(T-GCPAZURE-B) Module 2 - Getting Started With Google Cloud Platform

Getting Started with Google Cloud discusses resource hierarchy and identity and access management (IAM) in Google Cloud. It notes that:
- Projects are the fundamental billing and identity entities in Google Cloud. They track resource usage and enable billing, permissions, and services.
- Folders group projects under an organization and can contain other folders. They are used to assign shared policies.
- The organization node is the root entity that organizes all projects in Google Cloud.
It compares Google Cloud's project-based billing to Azure's subscription-based billing model.

Getting Started with Google Cloud
Cloud security requires collaboration
● Google is responsible for managing its infrastructure security.
● You are responsible for securing your data.
● Google helps you with best practices, templates, products, and solutions.

Diagram: responsibility by deployment model (On-premises, Infrastructure as a Service, Platform as a Service, Managed services). Layers, top to bottom: Content; Access policies; Usage; Deployment; Web application security; Identity; Operations; Access and authentication; Network security; OS, data, and content; Audit logging; Network; Storage and encryption; Hardware. Each layer is marked as either customer-managed or Google-managed.
Resource hierarchy levels define trust boundaries
● Group your resources according to your organization structure.
● Levels of the hierarchy provide trust boundaries and resource isolation.

Diagram: Org Node (Company) → Folders (Dept X, Dept Y, Shared infra; Team A, Team B; Product 1, Product 2; Test, Prod) → Projects (Cloud Project, Cloud Project) → Resources (VMs, Storage).
All Google Cloud services you use are associated with a project
● Track resource and quota usage
● Enable billing
● Manage permissions and credentials
● Enable services and APIs
Projects have three identifying attributes

Attribute        Uniqueness           Chosen by   Mutability
Project ID       Globally unique      You         Immutable
Project name     Need not be unique   You         Mutable
Project number   Globally unique      Google      Immutable
Folders offer flexible management
● Folders group projects under an organization.
● Folders can contain projects, other folders, or both.
● Use folders to assign policies.

Diagram: example.com → Folder A, Folder B → project_1, project_2, project_3, project_4, project_5.
The organization node organizes projects
● The organization node is the root node for Google Cloud resources.
● Notable organization roles:
○ Organization Policy Administrator: Broad control over all cloud resources
○ Project Creator: Fine-grained control of project creation

Diagram: an Organization Admin ([email protected]) at the example.com organization node; a Project Creator ([email protected]) creates project_1 and project_2.
An example IAM resource hierarchy
● A policy is set on a resource.
○ Each policy contains a set of roles and role members.
● Resources inherit policies from parent.
○ Resource policies are a union of parent and resource.
● A less restrictive parent policy overrides a more restrictive resource policy.

Diagram (Policy Inheritance): Organization example.com → Project bookshelf (three instances) → Resources: Compute Engine (instance_a), App Engine (queue_a), Cloud Storage (bucket_a, bucket_b), Cloud Pub/Sub (topic_a), BigQuery (dataset_a).
Google Cloud and Azure billing have different levels of flexibility

Google Cloud billing by project                        Azure billing by subscription
An organization is created by a contract with          A Management Group is created by a contract with
Google Cloud Sales                                     Microsoft Sales

Google Cloud Organization                              Management Groups
Folders                                                Subscriptions
Projects                                               Resource Groups
Resources                                              Resources
Summary of resource hierarchy differences

                   Google Cloud term                   Azure term
Billing accounts   Many per account                    One per account
Billing roll-up    Projects                            Subscriptions
Policy levels      Account, org, folder, project       Management groups, subscriptions, Resource groups
Admins             Google users or Groups              Global Admin, Billing Admin, User Access Admin
Account admin      Gmail user or G Suite super user    Root user (Global admin)
Google Cloud Identity and Access Management defines who can do what on which resource

IAM policies can apply to any of four types of principals (the "who"):
● Google account or Cloud Identity user: [email protected], [email protected]
● Service account: test@project_id.iam.gserviceaccount.com
● Google group: [email protected]
● Cloud Identity or G Suite domain: example.com
There are three types of IAM roles: Primitive, Predefined, Custom

IAM primitive roles apply across all Google Cloud services in a project (who can do what on all resources)

IAM primitive roles offer fixed, coarse-grained levels of access

Owner                  Editor                   Viewer               Billing administrator
● Invite members       ● Deploy applications    ● Read-only access   ● Manage billing
● Remove members       ● Modify code                                 ● Add and remove administrators
● Delete projects      ● Configure services
● And...               ● And...

A project can have multiple owners, editors, viewers, and billing administrators
IAM predefined roles apply to a particular Google Cloud service in a project (who can do what on Compute Engine resources in this project, or folder, or org)

IAM predefined roles offer more fine-grained permissions on particular services

Example: a Google Group is granted the InstanceAdmin Role on project_a, which includes:
✔ compute.instances.delete
✔ compute.instances.get
✔ compute.instances.list
✔ compute.instances.setMachineType
✔ compute.instances.start
✔ compute.instances.stop
...

IAM custom roles let you define a precise set of permissions

Example: a Google Group is granted a custom InstanceOperator Role on project_a, which includes only:
✔ compute.instances.get
✔ compute.instances.list
✔ compute.instances.start
✔ compute.instances.stop
...
Service Accounts control server-to-server interactions
● Provide an identity for carrying out server-to-server interactions in a project
● Used to authenticate from one service to another
● Used to control privileges used by resources
○ So that applications can perform actions on behalf of authenticated end users
● Identified with an email address:
[email protected]
[email protected]
Service Accounts and IAM
● Service accounts authenticate using keys.
○ Google manages keys for Compute Engine and App Engine.
● You can assign a predefined or custom IAM role to the service account.

Identity          IAM Role             Resource
Service Account   InstanceAdmin Role   Compute Instances

Example: Service Accounts and IAM
● VMs running component_1 are granted Editor access to project_b using Service Account 1.
● VMs running component_2 are granted objectViewer access to bucket_1 using Service Account 2.
● Service account permissions can be changed without recreating VMs.

Diagram: in project_a, component_1 → Service Account 1 → Editor on project_b; component_2 → Service Account 2 → Storage.objectViewer on bucket_1.
Key differences between Google Cloud and Azure for access management

IAM concept                     Google Cloud                                            Azure
Programmatic identity           Cloud IAM service account                               Azure RBAC
User identity                   Managed outside Cloud IAM. Identity federated to        Managed via Active Directory. Identity federated to
                                external identity management system.                    external identity management system.
Policy                          A list of bindings. A binding binds a list of           A list of policies. A policy binds a list of
                                members to a role.                                      members to a role.
Permission collection           Role                                                    Role
Predefined set of permissions   Predefined roles                                        Role definition
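The policy inheritance rules from the IAM resource hierarchy slide (resource policies are a union of parent and resource; a less restrictive parent wins), the service account example, and the "policy is a list of bindings" row above, worked through in one added Python example that is not part of the course material. The hierarchy, bindings, group membership, e-mail addresses and the role-to-permission subsets are all constructed sample data.

```python
# Added illustration of Cloud IAM policy inheritance (not course code).
# A policy is a list of bindings; a binding binds a role to members.  The
# effective policy on a resource is the UNION of its own bindings and every
# ancestor's, so a broad grant at org or folder level cannot be narrowed below.
PARENT = {  # constructed hierarchy: resource -> parent, None at the org root
    "organizations/example.com": None,
    "folders/folder_a": "organizations/example.com",
    "projects/bookshelf": "folders/folder_a",
    "projects/bookshelf/buckets/bucket_a": "projects/bookshelf",
}
POLICIES = {  # constructed policies: one list of bindings per resource
    "organizations/example.com": [
        {"role": "roles/viewer", "members": ["domain:example.com"]}],
    "folders/folder_a": [
        {"role": "roles/editor", "members": ["group:devs@example.com"]}],
    "projects/bookshelf": [{"role": "roles/storage.objectViewer", "members":
        ["serviceAccount:app@bookshelf.iam.gserviceaccount.com"]}],
    # Stricter bucket policy (viewer only): it cannot take away the editor
    # role the group inherits from folder_a, only add to it.
    "projects/bookshelf/buckets/bucket_a": [
        {"role": "roles/viewer", "members": ["group:devs@example.com"]}],
}
GROUPS = {"group:devs@example.com": {"user:alice@example.com"}}  # constructed
ROLE_PERMS = {  # illustrative subset; real roles carry many more permissions
    "roles/viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/editor": {"compute.instances.get", "compute.instances.list",
                     "compute.instances.start", "compute.instances.stop"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

def member_matches(member, principal):
    """True if a binding member (user:, serviceAccount:, group:, domain:) covers principal."""
    if member == principal:
        return True
    if member.startswith("domain:"):  # a domain member covers every user in that domain
        return principal.startswith("user:") and principal.endswith("@" + member[7:])
    return principal in GROUPS.get(member, set())

def effective_roles(resource, principal):
    """Union of the roles bound to principal on resource and on each of its ancestors."""
    roles, node = set(), resource
    while node is not None:
        for binding in POLICIES.get(node, []):
            if any(member_matches(m, principal) for m in binding["members"]):
                roles.add(binding["role"])
        node = PARENT[node]
    return roles

def has_permission(resource, principal, permission):  # who can do what on which resource
    return any(permission in ROLE_PERMS[r] for r in effective_roles(resource, principal))
```

Running `effective_roles("projects/bookshelf/buckets/bucket_a", "user:alice@example.com")` returns both `roles/viewer` and `roles/editor`: the bucket's own viewer-only binding never removes the editor grant inherited from the folder, which is exactly why over-broad grants high in the hierarchy are the first thing to audit.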
There are four ways to interact with Google Cloud
● Cloud Platform Console: Web user interface
● Cloud Shell and Cloud SDK: Command-line interface
● Cloud Console Mobile App: For iOS and Android
● REST-based API: For custom applications
Google Cloud Console
● Web-based administrative user interface
● Manage and create projects
● Access to Google Cloud APIs
● Offers access to Cloud Shell
○ A temporary virtual machine with Google Cloud SDK preinstalled

Google Cloud SDK
● Includes command-line tools for Cloud Platform products and services
○ gcloud, gsutil (Cloud Storage), bq (BigQuery)
● Available via Cloud Shell
● Available as Docker image
RESTful APIs
● Programmatic access to products and services
○ Typically use JSON as an interchange format
○ Use OAuth 2.0 for authentication and authorization
● Enabled through the Google Cloud Console
● Most APIs include daily quotas and rates (limits) that can be raised by request
○ Important to plan ahead to manage your required capacity
● Experiment with APIs Explorer
Use APIs Explorer to help you write your code
● The APIs Explorer is an interactive tool that lets you easily try Google APIs using a browser.
● With the APIs Explorer, you can:
○ Browse quickly through available APIs and versions.
○ See methods available for each API and what parameters they support, along with inline documentation.
○ Execute requests for any method and see responses in real time.
○ Easily make authenticated and authorized API calls.

Use client libraries to control GCP resources from within your code
● Cloud Client Libraries
○ Community-owned, hand-crafted client libraries
● Google API Client Libraries
○ Open source, generated
○ Support various languages
■ Java, Python, JavaScript, PHP, .NET, Go, Node.js, Ruby, Objective-C, Dart
Cloud Console Mobile App
● Manage virtual machines and database instances
● Manage apps in Google App Engine
● Manage your billing
● Visualize your projects with a customizable dashboard
Cloud Marketplace gives quick access to solutions
● A solution marketplace containing pre-packaged, ready-to-deploy solutions
○ Some offered by Google
○ Others by third-party vendors
● You pay for the underlying Google Cloud resource usage.
○ Some solutions also assess third-party license fees.
Lab: Deploy a virtual development environment using Cloud Marketplace.

Lab Objectives
● Deploy a Wordpress instance to Compute Engine using Cloud Marketplace.
● Verify the deployment.