analyzes the last 90 days of audit logs to determine how many VMs and physical servers we’ve been using. Going back 90 days in history is useful, but can we go back further? Continue »
When we bring our own Windows licenses to Google Cloud, we must keep track of the number of physical servers that we’re using those licenses on. By using sole-tenant nodes, we can control which nodes our VMs run on, but nodes aren’t the same as physical servers. Continue »
To deploy software or infrastructure automatically, many deployment pipelines need access to Google Cloud, so we let the pipelines use a service account. The more we rely on deployment pipelines and their service accounts, the more extensive and privileged their access to Google Cloud can become. And that creates new risks. Continue »
The principle of least privilege states that we should grant users just enough access to carry out everyday activities, but no more. But what about the occasional case where a user does need privileged access, maybe to handle an incident or perform a rare configuration change? This is where just-in-time access can help. Continue »
When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier. Continue »
IAP Desktop uses a UI that’s similar to Visual Studio – we can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows… until now. Continue »
By default, IAP Desktop uses the ssh-rsa public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA. Continue »
Workload identity federation lets us impersonate a Google Cloud service account by using credentials from an external identity provider. That’s a useful and powerful feature, but there are some things to watch out for. Continue »
IAP Desktop 2.20 now lets you use group policies to ensure all users in your organization use consistent settings. Continue »
Service accounts play a key role in Google Cloud IAM, and there are multiple ways in which service accounts can authenticate. One of them is by using a service account key – but service account keys turn into a security risk if they aren’t managed carefully. Continue »
Google Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this second part of the series, let’s look at how the build process works. Continue »
Google Cloud provides public images for a range of Windows Server versions, but in some situations, it’s necessary to build your own image. In this first part of the series, let’s review how Windows Setup works. Continue »
Release 2.16 is out, and it contains multiple improvements to the Project Explorer tool window as well as the ability to customize your SSH terminal better. Continue »
By default, access to the Compute Engine metadata server is not limited to specific processes or users on a VM: even low-privilege processes can request service account credentials. Can we limit metadata server access to specific Windows users or processes? Continue »
Service accounts play a key role in Google Cloud IAM, but they are easy to get wrong. If you’re not careful, you quickly end up with over-permissioned service accounts, accounts that are used across multiple applications, and service account keys being spread all across your environment. Continue »
Documentation is not where libssh2 shines most. Continue »