
Google Cloud’s Identity and Access Management (IAM) service lets us create and manage permissions for Google Cloud resources. Cloud IAM unifies access control for Google Cloud services into a single system and provides a consistent set of operations.
In this lab, we will learn how to use Identity and Access Management (IAM) to grant limited access to employees and external advisors. In addition, we will create a service account for a proof of concept virtual machine, assign it the appropriate permissions, and start a new virtual machine with it.
Objectives
In this lab, we will learn how to perform the following tasks:
- Use Cloud IAM to manage access control
- Grant access to employees and external users
- Create a service account and assign it to a virtual machine
Task 1: Grant access to users
1. In the Cloud Console, on the Navigation menu, click IAM & admin.
The main IAM page displays all members who have access to your Project and their assigned roles. You can filter the table to help you quickly find what you are looking for.
2. Click Filter table and select Type > User.
3. In the action bar, click Add. Type “@qwiklabs.net” and choose any user from the list.

Because the lab environment belongs to the qwiklabs.net domain, you can choose a demo user from our directory. After you register your domain with Google, the members list in your Projects is populated with your own domain users.
4. Click Select a role.
The available roles — Browser, Editor, Owner, and Viewer — are known as primitive roles in Google Cloud. Primitive roles set project-level permissions and, unless otherwise specified, control access and management to all Google Cloud services in your Project.

It is worth considering the security implication of granting a primitive role to a user. Because primitive roles are very broad and provide access to all resources in a Project, it is generally better practice to grant more specific IAM permissions.
5. Click Type to filter, type Compute, select Compute Admin, and click Save.
We granted a new user permissions to manage Compute Engine VMs in our project. The user will not have access to anything else. This follows a security best practice called Least Privilege, which recommends granting the minimal permissions possible to any given user or machine, to limit the attack surface and the potential for accidents.
Task 2: Grant access to an external advisor
Imagine that our company hired an external advisor. Instead of creating a user for the advisor in your domain’s directory, we can use their Gmail Google account.
1. In the Cloud Console, on the Navigation menu, click IAM & admin.
2. In the action bar, click Add.

3. Type a Gmail Google account address; it can be our own or “some.external.company@gmail.com”.
4. Click Select a role, then select Editor and click Save.
5. Now the external user can log in and work on your project.
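The Console clicks in Tasks 1 and 2 have gcloud equivalents. The script below is an added example, not part of the lab: it wraps `gcloud projects add-iam-policy-binding` so that the basic (primitive) roles Owner, Editor and Viewer are refused by default, which turns the Least Privilege advice above into a guardrail, and it audits an exported policy for basic roles and for users outside the organisation's domain (the external advisor granted Editor in Task 2 would show up here). The project id `my-project`, the addresses and the sample policy lines are constructed placeholders; with `DRY_RUN=1` (the default) the gcloud commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not part of the lab): gcloud equivalents of Task 1 and Task 2
# with a guardrail against basic roles, plus an audit of an exported policy.
# Assumptions: "my-project", the member addresses and SAMPLE_POLICY below are
# constructed placeholders; DRY_RUN=1 (the default) prints commands instead of
# running them.
set -u
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Build the member string IAM expects: user:, serviceAccount:, group:, domain:.
member_spec() {
  case "$1" in
    user|serviceAccount|group|domain) printf '%s:%s\n' "$1" "$2" ;;
    *) printf 'unknown member type: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Basic (primitive) roles grant project-wide access to every service; refuse
# them unless the caller explicitly sets ALLOW_BASIC=1.
grant_role() {
  project="$1"; member="$2"; role="$3"
  case "$role" in
    roles/owner|roles/editor|roles/viewer)
      if [ "${ALLOW_BASIC:-0}" != "1" ]; then
        printf 'refusing basic role %s for %s (set ALLOW_BASIC=1 to override)\n' \
          "$role" "$member" >&2
        return 1
      fi ;;
  esac
  run gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role="$role"
}

# Audit "role,member" lines on stdin, the shape produced by
#   gcloud projects get-iam-policy PROJECT --flatten='bindings[].members' \
#     --format='csv[no-heading](bindings.role,bindings.members)'
# $1 is the trusted domain. One finding per line on stdout.
audit_policy() {
  domain="$1"
  awk -F, -v dom="$domain" '
    {
      role = $1; member = $2
      if (role == "roles/owner" || role == "roles/editor" || role == "roles/viewer")
        printf "BASIC_ROLE %s -> %s\n", role, member
      split(member, parts, ":"); acct = parts[2]
      n = split(acct, ap, "@"); mdom = ap[n]
      if (parts[1] == "user" && mdom != dom)
        printf "EXTERNAL_USER %s -> %s\n", role, member
    }'
}

# Constructed sample policy export (placeholder accounts, not real ones).
SAMPLE_POLICY='roles/compute.admin,user:alice@example.com
roles/editor,user:some.external.company@gmail.com
roles/editor,serviceAccount:123456789-compute@developer.gserviceaccount.com
roles/storage.objectViewer,serviceAccount:proof-of-concept-app@my-project.iam.gserviceaccount.com'

# Task 1 as a command, then the audit over the sample policy.
demo() {
  grant_role my-project "$(member_spec user alice@example.com)" roles/compute.admin
  printf '%s\n' "$SAMPLE_POLICY" | audit_policy example.com
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh script.sh demo` to see the printed gcloud command and the three findings from the sample policy (two for the advisor's Editor grant, one for the default Compute Engine service account's Editor role); set `DRY_RUN=0` only when you intend to change the real project.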
Task 3: Create a service account
Service accounts are a special type of Google account that grant permissions to virtual machines instead of end users. Service accounts are primarily used to ensure safe, managed connections to APIs and Google Cloud services.
Creating a service account is similar to adding a member to your Google Cloud Project, but the service account belongs to your applications instead of to an individual end user.
1. On the IAM page, in the left pane, click Service accounts.
You can see the compute@developer.gserviceaccount.com service account that is created with every project.
This account is managed by Google, which means that Google stores both the public and private portion of the key, rotates them regularly, and always holds the private key in escrow, where it is never directly accessible. The service account also has the Project Editor role permissions, which are very broad and do not follow the principle of least privilege.
It is a best practice to create a service account for each application and grant it only the permissions necessary to do its job.
We will create a service account for a proof-of-concept virtual machine. The application reads images from a Cloud Storage bucket, which is an object-based storage service, and presents them to users. Cloud Storage will be covered in detail later in the course.
2. In the action bar, click Create service account.
3. For Service account name, type proof of concept app, and then click Create.

4. To grant the service account permissions, click Select a role.
5. For Type to filter, type Storage view, and then select Storage Object Viewer. This role enables the service account to read objects, such as images, stored in Cloud Storage.
6. Click Continue.

7. Click Done.

Task 4: Create a virtual machine with a custom service account
A Compute Engine virtual machine may run as a service account, and that account can be given permissions to access only the resources it needs. This way the service account is the identity of the service, and the service account’s permissions control which resources the service can access.
Now that we have created a service account for a proof-of-concept application and granted it the appropriate permissions it needs, we can create a virtual machine with that service account.
1. In the Cloud Console, on the Navigation menu, click Compute Engine.
2. Click Create.

For now we will only focus on assigning the right service account to a machine.
3. For Name, type poc-app.
4. For Service Account, select proof of concept app.

5. Click Create.

Any application that runs on this virtual machine will have only read access to storage buckets in this Project, and any actions performed by this machine will be logged as the ‘proof of concept app’ service account.
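Tasks 3 and 4 can also be scripted. The following is an added example and not part of the lab: it creates the service account, binds only Storage Object Viewer at project level, starts the VM as that account, and shows how a process on the VM can ask the metadata server which identity it runs as (no key file is ever downloaded, which is the point of Google-managed keys). One caveat the Console hides: the account ID is derived from the display name there, whereas on the CLI you pick it and it must be 6-30 lowercase letters, digits and hyphens, so the script validates it. The project id `my-project`, the zone and the VM name are placeholders; with `DRY_RUN=1` (the default) the commands are printed, not run.

```shell
#!/bin/sh
# Added example (not part of the lab): gcloud equivalents of Task 3 and Task 4.
# Assumptions: PROJECT, ZONE and the VM name are placeholders; DRY_RUN=1 (the
# default) prints the gcloud commands instead of executing them.
set -u
DRY_RUN="${DRY_RUN:-1}"
PROJECT="${PROJECT:-my-project}"
ZONE="${ZONE:-us-central1-a}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Service account IDs: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter. The Console derives one from the display name; on the
# CLI you choose it yourself.
valid_sa_id() {
  id="$1"
  [ "${#id}" -ge 6 ] && [ "${#id}" -le 30 ] || return 1
  expr "$id" : '[a-z][a-z0-9-]*$' >/dev/null
}

# Email address a service account receives in a project.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Task 3: create the account and grant it only Storage Object Viewer, so the
# app can read images from buckets and nothing else.
create_poc_service_account() {
  sa_id="$1"; display="$2"
  valid_sa_id "$sa_id" || { printf 'invalid service account id: %s\n' "$sa_id" >&2; return 1; }
  run gcloud iam service-accounts create "$sa_id" \
    --project="$PROJECT" --display-name="$display"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$(sa_email "$sa_id" "$PROJECT")" \
    --role=roles/storage.objectViewer
}

# Task 4: start the VM as that account. --scopes caps what the VM's token may
# be used for on top of IAM; storage-ro is gcloud's alias for read-only storage.
create_poc_vm() {
  vm="$1"; sa_id="$2"
  run gcloud compute instances create "$vm" --project="$PROJECT" --zone="$ZONE" \
    --service-account="$(sa_email "$sa_id" "$PROJECT")" --scopes=storage-ro
}

# Run this on the VM itself: the metadata server tells a process which service
# account it runs as, and the same endpoint hands out short-lived tokens, so
# no private key ever has to be stored on the machine.
identity_check() {
  run curl -s -H "Metadata-Flavor: Google" \
    "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email"
}

demo() {
  create_poc_service_account proof-of-concept-app "proof of concept app"
  create_poc_vm poc-app proof-of-concept-app
  identity_check
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

`sh script.sh demo` prints the four commands; after a real run (`DRY_RUN=0`), `identity_check` executed on `poc-app` should print `proof-of-concept-app@my-project.iam.gserviceaccount.com`, and any Cloud Storage reads the VM performs appear in the audit logs under that identity rather than the default Compute Engine account.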