0_GCP Fundamentals

Question 1

Resource Hierarchy

• Resource Hierarchy levels define trust boundaries
• Group your resources according to your organization structure
• Levels of the hierarchy provide trust boundaries and resource isolation

Question 2

Projects

• All GCP services you use are associated with a project
• Track resource and quota usage
• Managed permissions and credentials
• Enable services and APIs

Question 3

Folders

• Folders offer flexible management
• Folders group projects under an organization
• Folders can contain projects, other folders or both
• Use folders to assigne policies

Question 4

Organization node

Question 5

Example IAM resource hierarchy

• A policy is set on a resource.
  
  • Each policy contains a set of roles and role members.
• Resources inherit policies from parent.
  
  • Resource policies are a union of parent and resource.
• A less restrictive parent policy overrides a more restrictive resource policy.
  
  • The more generous policy is the one that takes effect.

Question 6

IAM principals

Question 7

IAM Roles

3 types of IAM roles:

• Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of IAM (formerly called primitives roles).
• Predefined roles, which provide granular access for a specific service and are managed by Google Cloud.
• Custom roles, which provide granular access according to a user-specified list of permissions.

Question 8

IAM Basic Roles

• There are several basic roles that existed prior to the introduction of IAM:
  
  • Viewer: Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
  • Editor: All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
  • Owner: All editor permissions and permissions for the following actions:
    
    • Manage roles and permissions for a project and all resources within the project.
    • Set up billing for a project.
• Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.
• You can apply basic roles at the project or service resource levels

Question 9

IAM Predefined Roles

• IAM predefined roles apply to a particular GCP service in a project.
  
  • Example: BigQuery Admin, Data Editor, Data Owner, Data Viewer, User
• Offer more fine grained permissions on particular services than Basic roles.
• GCP services offer their own sets of predefined roles and they define where those roles can be applied.
• It is best practice to use predefined roles over custom roles with associated policies when they match your requirements.

Question 10

IAM Custom Roles

• IAM Custom Roles let you define a custom set of permissions.
• Can only be use at project or organization level (cannot be used at a folder level).

Question 11

Service Accounts

• Service accounts control server-to-server interactions
• Provide an identity for carrying out server-to-server interactions in a project
• Used to authenticate from one service to another
• Used to control privileges used by resources
  
  • So that applications can perform actions on behalf of authenticated end users
• Identified with an email address:
  
  • PROJECT_NUMBER-computer@developer.gserviceaccount.com
  • PROJECT_ID@appshot.gserviceaccount.com
• Service accounts authenticate using keys.
  
  • Google manages keys for Compute Engine and App Engine.
• You can assign a predefined or custom IAM role to the service account

Question 12

Service Account Example

• VMs running component_1 are granted Editor access to project_b using Service Account 1.
• VMs running component_2 are granted objectViewer access to bucket_1 using Service Account 2.
• Service account permissions can be changed without recreating VMs.

Question 13

Anthos

• Anthos is Google’s modern solution for hybrid and multi-cloud systems and services management.
• Kubernetes and GKE On-Prem create the foundation.
  
  • GKE On-Prem is turn-key production-grade Kubernetes.
• On-premises and Cloud environments stay in sync.
  
  • Service Meshes make apps more secure & observable.
  • Stackdriver Logging and Monitoring watches all sides.
  • Configuration Manager is the single source of truth.
• A rich set of tools is provided for:
  
  • Managing services on-premises and in the Cloud.
  • Monitoring systems and services.
  • Migrating applications from VMs into your clusters.
  • Maintaining consistent policies across all clusters, whether on-premises or in the Cloud.

cloud.google.com/anthos

Question 14

Strackdriver

Stackdriver offers capabilities in six areas:

• Monitoring
  
  • Platform, system and application metrics
  • Uptime/health checks
  • Dashboards and alerts
• Logging
  
  • Platform, system and application logs
  • Log search, view filter and export
  • Log-based metrics
  • Stackdriver Logging agent requires the fluentd plugin to be configured to read logs
• Trace
  
  • Latency reporting and sampling
  • Per-URL latency and statistics
• Error Reporting
  
  • Error notifications
  • Error dashboard
• Debugger
  
  • Debug applications
• Profiler
  
  • Continuous profiling of CPU and memory consumption

Question 15

Encryption of VM disks and Cloud Storage buckets