Fundamentals - Getting Started Infrastructure Flashcards
What is the main way you organise resources in GCP?
Projects
Describe the GCP hierarchy from the bottom up
Resources -> Projects -> Folders -> Organisation node
Do projects have to be organised into folders?
No - “Optionally, projects may be organized into folders”
Why would you usually group resources under a given project?
The resources are related, usually because they have a common business objective.
Can you define policies on all individual GCP resources?
No - Projects, folders, and organization nodes are all places where the policies can be defined.
Some GCP resources let you put policies on individual resources too, like those cloud storage buckets I mentioned.
Give an example of GCP resource where you can define policies directly at the resource level?
Cloud Storage Bucket
Which levels are policies normally defined?
Org Node
Folders
Project
Does GCP allow you to create a folder within a folder?
Yes - “projects may be organized into folders. Folders can contain other folders.”
Does a folder inherit policies from the project?
No - policies are inherited downwards in the hierarchy where “Org Node” is the top of the hierarchy, followed by Folders, Projects and at the bottom - resources.
Can a GCP resource be attached to a folder?
No - “All Google Cloud Platform resources belong to a project”
Can a resource be assigned to more than one project?
No - “Each project is a separate compartment, and each resource belongs to exactly one.”
What are the three identifying attributes of a project?
Project ID
Project Name
Project Number
Which of the following is assigned by GCP rather than by you: the project id or the project number?
Project Number
Can you re-use the same project id under a different organisation?
No - it has to be globally unique
Is the project name globally unique?
No - it need not be unique.
Can you change the project number after creating it?
No - it is immutable?
Can you change the project id after creating it?
No - it is immutable
Can you change the project name after creating it?
Yes - it is mutable.
Why would you generally refer to the project id rather than the project number?
The project id is usually defined as a human readable string which is much easier to refer to.
You don’t have to assign resources to a folder but what benefit does it present from a policies perspective?
Resources inherit policies from the folder they are under.
Without it, you’d have to duplicate the policies on earch resource.
Give examples of what you might define your folders as?
You can use folders to represent different:
- departments,
- teams,
- applications,
- or environments in your organization.
What is the lowest level of hierachy at which GCP bills?
Projects - Projects can have different owners and users. They’re billed separately,
What service do you use to create an org node?
Google Cloud Identity
What are the 2 paths for getting an organisation node?
You are G Suite customer: “If you have a G Suite domain, GCP projects will automatically belong to your organization node”
Use Google Cloud Identity to create one
If you define a more relaxed policy at the bottom of the hierachy than what is defined at the parent, which policy will take effect?
The one defined at the lower level - even if it is more relaxed.
“There’s one important rule to keep in mind. The policies implemented at a higher level in this hierarchy can’t take away access that’s granted at a lower level.”
What is recommended as a first step when you create a new organisation?
Determine who in your team should be able to create projects and billing accounts and define policies accordingly.
By default, everyone in the domain or the organisation has access to create projects and billing accounts on a new org.
What does IAM stand for?
Identity AND Access Management
Why would you use Google’s Identity and Access Management (IAM) service?
To configure:
+ “who”
+ “can do what”
+ on which “resource”.
When defining an Identity and Access Management (IAM) policy, what can you use to define the “who” part?
- A Google account,
- A Google group,
- A service account,
- An entire G Suite,
- Or a cloud identity domain
What does an IAM role define/set?
A collection of permissions
What do you use/need to define the “can do what” part of an IAM policy?
An IAM role
What are the 3 types of IAM roles?
+ Primitive role
+ Predefined role
+ Custom role
Name the IAM primitive roles?
+ Owner
+ Editor
+ Viewer
+ Billing administrator
What 2 things do you need to be mindful about before using IAM custom roles?
- Creates an additional admin overhead - you have to manage the permissions yourself
- They can only be used at “Organisation” or “Project” level - you cannot assign them to a “folder”
Can you set folder privileges using an IAM custom role?
No - custom roles can only be used against “organisations” or “projects”
What type of account would you use to define permissions of a service rather than a person (e.g.: you want to give permissions to a Compute Engine virtual machine)?
A service account
What do you need to define a service account?
The service account must have:
+ an email address
+ a cryptographic key
Is a service account a resource?
Yes - in addition to being an identity, a service account is also a resource
Can you define IAM policies to administer service accounts you create?
Yes - service accounts as well as being an identity are a resource.
What ways can you interact with GCP?
+ Cloud Platform Console
+ Cloud Shell and Cloud SDK
+ Cloud Console Mobile App
+ REST-based API
What is the Google Cloud Console?
A web‑based
Administrative
Interface
What does the Google Cloud Console enable you to do?
+ View/manage all your projects/resources
+ Enable, disable, and explore the APIs of GCP services.
+ Gives you access to Cloud Shell.
What is Goolge Cloud Shell?
A command-line interface to GCP
What does SDK stand-for?
Software Development Kit
Which interfaces allow you to access Google Cloud’s SDK without having to install it yourself?
Only the Google Cloud Shell.
What is the Google Cloud SDK?
A set of tools you can use to manage your resources and your applications on GCP.
Name 3 Google Cloud SDK tools?
+ gcloud: the main command‑line interface for Google Cloud Platform products and services
+ gsutil: used for Google Cloud Storage
+ bq: used for Big Query
List 3 ways you can access the Google Cloud SDK?
Google Cloud Shell: comes pre-installed on the virtual machine
Self-install on your own computers, your laptop, your on‑premise servers, or virtual machines and other clouds.
As a Docker image
What does API stand for?
Application Programming Interface
What 2 types of API libraries can you choose from in GCP?
Cloud vs. Google API libraries:
+ Cloud Client Libraries
+ Google API Client Library
What are Google’s Cloud Client Libraries?
+ Latest and recommended libraries for its APIs.
+ They adopt the native styles and idioms of each language.
+ But may not yet support the newest services and features
Why would you choose to work with a Google API Client library rather than a Cloud Client library?
The Google API Client Library:
+ gives you access to a new feature that is not yet available in the Cloud Client library
+ is written in the language you want to use for your development/integration
Why might you use the Cloud Console Mobile App?
+ Resource monitoring/management: It lets you examine/manage the resources you’re using in GCP.
+ Dashboarding: It lets you build dashboards so that you can get the information you need at a glance.