Google Associate Cloud Engineer – Authentication and Authorization in Google Cloud with Cloud IAM Part 1

August 14, 2023

1. Step 01 – Getting started with Cloud IAM

Welcome back. Welcome to this section on IAM, Identity and Access Management. In this section, let’s understand what IAM is and why we need it. Let’s get started with typical identity management in the cloud. You have a number of resources in the cloud: you are creating a virtual server, a database and a lot of other resources. And you have identities. The identities can be human people who want to access a specific service. The identities can also be non-human, such as an application which needs to talk to a database. So you have identities that need to access these resources and perform a lot of actions on them. For example, I would want to start a virtual server, and I would want to stop it. So you have resources and you have identities. How do you identify users in the cloud? How do you configure which resources they can access?

How do you configure what actions are allowed? In Google Cloud Platform, Identity and Access Management, Cloud IAM, provides this service. Cloud Identity and Access Management is all about authentication (is it the right user?) and authorization (do they have the right access?). Identities can be of a variety of types. A GCP user: a Google account that is already authenticated, or an externally authenticated user. It can also be a group of GCP users. Generally, groups are recommended because having groups makes managing identities easier. So if you have a developers group, you manage the permissions at the developers group level, and as new team members come in, you just need to add them to the developers group. The identities can also be an application which is running inside GCP.

So let’s say I am running an application on a virtual machine which is present in GCP. Or it can also be an application that is running in your data center, which needs to access something in GCP. There can also be unauthenticated users. Sometimes you want to make something public; in that kind of situation, you want to allow access even to unauthenticated users. Cloud IAM provides you with granular control. You can limit a single user to perform a specific action on a specific resource from a specific IP address during a specific time window. In this quick step we got a 10,000 ft overview of IAM. IAM is all about authentication, authorization and providing granular control.

2. Step 02 – Exploring Cloud IAM with an Example

Welcome back. In this step, let’s look at an example for Cloud IAM. I want to provide access to manage a specific Cloud Storage bucket to a colleague of mine. Let’s look at a few general concepts from the perspective of IAM. Who is the member here? Who are we talking about? A colleague of mine. My colleague is the member. What is the resource that we are talking about here? It’s a specific Cloud Storage bucket. And what is the action? Let’s say by management we meant uploading and deleting objects. So the actions which we want to allow are upload and delete objects. Whichever cloud you work with, these concepts are very generic: you have a member, you have a resource and you have an action. However, there are a few Google Cloud IAM specific concepts as well.

You have a concept of a role in Google Cloud IAM. A role is a set of permissions to perform specific actions on specific resources. An important thing: roles have no idea about members. They don’t know who they will be assigned to. All that roles contain are permissions. If you are coming from an AWS background, then I would recommend you to forget about AWS roles immediately. Roles in AWS are very, very different from roles in Google Cloud. As far as the member, resource and action are concerned, they are very similar. However, when it comes to assigning roles and assigning permissions, Google Cloud is very, very different from other cloud platforms. So roles only represent a set of permissions. They don’t know anything about members at all. Now, how do you assign permissions to a member? That’s where you create something called a policy.

A policy is something you would use to assign a role to a member. In Google Cloud terminology, you are binding a role to a member. A policy allows you to bind a role to a member. Now that we understood the generic concepts which are involved, let’s look at the specific steps which we need to take to achieve this goal. I would want to provide access to a colleague of mine to manage a specific Cloud Storage bucket. The first thing is to identify the right role with the right permissions. There are a number of predefined roles, each with a set of permissions assigned to it, which are already present in Google Cloud. A good example is Storage Object Admin. So if you have a role called Storage Object Admin, then you would be able to manage the entire Cloud Storage bucket.

Once you choose the right role with the right permissions, you can actually create a policy binding the member, that’s your colleague, with the role, that is, the specific role which gives you the permissions. As we discussed earlier, IAM in AWS is very, very different from GCP. So forget AWS IAM and start fresh as far as Cloud IAM is concerned. In this step we looked at the important concepts related to Cloud IAM: the member is your colleague, the resource is the specific bucket, and the action is what you want to allow on that resource. In Google Cloud IAM, roles are a set of permissions, and to assign a role to a member, what we do is we create a policy. A policy helps you to bind a role to a member. I’m sure you’re having an interesting time and I’ll see you in the next step.

3. Step 03 – Exploring Cloud IAM – Roles

Welcome back. In this step, let’s discuss a little bit more about roles. Roles are permissions to perform a set of actions on a set of resources. There are three types of roles in Google Cloud. The first type is basic roles, or primitive roles: Owner, Editor and Viewer. These are primitive roles which give you a wide set of permissions. So if you have the Viewer role, which is roles/viewer, then you can do read-only actions on all the resources which are present in Google Cloud. The Editor role gives you Viewer plus edit actions on all resources. The Owner role gives you Editor plus you can manage roles and permissions. So you can create new roles and new permissions, you can actually assign permissions to different members, and you can also handle billing, so you can take care of the billing account and you can assign billing accounts to projects and all that fun stuff.

So the basic roles are Owner, Editor and Viewer, which give you a wide range of permissions. The basic roles are the earliest version. Even before the existence of IAM, the basic roles existed, and basic roles are not recommended. Do not use basic roles in production unless you would want to give a wide range of permissions. Let’s say you would want to give view-only access to an auditor to all the resources in your project. In that kind of scenario you can go for Viewer, but in general do not use basic roles in production. The other set of roles which are present are predefined roles. Predefined roles are fine-grained roles, predefined and managed by Google, inside every service. GCP has created a number of roles, so different roles for different purposes.

Examples: Storage Admin, Storage Object Admin, Storage Object Viewer and Storage Object Creator. So a Storage Admin can manage buckets, and a Storage Admin can also manage all the objects inside the buckets. Storage Object Admin can manage objects within a bucket, but cannot create new buckets and things like that. Storage Object Viewer can view objects but cannot edit objects. Storage Object Creator can create objects as well. Do not worry about the specifics of these roles; we will discuss them a little later in depth. But for now the important thing to remember is that the predefined roles give you a wide variety, and you can assign them to the right person based on the specific role they are performing in a project.

The last option is custom roles. Sometimes the predefined roles are not sufficient, and in those kinds of situations you can create your own custom roles. In this step we got started with roles. Roles are permissions, and we talked about the three types of roles: basic roles, which give you a wide variety of permissions but which are not recommended for production use; predefined roles, which are typically recommended for production and which give you different roles for different purposes; and custom roles, which you can create when the predefined roles are not sufficient for your purposes. I’m sure you are having a wonderful time and I’ll see you in the next step.
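As an added example (not part of the original course material), here is a small Python audit that applies the advice from this step and the earlier ones to an IAM policy: it flags bindings of the basic roles, bindings to the public members allUsers and allAuthenticatedUsers (the unauthenticated access mentioned in Step 01), and individual users bound directly instead of through a group. The policy is a constructed sample in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns; the project, e-mail addresses and etag are made up.

```python
"""Audit a Google Cloud IAM policy for risky bindings (added example)."""
import json

# Basic (primitive) roles: very broad permissions, not recommended in production.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Members that make a binding public; these two are real Google Cloud identifiers.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: project, e-mail addresses and etag are made up.
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwX-constructed-etag",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:build@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["group:developers@example.com"]}
  ]
}
"""


def audit_policy(policy):
    """Return findings as (severity, role, member, reason) tuples, in policy order."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append(("HIGH", role, member,
                                 "basic role; use a predefined or custom role instead"))
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member,
                                 "public binding: unauthenticated or any Google account"))
            if member.startswith("user:"):
                findings.append(("LOW", role, member,
                                 "individual user bound directly; prefer a group"))
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def audit_json(policy_json):
    """Convenience wrapper: audit a policy given as a JSON string."""
    return audit_policy(json.loads(policy_json))


if __name__ == "__main__":
    for severity, role, member, reason in audit_json(SAMPLE_POLICY_JSON):
        print(f"{severity:4} {role:32} {member:62} {reason}")
    print(severity_counts(audit_json(SAMPLE_POLICY_JSON)))
```

On the sample policy this reports three HIGH findings (two basic-role bindings and the public bucket-read binding) and one LOW finding for the user bound directly; the group binding of a predefined role produces nothing.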

4. Step 04 – Playing with IAM Roles – Predefined, Basic and Custom Roles

Welcome back. In this step, let’s play with roles. I’ll search for Roles and it takes me to IAM & Admin, Roles. So let’s go there. It takes a little while to load, and it loads a huge list of roles. Let’s get started with the basic roles first, so roles/viewer. I’ll go in here and filter by name for roles/viewer. So this is the role we are looking for. You can see that roles/viewer is enabled, and if you open it up, so I’m opening up Viewer, you’ll see that it has a lot of permissions, and you’d see that all these permissions are either get or list: get, list, getIamPolicy, list, get. So the Viewer role has access to all resources. What access? It has read access to all resources, and it has about 1661 assigned permissions.

I would recommend you to actually spend some time looking at these roles, specifically for the services that we have talked about earlier. Now, you can also look up other roles as well. So I’ll select Name from here again and type in roles. The other roles you can look up are Editor or Owner. I’ll say Owner, go in and click Owner. This would open up the Owner role, and you can see this has 3801 permissions. Let’s just look at App Engine. So if you just type in App Engine, you can see what permissions are present on App Engine. So App Engine applications: create applications, get applications, update; instances: delete instances, get, list. So you can see that there are a wide range of permissions, applications, instances, and you can even add a cache to App Engine.

There are a lot of operations that you can perform. You can delete services, get, list and update services, and you can create versions and delete versions. So you can see that there are a wide range of permissions that are present for the Owner role. Similarly, I recommend you to select a few of the roles and explore, for example roles/editor. There are also predefined roles which are present in here. Let’s say I would pick up Storage Admin. So let’s go back, and let’s say I would want to look at Storage Admin. So if you type in Storage Admin, you should see Storage Admin come in here. The second one is Storage Admin, so let’s pick that up and open it up.

So you can see that Storage Admin has permissions both on buckets and objects. So storage.buckets: create, delete, get, getIamPolicy, list, setIamPolicy, update. And he also has permissions on the objects, so he can create, delete, get, list and update objects. Let’s pick up Storage Object Admin and see what permissions are present for him. I’d go back and type in Storage Object Admin. So Storage Object Admin is what we are looking for, and if you want, you can even open it up in a new window. So this would open up the Storage Object Admin role in a new window. Over here you can see that he can do all the things with objects. However, he will not be able to do anything with a bucket.

You can also try Storage Object Viewer. So Storage Object Viewer, open it up in a new tab. You would see that he will only have get and list permissions on the objects. So you can see storage.objects.get and storage.objects.list. Almost every role will also have resourcemanager.projects.get and resourcemanager.projects.list. Now I’ll close the newly opened tabs, and over here you can also create a custom role. So I can say Create Role, and this would be a custom role. So I’ll say My Custom Role. One important thing to note when we are creating a role is to make sure that you give it a good ID, because this is the ID you’d be using to bind the role to a user in a policy.

And also you can see that there are multiple launch stages for a role: Alpha, Beta, General Availability and Disabled. You can disable a role, or you can say I’m just playing with it, this is the first version, then it’s Alpha. This is the second version, then you can make it Beta. And then you can make the role available at General Availability: anybody can use it. So when I’m playing with the role for the first time, maybe I would put it at Alpha. And you can also add permissions to the role. So you can say I would want to give a specific set of permissions. You can actually take the permissions from here, or you can go in here and filter by role.

So let’s say I want to filter permissions by a specific role. I’ll say App Engine: I would want to look at the permissions for App Engine Admin. So the App Engine Admin permissions will be listed in here. From these permissions I can select which ones I would want to assign to my custom role. Let’s say I’m selecting five of these, and I can say Add, and you can see that these five permissions would be added to the custom role that we are creating right now. And you can go in and say Create, and this would create the role. So the custom role will now be created, and it would be the first one which should appear in here. Let’s look at a few example predefined roles as well. So, Storage Admin has permissions to do everything with buckets and objects. Storage Object Admin, on the other hand, only objects; he cannot do anything with buckets. Storage Object Creator can create objects. Storage Object Viewer can view, so he can do a get and a list. And all four have these permissions: resourcemanager.projects.get and resourcemanager.projects.list. Typically, most of the roles will give you permissions to see the list of projects. Depending on the permissions that a specific user needs on Cloud Storage, you can assign him the specific role. In this step, we took a hands-on approach to learn a little bit more about roles. I’m sure you’re having an interesting time and I’ll.

5. Step 05 – Exploring Cloud IAM – Members, Role and Policy

Welcome back. In this step, let’s review some of the most important concepts in IAM. A member is who. Roles are all about permissions: what actions on what resources. So here you can see that we have different permissions: compute.instances.delete, compute.instances.get, compute.instances.list. We group all of them and we assign them to a role. So a role is just a set of permissions. In a policy you would assign permissions to members. How do you do that? You do that by mapping roles, members and conditions. You define what actions can be performed on which resource, by whom, and under what conditions. You can specify a time condition, you can specify a list of IP addresses. So all those kinds of things are specified as part of your policy.

An important thing to remember is that permissions are not directly assigned to a member. Permissions are represented by a role. So you create a role first with the list of permissions, and then you bind the role to the member using a policy. The member gets permissions through the role, not directly. And as we discussed, a role can have multiple permissions, and you can assign multiple roles to a single member. So a single policy can have multiple bindings of the same member to different roles. Let’s quickly look at the policy. Roles are assigned to users through IAM policy documents. This is represented by a policy object. A policy object has a list of bindings. A binding binds a role to a list of members.

There can be a variety of members who are assigned roles in a policy. How do you identify a member type? You identify it by using a prefix. A member type can be a user, or a service account; we’ll look at service accounts a little later as well. Let’s say I’m running an application in a virtual machine which needs access to Cloud Storage. In that kind of situation there is no person involved. In those kinds of situations, what we would do is create a service account for the virtual machine, and to the service account we would assign permissions to access Cloud Storage. So the member type can be a user or a service account, it can be a group of users or a group of service accounts, or it can also be a specific domain, and this is identified by a prefix in the policy.

Let’s look at a quick example of an IAM policy. Over here you can see that the role Storage Object Admin is being assigned to a number of members. So a binding is all about binding roles to members. You can see that there are two different bindings present in here: this is binding one and this is binding two. In here we have role and members. This role is assigned to a specific user, a specific service account, a specific group and a specific domain. So every user who is part of this domain will get this specific role. In the second binding we have role, members and conditions as well.

So you can say this permission is allowed only up to a specific timestamp. So the condition which is specified in here is limited-time access. So the way IAM works is: you create a role. A role contains a number of permissions. Then you would create an IAM policy with a binding. The binding maps a role to who all can acquire that role. These people are called members. So you are binding a role to members in a policy. In a policy you can have multiple bindings. In this step we reviewed some of the most important concepts of IAM in Google Cloud Platform. I’m sure you’re having a wonderful time and I’ll see you in the next.
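To make the binding and condition mechanics of this step concrete, here is an added Python example (not from the original course) that resolves which roles a given principal receives from a policy. The policy is a constructed version-3 sample mirroring the two bindings just described: one unconditional binding with the four member prefixes user:, serviceAccount:, group: and domain:, and one limited-time binding. The condition evaluator is an assumption made for the example: it understands only the single CEL form `request.time < timestamp("...")` and rejects anything else, rather than implementing CEL. The principal dictionary shape (`kind`, `email`, `groups`) is likewise invented here; in a real policy the group memberships come from Cloud Identity, not from the policy itself.

```python
"""Resolve the effective roles a principal gets from an IAM policy (added example)."""
import re
from datetime import datetime, timezone

# Constructed version-3 policy mirroring the two bindings discussed in this step.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {   # binding one: no condition, four member types
            "role": "roles/storage.objectAdmin",
            "members": [
                "user:alice@example.com",
                "serviceAccount:app@example-project.iam.gserviceaccount.com",
                "group:developers@example.com",
                "domain:example.com",
            ],
        },
        {   # binding two: limited-time access via a condition
            "role": "roles/storage.admin",
            "members": ["user:bob@contractor.example"],
            "condition": {
                "title": "limited time access",
                "expression": 'request.time < timestamp("2023-12-31T00:00:00Z")',
            },
        },
    ],
}

# Only this one CEL form is supported here (assumption for the example).
_TIME_LIMIT = re.compile(r'^request\.time\s*<\s*timestamp\("([^"]+)"\)$')


def parse_time(iso_utc):
    """Parse an RFC 3339 timestamp such as 2023-06-01T00:00:00Z as an aware UTC datetime."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00")).astimezone(timezone.utc)


def condition_holds(condition, request_time):
    """Unconditional bindings always apply; otherwise evaluate the time limit."""
    if condition is None:
        return True
    match = _TIME_LIMIT.match(condition["expression"].strip())
    if match is None:
        # Fail closed: an expression we cannot evaluate must not grant access.
        raise ValueError("unsupported condition: " + condition["expression"])
    return request_time < parse_time(match.group(1))


def member_matches(member, principal):
    """principal: {'kind': 'user' | 'serviceAccount', 'email': str, 'groups': [str]} (invented shape)."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True  # public bindings match any caller
    prefix, _, value = member.partition(":")
    email = principal["email"].lower()
    if prefix in ("user", "serviceAccount"):
        # The prefix also fixes the identity type: a user: entry never matches a service account.
        return prefix == principal["kind"] and value.lower() == email
    if prefix == "group":
        return value.lower() in {g.lower() for g in principal.get("groups", [])}
    if prefix == "domain":
        return email.endswith("@" + value.lower())
    return False  # unknown prefix: deny rather than guess


def effective_roles(policy, principal, request_time_iso):
    """Set of roles granted to the principal at the given request time."""
    now = parse_time(request_time_iso)
    granted = set()
    for binding in policy["bindings"]:
        if not condition_holds(binding.get("condition"), now):
            continue
        if any(member_matches(m, principal) for m in binding["members"]):
            granted.add(binding["role"])
    return granted


if __name__ == "__main__":
    bob = {"kind": "user", "email": "bob@contractor.example"}
    print(effective_roles(SAMPLE_POLICY, bob, "2023-06-01T00:00:00Z"))  # {'roles/storage.admin'}
    print(effective_roles(SAMPLE_POLICY, bob, "2024-01-01T00:00:00Z"))  # set()
```

Two things the walkthrough makes visible: a domain: member grants the role to every account in that domain even if the account is not listed anywhere, and once the timestamp in the condition has passed the binding is still present in the policy but no longer grants anything, so an expired binding is harmless rather than removed.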
