As mentioned in the previous section, a resource such as a Compute Engine VM can use a service account to interact with a Google Cloud API. Note that it is also possible to attach a service account to a resource that is deployed in a different project. When a VM is created, it uses a…
Author: examcert
Managing service accounts – Google Cloud Engineer Exam Guide
A service account is an identity that an application or a Compute Engine VM uses to run authorized API calls to Google Cloud services such as Google Cloud Storage, BigQuery, and so on. Contrary to a user account, this account type is not created in the Google Admin console as a Cloud Identity, but in…
Organization policies – Google Cloud Engineer Exam Guide
One of the additional benefits of building a resource hierarchy is the ability to centrally set constraints on what users can configure on a Google Cloud service. Applying organization policies to a resource hierarchy at the root level helps to comply with a company’s security policies across all projects. Let’s look at the following example….
IAM policies – Google Cloud Engineer Exam Guide
Now that we have learned how to create accounts, build a resource hierarchy, and set up roles, we will look into IAM policies that connect all of those items to allow users to access resources in a fine-grained way within a hierarchy. In IAM, Cloud Identity users, Cloud Identity groups, service accounts, and, for some…
IAM roles – Google Cloud Engineer Exam Guide
In Google Cloud, permissions are not assigned to users and groups directly. Instead, users have roles assigned to them. Roles are a collection of permissions. Permissions usually match API methods that describe which operations are allowed on a resource and have the following form: <service>.<resource>.<action>. Figure 12.12 – Example of a role, which is a…
Building a resource hierarchy
In the Google Cloud resource hierarchy, an organization is provisioned automatically and it is the top-level node above all other folders, projects, and resources. Any policies or restrictions set at the organization level will apply to the folders, projects, and resources that fall under it. The hierarchy helps to manage access to resources, so there…
Users and groups – Google Cloud Engineer Exam Guide
You can create accounts for each user to be managed by Cloud Identity manually in the Users tab in the Directory section of the Google Admin console by selecting Add new user as shown in Figure 12.7. Alternatively, you can upload user accounts via a CSV file, sync users with your existing LDAP directory, such…
Implementing Identity and Security in Google Cloud
In the previous chapters, topics such as roles, users, and service accounts often appeared in the context of what permissions are needed to access or configure a specific Google Cloud service. This chapter will provide more visibility on identity and access in Google Cloud. In addition, we will focus on the security aspect and learn…
Predefined roles for Google Cloud’s operations suite services
When working with Google Cloud’s operations suite products described in this section (Debugger, Profiler, and Trace, but also Logging and Monitoring, which were presented earlier in this chapter), it is essential to know what the permissions model looks like. For example, what role can be assigned to a user that wants only to view dashboards?…
Using cloud diagnostics to research an application issue
It is possible to diagnose an issue caused by code in your application using Cloud Monitoring alone. Still, you will have to somehow go from metrics to the request and logs that generated that metric’s data point. Also, examining logs from a web service in Logs Explorer to track the most common errors would…