
GCP #1: Preparation

learning GCP: Prepare account, resource, IAM, etc

Create Account

There are three ways to use GCP

  1. using a free @gmail address, but then you cannot create an organization,
  2. using Google Workspace, but it costs $6 per user plus a domain name,
  3. using Cloud Identity, which is free; you only need to prepare a domain name.

read this documentation, https://docs.cloud.google.com/identity/docs/how-to/set-up-cloud-identity-admin, for more information.

Create User

  • go to cloud identity, https://admin.google.com, click Directory > Users
  • on the Users page, click Add new user
  • input the necessary fields, e.g. First name, Last name, and Primary email address

Create Group

  • go to cloud identity and click Directory > Groups
  • on the Groups page, click Create group
  • input the necessary fields, and click Next
  • on the next page, set Access type to Team, choose Only invited users for who can join the group, and turn on Allow members outside your organization.

Using CLI

  • install gcloud (see https://docs.cloud.google.com/sdk/docs/install-sdk)
  • run gcloud init
  • run gcloud auth login to add a new account
  • run gcloud auth list to see the list of added accounts
  • to set the active account, run gcloud config set account ACCOUNT
  • to remove an account, run gcloud auth revoke (optionally followed by the account to revoke; without an argument it revokes the active account)

Cloud SDK components

Cloud SDK is a bundle of different components. Some of the important components in Cloud SDK are:

  • gcloud: The main Google Cloud component.
    • gcloud alpha: Set of commands used for early testing of new features.
    • gcloud beta: Beta release of new commands.
  • bq: The BigQuery command-line component.
  • gsutil: Used for Cloud Storage operations.
  • core: Shared libraries for all the other components.
  • kubectl: Used to control Kubernetes clusters.

You can see the list of components using gcloud components list. Try this command. A table with the list of components will be displayed. At the bottom, there will be a command to install/remove components.

  To install or remove components at your current SDK version [504.0.1], run:
    $ gcloud components install COMPONENT_ID
    $ gcloud components remove COMPONENT_ID

  To update your SDK installation to the latest version [504.0.1], run:
    $ gcloud components update

Structure of gcloud command

The structure of the gcloud command is as follows:

  gcloud + release level (optional) + group + sub-group + operation + positional args + flags

release level

Refers to the command’s release status. Example: alpha for alpha commands, beta for beta commands; no release level is needed for commands that are generally available (released after beta).

group

Group refers to the different Google Cloud services. Example: compute for Compute Engine, app for App Engine, etc.

sub-group

Sub-group refers to the plural form of an element or collection of elements under a group. Example: disks, firewalls, images, instances, regions, zones for compute. Not every group has a sub-group; projects, for example, has none.

operation

Operation refers to the imperative verb form of the operation to be performed on the entity. Example: Common operations are describe, list, create/update, delete/clear, import, export, copy, remove, add, reset, restart, restore, run, and deploy.

positional args

Positional args refer to the required, order-specific arguments needed to execute the command. Example: <INSTANCE_NAMES> is the required positional argument for gcloud compute instances create <INSTANCE_NAMES>.

flags

Flags refer to the additional arguments, --flag-name(=value), passed to the command after the positional args. Example: --machine-type=<MACHINE_TYPE> and --preemptible are optional flags for gcloud compute instances create.

Using command documentation

In case you forget a command or its structure, you can access the documentation from the terminal itself: the --help option can be used with any gcloud command. Try gcloud projects --help. This prints the documentation for the projects command group.

Organization Policies

  • enforces governance rules on resources
  • centralized control at the organization, folder, or project level
  • policies are inherited down the hierarchy
  • lower-level resources can enforce stricter rules but cannot weaken inherited policies
  • monitors policy violations
  • uses constraints to enforce settings

Constraints Type

  • boolean for on/off constraints
  • list type to allow or deny specific values
  • organization policy administrator role required

Use Cases

  • standardize machine types
  • enforce network security
  • mandate encryption
  • restrict resource locations
  • limit API access
  • impose labeling standards

Demo

  • create a Compute Engine VM, keeping the default configuration
  • go to IAM & Admin > Organization policies
  • filter by compute. and find compute.vmExternalIpAccess
  • to edit it, click Manage policy
  • then, under Policy source, select Override parent's policy
  • under Policy enforcement, click Replace
  • click Add rule, choose Deny All, and then click Done
  • create another Compute Engine VM using the default configuration
  • compare the external IP of the two VMs: the first one has an external IP, the second one (created after the Deny All rule) does not.

Managing IAM

Top 5 IAM Roles

  1. Organization Administrator
    • label resourcemanager.organizationAdmin
    • function: full control over the organization, including policies, billing, and IAM
  2. Folder Administrator
    • label resourcemanager.folderAdmin
    • function: manages folders within the organization, including IAM permissions
  3. Project Creator
    • label resourcemanager.projectCreator
    • function: grants permission to create new projects
  4. Security Admin
    • label iam.securityAdmin
    • function: controls IAM policies and security-related configuration
  5. Billing Administrator
    • label billing.admin
    • function: manages billing accounts, budgets, and expenditures

Top 4 Project-level roles

  • Owner
  • Editor
  • Viewer
  • Service Account Admin

Granting Roles Best Principles

  • Follow the principle of least privilege
  • use IAM groups for easier management
  • assign roles at the right level
  • use predefined roles over primitive roles
  • create custom roles when necessary
  • regularly review and audit IAM policies
  • apply conditional role bindings

Task

  • create a group via the Google Cloud console instead of via Cloud Identity

Billing Account

What should you know:

  • track and manage costs of GCP resources
  • linked to a payment profile, which is either self-serve (automatic) or invoiced
  • the Billing Account Administrator role is needed to create and manage billing accounts
  • billing accounts are linked at the project level
  • Budget Settings:
    • Scope: budgets can target the entire billing account, or specific projects, services, or labels
    • budget amount: choose between a fixed value or dynamic value based on past spending
    • threshold: identify the percentage of the budget amount to trigger the alert
    • alert options: specify email addresses to alert or pub/sub to automate a response
  • three ways to monitor budgets: dashboards, budget reports and the Budget API

Task

  • create a budget from the menu Billing > Budgets & alerts
  • try applying it to Folders & Organizations
  • try applying it to Projects
  • export billing data to BigQuery from the menu Billing > Billing export

Licensed under CC BY-NC-SA 4.0