Cloud IAM

Question 1

What is Cloud IAM?

Answer 1

Identity and access management - allows fine-grained access control to cloud resources with users, roles and privileges

Question 2

What types of roles are there?

Answer 2

1. Primitive
2. Predefined
3. Custom

Question 3

Key points of Cloud IAM roles?

Answer 3

1. a role is a collection of permissions
2. permissions cannot be assigned to users, only roles
3. roles are assigned to users

Question 4

What are primitive roles?

Answer 4

Three types:

1. viewer - read only
2. editor - viewer plus can modify an entity
3. owner - editor plus can manage roles and permissions on an entity and can set up billing for a project

Question 5

What are predefined roles?

Answer 5

1. they provide granular access to GCP resources

2. they are specific to GCP products

Question 6

What are custom roles?

Answer 6

1. Allow cloud admin to create and administer their own roles
2. Created using permissions defined in IAM
3. Some permissions are not available in custom roles

Question 7

Best practices for IAM roles?

Answer 7

1. Assign least privilege - grant smallest set of permissions to allow someone to do their job
2. Separation of duties - user would not be able to perform multiple sensitive operations that together could present a risk

Question 8

How do you see a list of users assigned to a role via shell?

Answer 8

gcloud projects get-iam-policy [PROJECT NAME]

Question 9

How do you see the fine-grained permissions are associated with a role?

Answer 9

gcloud iam roles describe [ROLE ID]

Question 10

How do you assign a role via shell?

Answer 10

gcloud projects add-aim-policy-binding [RESOURCE NAME] –member user:[USER EMAIL] –role [ROLE ID]

Question 11

How to create a custom IAM role via shell?

Answer 11

gcloud iam roles create [ROLE ID] –project [PROJECT ID] –title [ROLE NAME] –description [ROLE DESCRIPTION] –permissions [PERMISSIONS LIST] –state [LAUNCH STATE]

Question 12

What is a Service Account?

Answer 12

An account used to provide identities independent of users. It can be granted roles and is assigned to a VM.

Question 13

What is a scope?

Answer 13

A permission granted to a VM to perform some operation.

Question 14

Key points of scopes?

Answer 14

1. Scopes authorize the access to API methods
2. To configure access controls for a VM you will need to configure both IAM roles and scopes
3. A scope is specified by a URL that starts with https://www.googleapis.com/auth and is followed by permission on a resource. For example: https://www.googleapis.com/auth/bigquery.insertdata
4. An instance can only perform operations allowed by both IAM roles assigned to the service and scopes defined on the instance

Question 15

How do you add scopes to a service account via shell?

Answer 15

gcloud compute instances set-service-account [INSTANCE NAME] [–service account [SERVICE_ACCOUNT_EMAIL] ] | [–noservice-account] [–no-scopes | –scopes [SCOPES,…]]

Question 16

How do you assign a service account to a VM?

Answer 16

gcloud compute instances create [INSTANCE NAME] –service-account [SERVICE ACCOUNT EMAIL]