
Transcript

00:00 IAM lets administrators authorize who can take action on specific resources.
00:05 An IAM policy has a "who" part, a "can do what"
part, and an "on which resource" part.
00:12 The "who" part names the user or users you're
talking about.
00:16 The "who" part of an IAM policy can be defined
either by a Google account, a Google group, a Service
account, an entire G Suite, or a Cloud Identity domain.
00:27 The "can do what" part is defined by an IAM role.
00:31 An IAM role is a collection of permissions.
00:33 Most of the time, to do any meaningful
operations, you need more than one permission.
00:39 For example, to manage instances in a project,
you need to create, delete, start, stop, and change an
instance.
00:46 So the permissions are grouped together into a
role that makes them easier to manage.
00:52 The "who" part of an IAM policy can be a Google account, a Google group, a Service account, or an entire G Suite or Cloud Identity domain.
01:02 There are three kinds of roles in Cloud IAM.
01:05 Let's talk about each in turn.
01:07 Primitive roles are broad.
01:09 You apply them to a GCP project and they affect
all resources in that project.
01:15 These are the owner, editor, and viewer roles.
01:20 If you're a viewer on a given resource, you can
examine it but not change its state.
01:25 If you're an editor, you can do everything a
viewer can do, plus change its state.
01:30 And if you are an owner, you can do everything an editor can do, plus manage roles and permissions on the resource.
01:38 The owner role on a project also lets you do one
more thing: set up billing.
01:44 Often, companies want someone to be able to
control the billing for a project without the right to
change the resources in the project.
01:53 And that's why you can grant someone the
billing administrator role.
01:58 Be careful: if you have several people working together on a project that contains sensitive data, primitive roles are probably too coarse.
02:09 Fortunately, GCP IAM provides finer-grained types of roles.
02:14 GCP services offer their own sets of predefined
roles and they define where those roles can be applied.
02:22 For example, later in this course, we'll talk about
Compute Engine, which offers virtual machines as a
service.
02:29 Compute Engine offers a set of predefined roles,
and you can apply them to Compute Engine resources
in a given project, a given folder, or in an entire
organization.
02:40 Another example.
02:41 Consider Cloud Bigtable, which is a managed
database service.
02:46 Cloud Bigtable offers roles that can apply across
an entire organization to a particular project or even to
individual Bigtable database instances.

Transcript
00:00 Compute Engine's InstanceAdmin role lets whoever has that role perform a certain set of actions on virtual machines.
00:08 The actions are: listing them, reading and
changing their configurations, and starting and
stopping them.
00:15 And which virtual machines?
00:17 Well, that depends on where the roles apply.
00:20 In this example, all the users of a certain Google
Group have the role, and they have it on all the virtual
machines in project_a.
00:29 If you need something even finer-grained, there
are custom roles.
00:33 A lot of companies have a least-privileged model
in which each person in your organization has the
minimum amount of privilege needed to do his or her
job.
00:44 So, for example, maybe I want to define an InstanceOperator role to allow some users to start and stop Compute Engine virtual machines, but not reconfigure them.
00:55 Custom roles allow me to do that.
00:58 A couple of cautions about custom roles.
01:01 First, you have to decide to use custom roles.
01:05 You'll need to manage their permissions.
01:08 Some companies decide they'd rather stick with
the predefined roles.
01:13 Second, custom roles can only be used at the
project or organization levels.
01:19 They can't be used at the folder level.
01:22 What if you want to give permissions to a
Compute Engine virtual machine, rather than to a
person?
01:28 Then you would use a service account.
01:30 For instance, maybe you have an application
running in a virtual machine that needs to store data in
Google Cloud Storage, but you don't want to let just
anyone on the Internet have access to that data, only
that virtual machine.
01:45 So, you'd create a service account to
authenticate your VM to cloud storage.
01:52 Service accounts are named with an email
address.
01:55 But instead of passwords, they use cryptographic
keys to access resources.
02:01 In this simple example, a service account has
been granted Compute Engine's InstanceAdmin Role.
02:08 This would allow an application running in a VM
with that service account to create, modify, and delete
other VMs.
02:17 Incidentally, service accounts need to be
managed, too.
02:20 For example, maybe Alice needs to manage what can act as a given service account, while Bob just needs to be able to view them.
02:29 Fortunately, in addition to being an identity, a
service account is also a resource.
02:34 So it can have IAM policies on its own attached
to it.
02:38 For instance, Alice can have an editor role in a
service account and Bob can have the viewer role.
02:44 This is just like granting roles for any other GCP
resource.
02:48 You can grant different groups of VMs in your
project different identities.
02:53 This makes it easier to manage different
permissions for each group.
02:57 You can also change the permissions of the
service accounts without having to recreate the VMs.
03:03 Here's a more complex example.
03:05 Say you have an application that's implemented
across a group of Compute Engine virtual machines.
03:12 One component of your application needs to
have an editor role on another project, but another
component doesn't.
03:19 So you would create two different service
accounts, one for each subgroup of virtual machines.
03:26 Only the first service account has privilege on the
other project.
03:31 That reduces the potential impact of a miscoded
application or a compromised virtual machine.

Transcript
00:00 There are four ways you can interact with Google Cloud Platform, and we'll talk about each in turn: the Console, the SDK and Cloud Shell, the mobile app, and the APIs. The GCP Console is a web-based administrative interface. If you build an application in GCP, you'll use it, although the end users of your
00:22 application won't. It lets you view and manage all your projects and all the resources they use. It also lets you enable, disable, and explore the APIs of GCP services. And it gives you access to Cloud Shell. That's a command-line interface to GCP that's easily accessed from your browser. From Cloud
00:46 Shell, you can use the tools provided by the Google Cloud Software Development Kit (SDK) without having to first install them somewhere. What's the Software Development Kit? We'll talk about that next. The Google Cloud SDK is a set of tools that you can use to manage your resources and your applications on GCP. These
01:08 include the gcloud tool, which provides the main command-line interface for Google Cloud Platform products and services. There's also gsutil, which is for Google Cloud Storage, and bq, which is for BigQuery. The easiest way to get to the SDK commands is to click the Cloud Shell button on the GCP Console. You get a command
01:32 line in your web browser on a virtual machine with all these commands already installed. You can also install the SDK on your own computers: your laptop, your on-premises servers, or virtual machines in other clouds. The SDK is also available as a Docker image, which is a really easy and clean way to
01:53 work with it. The services that make up GCP offer application programming interfaces so that the code you write can control them. These APIs are what's called RESTful; in other words, they follow the Representational State Transfer paradigm. We don't need to go into much detail of what that means here.
02:15 Basically, it means that your code can use Google services in much the same way that web browsers talk to web servers. The APIs name resources in GCP with URLs. Your code can pass information to the APIs using JSON, which is a very popular way of passing textual information over the web.
02:38 And there's an open system for user login and access control. The GCP Console lets you turn on and off APIs. Many APIs are off by default, and many are associated with quotas and limits. These restrictions help protect you from using resources inadvertently. You can enable only those APIs you need,
03:03 and you can request increases in quotas when you need more resources. For example, if you're writing an application that needs to control GCP resources, you'll need to get your use of the APIs just right, and to do that you'll use APIs Explorer. The GCP Console includes a tool called
03:23 the APIs Explorer that helps you learn about the APIs interactively. It lets you see what APIs are available and in what versions. These APIs expect parameters, and documentation on them is built in. You can try the APIs interactively, even with user authentication. Suppose you explored an API and you're ready to build an application
03:50 that uses it. Do you have to start coding from scratch? No. Google provides client libraries that take a lot of the drudgery out of the task of calling GCP from your code. There are two kinds of libraries. The Cloud Client Libraries are Google Cloud's latest and recommended libraries for its APIs.
04:11 They adopt the native styles and idioms of each language. On the other hand, sometimes a Cloud Client Library doesn't support the newest services and features. In that case, you can use the Google API Client Library for your desired language. These libraries are designed for generality and completeness. Finally, one more tool that's of interest
04:37 to everyone, not just developers: there's a mobile app for Android and iOS that lets you examine and manage the resources you're using in GCP. It lets you build dashboards so that you can get the information you need at a glance.

Transcript
00:00 Say you want a quick way to get started with GCP with minimal effort. That's what Google Cloud Launcher provides. It's a tool for quickly deploying functional software packages on Google Cloud Platform. There's no need to manually configure the software, virtual machine instances, storage, or network settings, although you
00:22 can modify many of them before you launch if you like. Most software packages in Cloud Launcher are at no additional charge beyond the normal usage fees for GCP resources. Some Cloud Launcher images charge usage fees, particularly those published by third parties with commercially licensed software, but they all show you estimates of their
00:48 monthly charges before you launch them. Be aware that these estimates are just that: estimates. And in particular, they don't attempt to estimate networking costs, since those will vary based on how you use the applications. A second note of caution: GCP updates the base images for these software packages to fix
01:13 critical issues and vulnerabilities, but it doesn't update the software after it's been deployed. Fortunately, you'll have access to the deployed systems, so you can maintain them.
