Fundamentals - Getting Started Infrastructure

Question 1

What is the main way you organise resources in GCP?

Answer 1

Projects

Question 2

Describe the GCP hierarchy from the bottom up

Answer 2

Resources -> Projects -> Folders -> Organisation node

Question 3

Do projects have to be organised into folders?

Answer 3

No - “Optionally, projects may be organized into folders”

Question 4

Why would you usually group resources under a given project?

Answer 4

The resources are related, usually because they have a common business objective.

Question 5

Can you define policies on all individual GCP resources?

Answer 5

No - Projects, folders, and organization nodes are all places where the policies can be defined.
Some GCP resources let you put policies on individual resources too, like those cloud storage buckets I mentioned.

Question 6

Give an example of GCP resource where you can define policies directly at the resource level?

Answer 6

Cloud Storage Bucket

Question 7

Which levels are policies normally defined?

Answer 7

Org Node
Folders
Project

Question 8

Does GCP allow you to create a folder within a folder?

Answer 8

Yes - “projects may be organized into folders. Folders can contain other folders.”

Question 9

Does a folder inherit policies from the project?

Answer 9

No - policies are inherited downwards in the hierarchy where “Org Node” is the top of the hierarchy, followed by Folders, Projects and at the bottom - resources.

Question 10

Can a GCP resource be attached to a folder?

Answer 10

No - “All Google Cloud Platform resources belong to a project”

Question 11

Can a resource be assigned to more than one project?

Answer 11

No - “Each project is a separate compartment, and each resource belongs to exactly one.”

Question 12

What are the three identifying attributes of a project?

Answer 12

Project ID
Project Name
Project Number

Question 13

Which of the following is assigned by GCP rather than by you: the project id or the project number?

Answer 13

Project Number

Question 14

Can you re-use the same project id under a different organisation?

Answer 14

No - it has to be globally unique

Question 15

Is the project name globally unique?

Answer 15

No - it need not be unique.

Question 16

Can you change the project number after creating it?

Answer 16

No - it is immutable?

Question 17

Can you change the project id after creating it?

Answer 17

No - it is immutable

Question 18

Can you change the project name after creating it?

Answer 18

Yes - it is mutable.

Question 19

Why would you generally refer to the project id rather than the project number?

Answer 19

The project id is usually defined as a human readable string which is much easier to refer to.

Question 20

You don’t have to assign resources to a folder but what benefit does it present from a policies perspective?

Answer 20

Resources inherit policies from the folder they are under.

Without it, you’d have to duplicate the policies on earch resource.

Question 21

Give examples of what you might define your folders as?

Answer 21

You can use folders to represent different:

• departments,
• teams,
• applications,
• or environments in your organization.

Question 22

What is the lowest level of hierachy at which GCP bills?

Answer 22

Projects - Projects can have different owners and users. They’re billed separately,

Question 23

What service do you use to create an org node?

Answer 23

Google Cloud Identity

Question 24

What are the 2 paths for getting an organisation node?

Answer 24

You are G Suite customer: “If you have a G Suite domain, GCP projects will automatically belong to your organization node”
Use Google Cloud Identity to create one

Question 25

If you define a more relaxed policy at the bottom of the hierachy than what is defined at the parent, which policy will take effect?

Answer 25

The one defined at the lower level - even if it is more relaxed.
“There’s one important rule to keep in mind. The policies implemented at a higher level in this hierarchy can’t take away access that’s granted at a lower level.”

Question 26

What is recommended as a first step when you create a new organisation?

Answer 26

Determine who in your team should be able to create projects and billing accounts and define policies accordingly.
By default, everyone in the domain or the organisation has access to create projects and billing accounts on a new org.

Question 27

What does IAM stand for?

Answer 27

Identity AND Access Management

Question 28

Why would you use Google’s Identity and Access Management (IAM) service?

Answer 28

To configure:
+ “who”
+ “can do what”
+ on which “resource”.

Question 29

When defining an Identity and Access Management (IAM) policy, what can you use to define the “who” part?

Answer 29

• A Google account,
• A Google group,
• A service account,
• An entire G Suite,
• Or a cloud identity domain

Question 30

What does an IAM role define/set?

Answer 30

A collection of permissions

Question 31

What do you use/need to define the “can do what” part of an IAM policy?

Answer 31

An IAM role

Question 32

What are the 3 types of IAM roles?

Answer 32

+ Primitive role
+ Predefined role
+ Custom role

Question 33

Name the IAM primitive roles?

Answer 33

+ Owner
+ Editor
+ Viewer
+ Billing administrator

Question 34

What 2 things do you need to be mindful about before using IAM custom roles?

Answer 34

1. Creates an additional admin overhead - you have to manage the permissions yourself
2. They can only be used at “Organisation” or “Project” level - you cannot assign them to a “folder”

Question 35

Can you set folder privileges using an IAM custom role?

Answer 35

No - custom roles can only be used against “organisations” or “projects”

Question 36

What type of account would you use to define permissions of a service rather than a person (e.g.: you want to give permissions to a Compute Engine virtual machine)?

Answer 36

A service account

Question 37

What do you need to define a service account?

Answer 37

The service account must have:
+ an email address
+ a cryptographic key

Question 38

Is a service account a resource?

Answer 38

Yes - in addition to being an identity, a service account is also a resource

Question 39

Can you define IAM policies to administer service accounts you create?

Answer 39

Yes - service accounts as well as being an identity are a resource.

Question 40

What ways can you interact with GCP?

Answer 40

+ Cloud Platform Console
+ Cloud Shell and Cloud SDK
+ Cloud Console Mobile App
+ REST-based API

Question 41

What is the Google Cloud Console?

Answer 41

A web‑based
Administrative
Interface

Question 42

What does the Google Cloud Console enable you to do?

Answer 42

+ View/manage all your projects/resources
+ Enable, disable, and explore the APIs of GCP services.
+ Gives you access to Cloud Shell.

Question 43

What is Goolge Cloud Shell?

Answer 43

A command-line interface to GCP

Question 44

What does SDK stand-for?

Answer 44

Software Development Kit

Question 45

Which interfaces allow you to access Google Cloud’s SDK without having to install it yourself?

Answer 45

Only the Google Cloud Shell.

Question 46

What is the Google Cloud SDK?

Answer 46

A set of tools you can use to manage your resources and your applications on GCP.

Question 47

Name 3 Google Cloud SDK tools?

Answer 47

+ gcloud: the main command‑line interface for Google Cloud Platform products and services
+ gsutil: used for Google Cloud Storage
+ bq: used for Big Query

Question 48

List 3 ways you can access the Google Cloud SDK?

Answer 48

Google Cloud Shell: comes pre-installed on the virtual machine
Self-install on your own computers, your laptop, your on‑premise servers, or virtual machines and other clouds.
As a Docker image

Question 49

What does API stand for?

Answer 49

Application Programming Interface

Question 50

What 2 types of API libraries can you choose from in GCP?

Answer 50

Cloud vs. Google API libraries:
+ Cloud Client Libraries
+ Google API Client Library

Question 51

What are Google’s Cloud Client Libraries?

Answer 51

+ Latest and recommended libraries for its APIs.
+ They adopt the native styles and idioms of each language.
+ But may not yet support the newest services and features

Question 52

Why would you choose to work with a Google API Client library rather than a Cloud Client library?

Answer 52

The Google API Client Library:
+ gives you access to a new feature that is not yet available in the Cloud Client library
+ is written in the language you want to use for your development/integration

Question 53

Why might you use the Cloud Console Mobile App?

Answer 53

+ Resource monitoring/management: It lets you examine/manage the resources you’re using in GCP.
+ Dashboarding: It lets you build dashboards so that you can get the information you need at a glance.