This content demonstrates practical Google Cloud Platform (GCP) use cases for managing identity and access management (IAM), focusing on automating permissions at the organization and project levels, and configuring service accounts and public storage buckets.
…roles, resources; we also did an extensive use case. As promised, in this video we are gonna do the remaining four use cases, which will help you to work on any real-world use cases while you're working with Google.
In use case 2 you need to enable the DevOps group to be automatically added as a viewer wherever any new project is created in the organization, as they need to monitor. So any project created anywhere, the DevOps team needs to be added as a viewer. That's the ask.

For this we need to add the DevOps group over the organization layer. How? Let's go and check it out in the GCP console. We need to select the organization. Why? Because we want all further upcoming projects to also have access for DevOps engineers.

First thing: in the first use case, what we did was give permission on data science to the data science group and DevOps to DevOps. For this I'm gonna go to the organization. Let's copy the group of DevOps engineers. I copied it, and let's click on Grant access. The resource is the organization, the identity is your group, the role for this is Viewer. Submit it. Once you add this identity, attach this IAM policy.

Let's check now if DevOps engineers have access to the data science projects as well or not, because earlier they had no access. Now we have added it at the org level, which means that on every project, by default, DevOps engineers will be added. John Miller is from the DevOps engineer group; let's try to log in as John and see if John has permission to the data science projects or not. Let's open the projects. Clearly you can see now John can see the DevOps and data science projects together. That's how you manage resources, that's how you manage identity, and that's how you manage roles.

Now I want to create one more project and showcase that, you know, upcoming projects will also have the same role applicable. I'll choose the billing account and create a project. Once you create a project, this is by default created under the organization. The name is "test project"; you can see it's out of the folder, it's not even in a folder. Now go back to John's dashboard and see if John can see the new project or not. Yes, John can see "test project", which means the permission which we set at the org level is working for existing projects plus upcoming projects. That's the benefit of doing it at the org level. That is it.
In use case 3 we have two asks. First is to allow data science engineers owner access on the dev projects, because we want to set them free under their projects. But when it comes to production we want to restrict the users: the data scientist group should only have read-only access in the production project, three roles: first is Compute Viewer, second is Storage Viewer, third is Vertex AI Viewer. All right, how are you going to do it? Let's see at the labs.

So I'll go to the data science folder and the dev folder, because I have to give the owner access on the development project. So if today I have one project, tomorrow I can have 10 projects. For that I'll go to IAM of that particular folder where I have to give the default permission, and you can see this permission, Viewer, is already inherited from the data science folder, and dev is inside the data science folder. Now I'm gonna give the Owner role on dev. Okay, now any project inside the dev folder of data science has Owner for data scientists, and in production they have just Viewer access. You can see production: just Viewer, and dev: you have Owner.

The first step was to do that, and that's how very, very simply you can have different permissions for different folders. That's the benefit of creating your organization at the start only.

And that is from the data scientist team: in Matt's console you can see Matt is not able to do anything at all, just a viewer. When he switches to dev, he can create a bucket, he can grant access, because he's owner in the dev project. That's the difference we wanted to create with the first use case, because your engineers have more permissions in dev but fewer permissions in prod. That's how enterprise-level use cases generally are.

Second is to allow data science engineers to access only the below services in production projects, so we're going to give Compute Viewer, Storage Viewer, Vertex AI Viewer. Let's go to the console. For this I need to give it on production, so I'll go to the production project, provide the ID. The three roles which I have to give: first is Compute Viewer, let me scroll, yeah, first. Second one is Storage Viewer; select the Storage Viewer. Third is Vertex AI Viewer; it's an ML/AI solution from GCP, a managed one. So I added all three permissions, and Viewer is already coming from the data science folder, so top to bottom it inherited itself. That's how you're going to give different permissions at different levels. Now your data scientists can just see production projects.
In use case 4 we need to create a service account for Jupyter Notebook, to be used by a VM when it is created for data scientists. We need to attach the below roles to the service account: first is Compute Instance Admin, second is Cloud Scheduler user. Let's hit the labs and see how we can do it.

I'll go ahead and select the project, and let's create it in data science dev. I'll go to service accounts, create a service account. The ask is to create it for Jupyter notebooks, so I'll say it right in the name of the service account. This is your email address for the service account, which you'll use for all accesses. Description: to be used… Create and continue. I can also assign a role over here, or I can attach it later under IAM. Let's give the roles over here only. First is compute admin, Instance Admin, so it's a very powerful role with which you can control compute, and second is Cloud Scheduler user, so let's select Cloud Scheduler Job Runner. Yeah, done. Let's continue that and hit Done. That will create the Jupyter notebook service account. You can go to IAM: it's already attached, because we submitted the form.

Always note: it is at the project level only, and that is how you always create service accounts and assign a role, and you can use this service account while creating your resources.
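The three use cases above (Viewer for the DevOps group on the organization, Owner on the dev folder with read-only service roles on the production project, and project-level roles for the notebook service account) all rely on one rule: IAM allow policies are evaluated as the union of every binding on a resource and its ancestors. The script below is an added example, not code from the video or from Google; it models that rule over a constructed hierarchy. The organization, folder, project, group and user names are placeholders, the role IDs are real predefined roles, and "Storage Viewer" from the video is assumed to mean roles/storage.objectViewer.

```python
# Added example, not code from the video or from Google: a small model of how
# IAM bindings granted on the organization, a folder and a project combine into
# a principal's effective roles. Policies use the JSON binding shape that the
# Resource Manager API returns; every org/folder/project/group/user name below
# is a constructed placeholder.

# Resource hierarchy as child -> parent (constructed to mirror the video:
# organization > data-science folder > dev/prod folders > projects, plus a
# "test-project" created directly under the organization).
PARENT = {
    "folders/data-science": "organizations/example-org",
    "folders/dev": "folders/data-science",
    "folders/prod": "folders/data-science",
    "projects/ds-dev": "folders/dev",
    "projects/ds-prod": "folders/prod",
    "projects/test-project": "organizations/example-org",
}

DS_GROUP = "group:data-science@example.com"
DEVOPS_GROUP = "group:devops@example.com"
JUPYTER_SA = "serviceAccount:jupyter-notebook@ds-dev.iam.gserviceaccount.com"

# One IAM policy per resource. Roles are real predefined role IDs; "Storage
# Viewer" in the video is assumed to mean roles/storage.objectViewer.
POLICIES = {
    # Use case 2: Viewer for the DevOps group on the organization, so every
    # existing and future project inherits it.
    "organizations/example-org": {"bindings": [
        {"role": "roles/viewer", "members": [DEVOPS_GROUP]},
    ]},
    "folders/data-science": {"bindings": [
        {"role": "roles/viewer", "members": [DS_GROUP]},
    ]},
    # Use case 3, first ask: Owner on the dev folder, not on each dev project.
    "folders/dev": {"bindings": [
        {"role": "roles/owner", "members": [DS_GROUP]},
    ]},
    "folders/prod": {"bindings": []},
    # Use case 4: project-level roles for the notebook service account.
    "projects/ds-dev": {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1", "members": [JUPYTER_SA]},
        {"role": "roles/cloudscheduler.jobRunner", "members": [JUPYTER_SA]},
    ]},
    # Use case 3, second ask: read-only service roles in production.
    "projects/ds-prod": {"bindings": [
        {"role": "roles/compute.viewer", "members": [DS_GROUP]},
        {"role": "roles/storage.objectViewer", "members": [DS_GROUP]},
        {"role": "roles/aiplatform.viewer", "members": [DS_GROUP]},
    ]},
    "projects/test-project": {"bindings": []},
}

# Group membership lives in Cloud Identity, not in IAM policies; constructed here.
GROUPS = {
    DEVOPS_GROUP: {"user:john.miller@example.com"},
    DS_GROUP: {"user:matt@example.com"},
}


def ancestry(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def principals_for(member):
    """The member itself plus every group it belongs to."""
    return {member} | {g for g, users in GROUPS.items() if member in users}


def effective_roles(member, resource):
    """Union of roles bound to the member on the resource or any ancestor.

    Allow policies are additive: a role granted higher in the hierarchy cannot
    be taken away at a lower level, which is why the organization-level Viewer
    shows up on every project, including ones created later.
    """
    principals = principals_for(member)
    roles = set()
    for res in ancestry(resource):
        for binding in POLICIES.get(res, {}).get("bindings", []):
            if principals & set(binding["members"]):
                roles.add(binding["role"])
    return roles


BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}


def visible_projects(member):
    """Projects the member sees in the console picker (simplified: any basic role)."""
    return sorted(p for p in PARENT if p.startswith("projects/")
                  and effective_roles(member, p) & BASIC_ROLES)


if __name__ == "__main__":
    for who in ("user:john.miller@example.com", "user:matt@example.com", JUPYTER_SA):
        print(who, visible_projects(who))
        for project in ("projects/ds-dev", "projects/ds-prod", "projects/test-project"):
            print("  ", project, sorted(effective_roles(who, project)))
```

Running it reproduces what the video shows in the console: John sees all three projects with nothing more than Viewer, Matt is Owner only under the dev folder and read-only in production, and the service account holds exactly its two project-level roles and nothing inherited. The same additive rule is why an over-broad grant at the organization level is the hardest kind to undo, since no lower-level policy can remove it.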
The last use case is to create a bucket and configure the access for authenticated and unauthenticated users, which is basically making it public. We also need to name our bucket as Cloud Sprint-public-bucket, we have to assign a label, we have to give a class as regional. All right, in the next video, while we go through the storage options, this example will be really helpful. All right, without delay, let's hit the labs and let's find out how to do it.

For this I'll come to GCP Storage, Cloud Storage, Buckets. Let's click on Create a bucket. Over here I have to put the name; this name has to be globally unique. Once you paste the name, I'll go to label. A label is needed because this is needed when you are checking the bill of your overall structure, overall projects. Click on continue. Once you click on continue, you will be offered to choose the location. It has three options: multi-region, dual-region and regional. In my case I want to create a regional bucket, I'll say that. Okay, find Regional, go ahead with us-east1, click on continue. It has storage class: Standard, Nearline, Coldline, Archive. You can go ahead with Standard for now. I'm saying "Enforce public access prevention": uncheck it. Click on continue, click on create. That will create a bucket for me. Once you create and click, yeah, you can see you can upload files, because I am the org admin so I have default access, and you can upload files inside the bucket.

If you go to permissions you can see it's not public yet, because we have not given the access. You can go to configuration to check when it was created, what is the location, what is the region, what is the storage class, if any label; it shows what is the URL for gsutil, what is the URL for the cloud console. That's all the detail. Let's go ahead and make it public. For making it public you can select allUsers, that's a flag, and you can select the Cloud Storage role Storage Object Viewer. The resource is the bucket, the identity is allUsers. You can see it is warning you that this is public now, you should not make it public; that's the standard warning, because if somebody has done it by mistake, Google warns you. You can copy the URL and anybody can open it up, because it is public to the internet now, anything inside this. Let's go ahead and use my personal email address to check, without any access, if I can access this bucket or not. Yes, you can see I am able to open this bucket and download this file from my personal ID. I can download it and I can see it. It's not something very, very common, but there are needs when you need to do it. That's how you make things public.
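The warning the console shows when allUsers is granted is a one-time prompt; what a defender wants is a repeatable check over every bucket. The script below is an added example, not code from the video or from Google. It consumes a bucket resource and its IAM policy in the JSON shapes the Cloud Storage JSON API returns (the iamConfiguration.publicAccessPrevention field and bindings with role/members), and flags the two public principals the video discusses: allUsers (unauthenticated) and allAuthenticatedUsers (any signed-in Google account). The bucket names and sample policies are constructed.

```python
# Added example, not code from the video or from Google: a check that flags
# Cloud Storage buckets exposed to unauthenticated (allUsers) or any-signed-in
# (allAuthenticatedUsers) principals. Inputs follow the JSON shapes of the
# Cloud Storage JSON API bucket resource and its IAM policy; the bucket names
# and sample data are constructed.

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy):
    """(role, principal) pairs in the bucket IAM policy that grant public access."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((binding["role"], member))
    return found


def assess_bucket(bucket, policy):
    """Summarise one bucket's public exposure.

    publicAccessPrevention "enforced" blocks allUsers/allAuthenticatedUsers
    grants even if the bindings still exist; "inherited" defers to the org
    policy, which is what unchecking the box in the video selects.
    """
    cfg = bucket.get("iamConfiguration", {})
    pap = cfg.get("publicAccessPrevention", "inherited")
    exposures = public_bindings(policy)
    return {
        "name": bucket["name"],
        "public_access_prevention": pap,
        "uniform_bucket_level_access": cfg.get("uniformBucketLevelAccess", {}).get("enabled", False),
        "public_bindings": exposures,
        "is_public": pap != "enforced" and bool(exposures),
    }


def find_public_buckets(inventory):
    """inventory: list of (bucket_resource, iam_policy); returns names that are public."""
    return [r["name"] for r in (assess_bucket(b, p) for b, p in inventory) if r["is_public"]]


# Constructed sample inventory: a bucket made public the way the video does it,
# a private one, and a bucket whose stray allAuthenticatedUsers binding is
# neutralised because public access prevention is enforced.
PUBLIC_BUCKET = {
    "name": "example-public-bucket",
    "location": "US-EAST1",
    "storageClass": "STANDARD",
    "labels": {"env": "demo"},
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": True}},
}
PUBLIC_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["group:org-admins@example.com"]},
]}
PRIVATE_BUCKET = {"name": "example-private-bucket",
                  "iamConfiguration": {"publicAccessPrevention": "enforced"}}
PRIVATE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:data-science@example.com"]},
]}
GUARDED_BUCKET = {"name": "example-guarded-bucket",
                  "iamConfiguration": {"publicAccessPrevention": "enforced"}}
GUARDED_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
]}
INVENTORY = [(PUBLIC_BUCKET, PUBLIC_POLICY),
             (PRIVATE_BUCKET, PRIVATE_POLICY),
             (GUARDED_BUCKET, GUARDED_POLICY)]

if __name__ == "__main__":
    for bucket, policy in INVENTORY:
        print(assess_bucket(bucket, policy))
    print("public:", find_public_buckets(INVENTORY))
```

The guarded bucket is the useful edge case: a public binding alone is not proof of exposure when public access prevention is enforced, and a report that ignores the setting produces false positives; conversely, the unchecked box in the video is exactly what turns the allUsers grant into real internet exposure.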
I hope that was helpful. Today you know what it takes to work on IAM and how you can assign roles and permissions in the most secure manner. All right, if you're liking my content and following my GCP playlist on my channel, like the video. If you have any questions, write them in the comments. Thanks very much.