by OrvalWintermute 1753 days ago
In reading through this on the surface, it appears as though there is a mix of trust relationships that pre-exist, and credential issuances that occur on the fly. It also appears there is no privilege tiering, aka an enterprise access model, applied to the example. Did I see this wrong?

I'd be interested in seeing what credentials in toto are there, and which ones are ephemeral, and susceptibility to lateral traversal.

Could you respond on the merits of the critique?


For Linux systems at least, IAP doesn’t deal with privilege tiering. Instead, OS Login handles mapping a user’s Google account to a local account. There is also a program that queries a user’s SSH key from OS Login, and passes it to sshd when asked.

OS Login defines two IAM roles, one for “Can I log in?” and one for “Can I sudo?”. Those are implemented on the system via PAM, so you can add whatever additional restrictions you’d like.

Fetching user information via OS Login is implemented via an NSS module. POSIX attributes can be customized via the Google Directory API. And I believe Google Groups can be mapped to POSIX supplemental groups, but I'm not certain.
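As an added example (not code from this thread, from Google, or from the OS Login guest agent): the reply above describes two things a reviewer of the original critique would want to enumerate, the IAM side (who holds the "can log in" role versus the "can sudo" role) and the host side (whether sshd, PAM and NSS are actually wired to OS Login). The script below does both over constructed inputs. The role names `roles/compute.osLogin` and `roles/compute.osAdminLogin`, the module names `pam_oslogin_login.so` / `pam_oslogin_admin.so`, the `oslogin` NSS source and the `google_authorized_keys` helper are assumptions about the guest environment, and the sample policy bindings and config snippets are made up for the example.

```python
"""Tier OS Login principals from an IAM policy and audit a host's OS Login plumbing.

Added example; not part of the thread or of any Google code. Role, module and
file names are assumptions about the guest environment, and all sample data
is constructed inline so the script runs offline.
"""
import re

OS_LOGIN_ROLE = "roles/compute.osLogin"             # assumed: login, no sudo
OS_ADMIN_LOGIN_ROLE = "roles/compute.osAdminLogin"  # assumed: login plus sudo

# Constructed bindings in the shape of a get-iam-policy result.
SAMPLE_BINDINGS = [
    {"role": OS_LOGIN_ROLE,
     "members": ["user:alice@example.com", "group:dev@example.com"]},
    {"role": OS_ADMIN_LOGIN_ROLE, "members": ["user:bob@example.com"]},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]},
]

# Constructed stand-ins for files on a Linux guest with OS Login enabled.
SAMPLE_HOST = {
    "/etc/nsswitch.conf": (
        "passwd:         compat oslogin\n"
        "group:          compat oslogin\n"
    ),
    "/etc/pam.d/sshd": (
        "auth    [success=done perm_denied=die default=ignore] pam_oslogin_login.so\n"
        "account [success=ok default=ignore] pam_oslogin_admin.so\n"
        "account [success=ok ignore=ignore default=die] pam_oslogin_login.so\n"
    ),
    "/etc/ssh/sshd_config": (
        "AuthorizedKeysCommand /usr/bin/google_authorized_keys\n"
        "AuthorizedKeysCommandUser root\n"
        "PasswordAuthentication no\n"
    ),
}


def tier_principals(bindings):
    """Split IAM members into (login_only, sudo) sets.

    A member holding both OS Login roles is reported under sudo only, since
    that is the effective privilege. Other roles are ignored here; they are
    not OS Login grants and need their own permission review.
    """
    login, sudo = set(), set()
    for binding in bindings:
        if binding["role"] == OS_ADMIN_LOGIN_ROLE:
            sudo.update(binding["members"])
        elif binding["role"] == OS_LOGIN_ROLE:
            login.update(binding["members"])
    return login - sudo, sudo


def audit_host(files):
    """Return a name -> bool map of the host-side hooks the reply describes.

    `files` maps a path to its text content, so the check runs on snapshots
    (or on the constructed sample) without touching the live system.
    """
    nss = files.get("/etc/nsswitch.conf", "")
    pam = files.get("/etc/pam.d/sshd", "")
    sshd = files.get("/etc/ssh/sshd_config", "")
    return {
        # NSS: user records come from OS Login, not only /etc/passwd.
        "nss_passwd_oslogin": bool(re.search(r"^passwd:.*\boslogin\b", nss, re.M)),
        # PAM: the "can I log in?" gate.
        "pam_login_gate": "pam_oslogin_login.so" in pam,
        # PAM: the "can I sudo?" grant.
        "pam_sudo_grant": "pam_oslogin_admin.so" in pam,
        # sshd asks OS Login for the user's key instead of a local file.
        "sshd_keys_from_oslogin": bool(re.search(
            r"^AuthorizedKeysCommand\s+\S*google_authorized_keys\b", sshd, re.M)),
        # Caveat a practitioner would check: a password path would bypass
        # the key lookup entirely.
        "sshd_password_auth_off": bool(re.search(
            r"^PasswordAuthentication\s+no\b", sshd, re.M)),
    }


if __name__ == "__main__":
    login_only, sudo = tier_principals(SAMPLE_BINDINGS)
    print("login only:", sorted(login_only))
    print("sudo      :", sorted(sudo))
    for name, ok in audit_host(SAMPLE_HOST).items():
        print(f"{name:26s} {'ok' if ok else 'MISSING'}")
```

To run it against a real guest, replace `SAMPLE_HOST` with the contents of those three files and `SAMPLE_BINDINGS` with the bindings from the project or instance IAM policy; any `MISSING` line means the role decision is not being enforced on that host by the path the reply describes.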