1
Q

Google Account Types

A
  • Personal
  • G Suite Domain
  • Cloud Identity Domain
  • Google Group
  • allAuthenticatedUsers
  • allUsers (i.e. “public”)
2
Q

Where are Members set up?

A

Members are not set up in GCP. Create, edit and delete Google accounts in admin.google.com (outside GCP). Give Google accounts access to GCP in GCP IAM.

3
Q

What are Service accounts?

A

Belong to an application/server.
Not associated with a person.
Carry out application/server interactions.
Also identified by email address.

4
Q

How does Cloud Identity work?

A

Cloud Identity syncs with Active Directory. Cloud Identity maps (federates) AD accounts to Cloud Identity accounts. AD is the single source of truth (one-way sync from AD to Cloud Identity).

5
Q

What are the mechanisms to use Cloud Identity? (to sync AD with IAM)

A

Tools:

  • Google Cloud Directory Sync (GCDS) (Google provided)
  • Active Directory Federation Services (ADFS) (MS provided)
6
Q

What are the types of “Members” (Who)?

A
  • Google person Members
  • Service Accounts

7
Q

Role types

A
  • Primitive
  • Predefined
  • Custom
8
Q

Primitive Roles

A
  • Broad, original roles available on GCP (before current IAM environment)
  • Applied across the entire project
9
Q

Types of Primitive Roles

A
  • Owner: Modify all resources and manage IAM and billing
  • Editor: Modify all resources, no access to manage IAM and billing
  • Viewer: View resources, cannot make changes.
10
Q

Predefined Roles

A
  • More granular, specific, not across the entire project.
  • Applied to single service.
  • Example: compute.instanceAdmin allows access to modify instances but does not affect any other services.
11
Q

Custom Roles

A

Even more granular than Predefined Roles. Combine individual permissions when predefined roles are not specific enough.

12
Q

IAM policies

A

Grant Members (users, groups, organizations, service accounts) various Roles (primitive: broad; predefined/custom: granular) on GCP resources (all layers of GCP) in a hierarchical format (parent overrules child).

Example: john@acme.com is granted the Owner role on project ‘Dev Environment’.

13
Q

CLI to get IAM Policy for Project

A

gcloud projects get-iam-policy

YAML output

14
Q

CLI to update IAM Policy for Project (from file)

A

gcloud projects set-iam-policy .yaml

15
Q

CLI to add single binding to IAM Policy for Project

A

gcloud projects add-iam-policy-binding --member user: --role roles/viewer

16
Q

What’s the permission format?

A

[service].[resource].[verb] (example: compute.instances.delete)

17
Q

Can you apply permissions directly to members?

A

No

18
Q

What is a Role?

A

A bundle of Permissions that can be assigned to a Member.

19
Q

What IAM Roles do I need to assign a user to be able to create a Project in a specific Organisation?

A
  • Resource Manager -> Organisation Viewer
  • Resource Manager -> Project Creator
  • Billing -> Billing Account User (to be able to associate a Billing Account with the project, otherwise no resources can be created)
20
Q

What is a Service Account

A

A special type of Google account that is not attached to a user but is used to authenticate applications/servers to GCP services. Also represented by an email address.

21
Q

Types of Service Accounts

A
  • Google-managed
  • User-managed

22
Q

Google-managed Service Accounts

A
  • Represent different Google services and are automatically granted IAM roles. [PROJECT_NUMBER]@cloudservices.gserviceaccount.com. Generally invisible to the user.
23
Q

User-managed Service Accounts

A

Created by you, or created automatically for you based on the APIs enabled in the project (e.g. [PROJECT-NUMBER]-compute@developer.gserviceaccount.com, [PROJECT-ID]@appspot.gserviceaccount.com). Includes both automatically created and user-created accounts.

24
Q

Why can it be said that Service Accounts are both a Member (who) and a Resource?

A
  • Service accounts are granted permissions on a resource (as a “who”).
  • Users (persons) are granted the serviceAccountUser role on a Service Account (as a resource).