Cloud IAM Flashcards

1
Q

What is Cloud IAM?

A

Identity and access management - allows fine-grained access control to cloud resources with users, roles and privileges

2
Q

What types of roles are there?

A
  1. Primitive
  2. Predefined
  3. Custom
3
Q

Key points of Cloud IAM roles?

A
  1. a role is a collection of permissions
  2. permissions cannot be assigned to users, only roles
  3. roles are assigned to users
4
Q

What are primitive roles?

A

Three types:

  1. viewer - read only
  2. editor - viewer plus can modify an entity
  3. owner - editor plus can manage roles and permissions on an entity and can set up billing for a project
5
Q

What are predefined roles?

A
  1. they provide granular access to GCP resources
  2. they are specific to GCP products

6
Q

What are custom roles?

A
  1. Allow cloud admin to create and administer their own roles
  2. Created using permissions defined in IAM
  3. Some permissions are not available in custom roles
7
Q

Best practices for IAM roles?

A
  1. Assign least privilege - grant smallest set of permissions to allow someone to do their job
  2. Separation of duties - user would not be able to perform multiple sensitive operations that together could present a risk
8
Q

How do you see a list of users assigned to a role via shell?

A

gcloud projects get-iam-policy [PROJECT NAME]

9
Q

How do you see the fine-grained permissions associated with a role?

A

gcloud iam roles describe [ROLE ID]

10
Q

How do you assign a role via shell?

A

gcloud projects add-iam-policy-binding [RESOURCE NAME] --member user:[USER EMAIL] --role [ROLE ID]

11
Q

How to create a custom IAM role via shell?

A

gcloud iam roles create [ROLE ID] --project [PROJECT ID] --title [ROLE NAME] --description [ROLE DESCRIPTION] --permissions [PERMISSIONS LIST] --stage [LAUNCH STAGE]

12
Q

What is a Service Account?

A

An account used to provide identities independent of users. It can be granted roles and is assigned to a VM.

13
Q

What is a scope?

A

A permission granted to a VM to perform some operation.

14
Q

Key points of scopes?

A
  1. Scopes authorize the access to API methods
  2. To configure access controls for a VM you will need to configure both IAM roles and scopes
  3. A scope is specified by a URL that starts with https://www.googleapis.com/auth and is followed by permission on a resource. For example: https://www.googleapis.com/auth/bigquery.insertdata
  4. An instance can only perform operations allowed by both IAM roles assigned to the service and scopes defined on the instance
15
Q

How do you add scopes to a service account via shell?

A

gcloud compute instances set-service-account [INSTANCE NAME] [--service-account [SERVICE_ACCOUNT_EMAIL] | --no-service-account] [--no-scopes | --scopes [SCOPES,...]]

16
Q

How do you assign a service account to a VM?

A

gcloud compute instances create [INSTANCE NAME] --service-account [SERVICE ACCOUNT EMAIL]