M2 _ T-GCPFCI-B _ Core Infrastructure v5.1.0 _ ILT

Proprietary + Confidential

02 Resources and Access in the Cloud

Resources and Access in the Cloud

01 Google Cloud resource hierarchy

02 Identity and Access Management (IAM)

03 IAM roles

04 Service accounts

05 Cloud Identity

06 Interacting with Google Cloud



Resources are hierarchical

From the top down: Organization node, then Folders, then Projects, then Resources

Resource hierarchy determines policies

A policy set on the Organization node is inherited by every folder, project and resource beneath it. Policies set lower down (on folders, projects or individual resources) are added to what is inherited, so a resource's effective allow policy is the union of its own policy and the policies of all of its ancestors. A grant inherited from above cannot be removed at a lower level; it can only be withdrawn where it was set, or blocked with a deny policy.

Projects are the basis for using Cloud services

01 Projects are separate entities under the Organization node
02 Projects hold resources, each of which belongs to just one Project
03 Projects can have different owners and users
04 Projects are billed separately

Project attributes vary in uniqueness and immutability

Project ID: globally unique; chosen by you; immutable after creation
Project name: need not be unique; chosen by you; mutable
Project number: globally unique; assigned by Google Cloud; immutable

Resource Manager manages projects

The Resource Manager tool lets you:
gather a list of projects
create new projects
update existing projects
delete projects
recover previously deleted projects

Access through RPC API and REST API

Folders can contain subfolders and projects

The resources inherit policies and permissions assigned to folders

Folders group projects

Folders allow you to group resources on a per-department basis

Folders facilitate policy inheritance

The projects inherit policies assigned to a folder

Organization node is the topmost resource

Everything attached to the account goes under the organization node

Special roles are associated with the Organization Node

Organization policy administrator: controls the organization policy constraints that apply across the hierarchy (IAM role roles/orgpolicy.policyAdmin)
Project creator: controls who may create projects under the organization (IAM role roles/resourcemanager.projectCreator)

Google Workspace customer: Google Cloud projects will automatically belong to your organization node

Non-Google Workspace customer: use Cloud Identity to create a new organization node

02 Identity and Access Management (IAM)

Identity and Access Management applies policies

Administrators can apply policies that define who (the principal) can do what (the role) on which resources

Policies are managed and applied by IAM

Policy inheritance flows from the Organization, to the Project, to the resources in it:
Compute Engine: instance_a
App Engine: queue_a
Cloud Storage: bucket_a, bucket_b
Pub/Sub: topic_a
BigQuery: dataset_a

Deny policies prevent specific IAM permissions

A deny policy overrides any existing allow policy regardless of the IAM role granted. IAM checks deny policies before allow policies, so a permission that is denied stays denied even if a role bound at the same level, or inherited from an ancestor, grants it. Deny policies are attached to organizations, folders and projects and are inherited down the hierarchy just as allow policies are.
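The inheritance and deny-precedence rules described above (the resource hierarchy slides, folder inheritance, and this deny-policy slide) worked through as an added example that is not part of the original slides: a toy Python model of how IAM evaluates a request. The organization, folder, project, principals, group membership and the abbreviated storage role are constructed; only the instanceAdmin and instanceOperator permission lists come from the deck. Real deny policies also spell principals in their own `principal://` form; the model keeps the allow-policy spellings for principals and only converts permissions to the v2 `service.googleapis.com/resource.verb` form that deny policies require.

```python
"""Toy model of IAM allow-policy inheritance and deny-policy precedence.

Added example, not Google code. Hierarchy, principals, bindings and the
abbreviated storage role are constructed; only the instanceAdmin and
instanceOperator permission lists come from the slides.
"""
from dataclasses import dataclass

# Role -> permissions (v1 spelling). Real roles carry many more permissions.
ROLES = {
    "roles/compute.instanceAdmin": {
        "compute.instances.delete", "compute.instances.get",
        "compute.instances.list", "compute.instances.setMachineType",
        "compute.instances.start", "compute.instances.stop",
    },
    "projects/demo-proj/roles/instanceOperator": {       # custom role
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}

# Resource hierarchy as child -> parent; the organization node has no parent.
PARENT = {
    "folders/eng": "organizations/123456",
    "projects/demo-proj": "folders/eng",
    "compute/instance_a": "projects/demo-proj",
    "storage/bucket_a": "projects/demo-proj",
}

# Cloud Identity group membership (constructed).
GROUPS = {"group:sre@example.com": {"user:alice@example.com", "user:carol@example.com"}}


@dataclass(frozen=True)
class Binding:
    role: str
    members: frozenset


@dataclass(frozen=True)
class DenyRule:
    denied_principals: frozenset
    denied_permissions: frozenset      # v2 spelling, as deny policies use
    exception_principals: frozenset = frozenset()


ALLOW_POLICIES = {
    "organizations/123456": [
        Binding("roles/storage.objectViewer", frozenset({"group:sre@example.com"}))],
    "folders/eng": [
        Binding("roles/compute.instanceAdmin", frozenset({"user:carol@example.com"}))],
    "projects/demo-proj": [
        Binding("roles/compute.instanceAdmin", frozenset({"user:alice@example.com"})),
        Binding("projects/demo-proj/roles/instanceOperator",
                frozenset({"user:bob@example.com"}))],
}

# Deny policies attach to organizations, folders and projects and are inherited.
DENY_POLICIES = {
    "folders/eng": [DenyRule(
        denied_principals=frozenset({"group:sre@example.com"}),
        denied_permissions=frozenset({"compute.googleapis.com/instances.delete"}),
        exception_principals=frozenset({"user:carol@example.com"}))],
}


def ancestors(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    node = resource
    while node is not None:
        yield node
        node = PARENT.get(node)


def identities(member):
    """Identities a member is matched against: itself plus every group it is in."""
    return {member} | {g for g, ms in GROUPS.items() if member in ms}


def to_v2(permission):
    """'compute.instances.delete' -> 'compute.googleapis.com/instances.delete'."""
    service, rest = permission.split(".", 1)
    return f"{service}.googleapis.com/{rest}"


def allowed_permissions(member, resource):
    """Union of permissions granted on the resource and on all its ancestors."""
    ids, perms = identities(member), set()
    for node in ancestors(resource):
        for b in ALLOW_POLICIES.get(node, []):
            if ids & b.members:
                perms |= ROLES.get(b.role, set())
    return perms


def is_denied(member, permission, resource):
    """True if any deny rule on the resource's ancestry names principal and permission."""
    ids, v2 = identities(member), to_v2(permission)
    for node in ancestors(resource):
        for rule in DENY_POLICIES.get(node, []):
            if (v2 in rule.denied_permissions and ids & rule.denied_principals
                    and not ids & rule.exception_principals):
                return True
    return False


def check(member, permission, resource):
    """Deny is evaluated first; with no grant at all the answer is no access."""
    if is_denied(member, permission, resource):
        return "DENY"
    if permission in allowed_permissions(member, resource):
        return "ALLOW"
    return "NO_GRANT"


if __name__ == "__main__":
    for who in ("user:alice@example.com", "user:bob@example.com", "user:carol@example.com"):
        print(who, "delete instance_a:", check(who, "compute.instances.delete", "compute/instance_a"),
              "| read bucket_a:", check(who, "storage.objects.get", "storage/bucket_a"))
```

Alice holds instanceAdmin on the project, yet her delete is denied by the folder-level deny rule that names her group; Carol, listed as an exception principal, keeps the delete she inherits from the folder binding; Bob's custom role simply never granted delete. The bucket read shows the other direction of inheritance: the group binding at the organization reaches a bucket three levels down.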

03 IAM roles

There are three kinds of IAM roles

Basic IAM role, Predefined IAM role, Custom IAM role

Basic IAM roles are broad in scope

Basic roles such as Owner, Editor and Viewer apply across every service and every resource in the project, so they grant far more than most principals need.

Predefined roles match job needs

The predefined IAM role instanceAdmin (Compute Engine) grants a fixed set of permissions, here applied to instance_a and instance_b:
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.setMachineType
compute.instances.start
compute.instances.stop

Custom roles are more specific and flexible

The custom IAM role instanceOperator grants only the permissions you list, here applied to instance_a and instance_b:
compute.instances.get
compute.instances.list
compute.instances.start
compute.instances.stop

Compared with instanceAdmin, the operator can start and stop instances but cannot delete them or change their machine type.

Custom roles are created at the project or organization level using IAM

Permissions need to be managed: a custom role's permission list is maintained by you, and it does not change when a service adds, renames or deprecates permissions the way a predefined role does.

Can be applied to project or organization level: a custom role can be granted only within the project or organization in which it was created; custom roles cannot be created on folders.
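A least-privilege check for the predefined-versus-custom comparison above, as an added example that is not part of the original slides: given the permissions a job actually needs, which predefined role covers them and what does it over-grant, and what does the exact custom role look like? The instanceAdmin permission list is from the slides; `roles/compute.viewer` is abbreviated here and the operator's requirement set is constructed. The role file shape (`title`, `description`, `stage`, `includedPermissions`) and the `gcloud iam roles create` flags are the real ones.

```python
"""Least-privilege check: predefined role over-grant versus an exact custom role.

Added example, not Google code. instanceAdmin permissions are from the slides;
roles/compute.viewer is abbreviated and the requirement set is constructed.
"""
import json

PREDEFINED = {
    "roles/compute.instanceAdmin": {
        "compute.instances.delete", "compute.instances.get",
        "compute.instances.list", "compute.instances.setMachineType",
        "compute.instances.start", "compute.instances.stop",
    },
    "roles/compute.viewer": {"compute.instances.get", "compute.instances.list"},
}

# Stand-in for the authoritative list, which on a real project comes from
# `gcloud iam list-testable-permissions //cloudresourcemanager.googleapis.com/projects/PROJECT_ID`.
KNOWN_PERMISSIONS = set().union(*PREDEFINED.values())


def best_predefined(required):
    """Smallest predefined role covering every required permission, together
    with the permissions it grants beyond them (the over-privilege).
    Returns None if no predefined role covers the requirement."""
    required = set(required)
    fits = [(len(perms - required), name)
            for name, perms in PREDEFINED.items() if required <= perms]
    if not fits:
        return None
    _, name = min(fits)
    return name, PREDEFINED[name] - required


def custom_role_spec(title, required, description=""):
    """Role definition in the shape `gcloud iam roles create --file` accepts
    (YAML, of which JSON is a subset). Unknown permissions are rejected up
    front, as the IAM API would reject them."""
    unknown = set(required) - KNOWN_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    return {
        "title": title,
        "description": description,
        "stage": "GA",
        "includedPermissions": sorted(required),
    }


def gcloud_create_command(role_id, project, spec):
    """Equivalent one-liner using --permissions instead of a role file."""
    perms = ",".join(spec["includedPermissions"])
    return (f"gcloud iam roles create {role_id} --project={project} "
            f"--title={json.dumps(spec['title'])} --stage={spec['stage']} "
            f"--permissions={perms}")


if __name__ == "__main__":
    operator_needs = {"compute.instances.get", "compute.instances.list",
                      "compute.instances.start", "compute.instances.stop"}
    role, excess = best_predefined(operator_needs)
    print(f"closest predefined role: {role}; over-grants {sorted(excess)}")
    spec = custom_role_spec("Instance Operator", operator_needs,
                            "Start/stop instances without delete or resize")
    print(json.dumps(spec, indent=2))
    print(gcloud_create_command("instanceOperator", "demo-proj", spec))
```

For the operator's four permissions the closest predefined role is instanceAdmin, which over-grants delete and setMachineType; the custom role removes exactly those two. Because the permission list is now yours to maintain, re-run this kind of check against the current testable-permissions list whenever the role is revisited.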

04 Service accounts

Service accounts are assigned roles

Example: a virtual machine that needs to read from Cloud Storage. Create a service account, grant it a role on the bucket, and attach it to the VM; the VM then authenticates to Cloud Storage as the service account instead of with a human user's credentials.

Service accounts are identified with email addresses

A service account's identifier is an email address of the form NAME@PROJECT_ID.iam.gserviceaccount.com. In the slide example the service account holds the Compute Engine Instance Admin role, so anything running as it can perform that role's actions on Compute Engine instances.

Service accounts are also managed by IAM

A service account is both an identity and a resource: its own IAM policy controls who may administer it. In the slide example Alice, with the Editor role, can modify the service account, while Bob, with the Viewer role, can only view it.
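How the VM in the scenario above actually authenticates to Cloud Storage as its attached service account, as an added example that is not part of the original slides: a Compute Engine VM asks the metadata server for a short-lived access token for the attached account, then presents it as a bearer token to the Cloud Storage API; no key file is involved, and IAM decides whether the account's role permits the call. The metadata-server URL and header and the Cloud Storage JSON API endpoint are the real ones; the token response, bucket name and account names are constructed, and the email-format checks approximate the documented length rules.

```python
"""VM authentication as an attached service account, without key files.

Added example, not Google code. The token response, bucket and account
names are constructed; the metadata URL/header and the Cloud Storage JSON
API endpoint are real.
"""
import json
import re
import urllib.request

# A VM fetches tokens for its attached service account from the metadata
# server; the Metadata-Flavor header is mandatory or the server refuses.
METADATA_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

# User-managed accounts live in your project; the Compute Engine default
# account is Google-managed. Lengths approximate the documented limits
# (6-30 lowercase chars, leading letter).
USER_MANAGED_RE = re.compile(
    r"^[a-z][-a-z0-9]{5,29}@[a-z][-a-z0-9]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$")
COMPUTE_DEFAULT_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")


def classify_service_account(email):
    """'user-managed', 'compute-default', or None for anything else."""
    if USER_MANAGED_RE.match(email):
        return "user-managed"
    if COMPUTE_DEFAULT_RE.match(email):
        return "compute-default"
    return None


def metadata_token_request():
    return urllib.request.Request(METADATA_TOKEN_URL, headers=METADATA_HEADERS)


def parse_token(body):
    """Extract the bearer token and its remaining lifetime in seconds."""
    data = json.loads(body)
    missing = {"access_token", "expires_in", "token_type"} - set(data)
    if missing or data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token response (missing {sorted(missing)})")
    return data["access_token"], int(data["expires_in"])


def fetch_token(timeout=2.0):
    """Succeeds only on a Compute Engine VM; elsewhere the name does not resolve."""
    try:
        with urllib.request.urlopen(metadata_token_request(), timeout=timeout) as r:
            return parse_token(r.read())
    except (OSError, ValueError):
        return None


def storage_list_request(bucket, token):
    """Cloud Storage JSON API object listing, authorized with the VM's token.
    Whether the service account may list this bucket is decided by IAM."""
    url = f"https://storage.googleapis.com/storage/v1/b/{bucket}/o"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


# Constructed sample of what the metadata server returns.
SAMPLE_TOKEN_RESPONSE = (b'{"access_token":"ya29.constructed-example",'
                         b'"expires_in":3599,"token_type":"Bearer"}')

if __name__ == "__main__":
    token, ttl = fetch_token() or parse_token(SAMPLE_TOKEN_RESPONSE)
    req = storage_list_request("bucket_a", token)
    print(req.full_url, dict(req.header_items()), f"token valid for {ttl}s")
```

The surrounding steps are the usual gcloud ones: `gcloud iam service-accounts create` for the account, a bucket-level binding such as `gcloud storage buckets add-iam-policy-binding gs://BUCKET --member=serviceAccount:EMAIL --role=roles/storage.objectViewer`, and `--service-account=EMAIL` when creating the VM. Prefer a user-managed account scoped to the one bucket role over the project's default Compute Engine account, so the VM's reach is exactly what the binding says.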

05 Cloud Identity

Cloud Identity manages team and organization access

The slide diagram shows individual Gmail accounts, organized via Google Groups, being used to reach the Google Cloud console. Cloud Identity replaces that ad hoc arrangement with identities the organization itself owns and administers.

Cloud Identity defines user and group policies

With Cloud Identity, organizations can define policies and manage their users and groups using the Google Admin console

Cloud Identity:

Log in and manage resources using the same credentials used in existing Active Directory or LDAP systems

Google Admin console can be used to disable user accounts and remove them from groups when they leave. Disabling the account stops it signing in; any IAM bindings that still name it remain in policies until they are removed.

Available in free and premium editions

Already available to Google Workspace customers in the Google Admin console

06 Interacting with Google Cloud

You can interact with Google Cloud in four ways

01 Google Cloud console
02 Cloud SDK and Cloud Shell
03 APIs
04 Google Cloud App

Google Cloud console provides web-based interaction

Simple web-based graphical user interface

Easily find resources, check their health, have full management control over them, and set budgets

Provides a search facility to quickly find resources and connect to instances via SSH in the browser

Cloud SDK is a collection of command line tools

Set of tools to manage resources and applications hosted on Google Cloud

Includes:
Google Cloud CLI (gcloud): provides the main command-line interface for Google Cloud products and services
bq: a command-line tool for BigQuery

Cloud Shell provides command line access to resources

Provides command-line access to cloud resources directly from a browser

Debian-based virtual machine with a persistent 5-GB home directory

The Cloud SDK gcloud command and other utilities are always installed, available, up to date, and fully authenticated as the user signed in to the console

APIs allow code to control your Cloud resources

Google Cloud services offer APIs that allow code to be written to control them; API calls are authorized by the same IAM policies that govern console and gcloud actions

The Google APIs Explorer shows what APIs are available, and in what versions

Google provides Cloud Client and Google API Client libraries

Languages currently represented: Java, Python, PHP, C#, Go, Node.js, Ruby and C++

Manage your resources with the Google Cloud App

Start, stop, and use SSH to connect into Compute Engine instances, and see logs

Stop and start Cloud SQL instances

Administer applications deployed on App Engine

Up-to-date billing information for projects and alerts for those going over budget

Customizable graphs showing key metrics

Alerts and incident management

cloud.google.com/app