Maybe a silly question but I can't get out of it. In Google Cloud a Shared VPC supports, amongst others, the major roles Shared VPC Admin and Service Project Admin. Furthermore, it is advisable to define a Network Admin to administer networks in a Host Project:

IAM Roles in Shared VPC

What looks hard to understand for me is that while Google states:

> Important: The Network Admin role does not include all of the permissions in the Network User role. IAM members having only the Network Admin role do not have permission to use the host project or subnets in its Shared VPC networks.

when I look to the single permissions of Network Admin vs Network User at:

Compute Engine roles

I do not see what permission relevant to creating VMs in a subnet the Network Admin does NOT contain whereas the Network User does! To me it looks like the Network Admin contains by far more than what the Network User does. Any idea?

1 Answer

If you look at the Compute Engine roles you linked, the specific permission you would need is compute.instances.create to create VMs at all. So if a user just has Network Admin as a role, they could create and manage network-related resources but cannot create VMs, so they would need another role that allows them to do this.

Also, although it seems like Network Admin has more permissions overall, there are a few permissions that the Network User has that the Network Admin does not.

Hope that answers your question.
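As an added illustration of the two-sided check the answer describes (this is example code, not part of the question, the answer, or Google's own tooling): creating a VM in a Shared VPC subnet needs an instance-creation permission in the service project and a subnet-use permission on the host project, and a member holding only Network Admin in both places gets neither. The role contents below are constructed, illustrative subsets of the predefined roles, not their complete definitions; the member name and project bindings are constructed as well.

```python
"""Added example: model the two-project permission check that decides
whether a member can create a VM in a Shared VPC subnet.

Assumption: ROLE_PERMISSIONS holds illustrative subsets of the predefined
Compute Engine roles, not their full definitions. Fetch the real lists with
`gcloud iam roles describe roles/compute.networkUser` (and so on) before
relying on them.
"""
from typing import Dict, FrozenSet, List, Set

# Assumption: constructed, illustrative subsets of the predefined roles.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "roles/compute.networkAdmin": frozenset({
        "compute.networks.create", "compute.networks.delete",
        "compute.networks.get", "compute.networks.list",
        "compute.subnetworks.create", "compute.subnetworks.delete",
        "compute.subnetworks.get", "compute.subnetworks.list",
        "compute.subnetworks.update", "compute.subnetworks.setIamPolicy",
        "compute.instances.get", "compute.instances.list",
    }),
    "roles/compute.networkUser": frozenset({
        "compute.networks.get", "compute.networks.list",
        "compute.subnetworks.get", "compute.subnetworks.list",
        "compute.subnetworks.use", "compute.subnetworks.useExternalIp",
    }),
    "roles/compute.instanceAdmin.v1": frozenset({
        "compute.instances.create", "compute.instances.delete",
        "compute.instances.get", "compute.instances.list",
        "compute.instances.setMetadata", "compute.disks.create",
    }),
}

# What a VM creation in a Shared VPC subnet needs, split by project:
# the instance lives in the service project, the subnet in the host project.
SERVICE_PROJECT_NEEDS: FrozenSet[str] = frozenset({"compute.instances.create"})
HOST_PROJECT_NEEDS: FrozenSet[str] = frozenset({"compute.subnetworks.use"})

Bindings = Dict[str, Set[str]]  # role -> members bound to that role


def effective_permissions(bindings: Bindings, member: str) -> Set[str]:
    """Union of the permissions of every role the member is bound to."""
    perms: Set[str] = set()
    for role, members in bindings.items():
        if member in members:
            perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def permissions_only_in(role_a: str, role_b: str) -> Set[str]:
    """Permissions that role_b grants but role_a does not."""
    return set(ROLE_PERMISSIONS[role_b] - ROLE_PERMISSIONS[role_a])


def missing_for_vm_in_shared_subnet(host_bindings: Bindings,
                                    service_bindings: Bindings,
                                    member: str) -> List[str]:
    """Permissions the member still lacks, tagged by project.

    An empty list means both halves of the check pass. Host-side bindings
    may equally live on the individual subnet instead of the host project.
    """
    host_perms = effective_permissions(host_bindings, member)
    service_perms = effective_permissions(service_bindings, member)
    missing = [f"host:{p}" for p in sorted(HOST_PROJECT_NEEDS - host_perms)]
    missing += [f"service:{p}" for p in sorted(SERVICE_PROJECT_NEEDS - service_perms)]
    return missing


if __name__ == "__main__":
    alice = "user:alice@example.com"  # constructed member
    host: Bindings = {"roles/compute.networkAdmin": {alice}}
    service: Bindings = {"roles/compute.networkAdmin": {alice}}
    # Network Admin alone, in both projects: neither half of the check passes.
    print(missing_for_vm_in_shared_subnet(host, service, alice))
    # -> ['host:compute.subnetworks.use', 'service:compute.instances.create']
    # Add the roles the answer points at and the check is satisfied.
    host["roles/compute.networkUser"] = {alice}
    service["roles/compute.instanceAdmin.v1"] = {alice}
    print(missing_for_vm_in_shared_subnet(host, service, alice))  # -> []
    print(sorted(permissions_only_in("roles/compute.networkAdmin",
                                     "roles/compute.networkUser")))
```

For a real project, the bindings come from `gcloud projects get-iam-policy PROJECT_ID` on the host and service projects (and `gcloud compute networks subnets get-iam-policy` when Network User is granted per subnet), and the role contents from `gcloud iam roles describe ROLE`; with those substituted for the constructed data, `permissions_only_in` is the direct answer to the question asked above.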