IAM
IAM: Google Cloud’s Identity and Access Management.
It has 3 parts:
- Who: can be defined by a Google account, a Google group, or a service account
- Can do what: defined by an IAM role, which is a collection of permissions
  - There are 3 kinds of roles:
    - Primitive role
    - Predefined role
    - Custom role: can only be defined in an organization or a project, not in a folder
- On which resource
GCP resource hierarchy
Policies can be defined at the organization, folder, and project levels, and they are inherited down the hierarchy.

Projects are the main way you organise your GCP resources.
Each project has
- Project ID: immutable (assigned by you)
- Project Name: mutable (assigned by you)
- Project number: immutable (assigned by GCP)
Policies defined at the organisation level are inherited by all children.
GCP applies least privilege when managing any kind of compute infrastructure.
The policies implemented at a higher level in this hierarchy can't take away access that's granted at a lower level.
Eg: if you grant the Editor role at the Organisation level and the Viewer role on a folder, the folder still effectively has the Editor role; the less permissive Viewer grant does not reduce the inherited access.
Projects can have different owners and users - they are built separately and managed separately.
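The inheritance rule above, worked through in code. This is an added example, not part of the original notes or of Google's tooling: it walks a constructed organization -> folder -> project chain with hypothetical policies (in the JSON shape `gcloud ... get-iam-policy --format=json` prints), computes the effective roles of a principal as the union of bindings along the chain, and flags primitive roles bound above the project level, where inheritance makes them broad.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample policies (hypothetical resource names and members),
# in the shape `gcloud ... get-iam-policy --format=json` prints.
POLICIES: Dict[str, dict] = {
    "organizations/123456789012": {"bindings": [
        {"role": "roles/editor", "members": ["group:devs@example.com"]},
        {"role": "roles/viewer", "members": ["user:audit@example.com"]},
    ]},
    "folders/222": {"bindings": [
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ]},
    "projects/my-project": {"bindings": [
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:app@my-project.iam.gserviceaccount.com"]},
    ]},
}
PARENTS = {"projects/my-project": "folders/222",      # constructed hierarchy
           "folders/222": "organizations/123456789012"}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def ancestry(resource: str) -> List[str]:
    """The resource followed by its ancestors up to the organization."""
    chain = [resource]
    while chain[-1] in PARENTS:
        chain.append(PARENTS[chain[-1]])
    return chain

def effective_roles(resource: str, member: str, policies=POLICIES) -> Set[str]:
    """Union of roles bound to `member` on `resource` and on every ancestor.
    Inheritance only adds: Viewer on the folder does not cancel Editor above."""
    roles: Set[str] = set()
    for node in ancestry(resource):
        for binding in policies.get(node, {}).get("bindings", []):
            if member in binding["members"]:
                roles.add(binding["role"])
    return roles

def broad_primitive_grants(policies=POLICIES) -> List[Tuple[str, str, str]]:
    """Least-privilege check: primitive roles bound at organization or folder
    level are inherited by every project below them, so report each one."""
    findings = []
    for resource, policy in policies.items():
        if not resource.startswith(("organizations/", "folders/")):
            continue
        for binding in policy.get("bindings", []):
            if binding["role"] in PRIMITIVE_ROLES:
                findings.extend((resource, binding["role"], m)
                                for m in binding["members"])
    return findings
```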
Service Account
A service account is used when you want to give permissions to a resource such as a Compute Engine instance rather than to a person.
A service account is also a resource, so you can give a role to it.
There are 4 ways to interact with GCP's management layer:
- GCP console
  - Manage and create projects
  - Access to GCP APIs
  - Offers access to Cloud Shell
- Cloud Shell and Cloud SDK
  - Includes command line tools: gcloud, gsutil (Cloud Storage), bq (BigQuery)
- API
  - Enabled through the GCP console
  - APIs Explorer is an interface tool that lets you easily try GCP APIs using a browser
  - Use libraries within your code
    - Cloud Client Libraries (latest and recommended libraries)
    - Google API Client Libraries
- Cloud Console Mobile App
When using GCP, Google handles most of the lower security layers, while the upper layers remain the customer's responsibility.

Cloud Marketplace (formerly Cloud Launcher)
It’s a tool for quickly deploying functional software packages on GCP