I’ve set up a Shared VPC with a host project and attached a service project. Despite configuring individual subnet access during attachment, I can still see and use all subnets within the service project. Could my Editor role at the folder level be the reason for this broader access?
Hi @G00GL3DEV,
Once roles/compute.networkUser is granted, service owners can use VPC networks and subnets that belong to the host project. For example, a network user can create a VM instance that belongs to a host project network, but they cannot delete or create new networks in the host project. This role provides access to a Shared VPC network. See Compute Engine IAM roles and permissions.
Just like with the statement here: A Shared VPC Admin can assign an IAM principal from a service project to be a Service Project Admin with access to all subnets in the host project. Service Project Admins of this type are granted the role of compute.networkUser for the whole host project. This means that they have access to all of the defined and future subnets in the host project.
To apply restrictions, you can set a policy that allows or denies access to specific subnets in the host project:
Organization Policy Service gives you centralized, programmatic control over your organization’s resources. You can use the following organization policies to restrict how users are allowed to set up Shared VPC deployments:
- Restrict Shared VPC host projects - lets you restrict the Shared VPC host projects that a resource can attach to
- Restrict Shared VPC subnetworks - this constraint limits the subnets that a principal can use when creating resources in the service projects
Since IAM policies inherit down the resource hierarchy, your folder-level Editor role grants you Editor access on the host project itself. This effectively gives you direct permission to use all subnets in the host project.
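To make the inheritance argument in the reply concrete, here is an added toy evaluator (not code from the thread, from Google, or from any Google SDK). It models the three points above: IAM bindings inherit down org > folder > project > subnet, roles/compute.networkUser on the host project covers every subnet while a subnet-level binding covers only that subnet, and the org policy constraint constraints/compute.restrictSharedVpcSubnetworks on the service project narrows which host subnets can be used from it even when IAM would allow them. The organization, folder, project and subnet names, the principals, the bindings and the trimmed role-to-permission table are constructed samples; the org-policy evaluation is simplified (closest policy wins, no merging with the parent).

```python
"""Toy evaluator for who can place a VM in a Shared VPC subnet.

Added illustration, not code from the thread or from Google. All resource
names, principals and bindings below are constructed samples, and the
role -> permission table is a small subset of the real role definitions.
"""

# The permission Compute Engine checks when an instance NIC is attached to a subnet.
SUBNET_USE = "compute.subnetworks.use"

# Assumption: this trimmed subset of the real roles is enough for the example.
ROLE_PERMISSIONS = {
    "roles/editor": {SUBNET_USE, "compute.instances.create", "compute.networks.create"},
    "roles/compute.networkUser": {SUBNET_USE, "compute.subnetworks.useExternalIp"},
}

# Constructed resource hierarchy: child -> parent.
PARENT = {
    "folders/456": "organizations/123",
    "projects/host-prj": "folders/456",
    "projects/svc-prj": "folders/456",
    "projects/host-prj/regions/us-central1/subnetworks/subnet-a": "projects/host-prj",
    "projects/host-prj/regions/us-central1/subnetworks/subnet-b": "projects/host-prj",
}
SUBNET_A = "projects/host-prj/regions/us-central1/subnetworks/subnet-a"
SUBNET_B = "projects/host-prj/regions/us-central1/subnetworks/subnet-b"

# Constructed IAM bindings: resource -> role -> members. The asker's situation is
# dev@ with Editor on the folder; svc-admin@ has networkUser on one subnet only.
BINDINGS = {
    "folders/456": {"roles/editor": {"user:dev@example.com"}},
    SUBNET_A: {"roles/compute.networkUser": {"user:svc-admin@example.com"}},
}

# Constructed org policies for constraints/compute.restrictSharedVpcSubnetworks,
# keyed by the resource the policy is set on. Values use the constraint's syntax:
# a full subnet name, or "under:<org|folder|project>" for everything beneath it.
NO_POLICY = {}
RESTRICT_TO_SUBNET_A = {
    "projects/svc-prj": {"mode": "allow", "values": [SUBNET_A]},
}


def ancestors(resource):
    """Return the resource followed by each parent up to the organization."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT.get(resource)
    return chain


def has_permission(bindings, principal, permission, resource):
    """IAM allow-policy evaluation: a binding on the resource or any ancestor grants it."""
    for res in ancestors(resource):
        for role, members in bindings.get(res, {}).items():
            if principal in members and permission in ROLE_PERMISSIONS.get(role, set()):
                return True
    return False


def _value_matches(value, subnet):
    # "under:<resource>" matches any subnet beneath that resource; otherwise exact match.
    if value.startswith("under:"):
        return value[len("under:"):] in ancestors(subnet)
    return value == subnet


def subnet_allowed_by_policy(policies, service_project, subnet):
    """Evaluate the subnet list constraint for the service project where the VM is created.

    Simplification: the closest policy in the hierarchy wins outright.
    """
    for res in ancestors(service_project):
        rule = policies.get(res)
        if rule is None:
            continue
        matched = any(_value_matches(v, subnet) for v in rule["values"])
        return matched if rule["mode"] == "allow" else not matched
    return True  # no policy anywhere: the constraint restricts nothing


def can_use_subnet(bindings, policies, principal, service_project, subnet):
    """A VM in service_project can land in subnet only if IAM and org policy both allow it."""
    return (has_permission(bindings, principal, SUBNET_USE, subnet)
            and subnet_allowed_by_policy(policies, service_project, subnet))


def scenario(policies):
    """Subnets each constructed principal can use from svc-prj under the given policies."""
    return {
        principal: [s for s in (SUBNET_A, SUBNET_B)
                    if can_use_subnet(BINDINGS, policies, principal, "projects/svc-prj", s)]
        for principal in ("user:dev@example.com", "user:svc-admin@example.com")
    }


if __name__ == "__main__":
    for label, pol in (("no org policy", NO_POLICY), ("restricted to subnet-a", RESTRICT_TO_SUBNET_A)):
        print(label)
        for principal, subnets in scenario(pol).items():
            print(f"  {principal}: {[s.rsplit('/', 1)[-1] for s in subnets]}")
```

With no org policy, dev@ reaches both subnets because the folder-level Editor binding is inherited by the host project and then by every subnet under it, while svc-admin@ reaches only subnet-a. Adding the allow-list policy on the service project cuts dev@ down to subnet-a without touching IAM, which is the practical fix the reply points at; note that it constrains where VMs in the service project may be placed and does nothing about what the Editor role allows directly inside the host project.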