
GCP #1: Preparation

Learning GCP: preparing the account, resources, IAM, billing, etc.

Members

IAM answers the question "who can do what on which resources". A member (Google now calls it a principal) is the "who". There are five different types of members:

  • Google Accounts,
    • represents a developer, an administrator, or any other person who interacts with Google Cloud.
    • any email address that is associated with a Google Account can be an identity, whether it is a gmail.com address or an address on another domain.
    • a new user can sign up for a Google Account on the Google account signup page with an existing non-Gmail address; no Gmail mailbox is needed.
  • service accounts,
    • an account that belongs to your application or workload instead of to an individual end user.
    • provides an identity for carrying out service-to-service interactions.
    • identified by an email address, e.g. PROJECT_NUMBER-compute@developer.gserviceaccount.com for the Compute Engine default service account, or NAME@PROJECT_ID.iam.gserviceaccount.com for one you create yourself.
    • three types of service account:
      • user-managed (custom, created by you)
      • default (the Compute Engine and App Engine default service accounts; the Compute Engine one is granted the basic Editor role on the project unless the organization policy constraint iam.automaticIamGrantsForDefaultServiceAccounts is enforced, so treat it with care)
      • Google-managed (the Google APIs service agent and other service agents that run internal Google processes on your behalf)
  • Google groups,
    • a Google group is a named collection of Google Accounts and service accounts.
    • every group has a unique email address that is associated with the group.
    • Google groups are a convenient way to apply an access policy to a collection of users: grant the role to the group once and manage membership instead of bindings.
  • Google Workspace domains,
    • represents a virtual group of all the Google Accounts that have been created in an organization's Google Workspace account.
    • represents your organization's internet domain name, such as example.com; when you add a user to your Google Workspace domain, a new Google Account such as username@example.com is created inside this virtual group.
  • Cloud Identity domains.
    • lets you manage users and groups with the Google Admin console, but you do not pay for or receive the Google Workspace collaboration products such as Gmail, Docs, Drive, and Calendar.

Create Account

There are three ways to create an account and use GCP:

  1. using a free @gmail address, but then you cannot create an organization (no folders, no organization policies, no org-level IAM),
  2. using Google Workspace, which costs about $6 per user per month plus a domain name,
  3. using Cloud Identity, which is free (Free edition, 50 users by default); you only need a domain name you control.

For this section we will create the account using Cloud Identity.

Create User

  • go to the Cloud Identity admin console, https://admin.google.com, and click Directory > Users
  • on the Users page, click Add new user
  • fill in the necessary fields, e.g. First name, Last name, and Primary email address

Create Group

  • go to the admin console and click Directory > Groups
  • on the Groups page, click Create group
  • fill in the necessary fields and click Next
  • on the next page, set Access type to Team, select Only invited users can join the group, and turn on Allow members outside your organization.
  • caveat: once this group is granted IAM roles, every member, including the external ones you allowed, receives those roles. Keep groups that carry privileged roles internal-only and owner-managed.

CLI

  • install gcloud (see https://docs.cloud.google.com/sdk/docs/install-sdk)
  • run gcloud init
  • run gcloud auth login to add a new account
  • run gcloud auth list to see the added accounts; the active one is marked with *
  • to set the active account, run gcloud config set account ACCOUNT
  • to remove an account's credentials, run gcloud auth revoke (the active account) or gcloud auth revoke ACCOUNT

Cloud SDK components

Cloud SDK is a bundle of different components. Some of the important components in Cloud SDK are:

  • gcloud: the main Google Cloud component.
    • gcloud alpha: set of commands used for early testing of new features.
    • gcloud beta: beta release of new commands.
  • bq: the BigQuery command-line component.
  • gsutil: the legacy Cloud Storage tool; new scripts should use gcloud storage instead.
  • core: shared libraries for all the other components.
  • kubectl: used to control Kubernetes clusters (GKE).

You can see the list of components using gcloud components list. Try this command. A table with the list of components will be displayed. At the bottom, there will be a command to install/remove components.

To install or remove components at your current SDK version [504.0.1], run:
  $ gcloud components install COMPONENT_ID
  $ gcloud components remove COMPONENT_ID

To update your SDK installation to the latest version [504.0.1], run:
  $ gcloud components update

Structure of gcloud command

The structure of a gcloud command is as follows:

gcloud + release level (optional) + group + sub-group + operation + positional args + flags

release level

Refers to the command’s release status. Example: alpha for alpha commands, beta for beta commands, no release level needed for commands that are released after beta.

group

Group refers to the Google Cloud service (or gcloud area) the command works on. Example: compute for Compute Engine, app for App Engine, projects for Resource Manager projects, config for gcloud's own settings.

sub-group

Sub-group refers to the plural form of an element or collection of elements under a group. Example: disks, firewall-rules, images, instances, regions, zones under compute. Not every group has a sub-group; gcloud projects list, for example, goes straight from the group to the operation.

operation

Operation refers to the imperative verb form of the operation to be performed on the entity. Example: Common operations are describe, list, create/update, delete/clear, import, export, copy, remove, add, reset, restart, restore, run, and deploy.

positional args

Positional args refer to the required, order-specific arguments needed to execute the command. Example: <INSTANCE_NAMES> is the required positional argument for gcloud compute instances create <INSTANCE_NAMES>.

flags

Flags refer to the additional, named arguments, --flag-name(=value), usually written after the positional args (gcloud accepts them in any position). Example: --machine-type=<MACHINE_TYPE> and --preemptible are optional flags for gcloud compute instances create.
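To make the structure above concrete, here is an added example (my own code, not part of the original post) that splits a gcloud command line into release level, group, sub-group, operation, positional args and flags, and then uses those parts to lint a shell script for invocations a reviewer would want to look at: destructive verbs, IAM policy changes, basic roles and public principals. The verb list is the one given in the text plus the IAM, config and auth verbs this page uses; the risk rules are this example's own convention, not a gcloud feature. Flags are assumed to be written as --name=value, --name value or --[no-]name, and the sample script is constructed for the example.

```python
"""Decompose gcloud invocations into their parts and flag the risky ones.

Added example. Top-level commands such as `gcloud init` have no group and are
not modelled; a boolean flag directly followed by a positional argument would
be mis-read as `--flag value`, so keep flags after the positional args.
"""
import shlex

RELEASE_LEVELS = {"alpha", "beta"}
OPERATIONS = {
    "describe", "list", "create", "update", "delete", "clear", "import", "export",
    "copy", "remove", "add", "reset", "restart", "restore", "run", "deploy",
    # real gcloud verbs used elsewhere on this page
    "get-iam-policy", "set-iam-policy", "add-iam-policy-binding",
    "remove-iam-policy-binding", "set", "unset", "get-value", "login", "revoke",
}
# classification below is this example's own assumption, not gcloud metadata
DESTRUCTIVE = {"delete", "clear", "remove", "reset", "restore", "revoke"}
IAM_CHANGES = {"set-iam-policy", "add-iam-policy-binding", "remove-iam-policy-binding"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC = {"allUsers", "allAuthenticatedUsers"}


def parse_gcloud(cmdline):
    """Return the parts of one gcloud command line as a dict."""
    tokens = shlex.split(cmdline)
    if not tokens or tokens[0] != "gcloud":
        raise ValueError("not a gcloud command line")
    words, flags, i = [], {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, has_eq, value = tok[2:].partition("=")
            if has_eq:
                flags[name] = value                  # --machine-type=e2-small
            elif name.startswith("no-"):
                flags[name[3:]] = False              # --no-user-output-enabled
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                flags[name] = tokens[i + 1]          # --zone us-central1-a
                i += 1
            else:
                flags[name] = True                   # --preemptible
        else:
            words.append(tok)
        i += 1
    release = words.pop(0) if words and words[0] in RELEASE_LEVELS else None
    if not words:
        raise ValueError("missing command group")
    group = words.pop(0)
    # the operation is the first known verb; anything between group and verb is sub-group
    op_index = next((k for k, w in enumerate(words) if w in OPERATIONS), None)
    if op_index is None:
        raise ValueError(f"no known operation verb in {cmdline!r}")
    return {
        "release": release, "group": group, "subgroup": words[:op_index],
        "operation": words[op_index], "positional": words[op_index + 1:],
        "flags": flags,
    }


def risk_findings(parsed):
    """Return human-readable reasons a reviewer should look at this command."""
    out = []
    op, flags = parsed["operation"], parsed["flags"]
    if op in DESTRUCTIVE:
        out.append(f"destructive operation: {op}")
    if op in IAM_CHANGES:
        out.append(f"IAM policy change: {op}")
    if flags.get("role") in BASIC_ROLES:
        out.append(f"basic role granted: {flags['role']}")
    if flags.get("member") in PUBLIC:
        out.append(f"public principal: {flags['member']}")
    if parsed["release"]:
        out.append(f"{parsed['release']} command: interface may change without notice")
    return out


def lint_script(text):
    """Return [(line_number, findings)] for every gcloud line that raised a finding."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith("gcloud"):
            continue
        findings = risk_findings(parse_gcloud(stripped))
        if findings:
            results.append((number, findings))
    return results


# constructed CI script for the example, not taken from any real pipeline
SAMPLE_SCRIPT = """\
# deploy.sh (constructed)
gcloud config set compute/zone us-central1-a
gcloud compute instances create web-1 --machine-type=e2-small --preemptible
gcloud projects add-iam-policy-binding demo-proj --member=user:alice@example.com --role=roles/owner
gcloud alpha compute instances delete web-0 --zone us-central1-a --quiet
"""

if __name__ == "__main__":
    for number, findings in lint_script(SAMPLE_SCRIPT):
        print(f"line {number}: " + "; ".join(findings))
```

Running it on the constructed script reports line 4 (an IAM change that grants the basic Owner role to an individual user) and line 5 (an alpha command performing a delete); the other two lines pass. The same split is what lets you grep a command history for, say, every set-iam-policy ever run against production.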

Using command documentation

In case you forget a command or its structure, you can access the documentation within the terminal itself: the --help option can be used with any gcloud command or group. Try gcloud projects --help. This lists all the documentation for the projects group.

List and Set Regions/Zones

  • To list regions
    gcloud compute regions list
  • To list zones
    gcloud compute zones list
  • To set the default region
    gcloud config set compute/region REGION_NAME
  • To set the default zone
    gcloud config set compute/zone ZONE_NAME
  • To list the current config
    gcloud config list
    # or for a specific item
    gcloud config get-value compute/region
    gcloud config get-value compute/zone
  • These values live in the active gcloud configuration. When you work with more than one account or project, keep one named configuration per context (gcloud config configurations create NAME, gcloud config configurations activate NAME) so a command is never run against the wrong project by accident.

Organization Policies

  • enforce governance rules on resources
  • centralized control at organization, folder, or project level
  • policies are inherited down the hierarchy
  • a lower-level resource can override the inherited policy (merge with it or replace it entirely), so the policy that matters is the effective policy at the resource; whoever holds the Organization Policy Administrator role at a folder or project can loosen what the organization set, which is why that role should be held at the top and granted sparingly
  • policy violations can be monitored
  • settings are enforced through constraints

Constraint Types

  • boolean constraints for on/off settings
  • list constraints that allow or deny specific values
  • custom constraints written against a resource's fields, for cases the predefined constraints do not cover
  • the Organization Policy Administrator role (roles/orgpolicy.policyAdmin) is required to manage them

Use Cases

  • standardize machine types
  • enforce network security
  • mandate encryption
  • restrict resource locations
  • limit API access
  • impose labeling standards

Demo

  • create a Compute Engine VM, leaving the default configuration (it gets an ephemeral external IP)
  • go to IAM & Admin > Organization policies
  • filter on compute. and find compute.vmExternalIpAccess
  • to edit, click Manage policy
  • under Policy source, click Override parent's policy
  • under Policy enforcement, click Replace
  • click Add rule, choose Deny All, and then click Done
  • create another Compute Engine VM using the default configuration
  • compare the external IP between the two VMs: the second VM has none. The constraint is evaluated when a VM is created or modified, so the first VM keeps its external IP; remove it by hand if the policy is meant to cover existing machines too. If some VMs legitimately need an external IP, use an allow list of VM resource names (projects/PROJECT_ID/zones/ZONE/instances/INSTANCE) instead of Deny All.

Managing IAM

Top 5 IAM Roles

  1. Organization Administrator
    • role roles/resourcemanager.organizationAdmin
    • function: administers the organization resource, its IAM policy, folders and projects; billing accounts are not covered and need the billing roles below
  2. Folder Administrator
    • role roles/resourcemanager.folderAdmin
    • function: manages folders within the organization, including their IAM permissions
  3. Project Creator
    • role roles/resourcemanager.projectCreator
    • function: grants permission to create new projects (usually bound at the organization or folder level)
  4. Security Admin
    • role roles/iam.securityAdmin
    • function: gets and sets IAM policies and other security-related configuration; a role that can rewrite policies is itself a privilege-escalation path, so audit its holders
  5. Billing Administrator
    • role roles/billing.admin
    • function: manages billing accounts, budgets, and which projects are linked to them

Top 4 Project-level roles

  • Owner (roles/owner, basic)
  • Editor (roles/editor, basic)
  • Viewer (roles/viewer, basic)
  • Service Account Admin (roles/iam.serviceAccountAdmin, predefined): creates and manages service accounts. Note the related roles Service Account User and Service Account Token Creator: a holder can act as the service account, so binding them at project level hands over the permissions of every service account in the project.

Granting Roles: Best Practices

  • follow the principle of least privilege
  • use groups for easier management; bind roles to groups, not to individuals
  • assign roles at the right level of the hierarchy (a role granted on a folder is inherited by every project under it)
  • prefer predefined roles over the basic (primitive) roles Owner, Editor and Viewer
  • create custom roles when no predefined role fits
  • regularly review and audit IAM policies, including who can impersonate service accounts
  • apply conditional role bindings, e.g. time-limited access, where it makes sense
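The review in the last two bullets can be scripted. The following is an added example (my own code, not from the original post) that takes the JSON printed by gcloud projects get-iam-policy PROJECT --format=json and checks each binding against the practices listed above: basic roles, individual users instead of groups, consumer Google Accounts, public principals, default service accounts, project-wide impersonation roles and conditional bindings. It also classifies principals by the member types from the Members section, using the service account email formats given there. The policy below is constructed for the example; the severities and the set of impersonation roles are this example's own choices.

```python
"""Audit a project IAM policy for the anti-patterns discussed above.

Added example. The input shape is the one `gcloud projects get-iam-policy`
prints as JSON; SAMPLE_POLICY is constructed, not taken from a real project.
"""
import json
from collections import Counter

BASIC_ROLES = {"roles/owner": "high", "roles/editor": "high", "roles/viewer": "low"}
# roles whose holders can act as, or mint credentials for, the service accounts in scope
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}


def classify_principal(member):
    """Map an IAM member string to one of the member types from the Members section."""
    if member in PUBLIC_PRINCIPALS:
        return "public"
    kind, _, ident = member.partition(":")
    if kind == "serviceAccount":
        if ident.endswith(("@developer.gserviceaccount.com", "@appspot.gserviceaccount.com")):
            return "default-service-account"      # Compute Engine / App Engine defaults
        if ident.endswith(".iam.gserviceaccount.com"):
            return "service-account"              # user-managed
        return "google-managed-service-account"   # service agents
    if kind in ("user", "group", "domain", "deleted"):
        return kind
    return "unknown"


def audit_policy(policy):
    """Return a list of findings, each a dict with severity, role, member and issue."""
    findings = []

    def add(severity, role, member, issue):
        findings.append({"severity": severity, "role": role, "member": member, "issue": issue})

    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            kind = classify_principal(member)
            if kind == "public":
                add("critical", role, member, "public principal")
            if role in BASIC_ROLES:
                add(BASIC_ROLES[role], role, member, "basic role; prefer a predefined or custom role")
            if kind == "user":
                add("info", role, member, "individual user bound directly; bind a group instead")
                if member.rsplit("@", 1)[-1].lower() in CONSUMER_DOMAINS:
                    add("medium", role, member, "consumer Google Account outside the organization")
            if kind == "default-service-account" and role in BASIC_ROLES:
                add("medium", role, member, "default service account holds a basic role")
            if role in IMPERSONATION_ROLES:
                add("high", role, member, "project-wide impersonation right over every service account")
            if condition:
                title = condition.get("title", "")
                add("info", role, member, f"conditional binding ({title}): confirm the condition still applies")
    return findings


def audit_json(text):
    """Convenience wrapper for the raw output of `gcloud ... get-iam-policy --format=json`."""
    return audit_policy(json.loads(text))


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


# constructed policy for the example (etag and principals are made up)
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXabc123=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com", "user:bob@gmail.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com", "allAuthenticatedUsers"]},
        {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:carol@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1", "members": ["group:ops@example.com"],
         "condition": {"title": "temporary ops access",
                       "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}},
    ],
}

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"[{f['severity']:8}] {f['role']:45} {f['member']:60} {f['issue']}")
    print(summarize(audit_policy(SAMPLE_POLICY)))
```

On the constructed policy this yields one critical finding (allAuthenticatedUsers as Viewer), four high ones (two Owner bindings, Editor on the default Compute Engine service account, and a user who can mint tokens for every service account), and the rest as medium, low or informational. In practice you would run it over the output of gcloud projects get-iam-policy for each project and feed the result into whatever ticketing or alerting you use for the periodic review.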

Task

  • create a group via the Google Cloud console (IAM & Admin > Groups) instead of via the Cloud Identity admin console

Billing Account

What you should know:

  • a billing account tracks and pays for the costs of GCP resources
  • it is linked to a payments profile, which is either self-serve (online, paid automatically) or invoiced
  • the Billing Account Administrator role (roles/billing.admin) is needed to create and manage billing accounts
  • billing accounts are linked at the project level: each project is attached to one billing account, and a project without one cannot use paid services
  • budget settings:
    • scope: a budget can target the entire billing account, or specific projects, services, or labels
    • budget amount: choose between a fixed value or a dynamic value based on past spending
    • thresholds: the percentages of the budget amount at which an alert fires
    • alert options: the email addresses to notify, or a Pub/Sub topic to trigger an automated response (a budget alert by itself does not stop spending)
  • three ways to monitor budgets: the dashboards, budget reports and the Budget API

Task

  • create a budget from the menu Billing > Budgets and alerts
  • try applying it to Folders & Organizations
  • try applying it to Projects
  • export billing data to BigQuery from the menu Billing > Billing export
Licensed under CC BY-NC-SA 4.0