Requirements
I use IAM Conditions to restrict editing of some firewall rules.
Example:
- Alice can change firewalls whose names start with "fw-sys-a", like "fw-sys-a-deny-all"
- Bob can change firewalls whose names start with "fw-sys-b", like "fw-sys-b-allow-ssh"
In this case, I made a custom role which has the permissions below:
- compute.firewalls.get
- compute.firewalls.update
- compute.networks.list
The IAM Conditions are:
- For Alice: resource.name.startsWith("projects/my-project/global/firewalls/fw-sys-a")
- For Bob: resource.name.startsWith("projects/my-project/global/firewalls/fw-sys-b")
As is
When operating from Cloud Shell, it worked as I expected:
- Alice can edit firewall fw-sys-a-deny-all, and cannot edit firewall fw-sys-b-allow-ssh, with the message "Required 'compute.firewalls.update' permission"
- Bob can edit firewall fw-sys-b-allow-ssh, and cannot edit firewall fw-sys-a-deny-all, with the message "Required 'compute.firewalls.update' permission"
But when operating from the Console (Web UI), the behavior is not the same:
- Alice cannot edit either firewall fw-sys-a-deny-all or firewall fw-sys-b-allow-ssh. The [edit] button is inactive and shows "Required 'compute.firewalls.update' permission" when hovering
- Bob cannot edit either firewall fw-sys-a-deny-all or firewall fw-sys-b-allow-ssh. The [edit] button is inactive and shows "Required 'compute.firewalls.update' permission" when hovering
What I expect
Not only from Cloud Shell but also from the Console (Web UI), it must work the same: Alice can edit only firewall fw-sys-a-deny-all and Bob can edit only firewall fw-sys-b-allow-ssh.
I wonder if someone has faced a similar issue.
Thank you for your kind help.
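The per-principal access described in the post, as an added example that is not part of the original post and is not Google Cloud IAM code: a local simulation of how a binding with a `resource.name.startsWith("...")` condition limits the custom role to firewall rules with a given name prefix. It evaluates the two conditions from the post against full firewall resource names and reports which update requests pass, the way a `testIamPermissions`-style check would. The principals (`alice@example.com`, `bob@example.com`), the custom role name, the `has_permission` / `access_matrix` helpers and the one-form CEL evaluator are assumptions made for the example; the project id `my-project` and the firewall names are taken from the post.

```python
"""Added example (not from the original post): simulate IAM Condition evaluation
for bindings of the form resource.name.startsWith("<prefix>") on firewall rules.
Assumed names: project "my-project", role "firewallEditor", principals
alice@/bob@example.com."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

CUSTOM_ROLE = "projects/my-project/roles/firewallEditor"  # assumed role name
ROLE_PERMISSIONS = {
    CUSTOM_ROLE: {
        "compute.firewalls.get",
        "compute.firewalls.update",
        "compute.networks.list",
    },
}

# Only the condition shape used in the post is supported; anything else is rejected.
_STARTSWITH = re.compile(r'^resource\.name\.startsWith\("([^"]*)"\)$')


@dataclass
class Binding:
    role: str
    members: Set[str]
    condition: Optional[str] = None  # CEL expression, or None for an unconditional binding


def condition_holds(expression: Optional[str], resource_name: str) -> bool:
    """Evaluate the restricted CEL subset against a full resource name."""
    if expression is None:
        return True
    m = _STARTSWITH.match(expression)
    if not m:
        raise ValueError(f"unsupported condition: {expression}")
    return resource_name.startswith(m.group(1))


def has_permission(policy: List[Binding], member: str, permission: str, resource_name: str) -> bool:
    """True if some binding grants `permission` to `member` and its condition holds for
    `resource_name`. A False result corresponds to the post's
    "Required 'compute.firewalls.update' permission" message."""
    for b in policy:
        if member not in b.members:
            continue
        if permission not in ROLE_PERMISSIONS.get(b.role, set()):
            continue
        if condition_holds(b.condition, resource_name):
            return True
    return False


# The two conditional bindings from the post.
POLICY = [
    Binding(CUSTOM_ROLE, {"user:alice@example.com"},
            'resource.name.startsWith("projects/my-project/global/firewalls/fw-sys-a")'),
    Binding(CUSTOM_ROLE, {"user:bob@example.com"},
            'resource.name.startsWith("projects/my-project/global/firewalls/fw-sys-b")'),
]


def firewall_name(project: str, rule: str) -> str:
    """Full resource name of a global firewall rule, the form the condition matches on."""
    return f"projects/{project}/global/firewalls/{rule}"


def access_matrix(policy: List[Binding], members: List[str], rules: List[str],
                  permission: str = "compute.firewalls.update") -> Dict[Tuple[str, str], bool]:
    """For each (member, rule) pair, whether `permission` is granted on that rule."""
    return {
        (m, r): has_permission(policy, m, permission, firewall_name("my-project", r))
        for m in members
        for r in rules
    }


if __name__ == "__main__":
    members = ["user:alice@example.com", "user:bob@example.com"]
    rules = ["fw-sys-a-deny-all", "fw-sys-b-allow-ssh"]
    for (m, r), ok in access_matrix(POLICY, members, rules).items():
        verdict = "ALLOW" if ok else "DENY (Required 'compute.firewalls.update' permission)"
        print(f"{m:26} {r:20} {verdict}")
    # A check evaluated against the project resource itself, rather than against a
    # specific firewall rule, matches neither prefix, so neither member passes it.
    print("project-level check for Alice:",
          has_permission(POLICY, members[0], "compute.firewalls.update", "projects/my-project"))
```

Running the script prints the expected Cloud Shell outcome from the post (Alice allowed only on fw-sys-a-deny-all, Bob only on fw-sys-b-allow-ssh). The last line illustrates a property of prefix conditions worth keeping in mind when debugging: a permission check made against any resource name outside the prefix, including the project itself, is denied for both users, so any client that checks permissions at a coarser resource than the individual firewall rule will see the update permission as missing.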