Identity, end to end, on Google Cloud
Authentication, authorization, and identity management for a security-focused online learning platform.
The problem
A security-focused online learning platform with three distinct identity surfaces — developers, internal staff, end-users — and an existing IDP that was costing too much and starting to wobble at scale.
Reworking auth late is expensive and ugly, and it lands in due-diligence packs the moment you raise money. The brief was to rebuild it correctly the first time.
Developer & administrator access
GCP's IAM is the cleanest in the industry: one place to grant, revoke, and audit. We leaned on it instead of bolting on a third-party identity layer.
No developer needed standing access to production. We replaced that with an automated CI/CD path — Prow plus Flux — so engineers ship by merging, not by clicking around in a console.
For development resources, we used Skaffold against GKE. Engineers work in a real cluster with real secrets, but the secrets live with us. Rotate at will, no Slack thread.
Internal business users
They were already a Google customer, so the org structure was in place. We put Identity-Aware Proxy in front of internal cloud resources — less configuration, less surface area, fewer mistakes during offboarding.
When someone leaves Workspace, they leave everything. That sounds obvious. It is rare.
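The two controls above, no standing human access to production and no principals that Workspace offboarding would miss, are easy to state and easy to regress. The script below is an added example, not code from the engagement or from Google; it audits a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns. The sample policy, the principals, the `example.com` domain and the set of roles treated as privileged are all constructed for illustration.

```python
"""
Audit a GCP project IAM policy for two conditions argued against above:
  1. standing (unconditional) user: bindings to privileged roles, which the
     CI/CD path is meant to replace, and
  2. user:/group: principals outside the managed Workspace domain, which
     Workspace offboarding would not remove.

Everything below is a constructed example; the policy is not from any real
project and the privileged-role set is a starting point, not a standard.
"""
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/container.admin",
     "members": ["serviceAccount:flux-deployer@prod-project.iam.gserviceaccount.com",
                 "user:bob@example.com"]},
    {"role": "roles/viewer",
     "members": ["group:engineering@example.com",
                 "user:contractor@external-vendor.example"]},
    {"role": "roles/container.developer",
     "members": ["user:carol@example.com"],
     "condition": {"title": "dev-cluster-only",
                   "expression": "resource.name.startsWith('projects/_/zones/us-central1-a/clusters/dev')"}}
  ],
  "etag": "BwXyz123",
  "version": 3
}
"""

# Example set of roles we treat as privileged on a production project (assumption).
PRIVILEGED_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/container.admin",
    "roles/iam.securityAdmin",
}


def load_policy(policy_json: str) -> Dict:
    return json.loads(policy_json)


def principal_domain(member: str) -> Optional[str]:
    """Return the e-mail domain of a user:/group:/serviceAccount: member, else None."""
    kind, _, identity = member.partition(":")
    if kind in ("user", "group", "serviceAccount") and "@" in identity:
        return identity.rsplit("@", 1)[1].lower()
    return None


def standing_human_access(policy: Dict, privileged_roles: Set[str] = PRIVILEGED_ROLES) -> List[Tuple[str, str]]:
    """Flag unconditional user: bindings to privileged roles.

    Bindings carrying an IAM condition are not counted as standing access here;
    they are listed separately by conditional_bindings() so a human can judge
    whether the condition is actually narrow.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] not in privileged_roles or "condition" in binding:
            continue
        for member in binding.get("members", []):
            if member.startswith("user:"):
                findings.append((member, binding["role"]))
    return sorted(findings)


def external_principals(policy: Dict, allowed_domains: Set[str]) -> List[Tuple[str, str]]:
    """Flag user:/group: members whose domain is not a managed Workspace domain.

    Service accounts are skipped on purpose: they live under
    *.iam.gserviceaccount.com and are governed by IAM, not by Workspace offboarding.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if not member.startswith(("user:", "group:")):
                continue
            if principal_domain(member) not in allowed_domains:
                findings.append((member, binding["role"]))
    return sorted(findings)


def conditional_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """List (role, condition title) for every conditional binding, for manual review."""
    return [(b["role"], b["condition"]["title"])
            for b in policy.get("bindings", []) if "condition" in b]


def audit(policy_json: str, allowed_domains: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    policy = load_policy(policy_json)
    return {
        "standing_human_access": standing_human_access(policy),
        "external_principals": external_principals(policy, allowed_domains),
        "conditional_bindings": conditional_bindings(policy),
    }


if __name__ == "__main__":
    for section, rows in audit(SAMPLE_POLICY_JSON, {"example.com"}).items():
        print(f"{section}:")
        for row in rows:
            print("  ", row)
```

Run against the sample, the audit flags alice and bob as standing privileged humans (the Flux deployer service account is the only principal expected on `roles/container.admin`), flags the contractor address as outside the Workspace domain, and lists carol's conditional developer binding for review rather than treating it as standing access. In practice the policy would be pulled per project from `gcloud` and the check run on a schedule or in CI so that a regression fails loudly instead of surfacing in a due-diligence pack.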
End users
The existing IDP was hitting its ceiling on cost and scale. Migration to Google Identity Platform happened with zero downtime, and the new platform handled the corporate-customer SAML asks the old one couldn't.
What you take away
Choose IAM that grows with you. Stop reissuing prod access. Use the identity stack you're already paying for before adding another vendor.