Google Maps API is now only available through Google Cloud Platform. I am working on a small project and I'm not sure what would be sensible for me to do in terms of security. I am the developer and my client, who is not very technical, is the owner of the GCP account controlling the billing.
I have tried to understand the way IAM is set up in GCP from the docs, done searches and read several chapters of books on O'Reilly, but I'm still unclear what would be good practice (without getting too complicated, and ideally just using the Console) to protect the two GCP accounts we need.
What I have done is:
- Set up a new Google user account for myself specifically for GCP because my main Google account is tied to so many other services which I think potentially makes security weaker for GCP;
- Secured the two user accounts for GCP with 2 factor authentication;
- Created a project - for which I then became the
owner (which I understand is not ideal because it gives very broad access to resources);
- Invited my client to sign up to GCP initially as the
owner;
- Changed my client's roles to
ApiGateway Admin and Project Billing Manager.
I am proposing to change my roles to include Project IAM Admin and ApiGateway Admin, and afterwards to remove owner. Then I think I should be able to manage Google Maps APIs and also add new roles to the project if I want to.
My questions
Would those proposed roles be sufficient for me to manage Google Maps APIs for the project? I haven't got as far as managing API keys, but I will follow the official guidance on Google Maps pages for that.
Is there anything else I can advise my client to do to protect his GCP account from someone who might gain access to his account and try to add other services? For instance, would it help if he or I set up an organization or a folder structure?
New tag google-cloud-iam included
Looking at Google support for IAM, I was advised to post with this tag on StackOverflow, which I did. My question was then marked 'off topic' and I was advised to post on Super User. It was marked 'off topic' there too, so I am now trying to post it here. google-cloud-iam appears to be Google's recommended tag; please would someone from the community with more authority add it (I only found google-iam here).
