ACE Prep - Google

Setting up a Cloud Solutions Environment
ACE Certification
Overview
Agenda
Section 1.1 - Cloud Projects and Accounts
Section 1.2 - Billing Management
Section 1.3 - Command Line Interface (CLI)
Google Cloud services are associated with a project
● Track resource and quota usage
● Enable billing
● Manage permissions and credentials
● Enable services and APIs
Creating a Project

● Project ID: Globally unique, chosen by you, immutable
● Project name: Need not be unique, chosen by you, mutable
● Project number: Globally unique, assigned by Google Cloud, immutable
Folders group projects and policies
● You do not have to use folders to organize your projects, but they often help.
● Folders group projects under an organization.
● Folders can contain projects, other folders, or both.
● You can use folders to assign access policies.
[Diagram: organization example.com with Folder A and Folder B, and projects project_1 to project_5.]
Typical roles in an organization
Notable organization roles:
● Organization Policy Administrator: Broad control over all cloud resources
● Project Creator: Fine-grained control of project creation
[Diagram: in organization example.com, bob@example.com is Organization Admin; alice@example.com is Project Creator and creates project_1 and project_2.]
Understanding permission hierarchy
● A policy is set on a resource.
○ Each policy contains a set of roles and role members.
● Resources inherit policies from parent.
○ Resource policies are a union of parent and resource.
● A less restrictive parent policy overrides a more restrictive resource policy.
[Diagram: policy inheritance runs from the organization (example.com) to projects (bookshelf, static-assets, stream-ingest) to resources (Compute Engine instance_a, App Engine queue_a, Cloud Storage bucket_a and bucket_b, Pub/Sub topic_a, BigQuery dataset_a).]
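The union rule above, worked through as an added example (not part of the original slides): a read-only binding placed on a bucket does not take away a broader role inherited from the project. Resource names follow the slide's diagram; which project holds which resource, the members, the bindings and the abbreviated role-to-permission table are constructed for illustration.

```python
# Added illustration: effective IAM access under policy inheritance.
# Resource names follow the slide's diagram; the hierarchy placement, members,
# bindings and the abbreviated role-to-permission table are constructed.

# Child -> parent; None marks the organization at the top of the hierarchy.
PARENT = {
    "example.com": None,
    "bookshelf": "example.com",
    "static-assets": "example.com",
    "instance_a": "bookshelf",
    "bucket_a": "static-assets",
}

# Policy set directly on each resource: role -> members.
POLICIES = {
    "example.com": {"roles/compute.viewer": {"group:auditors@example.com"}},
    "bookshelf": {"roles/compute.instanceAdmin": {"user:dana@example.com"}},
    "static-assets": {"roles/storage.objectAdmin": {"user:erin@example.com"}},
    # Bucket-level binding meant to hold erin to read-only. It cannot:
    # policies only add grants, so the project-level role still applies.
    "bucket_a": {
        "roles/storage.objectViewer": {
            "user:erin@example.com",
            "user:frank@example.com",
        }
    },
}

# Constructed subset of the permissions each predefined role carries.
ROLE_PERMISSIONS = {
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin": {
        "compute.instances.delete", "compute.instances.get",
        "compute.instances.list", "compute.instances.setMachineType",
        "compute.instances.start", "compute.instances.stop",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete",
        "storage.objects.get", "storage.objects.list",
    },
}


def ancestry(resource):
    """Return the resource followed by each parent up to the organization."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain


def effective_policy(resource):
    """Union the bindings set on the resource and on every ancestor."""
    merged = {}
    for level in ancestry(resource):
        for role, members in POLICIES.get(level, {}).items():
            merged.setdefault(role, set()).update(members)
    return merged


def granted_by(member, permission, resource):
    """List (level, role) pairs that give member the permission on resource."""
    return [
        (level, role)
        for level in ancestry(resource)
        for role, members in POLICIES.get(level, {}).items()
        if member in members and permission in ROLE_PERMISSIONS[role]
    ]


def can(member, permission, resource):
    """True when any binding in the effective policy grants the permission."""
    return bool(granted_by(member, permission, resource))


if __name__ == "__main__":
    for who in ("user:erin@example.com", "user:frank@example.com"):
        print(who, "may delete objects in bucket_a:",
              can(who, "storage.objects.delete", "bucket_a"),
              granted_by(who, "storage.objects.delete", "bucket_a"))
```

When reviewing access, `granted_by` shows the level at which a grant originates, which is where it has to be removed.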


Understanding roles in Google Cloud
Basic, Predefined, Custom
IAM basic roles offer fixed, coarse-grained levels of access
● Owner: Invite members, remove members, delete projects, and...
● Editor: Deploy applications, modify code, configure services, and...
● Viewer: Read-only access
● Billing Administrator: Manage billing, add and remove administrators

A project can have multiple owners, editors, viewers, and billing administrators.
IAM predefined roles define...
Who can do what on which resource
IAM predefined roles are fine-grained permissions on particular services
[Diagram: a Google Group is granted the InstanceAdmin Role on project_a. The role contains:]
✔ compute.instances.delete
✔ compute.instances.get
✔ compute.instances.list
✔ compute.instances.setMachineType
✔ compute.instances.start
✔ compute.instances.stop
...
Why use pre-defined roles?
● Lowers business risk of accidental or deliberate damage to, or misuse of,
vital data and systems.
● Increases overall system and data security.
● Finer granularity on permissions is considered a best practice.
● Using coarse permissions may allow or cause users to violate regulations.
Managing your Google Cloud admin users
● Gmail accounts and Google Groups
● Users and groups in your Workspace domain
● Users and groups in your Cloud Identity domain
There are four ways to interact with Google Cloud resources and services
● Cloud Platform Console: Web user interface
● Cloud SDK and Cloud Shell: Command-line interface
● Cloud Console Mobile App: For iOS and Android
● REST-based API: For custom applications
Exam Guide: Section 1.1
1.1 Setting up cloud projects and accounts.
Activities include:
● Creating projects.
● Assigning users to pre-defined IAM roles within a project.
● Linking users to Google Workspace identities.
● Enabling APIs within projects.
● Provisioning one or more Cloud Operations accounts.
Google Cloud’s operations suite
● Google Cloud’s operations suite is a multi-cloud
monitoring and management service that aggregates
metrics, logs, and events.
○ Integrated monitoring, logging, diagnostics.
○ Manages across platforms (Google Cloud, AWS,
and on-prem).
● It provides developers, operators, and security
professionals a rich set of observable signals that
speed root-cause analysis and reduce mean time to
resolution (MTTR).
Cloud Monitoring
Many Google Cloud services have Cloud Monitoring integration built in.
● App Engine (flexible and standard environments)
● BigQuery
● Datastore
● Google Kubernetes Engine
● Pub/Sub
● Cloud SQL
● And more ...
Cloud Logging
● Cloud Logging stores logs for a limited number of days.
● The number of days depends on the type of log.
○ Admin Activity audit logs are kept for 400 days.
○ Data Access audit logs are only kept for 30 days.
● You can export logs for analysis or longer storage.

The Google Cloud’s Operations Suite Fundamentals Quest will give you hands-on
experience monitoring virtual machines, generating logs and alerts, and creating custom
metrics for application data.
It can be accessed at: https://www.qwiklabs.com/quests/35
Understanding billing
● To manage billing accounts and to add projects to them, you must be a billing
administrator.
● To change the billing account for an existing project, you must be an owner on the
project and a billing administrator on the destination billing account.
● When you create a new project, you're prompted to choose which of your billing
accounts you want to link to the project. If you have only one billing account, that
account is automatically linked to your project.
● If you don't have a billing account, you must create one and enable billing for your
project before you can use many Google Cloud features.
Understanding budgets and alerts
Avoid surprises on your bill by creating budgets to monitor all your Google Cloud
charges in one place. After you've set a budget amount, you set budget alert rules
that are used to trigger notifications, so you can stay informed of how your spend is
tracking against your budget.
● To set a budget alert you must be a billing administrator.
● You can apply budget alerts to either a billing account or a project.
● You can set the budget to an amount you specify or match it to the previous
month's spend.
● Setting a budget does not cap API usage. Your services will continue to
operate and accrue costs, even if a budget alert has been triggered.
Google Cloud Console
● Offers access to Cloud Shell.
○ A temporary virtual machine with the Cloud SDK preinstalled.
Cloud SDK
● Includes command-line tools for Google Cloud products and services.
○ gcloud, gsutil (Cloud Storage), bq (BigQuery)
● Access via the Cloud Shell button in the Cloud Console.
● Can also be installed on local machines.
● Is also available as a Docker image.
Suggested study resources for this section
Google Cloud Overview: https://cloud.google.com/docs/overview/

Cloud Identity: https://cloud.google.com/identity/

Google Cloud Pricing Calculator: https://cloud.google.com/products/calculator/

Google Cloud Billing documentation: https://cloud.google.com/billing/docs/

Google Cloud’s Operations Suite Fundamentals Quest: https://www.qwiklabs.com/quests/35

Cloud SDK installation and quick start: https://cloud.google.com/sdk/#Quick_Start

gcloud tool guide: https://cloud.google.com/sdk/gcloud/


Planning and Configuring a Cloud Solution
Agenda
Section 2.1 - Planning and estimating using the Pricing Calculator
Section 2.2 - Planning and configuring Compute resources
Section 2.3 - Planning and configuring data storage options
Section 2.4 - Planning and configuring network resources
Google Cloud Pricing Calculator
● Select a product from the scrolling list at the top of the form.
● The variables for that product will then be shown in the form below.
● Fill out the form with your target configuration.
● Submit each section filled out to add it to your overall estimate.

https://cloud.google.com/products/calculator/
Compute options and use cases
Google App Engine: Flexible, zero-ops platform for building apps.
Use when you need...
● To just focus on writing code.
● Developer velocity.
● To minimize operational overhead.
Typical use cases
● Web sites
● Apps (of course!)
● Gaming back ends
● IoT applications

Google Compute Engine: Virtual machines running in Google’s global data centers.
Use when you need...
● Complete control.
● Ability to make OS level changes.
● To be able to move to the cloud without rewriting your code.
● To use custom VM images.
Typical use cases
● Any workload requiring a specific OS or configuration.
● On-premises software that you want to run in the cloud.

Google Kubernetes Engine: Logical infrastructure powered by Kubernetes, the open source container orchestration system.
Use when you need...
● No dependencies on a specific OS.
● Increased velocity and operability.
● To manage containers in production.
Typical use cases
● Containerized workloads.
● Cloud-native distributed systems.
● Hybrid applications.

Comparing data storage and database options
Relational
● Cloud SQL. Good for: Web frameworks. Such as: CMS, eCommerce
● Cloud Spanner. Good for: RDBMS+scale, HA, HTAP. Such as: User metadata, Ad/Fin/MarTech
Non-relational
● Cloud Datastore. Good for: Hierarchical, mobile, web. Such as: User profiles, Game State
● Cloud Bigtable. Good for: Heavy read + write, events. Such as: AdTech, financial, IoT
Object
● Cloud Storage. Good for: Binary or object data. Such as: Images, media serving, backups
Warehouse
● BigQuery. Good for: Enterprise data warehouse. Such as: Analytics, dashboards
Data storage options and use cases
Cloud SQL
Use when you need: Fully managed MySQL and PostgreSQL database service.
Typical use cases
● Web frameworks
● Structured data
● OLTP workloads

BigQuery
Use when you need: A scalable, fully managed enterprise data warehouse (EDW) with SQL and fast ad-hoc queries.
Typical use cases
● OLAP workloads up to petabyte scale
● Big data exploration and processing

Cloud Spanner
Use when you need: Mission-critical, relational database service with transactional consistency, global scale, and high availability.
Typical use cases
● Adtech
● Financial services
● Global supply chain
● Retail

Cloud Bigtable
Use when you need: A scalable, fully managed NoSQL wide-column database that is suitable for both low-latency single-point lookups and precalculated analytics.
Typical use cases
● IoT, finance, adtech
● Monitoring
● Geospatial datasets
● Graphs
Choosing among Cloud Storage classes
Standard Storage (name for APIs and gsutil: STANDARD)
● Minimum duration: None
● Availability SLA: Multi-region 99.95%, Dual-region 99.95%, Region 99.9%
● Typical monthly availability: >99.99% availability in multi-regions and dual-regions; 99.99% in regions
● Use cases: Access data frequently ("hot" data) and/or store for brief periods
○ Serve website content
○ Stream videos
○ Interactive workloads
○ Mobile and gaming apps
Nearline Storage (name for APIs and gsutil: NEARLINE)
● Minimum duration: 30 days
● Availability SLA: Multi-region 99.9%, Dual-region 99.9%, Region 99.0%
● Typical monthly availability: 99.95% availability in multi-regions and dual-regions; 99.9% in regions
● Use cases: Read/modify data ≤ once per month
○ Data backup
○ Serve long-tail multimedia content
Coldline Storage (name for APIs and gsutil: COLDLINE)
● Minimum duration: 90 days
● Availability SLA: Multi-region 99.9%, Dual-region 99.9%, Region 99.0%
● Typical monthly availability: 99.95% availability in multi-regions and dual-regions; 99.9% in regions
● Use cases: Read/modify data no more than once a quarter
Archive Storage (name for APIs and gsutil: ARCHIVE)
● Minimum duration: 365 days
● Availability SLA: None
● Use cases: Read/modify data < once a year
○ Cold data storage
○ Disaster recovery
Characteristics applicable to all storage classes
● Unlimited storage with no minimum object size.
● Worldwide accessibility and worldwide storage locations.
● Can be used in any multi-region, dual-region, or region.
● Geo-redundancy if the data is stored in a multi-region or dual-region.
● Low latency (time to first byte typically tens of milliseconds).
● High durability (99.999999999% annual durability).
● A uniform experience with Cloud Storage features, security, tools, and APIs.
Google VPC offers a suite of load-balancing options
● Global HTTP(S): Layer 7 load balancing based on load. Can route different URLs to different back ends.
● Global SSL Proxy: Layer 4 load balancing of non-HTTPS SSL traffic based on load. Supported on specific port numbers.
● Global TCP Proxy: Layer 4 load balancing of non-SSL TCP traffic. Supported on specific port numbers.
● Regional: Load balancing of any traffic (TCP, UDP). Supported on any port number.
● Regional internal: Load balancing of traffic inside a VPC. Use for the internal tiers of multi-tier applications.
Load balancing overview
Deciding on load balancing options
Cloud load balancer considerations can be divided up as follows:
● Global versus regional load balancing
● External versus internal load balancing
● Traffic type

The slides that follow describe the use cases for different types of load balancers.
Deciding on load balancing options
Traffic type is a deciding factor in choosing
a load balancer
The type of traffic you need your load balancer to handle is another factor in
determining which load balancer to use.
● HTTP and HTTPS traffic require global, external load balancing.
● TCP traffic can be handled by global, external load balancing; external,
regional load balancing; or internal, regional load balancing.
● UDP traffic can be handled by external regional load balancing or internal
regional load balancing.
Suggested study resources for this section
Google Cloud pricing overview: https://cloud.google.com/pricing/
Google Cloud Pricing Calculator: https://cloud.google.com/products/calculator/
Compute Engine documentation: https://cloud.google.com/compute/docs/
Choosing the right compute option in Google Cloud:
https://cloud.google.com/blog/products/gcp/choosing-the-right-compute-option-in-gcp-a-decision-tree
Choosing an application hosting option: https://cloud.google.com/hosting-options
Storage classes: https://cloud.google.com/storage/docs/storage-classes
Cloud Storage products: https://cloud.google.com/products/storage
Load Balancing: https://cloud.google.com/load-balancing/docs/load-balancing-overview
Deploying and Implementing a Cloud Solution
Agenda
Section 3.1 - Deploying and implementing Compute Engine resources
Section 3.2 - Deploying and implementing Google Kubernetes Engine resources
Section 3.3 - Deploying and implementing App Engine and Cloud Functions resources
Section 3.4 - Deploying and implementing data solutions
Section 3.5 - Deploying and implementing networking resources
Section 3.6 - Deploying a Solution using Cloud Marketplace
Section 3.7 - Deploying an Application using Deployment Manager
Compute Engine offers managed virtual machines
● No upfront investment.
● Fast and consistent performance.
● Create VMs with the Cloud Console or the
gcloud command-line tool.
● Run images of Linux or Windows Server.
Managed instance groups
Create VMs from instance templates
● Quickly create multiple VMs
from pre-existing
configurations.
● Templates pre-define machine
type, boot disk image, labels
and other properties.
● Create managed instance
groups automatically for
autoscaling.
Creating managed instance groups with templates
What are containers?
[Diagram: three containers, each holding an App and its Libs, on top of a shared OS / Hardware layer that implements container interfaces.]
Containers often implement microservices
[Diagram: microservices MS1, MS2 and MS3 spread across Host1 to Host6.]
Kubernetes manages your containers
[Diagram: MS1, MS2 and MS3 on top of Kubernetes.]
$> gcloud container clusters create k1
[Diagram: GKE cluster k1 with a control plane and three nodes.]
Kubernetes pods
[Diagram: a pod with two containers, each with a port, a virtual Ethernet interface, and volume A and volume B.]
$> kubectl get pods
[Diagram: the API in front of cluster k1 (control plane and three nodes), with a deployment and a pod.]
App Engine standard environment
● Easily deploy your applications
● Autoscale workloads
● Free daily quota
● Usage-based pricing
● SDKs for development, testing and
deployment
App Engine standard environment
Requirements:
● Specific versions of Java, Python, PHP, and
Go are supported
Sandbox constraints:
● No writing to local files
● All requests time out at 60s
● Limits on third-party software
Example App Engine standard workflow: Web apps
1. Develop & test the web application locally.
2. Use the SDK to deploy to App Engine.
3. App Engine automatically scales & reliably serves your web application.
App Engine can access a variety of services using dedicated APIs:
● Memcache
● Task queues
● Scheduled tasks
● Search
● Logs
[Diagram: a project containing App Engine, whose App Servers run several application instances.]
Cloud Functions
● Create single-purpose functions that respond to
events without a server or runtime.
○ Event examples: New instance created, file
added to Cloud Storage
● Written in JavaScript, Python or Go; execute in
managed Node.js environment on Google Cloud.
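Comparing storage options: Technical details
● Cloud Datastore: Type: NoSQL document. Transactions: Yes. Complex queries: No. Capacity: Terabytes+. Unit size: 1 MB/entity.
● Bigtable: Type: NoSQL wide column. Transactions: Single-row. Complex queries: No. Capacity: Petabytes+. Unit size: ~10 MB/cell, ~100 MB/row.
● Cloud Storage: Type: Blobstore. Transactions: No. Complex queries: No. Capacity: Petabytes+. Unit size: 5 TB/object.
● Cloud SQL: Type: Relational SQL for OLTP. Transactions: Yes. Complex queries: Yes. Capacity: Terabytes. Unit size: Determined by DB engine.
● Cloud Spanner: Type: Relational SQL for OLTP. Transactions: Yes. Complex queries: Yes. Capacity: Petabytes. Unit size: 10,240 MiB/row.
● BigQuery: Type: Relational SQL for OLAP. Transactions: No. Complex queries: Yes. Capacity: Petabytes+. Unit size: 10 MB/row.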
Creating a Cloud SQL instance, step by step
Google Cloud VPC networks are global; subnets are regional
[Diagram: My VPC contains my-subnet1 (10.0.0.0/24) in region us-east1. The subnet spans zones us-east1-b and us-east1-c, with instances at 10.0.0.2 and 10.0.0.3.]
Virtual Private Cloud (VPC) Networking
● Each VPC network is contained in a
Google Cloud project.
● You can provision Google Cloud
resources, connect them to each other,
and isolate them from one another.
Creating an automode VPC network with a subnet
Creating a custom mode VPC network with a subnet
Cloud Marketplace gives quick access to solutions
A solution marketplace containing pre-packaged, ready-to-deploy solutions.
● Some offered by Google
● Others by third-party vendors
● You pay for the underlying Google Cloud resource usage.
○ Some solutions also assess third-party license fees.
Cloud Marketplace catalog
Deployment Manager automates the creation and management of your Google Cloud resources
● Infrastructure management service.
● Create a .yaml template describing your environment and use Deployment Manager to create resources.
● Provides repeatable deployments.
Deploying an application with Deployment Manager
Suggested study resources for this section
Compute Engine: https://cloud.google.com/compute/docs/
Cloud Source Repositories: https://cloud.google.com/source-repositories/docs/
Deployment Manager: https://cloud.google.com/deployment-manager/docs/
Instance groups: https://cloud.google.com/compute/docs/instance-groups/
Autoscaling: https://cloud.google.com/compute/docs/autoscaler/
Instance templates: https://cloud.google.com/compute/docs/instance-templates/
Create VMs from instance template:
https://cloud.google.com/compute/docs/instances/create-vm-from-instance-template
Creating groups of managed instances with templates:
https://cloud.google.com/compute/docs/instance-groups/creating-groups-of-managed-instances
Using VPC networks: https://cloud.google.com/vpc/docs/using-vpc
Deployment Manager fundamentals: https://cloud.google.com/deployment-manager/docs/fundamentals
Ensuring Successful Operation of a Cloud Solution
Agenda
Section 4.1 - Managing Compute Engine resources
Section 4.2 - Managing Google Kubernetes Engine resources
Section 4.3 - Managing App Engine resources
Section 4.4 - Managing data solutions
Section 4.5 - Managing networking resources
Section 4.6 - Monitoring and logging
VM images overview
Use operating system images to create boot disks for your instances. You can use one of
the following image types:
● Public images are provided and maintained by Google, open-source communities, and
third-party vendors. By default, all projects have access to these images and can use
them to create instances.
● Custom images are available only to your project. You can create a custom image from
boot disks and other images. Then, use the custom image to create an instance.
Creating snapshots
Creating snapshots
Creating custom images
You can create disk images from the
following sources:
● A persistent disk, even while that disk
is attached to an instance.
● A snapshot of a persistent disk.
● Another image in your project.
● An image that is shared from another
project.
● A compressed RAW image in Google
Cloud Storage.
Creating custom images
Kubernetes: Show running pods
$> kubectl get pods
[Diagram: the API in front of cluster k1 (control plane and three nodes), with a deployment and a pod.]
Kubernetes: Make pods publicly available
$> kubectl expose deployments nginx --port=80 --type=LoadBalancer
[Diagram: cluster k1 shown twice. First with a deployment and pods behind the API; then with a service that has a fixed IP, reached through a Network Load Balancer with a public IP.]
Kubernetes: Adding pods to deployment
$> kubectl get pods -l "app=nginx"

# Deployments are served from the apps/v1 API group
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.15.7
        ports:
        - containerPort: 80

[Diagram: the API in front of cluster k1 (control plane and three nodes), with a deployment, a service and two pods.]
Kubernetes: Adding pods to deployment
Left manifest (replicas: 3):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.15.7
        ports:
        - containerPort: 80

Right manifest (replicas: 5):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 5
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.10.0
        ports:
        - containerPort: 80
Kubernetes: Adding pods to deployment
$> kubectl apply -f nginx-deployment.yaml
[Diagram: the API in front of cluster k1 (control plane and three nodes), with a deployment, a service and three pods.]
App Engine instances overview
App Engine Instances:
● Are the basic building blocks of App
Engine.
● Provide all the resources necessary to
host your application.
● Are the means by which App Engine
scales your application to meet
demand.
● Can be resident or dynamic.
○ Manual scaling uses resident
instances.
○ Basic or automatic scaling uses
dynamic instances.
App Engine instance scaling
● App Engine monitors the incoming traffic
for each instance.
● If using an automated scaling method,
keep in mind new instances can be added
very quickly.
● You can control the rate in the App Engine
task queue.
● Scaling also happens in reverse when
traffic load decreases.
Object lifecycle management
● Lifecycle actions
○ Delete
○ SetStorageClass
● Lifecycle conditions
○ Age
○ CreatedBefore
○ IsLive
○ MatchesStorageClass
○ NumberOfNewerVersions
Subnet IP management overview
● Each subnet has a primary range, which
does not have to be contiguous with the
secondary range(s).
● All primary and secondary ranges must be
unique.
● You can expand a subnet, but not shrink it,
once it has been created.
● The longest subnet mask you can use is
/29 (eight IP addresses).
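An added example (not from the original slides) that checks a proposed subnet range against the rules listed above before a change is made. The function and parameter names are hypothetical, "unique" is read here as "must not overlap", and the sample ranges are constructed around the 10.0.0.0/24 subnet from the VPC diagram.

```python
# Added illustration: validate a proposed subnet range against the slide's
# rules. Names are hypothetical; sample ranges are constructed.
import ipaddress

MAX_PREFIX = 29  # longest mask the slide allows: /29, eight IP addresses


def check_range(proposed, existing=None, other_ranges=()):
    """Return a list of rule violations; an empty list means the range passes.

    proposed     -- CIDR string for the new or expanded primary range
    existing     -- current CIDR of the subnet when expanding, else None
    other_ranges -- primary and secondary ranges already in use
    """
    problems = []
    new = ipaddress.ip_network(proposed, strict=True)

    # Rule: the longest subnet mask is /29.
    if new.prefixlen > MAX_PREFIX:
        problems.append(f"{new} is smaller than /{MAX_PREFIX}")

    # Rule: a subnet can be expanded but not shrunk, so the new range must
    # contain the old one and have a shorter prefix.
    if existing is not None:
        old = ipaddress.ip_network(existing, strict=True)
        if not old.subnet_of(new) or new.prefixlen >= old.prefixlen:
            problems.append(f"{new} does not expand {old}")

    # Rule: all primary and secondary ranges must be unique (no overlap).
    for cidr in other_ranges:
        other = ipaddress.ip_network(cidr, strict=True)
        if new.overlaps(other):
            problems.append(f"{new} overlaps {other}")

    return problems


if __name__ == "__main__":
    in_use = ["10.0.16.0/20"]  # constructed: a range used by another subnet
    for candidate in ("10.0.0.0/20", "10.0.0.0/19", "10.0.0.0/25"):
        print(candidate, check_range(candidate, "10.0.0.0/24", in_use) or "ok")
```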
Expanding a subnet IP
Built-in monitoring with Cloud Monitoring
Many Google Cloud services have Cloud Monitoring integration built in.
● App Engine (flexible and standard environments)
● BigQuery
● Datastore
● Google Kubernetes Engine
● Pub/Sub
● Cloud SQL
● And more ...
Creating custom alerts on Cloud Monitoring
Creating custom alerts on Cloud Monitoring
Suggested study resources for this section
VM Images: https://cloud.google.com/compute/docs/images
Creating, deleting, and deprecating custom images:
https://cloud.google.com/compute/docs/images/create-delete-deprecate-private-images
Creating snapshots: https://cloud.google.com/compute/docs/disks/create-snapshots
How App Engine instances are managed:
https://cloud.google.com/appengine/docs/standard/python/how-instances-are-managed
Object lifecycle management: https://cloud.google.com/storage/docs/lifecycle
Expanding subnets: https://cloud.google.com/vpc/docs/using-vpc#expand-subnet
Introduction to alerting: https://cloud.google.com/monitoring/alerts/
Managing alerting policies: https://cloud.google.com/monitoring/alerts/using-alerting-ui
Configuring Access and Security
Agenda
Section 5.1 - Managing Identity and
Access Management (IAM)
Section 5.2 - Managing Service
Accounts
Section 5.3 - Viewing audit logs for
Project and Managed Services
Cloud IAM overview
In Cloud IAM, you grant access to members.
Members can be of the following types:
● Google account
● Service account
● Google group
● Google Workspace domain
● Cloud Identity domain
Viewing IAM assignments
Creating custom Cloud IAM roles
To create a custom role, you:
● Must know what permissions are
available for that resource.
● May want to get the role metadata, which
includes the role ID and permissions
contained in the role.
● Must possess iam.roles.create
permission on your account, which
generally means you must be owner of
the project or its organization.
Creating custom Cloud IAM roles
Service accounts...
● Are special accounts that belong to a virtual machine (VM) or an application.
● Allow applications and VMs to call on the API of a service without a user being involved.
● Are always associated with a key pair.
● Come in two types: user-managed and Google-managed.
● Are also a type of resource, which has IAM policies attached to it.
● Make use of both IAM roles and scopes.
Service account access scopes
● Access scopes are a legacy means of
assigning permissions for your VMs.
● They are no longer required for setting
VM permissions - IAM roles now fill most
of those functions.
● They are still required for configuring
instances to act as service accounts.
Service account access scopes
● Scopes take the form of a URL.
● An example of a scope is:
https://www.googleapis.com/auth/bigquery.insertdata
● The scope consists of the base URL up to the “auth” section, plus a specific
permission being granted.
● Scope can also be set on the command line using set-scopes with the gcloud
command.
Example: Service accounts and IAM
● VMs running component_1 are granted Editor access to project_b using Service
Account 1.
● VMs running component_2 are granted objectViewer access to bucket_1 using
Service Account 2.
● Service account permissions can be changed without recreating VMs.
[Diagram: project_a and project_b. component_1 uses Service Account 1 (Editor); component_2 uses Service Account 2 (Storage.objectViewer) to reach bucket_1.]
Cloud Audit Logs
Three types of audit logs are kept for each of your projects:
● Admin Activity
● System Events
● Data Access
Viewing cloud audit logs in Operations
Cloud audit logs can be viewed
through the Operations interface
from the main Cloud Console
menu.
Viewing Cloud Audit Logs in the Activity menu
You can also access abbreviated versions of your activity logs via the Activity link
on the Home screen.
Suggested study resources for this section
Cloud IAM: https://cloud.google.com/iam/docs/

Security and Identity Fundamentals Quest: https://www.qwiklabs.com/quests/40

Cloud IAM Overview: https://cloud.google.com/iam/docs/overview

Understanding IAM roles: https://cloud.google.com/iam/docs/understanding-roles

Understanding IAM custom roles: https://cloud.google.com/iam/docs/understanding-custom-roles

Granting or changing access in IAM: https://cloud.google.com/iam/docs/granting-changing-revoking-access

Understanding service accounts: https://cloud.google.com/iam/docs/understanding-service-accounts

Service accounts: https://cloud.google.com/iam/docs/service-accounts

Cloud Audit Logs overview: https://cloud.google.com/logging/docs/audit/

Google services with audit logs: https://cloud.google.com/logging/docs/audit/services
