Google Associate Cloud Engineer – Authentication and Authorization in Google Cloud with Cloud IAM Part 2

August 15, 2023

6. Step 05a – Demo – Playing with IAM

Welcome back to this step. Let's play with IAM. If you type in IAM and pick the option IAM & Admin, this is where you land, and this is where you can see all the members and all the roles assigned to those members. You'll be able to see all the service accounts that have been created, as well as your own owner account, which is present in here. This is where you can add any members you'd want to add. So if you want to add a member, you can go in here and click Add. You can enter the email ID. Let's say I would want to add in28minutes and I would want to give that member a specific role. Then I can go in here and give whatever access we would want to give.

So let's say I would want to make it Compute Instance Admin, so I can go and pick Compute Instance Admin and give it to that member. This is how you can create users, and once they log into cloud.google.com with this specific ID, they'll be able to access the resources in this specific project. What we are giving here is access to My First Project, so they'll be able to access the resources which this specific role allows, using this specific Gmail ID. If you want, you can also send a notification email. I don't really want to create this, so let's cancel. This is where you can manage the members and the roles which are assigned to your members.

If you pick any of the existing members, you can even change the roles that are assigned to them. You can click the edit member icon which is present in here and add more roles. This one already has the Owner role, so you don't really need to add any other roles. If a user did not have sufficient permissions and you want to add more, you can add additional roles to the member. I'll cancel here. Now, one interesting feature in here is something called Policy Troubleshooter. You can use Policy Troubleshooter to find out if there is a problem with anybody's access. If somebody says they are not able to access something, you can use Policy Troubleshooter to troubleshoot it.

For example, I'll enter the owner ID, and over here I can check the permissions against it. So I want to check my own permissions. This is the owner, so it will definitely have the permission, but let's just check that. The project is My First Project, the one whose project ID ends in 304608, so I'll pick that up in here. That's the one we are interested in. Inside that I would want to check permissions. Let's say I would want to check whether this account has access to Compute Engine, so let's type in compute. Let's say we want to check whether it can create an instance: compute.instances.create. So we are checking for a permission against a specific resource, for a specific ID. If you want, you can add more pairs, more permissions that you'd want to check on resources. I'm happy with one.

So let's go ahead and click Check, and over here you can see that access is granted; the green checkmark says yes, that's fine. If you look at the bindings that are present in here, the first three bindings are for other accounts, and the account that we are checking against is this account. This account has the role roles/owner, and the permission that we are checking for is present in this specific role. That's why this is appearing as green. If somebody comes to you and says they are having problems accessing something, you can come over here to Policy Troubleshooter and try to find out why. I'm sure you're having a wonderful time and I'll see you in the next step.
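The check the troubleshooter performs for one member and one permission, as an added example that is not part of the course: the policy, the member names and the role-to-permission map are constructed excerpts (the role names and permissions are real, but real roles carry many more permissions).

```python
# Added example (not from the course): a small model of the Policy Troubleshooter
# check for one member / permission pair at project level. The policy and the
# role-to-permission map are constructed excerpts; real roles carry far more permissions.

# Constructed project-level IAM policy: a list of bindings, each binding one role to members.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
    ]
}

# Constructed excerpt of the permissions each role grants.
ROLE_PERMISSIONS = {
    "roles/owner": {"compute.instances.create", "compute.instances.delete",
                    "storage.objects.get", "resourcemanager.projects.setIamPolicy"},
    "roles/editor": {"compute.instances.create", "storage.objects.get"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete"},
}


def roles_for_member(policy, member):
    """Roles bound to `member` (a binding is role -> list of members)."""
    return [b["role"] for b in policy["bindings"] if member in b["members"]]


def troubleshoot(policy, member, permission):
    """Return (granted, rows). Each row mirrors the troubleshooter's binding table:
    (role, does the binding contain the member?, does the role contain the permission?).
    Access is granted when at least one binding answers yes to both questions."""
    rows = []
    for b in policy["bindings"]:
        has_member = member in b["members"]
        has_perm = permission in ROLE_PERMISSIONS.get(b["role"], set())
        rows.append((b["role"], has_member, has_perm))
    granted = any(m and p for _, m, p in rows)
    return granted, rows


if __name__ == "__main__":
    ok, rows = troubleshoot(PROJECT_POLICY, "user:owner@example.com", "compute.instances.create")
    print("granted" if ok else "denied")
    for role, has_member, has_perm in rows:
        print(f"  {role:30} member={has_member!s:5} permission={has_perm!s:5}")
```

The real troubleshooter also evaluates policies inherited from folders and the organization, IAM conditions and deny policies; this model covers only the project-level allow bindings shown in the demo.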

7. Step 05b – Demo – Playing with IAM – Command Line

Welcome back. Let's continue playing with IAM. In this step, let's use gcloud to play with IAM. If I want to get the current project information, what would I do? I can do something of this kind: gcloud compute project-info describe. I am connected to Cloud Shell, and let's first set the project that I would want to make use of: gcloud config set project, and let's use My First Project, the one whose ID ends in 304608. Let's copy that over and set the ID. Once I have a project set, Cloud Shell asks me to authorize it. We are setting the core project property, and now I can do a project-info describe. What would happen if I run gcloud compute project-info describe? It would display the information about that specific project.

You'd be able to see the default service account which it is making use of, the default network tier, and all the quotas around it. We already looked at a few more commands. gcloud auth login helps you log in to the Google Cloud platform. gcloud auth revoke: if you want to log out from your local machine, if you want to disconnect from your Google Cloud account, you can say gcloud auth revoke. And if you do gcloud auth list, it lists the active accounts. I'm already authenticated when it comes to Cloud Shell, so if I type in gcloud auth list, what would I see? I would see that I am authenticated with this specific account, the tutorials Gmail account shown here. So we have the project information and we have the authentication to Google Cloud. The next step is IAM.

This is where we'd be talking about roles and binding the roles to a specific user. The way we bind roles in Google Cloud is by using a policy. A policy is where we bind a user to a role, and a policy can be configured at multiple levels. The level we are looking at right now is the project level. If you go and use this command, gcloud projects get-iam-policy, it is a great way to get a good understanding of how IAM works in Google Cloud. I'll do a clear in here and type in gcloud projects get-iam-policy. We'll get an error. Let's see what the error is. It says: give me the project ID you want to get the IAM policy for. So I'd go and copy this project, and I am saying I want to get the IAM policy for this specific project.

So at the project level we want to get the IAM policy which is configured: gcloud projects get-iam-policy and a specific project. What does it return? You can see that this returns a number of bindings. And what do these bindings have? These bindings have the link between a member and a role. So you'd see that there are a number of bindings which are returned. If you look at the response of this specific command, you'd see members and role: this service account, this is the role; this service account, this is the role; this service account, this is the role. So when I do a get-iam-policy on a project, I get a list of bindings.

It's not just one binding, it's actually all the bindings related to that specific project: what are the service accounts that are part of that particular project, and what are the roles that are assigned to each service account. If you scroll down a little bit, you'd also see the users. This is the super admin. That's the account I used to create this Google Cloud account. You can see that this is a member in here and it has the role roles/owner. If you added any additional users to this specific project, you'd be able to see them in here as well. So the important takeaway from this specific command, gcloud projects get-iam-policy, is that an IAM policy is a list of bindings. What we are looking at is the IAM policy at the project level. The IAM policy at the project level contains all the service accounts and the users at that project level, and it contains the binding of each user to a specific role.

The command add-iam-policy-binding is used to add an IAM policy binding for a specific user. So let's say I want to add a new user to this specific project. How can I do that? I can say gcloud projects add-iam-policy-binding and add a binding to a specific user. The first thing I need to specify is which project. So as usual, this is the project. I'll say this is the project and press enter. You'll get an error, that's fine. Let's see what it's asking for. It says you need to specify a member and a role. Those are mandatory. So I want to add a binding to this specific project, and the member: there are different types of members, users, groups and service accounts. I want to add a user, so I can say user: and give the email ID of somebody I want to add to this specific project.

I can say I want to add in28minutes@gmail.com, for example, and I want to give that user a specific role. Let's say I want to make them Storage Object Admin. So I can give this specific role: --role= and paste in the role, roles/storage.objectAdmin. Let's press enter. What would happen now? You can see that it says the IAM policy for this project was updated, and it shows the updated policy. If you now look at the bindings which are present in here, at the end you can see an additional binding. You can see that to this role, roles/storage.objectAdmin, there are now two things which are bound. One is a user and the other one is a service account. So two members are now bound to the same role, storage.objectAdmin.

Similar to the way we added an IAM policy binding, you can delete it as well. What I'm giving in here is the Object Admin role, and it's a very, very privileged role. I don't really want to leave it there for that specific ID. So what I would do is say remove-iam-policy-binding. What does it do? It would remove the IAM policy binding from that specific role, and now, in the result, you can see that this role now has only the service account binding. It does not have the user binding. So whatever we have been looking at until now are the IAM policies. An IAM policy is nothing but a binding from a role to a set of members. The members can be a user, a group or a service account. We saw that add-iam-policy-binding is used to add a binding to a specific project, and remove-iam-policy-binding is used to remove a specific binding from a member to a role from a specific project.

set-iam-policy is used very, very rarely. set-iam-policy would override the entire existing policy and set the new policy bindings that you are providing. Typically, whenever you look at projects, we would use either an add or a remove to add or remove policy bindings. Very rarely would you want to set the entire policy at a single point in time. The next command is gcloud projects delete. If you want to shut down a project, this is the command: gcloud projects delete. I don't really want to shut down the project, so I don't want to execute that right now. Let's look at the other set of commands which are important when it comes to IAM: gcloud iam. gcloud iam roles describe is used to describe an IAM role. Let's try and execute that. So gcloud iam roles describe, and let's pick up the Storage Object Admin role.
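The difference between add-iam-policy-binding, remove-iam-policy-binding and set-iam-policy comes down to how each one changes the list of bindings. As an added example (not code from the course or from gcloud), the functions below model those three operations on a constructed policy, including a check for which bindings a set-iam-policy call would silently drop; the member and project names are made up.

```python
# Added example (not from the course): models the effect of
# gcloud projects add-iam-policy-binding / remove-iam-policy-binding / set-iam-policy
# on a constructed project IAM policy. Names are invented; role names are real.
import copy

# Constructed project policy, the same shape get-iam-policy returns.
CONSTRUCTED_POLICY = {
    "etag": "constructed-etag",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]},
    ],
}


def members_of(policy, role):
    """Members currently bound to `role` ([] when the role has no binding)."""
    for b in policy["bindings"]:
        if b["role"] == role:
            return list(b["members"])
    return []


def add_binding(policy, member, role):
    """add-iam-policy-binding: append the member to the role's binding,
    creating the binding if the role is not yet in the policy. Idempotent."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, member, role):
    """remove-iam-policy-binding: drop the member from the role; a binding
    left with no members is dropped entirely."""
    new = copy.deepcopy(policy)
    for b in new["bindings"]:
        if b["role"] == role and member in b["members"]:
            b["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def set_policy(policy, new_policy):
    """set-iam-policy: the supplied policy replaces the existing one wholesale."""
    return copy.deepcopy(new_policy)


def lost_bindings(old, new):
    """(role, member) pairs present in `old` but absent from `new`: what a
    set-iam-policy from a stale or partial file would remove."""
    pairs = lambda p: {(b["role"], m) for b in p["bindings"] for m in b["members"]}
    return sorted(pairs(old) - pairs(new))
```

Running lost_bindings against the policy you are about to set is a cheap pre-check before the rare set-iam-policy; the real command additionally uses the etag to reject a write based on a policy that changed underneath you.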

I want to see all the details associated with this specific role. The command structure is good and we are able to see the details of that specific role. You can see that the description is "full control of GCS (Google Cloud Storage) objects", and you can see all the permissions which are included. So you can do a get and a list on the project, and most of the things that you would want to do on objects. You can see the name, and you can see that the stage is general availability (GA). That means anybody can go ahead and use this role. The other two stages we talked about earlier are alpha and beta. Alpha is when you are creating the first version of the role and want to try it out. Beta is the second version. Once you are confident the role is really good, you can put it into the general availability stage.

You can also create your own IAM roles. You can say gcloud iam roles create and give the role a name, and you can assign the permissions that you want the role to have. It is very, very important to remember that in addition to creating a role, you also have the option of copying an existing role. A lot of the time, what we can do is copy an existing role and change its permissions. That is easier than creating a new role from scratch, and that's the reason it's very important to remember the command gcloud iam roles copy. So if you want to copy a role, this is how you can do that. Let's say I want to copy the Storage Object Admin role. Let's pick this up from here. Oops, let me get that right. Yeah, copy this. Oops, I need an "n" at the end.

Okay, it says unrecognized arguments: roles/storage.objectAdmin. The reason it's giving me a problem is that the syntax is a little different. With gcloud iam roles copy you need to specify a few things. The source role is given with --source, so the source is roles/storage.objectAdmin. The next thing I need to configure is the destination, --destination: what is the role that we want to create? I'll say the destination is my custom role. So I'm creating a custom role using this specific Storage Object Admin role. After that, I also need to specify the destination project, --dest-project: which project do you want to create this role in? I want my custom role to be created in the same project, so I can say this. So gcloud iam roles copy can be used to copy a role within the same project.

Or you can use it to copy a role from one project to another project. If you have a dev project where you have set up the roles and everything is working fine, and you want to copy the role over to a staging project or a production project, you can use gcloud iam roles copy and copy the roles over. So let's try this. Fingers crossed. Will it work? Looks like yes. It took a while to execute, but you can see that it really worked. It's now created. You can see that the default stage in which it is created is alpha. So the initial stage is alpha, and then you can slowly play with it, make sure that you are okay with the permissions which are assigned, and then you can make it general availability.

In this long step, we played around a lot with IAM. The important takeaways from this step: you would use get-iam-policy to get the IAM policy which is configured on a project. An IAM policy is nothing but a set of bindings: which role is mapped to which members. You can add a binding using add-iam-policy-binding. You can remove a binding using remove-iam-policy-binding. Other than that, you can also play with roles: gcloud iam roles describe, create and copy. Instead of creating a new role each time, you can copy from an existing role. This is useful when you want to create a new role in the same project or copy an existing role to other projects. I'm sure you had a wonderful time in this step.
