GCP IAM

Question 1

What is IAM?

Answer 1

Who can do what and what resourc. It is GCP’s identity and access manage.

Question 2

In GCP IAM what is a member?

Answer 2

A member is a ‘who’, this can be a person or a service account.
Service account = Application access
People =
- Google account
- Google group
- G Suite Domain
- Google identity domain

Question 3

Can a GCP IAM member be a google account?

Answer 3

Yes

Question 4

Can a GCP IAM Service account be a google account?

Answer 4

No, an application can be a service account

Question 5

What is a google account?

Answer 5

It is a person interaction with Google and can be a Gmail account or can be a non-google account associated with a google account.

Question 6

What is a google group?

Answer 6

It is a collection of google accounts

Question 7

What is a G Suit Domain

Answer 7

Is a virtual group of domain users, it can not be used for individual identity but you can set permissions.

Question 8

In GCP IAM, what is the hierarchy structure?

Answer 8

Organizations
Folders
Projets
Resoiurces

Question 9

In GCP IAM, what is the main structure of IAS objects

Answer 9

Permissions -> Roles -> Policies

Question 10

What is a GCP IAM permission?

Answer 10

It is a resource based permission, compute.instanceAdmin.v1

Question 11

What is a GCP IAM role?

Answer 11

A role is a collection of permissions, 100% completely different than AWS role.

Question 12

What is a GCP IAM policy?

Answer 12

It is a collection of roles and it is where a member (users) can become

Question 13

When using GCP IAS, how can we think of IAS applied to an organization or an organization child?

Answer 13

Who
What they can do
Resources they can do it on

Question 14

How can we think of GCP IAM?

Answer 14

Members (who) are granted permissions and roles to GCP services (resource)

Question 15

In GCP IAM what is a service account?

Answer 15

It is a software application or service calling GCP, software application uses the service account to call GCP.

Question 16

In GCP ISA what is the permission format?

Answer 16

service.resource.action
compute.instance.delete

Question 17

In GCP IAM can you give me an example of a permission?

Answer 17

compute.rinstance.delete

Question 18

Can you asign a permission direct to a member?

Answer 18

No, permissions are applied a role.

Question 19

What is a GCP IAM primitive role?

Answer 19

Includes owner, editor and viewer roles and existed before Cloud IAM. These roles (owner, editor and viewer) apply only to the project level.

Question 20

What is a GCP IAM role?

Answer 20

provide granular access servcies in GCP

Question 21

What is a GCP IAM custom role?

Answer 21

You cna build a custum role with your own permissions.

Question 22

What will the GCP prinitive role ‘Viewer’ allow you to do?

Answer 22

Read only and view resources

Question 23

What will the GCP prinitive role ‘Editior’ allow you to do?

Answer 23

Edit resources

Question 24

What will the GCP prinitive role ‘Owner’ allow you to do?

Answer 24

All editor permissions and,
- Manage roles and permissions
- Setup billing

Question 25

Can a member/user be granted multipal roles?

Answer 25

Yes

Question 26

In GCP IAM, give an example of a predefined role?

Answer 26

roles/appEngine.appAdmin

Question 27

In the following GCP IAM) role ‘roles/appEngine.appAdmin’, what will role enable you to do?

Answer 27

This role will give you admin permissions to theGCP App Engine.

Question 28

What is a GCP IAM Policy?

Answer 28

An GCP IAM policy is a coletcion of GCP roles, a GCP IAM policy is not the same as a AWS policy

Question 29

What you set a policy at the orgnizational level of GCP, will projects and resources inherate this policy?

Answer 29

Yes, as the orgnization is at the higest level all child resources inherate this policy. Resources inheriat from it parent.

Question 30

If i give admin access at the orgnizational level and then give less rights at the project or resource level, will the user have less rights or admin rights?

Answer 30

Admin rights, the rights at the more pareent level will apply.

Question 31

What are the 3 roles used in GCP IAM?

Answer 31

Primitive, Predefined, Custom?

Question 32

What is a member?

Answer 32

People
-Google account
-Google group
-Cloud identity domain
-G Suit domain

Question 33

What is a Role?

Answer 33

It is a collection of permissions.

Question 34

What is a permission?

Answer 34

It defines if you have access to a resource or not.

Question 35

What is a Cloud identity domain?

Answer 35

It is an orgnizatiuonal level domian, at root.

Question 36

What is the format of a permission

Answer 36

-service.resource.verb
-compute.instance.delete

Question 37

I need to asign permission directly to a user, can I do this?

Answer 37

No, permissions are asigned to roles

Question 38

What are the 3 GCP IAM role types?

Answer 38

-Primitive
-Predefined
-Custom

Question 39

What is a predefined GCP IAM role?

Answer 39

It is a more granular role then primitive role and has more granularity.

Question 40

What is a primitive GCP IAM role?

Answer 40

It is an Owner, View, Editor role, no granular permissions.

Question 41

What is a GCP IAM custom role?

Answer 41

It is a role you can create with you own permissions.

Question 42

What is a GCP IAM service account?

Answer 42

It is an account attached to an application.

Question 43

What is ba GCP IAM policy?

Answer 43

A policy is a collection of roles, the policy is asigned to a member.

Question 44

Can a pareent policy overule a child policy?

Answer 44

Yes, 100%

Question 45

I have a perant and child GCP IAM policies, whitch policy has final say?

Answer 45

Parent, fi there was deny rule in parent then there permission would be denied.

Question 46

Do child policies inherate from parent?

Answer 46

Yes, 100%

Question 47

Can I have a more restrictive Parent policy overide permisisons in child policy?

Answer 47

Yes, 100%

Question 48

What is a custom GCP role?

Answer 48

It is a collection of permissions?

Question 49

I need to give a group of users a set of permissions, what do I need to create?

Answer 49

A role and assign a policy

Question 50

What is a GCP IAM Object?

Answer 50

All users, resources, etc are IAM objects.

Question 51

Do all members in the organization role have access to the resources allowed by the role?

Answer 51

The organization role has permissions that enable every member the is part of the organizational role to access a resource.

Question 52

I need to give everyone in my organization access to a resource, how can I enable this?

Answer 52

Create a custom role with the set of permissions you need and assign the role to the org..

Question 53

I need to give everyone in my organization access to a resource, how can I enable this?

Answer 53

Create a custom role with the set of permissions you need and assign the role to the domain member automatically created that refers to everyone in the organization.

Question 54

By default everyone can create projects in an organization, how can we fix this so an admin is the only one that can create projects?

Answer 54

Remove the automatically created org member.

Question 55

What are the two types of GCP service accounts available?

Answer 55

-Google-Managed
–Represent Google services and are automatically granted an IAM role
–Most times invisible to the user.
-User-Managed
–Created by you and based on enabled API’s
Both automatic created and user created.

Question 56

How is User-managed service account authenticated by google?

Answer 56

API Key

Question 57

What is a service account?

Answer 57

A service account is a special google account that belongs to your application or instance (VM). The application or the VM assumes the identity so users are not involved.
-Service accounts can have zero or more key pairs to authenticate with Google.

Question 58

I need to access an Cloud Storage bucket file form the bash CLI in a Compute instance, this will involve both read and write. How can I enable this access?

Answer 58

When you create an instance (VM) you are automatically assigned a service account. This service account has a set of scopes that enable it to access the GCP API’s. The instance (VM) assumes this service account identity and can access the Cloud Storage bucket provided the scope has been set with the corretc read/write/full permissions.

Question 59

Should I use primitive or predefined roles?

Answer 59

Use predefined roles, this way you only give them the least access as possible.

Question 60

When I create a microservice with two services (app componets), should I give each one the same service account?

Answer 60

No, it is important to ensure you use the least privilege and give each of the services in the microservice a separate service account with only the access they need.

Question 61

Can a child policy overrule a parent policy?

Answer 61

No a child policy can not overrule a child policy.

Question 62

When assigning service account scope, what should I be doing for least privilege?

Answer 62

Allowing access for only API’s needed to perform job function.

Question 63

What IAM role is used when creating a service account

Answer 63

Service Account Admin

Question 64

What do I need to do regularly to ensure service account security is maintained for user managed keys?

Answer 64

Rotate the service keys

Question 65

Do I need to rotate GCP managed service account keys?

Answer 65

No

Question 66

Can you assign a policy to a folder?

Answer 66

Yes

Question 67

Are IAM Policies inherited down or up?

Answer 67

Down Org -> Folders -> Project -> Resource

Question 68

For an organization level, what is the role that can change policies?

Answer 68

Organization policy administrator
The Identity and Access Management role roles/orgpolicy.policyAdmin enables an administrator to manage organization policies. Users must be organization policy administrators to change or override organization policies.

To set, change, or delete an organization policy, you must have the Organization Policy Administrator role.

Question 69

What is the role of Organization policy administrator?

Answer 69

Responsible for admin policies.

Question 70

What can an owner do?

Answer 70

Manage members (invite, delete, etc)
Manage projects
Deploy applications
Modify code
Configure services
BUT CAN NOT DO BILLING RELATED ACTIVITIES LIKE A BILLING ADMIN CAN.

Question 71

What can a editor do?

Answer 71

Deploy applications
Modify code
Configure services

Question 72

Can I use custom roles at the folder level?

Answer 72

No, you can only use custom roles at the project or org level

Question 73

Can I apply different roles to a service account?

Answer 73

Yes, this enables you to restrict the service account to only access what is needed.

Question 74

Can I deny access to a project resource through IAM when I have give the permission at the ORG level?

Answer 74

No, you cannot deny permissions lo down in hierarchy when you have give them high up.

Question 75

I have an Owner role applied at the organization level, will the owner role have any effect?

Answer 75

No, Owner roles will only have an effect the the project level as the owner role has no permissions at levels above project.

Question 76

Should I use primitive or predefined rules?

Answer 76

I should use predefined rules where possible as they are more granular.

Question 77

What is an organization policy used for?

Answer 77

• Centralize control to configure restrictions on how your organization’s resources can be used.
• Define and establish guardrails for your development teams to stay within compliance boundaries.

-Help project owners and their teams move quickly without worry of breaking compliance.

Question 78

Do descendants policies inherit from parents?

Answer 78

Yes