Google Associate Cloud Engineer – Authentication and Authorization in Google Cloud with Cloud IAM Part 3

  • August 15, 2023

8. Step 06 – Getting Started with Service Accounts

Welcome back. In this step, let’s talk about service accounts. A service account is one of the types of members. What is a service account? Why do we need it? That’s what we’ll look at in this specific step. Let’s consider a scenario. An application on a VM needs access to Cloud Storage. You don’t want to use personal credentials to allow access, and you don’t want to create an email ID or something like that and then use it to give access to the VM. To access Cloud Storage, the recommended approach is to use a service account. A service account is identified by an email address, for example ID-compute@developer.gserviceaccount.com. If you go to Service Accounts under IAM & Admin, you can see a few example service accounts which are present here.

I’m inside my first project, which we used earlier to create our Compute Engine and App Engine services. When we created the Compute Engine and App Engine services, a couple of service accounts were automatically created for us, so those service accounts are present here. You can see glowing-furnace (the project ID) @appspot.gserviceaccount.com, and there is another one present here. These are the App Engine default service account and the Compute Engine default service account. Whenever we create a virtual machine using Google Compute Engine, by default it would be assigned the Compute Engine default service account, and all the applications on that Compute Engine instance can make use of whatever permissions this service account has.

An important thing about a service account is that there is no password associated with it. A service account makes use of a public and private RSA key pair. Earlier we talked about asymmetric cryptography; your service account also makes use of that. You make use of a private key and a public key. You cannot use a service account to log in via a browser or a cookie. You have to assign it to a machine or something similar, and then the machine would make use of the service account to make a call to the appropriate service. There are a few types of service accounts. Number one is the default service account. This is automatically created when certain services are used. So what we are looking at here are default service accounts.

The default service account is not typically recommended because it has the Editor role by default. The next type of service account is user-managed. You can create your own service accounts as well. These are recommended because they provide fine-grained access control. So over here I can go and create my own service account. These are user-managed service accounts. I can say this is “my service account for Compute” and click Create. Next, you can give it access. Let’s say I would want this service account to manage Compute instances, so I would give it Compute permissions. You can go in and assign the specific permissions it would need to have. I’ll take the easy option and say Compute Admin, and let’s say I also want to give it permissions to access Cloud Storage.

So I can say Cloud Storage, then Storage, oops, Storage Object Admin. I want it to be able to manage objects in a bucket, so let’s assign that as well. Now over here you can also add conditions. You can click Conditions and add conditions based on a lot of things. You can say I want to allow access only on a specific day of the week or a specific hour of the day. Or you can say I want the access to expire on a specific date and time. Or you can say I only want to allow access on a specific set of resources, so I can specify a resource type, a resource service, or a resource name. For now I’m not going to add a condition; I’ll just click Cancel. So we added Compute Admin and Storage Object Admin for the service account. Let’s go in and click Continue.

Once you have the service account created, you can assign it to your services. What I would do here is click Done, and then, inside the same project, let’s say I want to create a virtual machine. So I’ll go to VM Instances, open it in a new tab, and click Create Instance. Where do we assign the service account? If you scroll down a little, you’d be able to see the service account under Identity and API Access. You would see that you can set the service account here: applications running on the VM use the service account to call Google Cloud APIs; use permissions on the console menu to create a service account, or use the default service account. Until now we have been using the default service account.

Now you can also use the service account that we created earlier, so I can use “my service account for Compute”. If I need any permissions for my application which is going to be deployed in Compute, I can assign them to “my service account for Compute”, and the VM can get those permissions through the service account. So that’s user-managed service accounts: either you can use the default service account, which is not really recommended, or you can create your own user-managed service accounts. The third type is Google-managed service accounts. These are created and managed by Google. They are used to perform operations on the user’s behalf, and ideally we don’t really need to worry about them.

The only two practical service account types that we’ll be making use of are the default and user-managed ones. In this step we looked at service accounts. Whenever an application on a VM needs access to any resource inside GCP, the way you provide it access is through a service account. A service account is identified by an email address and it does not have any password associated with it. The two most used types of service accounts are default service accounts, which are created by default in certain services, and user-managed service accounts, which you can create and assign yourself. I’ll see you in the next step.

9. Step 06a – Demo – Playing with Service Accounts

In this step, let’s play around with service accounts. Let’s take a simple use case. Let’s say you have an application which is running on a virtual machine, and from that virtual machine I want to give it access to a Cloud Storage bucket. I want to be able to create a Cloud Storage bucket from the virtual machine. Let’s look at that use case right now. What I’ll start with is creating a service account. So I’ll create a service account and call it “Compute Engine Service Account with bucket creation”. I want to be able to use this service account to create buckets. I’ll take the default service account ID which is being suggested and click Create. To start off, I’ll not assign the storage permissions; all that I’ll give it permissions for is Compute instances, so I’ll make it Compute Instance Admin.

There’s a role in beta here; that should be fine, so let’s use the Compute Instance Admin (beta) role. If you don’t see a beta role and you see Compute Instance Admin, you can choose that as well. This gives you full control of Compute Engine instance resources, so this service account can launch Compute Engine instances, delete them, and do things like that. Let’s pick that and click Continue. The next thing that we need to configure is who has access to this service account. Now this is very important: you can grant users access to this service account, that is, grant access to users or groups that need to perform actions as this service account. There are two types of roles: the Service Account User role and the Service Account Admin role.

What is the difference between these two? We want to be able to create virtual machines to which we assign the service account, and to be able to do that, you need to have the Service Account User role. So if you want to be able to create virtual machines which use the service account, you need the Service Account User role. If you want to manage the permissions and everything else related to the service account, you need the Service Account Admin role. At a bare minimum, if you want somebody to be able to create VMs using the service account, you need to give them the Service Account User role.

We are using the free trial account, which has Owner permissions, and therefore we don’t really need to assign the role here. But if somebody else is creating the virtual machines for you and you want them to be able to use the service account, you need to add them here. I’ll not worry about it and click Done, and that creates the service account. The service account which we have just created is “Compute Engine Service Account with bucket creation”, and what we want to do now is create a virtual machine using this service account. So I’ll type in VM, pick VM Instances, and open it in a new tab. I’ll have one tab where the service account details are present, and the other tab is where we’ll go ahead and launch a quick Compute Engine instance.

Okay, over here I’ll call this “my VM instance that talks to cloud storage”. Very descriptive name. Now, which service account does it get? You can see that by default we are making use of the Compute Engine default service account. However, we don’t want to use the default service account; we want to use the one which we have just created, “Compute Engine Service Account with bucket creation”. So let’s select that. I’ll take the defaults for the rest of the things and click Create. This will create the VM instance for us. So this is the instance that we have just launched, “my VM instance that talks to cloud storage”, and I want to SSH into it. Let’s try to SSH into it.

Pop-up window blocked. Let’s enable pop-ups, and this launches an SSH connection. Now, what do we want to be able to do from the VM instance? We want to be able to create a bucket. And how can we create a bucket? We can make use of gsutil, the Google Cloud Storage utility. With gsutil we want to make a bucket, so the command is gsutil mb (make bucket), and then you type gs:// followed by the name of the bucket. Let’s say I want to create a bucket with the name “bucket in 28 minutes one”. You’ll need to pick a different name for your bucket because bucket names are globally unique. But anyway, you’ll get an error right now. Let’s press Enter. What’s the error that we get? AccessDeniedException.

It’s saying 403. It’s saying the Compute Engine service account that we have assigned does not have storage.buckets.create access to the Google Cloud project. In other words, it cannot create buckets. How do we fix that? The way we fix this is by giving the right permissions to the Compute Engine service account. Let’s go to “Compute Engine Service Account with bucket creation”; this is the service account which we created earlier. I’ll go to IAM, which is where we manage the roles assigned to your service accounts. So I’m going back to IAM, and the one we are looking for is the Compute Engine service account. I’ll go ahead and edit this member. You can see that this one already has the Compute Engine admin role we assigned; however, it does not have any permissions on storage.

So I’ll give it permissions: I’ll make this service account a Storage Admin. If you scroll down a little, you’ll be able to see Storage Admin, full control of GCS resources. Make sure that you are not choosing Storage Object Admin or Storage Transfer Admin. Make sure that you are choosing Storage Admin: full control of GCS (Google Cloud Storage) resources. Let’s select that and click Save. What we are doing is updating the service account with additional permissions. We have already launched the VM instance with the service account; let’s see if the changes are instantaneous. Let’s try to create the bucket again. It’s creating, and you can see that the bucket creation is now successful. If you want, you can go in and check that the bucket exists.

Go to Cloud Storage, I’ll open this up in a new tab, and you’d see that there is a bucket present with the name that I assigned, “bucket in 28 minutes one”. Let’s see if we have a bucket. Cool, there is a bucket with the name “bucket in 28 minutes one”; that’s the one which we have just created. So whenever you have a VM and you want to assign permissions to the VM, the way you do that is by attaching a service account to it. Whatever permissions you want for an application running on the VM, you provide to the service account. As you can see here, there are no passwords involved at all, and that’s the biggest advantage of going for a service account. I’m sure you’re having an interesting time, and I’ll see you in the next step.
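As an added offline illustration of both steps above (the roles and conditions from Step 06 and the storage.buckets.create 403 from the demo), and not code from the course: a small Python checker over a constructed IAM policy in the shape gcloud returns. It assumes a hand-written, partial role-to-permission table and made-up member names, and shows why Compute Instance Admin and Storage Object Admin do not satisfy bucket creation while Storage Admin does, keeping conditional bindings separate.

```python
import copy
# Constructed sample (not real project data): members and a policy in the shape
# returned by `gcloud projects get-iam-policy PROJECT --format=json`.
SA = "serviceAccount:compute-sa-with-bucket-creation@my-project.iam.gserviceaccount.com"
ALICE = "user:alice@example.com"

# Assumed partial map of predefined roles -> permissions (only what this demo touches).
ROLE_PERMISSIONS = {
    "roles/compute.instanceAdmin.v1": {"compute.instances.create", "compute.instances.delete"},
    "roles/storage.objectAdmin": {"storage.objects.create", "storage.objects.delete"},
    "roles/storage.admin": {"storage.buckets.create", "storage.buckets.delete",
                            "storage.objects.create", "storage.objects.delete"},
}

PROJECT_POLICY = {"bindings": [
    {"role": "roles/compute.instanceAdmin.v1", "members": [SA]},
    # A binding with a condition, the shape the console's "Add condition" step produces.
    {"role": "roles/storage.admin", "members": [ALICE],
     "condition": {"title": "expires", "expression": 'request.time < timestamp("2023-12-31T00:00:00Z")'}},
]}

def roles_for(policy, member):
    """Return (unconditional roles, conditional roles) bound to `member`."""
    plain, cond = set(), set()
    for b in policy.get("bindings", []):
        if member in b.get("members", []):
            (cond if "condition" in b else plain).add(b["role"])
    return plain, cond

def has_permission(policy, member, permission):
    """True when an unconditional binding gives `member` a role carrying `permission`."""
    plain, _ = roles_for(policy, member)  # conditional bindings are not evaluated (no CEL here)
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in plain)

def grant(policy, member, role):
    """Copy of `policy` with `member` added to the unconditional binding for `role` (the IAM Save step)."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and "condition" not in b:
            b["members"] = sorted(set(b["members"]) | {member})
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new

def diagnose(policy, member, permission):
    """'OK', or a 403-style message naming the missing permission and the roles that carry it."""
    if has_permission(policy, member, permission):
        return "OK"
    fixes = sorted(r for r, perms in ROLE_PERMISSIONS.items() if permission in perms)
    return f"403: {member} does not have {permission} access; grant one of: {', '.join(fixes)}"
```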
