This content provides a comprehensive guide to creating and managing custom Identity and Access Management (IAM) roles in Google Cloud Platform (GCP), emphasizing their importance for the Associate Cloud Engineer exam and detailing how to synchronize on-premises LDAP users with GCP for automated access management.
Hi everyone, welcome to Cloud Sprint. Today we are going to learn about GCP custom roles. Since this topic is really important for the GCP Associate Cloud Engineer exam, I'll take this further and explain a step-by-step guide so it becomes very easy while you prepare. By the end of this video you will also get to learn how you can sync your LDAP users to GCP, to have an automated sync between your LDAP and GCP projects without any delay. Let's get started.

So far we have applied permissions at the org level, at the folder level, or at the project level. These are the three places where we apply IAM policies, and also at the resource level. Just a quick recap: if you want to see which person or which group has what permission, you will come to IAM. Principal is your identity, role is what you can do, your capabilities, and this is your resources. Okay, this resource tells you where you can do what, and who can do that. It is all about IAM policy. If you click on Grant access, for example, you can see the resource is the data science prod project; if it's a folder, it will come as a folder. This principal means a user, group, domain, or service account, and then at last you have the role. Role is your capability. We learned about basic roles, we learned about predefined roles which are already provided by Google, we learned the uses of these two roles, but today we are going to learn a more specific thing which is called custom role. So yeah, these three aspects I think you have so far understood very well, and you can do anything.

For custom roles we will just give a quick recap: go to IAM, you know, IAM permissions, custom role and all, and you can see the IAM basic and predefined role reference. You can see these three roles are here: owner, viewer. Then there are the predefined roles, which Google has prepared for us and which are very specific to services. If you want to just see any specific service like Cloud Composer, you can select it and all permissions for that particular service will be available here. That is the benefit of predefined roles. But then there will be some situations. This is the complete list of all the services which we have, like Cloud Spanner, SQL, Compute Engine. You want to give somebody just admin, you can give just admin, or maybe image user. There could be a situation when I just want to use three permissions from image user or just three permissions from the admin part. Then how can I handle that kind of situation? Custom role is all about that, which we are going to learn.

So suppose we need to give somebody a GCP BigQuery role and a Compute and Dataproc role, and we cannot use these predefined roles because they will give too much permission. Support for permissions has three phases: one is supported, then testing, and not supported for production use cases. We are only going to use the ones which are supported. Okay, this is a list of the supported ones, the not supported ones, or the ones which are just in testing. This is to help us with how we are going to create our role without, you know, making any fault with the testing ones. It is just a flag for us.

So I think it's time to go ahead and create a custom role and get our hands dirty. For that I'll click on IAM & Admin and Roles. Here you can see a list of already available roles. This is created by Google in every project and you can just use them if you need them, but today we want to learn about our own custom role. So I'll say, okay, create a role. You can give any name. Now the very important part is this role launch stage: Alpha, Beta, GA, Disabled. Alpha is when you're just creating a role and testing it. Beta is when you're confident that it will work, and GA is available and everybody can use it for production as well. For that, once you choose Alpha, you can click on Add permissions. This is a list of services. I'll say I want to work on Compute, so show me all the Compute-related list. So I say okay, I'm interested in these two roles, which are image user and instance admin. There are 288 permissions. Okay, I don't want all of them, I just want a few of them. I will just go ahead and choose. See this testing: I'm not going to choose the testing ones for my production use cases until they are supported by Google, so basically Google is also doing the testing. So I'll choose randomly a few options; while you work you know what you need, so as per your need you can select. So I just selected 17 permissions out of 288, removing the testing ones also. You can see this is the list of all Compute. Now I say that, okay, I also want to give the user or service account, whoever is going to use this role, a SQL viewer role because they have to talk to a database. So out of 41 I am going to give them users get, users list; also I'm going to give them 21, so total 27 permissions we have assigned for this particular role. This is how you can select roles.

Now you can see we have Compute and Cloud SQL together. We'll click on create. This will create a custom role for me in the Alpha phase. Okay, Alpha means we have just started testing it. You can edit it and you can have a meaningful name like, say, Cloud Sprint data science role. Okay, this is the name of our role. Just remember this Alpha phase. We say update it. You can see this role is created and it has a different logo, right, an org-level kind of logo. You have 27 permissions. It's created under this project. Okay, your role is created. So out of identity, role, resources, you are under this resource and your role is created.

Now you say okay, suppose I want to give it to a service account. First of all, let me choose this service account, the Jupyter service Dataproc service account, and I'll go to Custom and you can see the role which we just created is available here. We have Basic, we have Currently used, Custom. Custom is the custom role which we just created on data science prod. This particular role I'm going to save, so I attached the policy. So now the Jupyter notebook can do those 27 things which we just selected, and this particular service account can do them only on this project because the resource is a project, a project called data science prod. Okay, this is how you can create a custom role and use a custom role. That is the beauty of it: if you have created it at the org level you can use it at the org level also. That's how you create a custom role.

Now let's go ahead to IAM again and check whether I can attach the same role to a different group as well, because that question can come to your mind: is it unique to an identity? No, it's not; you can attach the role to anybody. The point of creating the custom role is that it can be used many times. So we just assign this to the data science group as well. You can see it is assigned to a service account and a user group also. So if you create a role which can be used by anybody, it can be used by anybody. That's the benefit of creating custom roles. Now let's go ahead, and we are confident that okay, it is fine, let's change it to General Availability or Beta and you can update it, which means anybody else can use it now. Okay, this is the benefit of, you know, keeping it in phases: when you are not confident, do not make it available.

Next is you can create a role from a role. You can have those 27 permissions and you can just add one more permission, because you don't want to give that single permission to anybody else; there's a new requirement. You will just go ahead and create from the role. Okay, that's the thing, that's how you can create a role from that. Cool, so now we just created it. Yeah, this is very important for the exam: gcloud roles copy. When you create a role in a project you can copy it to a different project. If you have created it in an organization you can copy it to any other project or organization as well. gcloud has also two more commands, which are copying in Alpha and Beta, so just for now understand you can copy roles from one project to another project or from org to org. That's the benefit of creating custom roles: you don't have to create it again and again. That's all about roles.

Now, do you think that this particular set of users within admin, how are we able to, you know, assign permissions so easily in GCP? Because Google identity is synced with GCP. But when you're working in a company you are not going to use this Google identity every time. Most of the companies are on LDAP, using Microsoft solutions to manage their accounts. How can you, you know, manage that sync, that whenever there's any change in your ADFS it should be in sync with your GCP project? It's a very, very hard task to do that. For that you need to automate this thing, because you cannot do it manually every time; you will be doing multiple things. To do that you can have an OU for this, and then Directory Sync is a service from GCP. You just need to come here; any third-party thing which you're using, you can use this. So, LDAP server if it is hosted on Google Cloud is option one, but mostly you will be in the option two case, where the LDAP server is hosted outside Google Cloud in your on-premises project. So these are the two ways to do it. The first way is that you can connect your on-prem VM to Google Cloud using Cloud VPN or Cloud Interconnect, and then you create a folder like, suppose, Google Cloud, and that particular folder will be synced with the directory of Cloud Identity Directory Sync. So every 15 minutes a job will run which will, you know, pick things from your ADFS and drop them here. And this is the place where you're going to add your directory and configure it. If you can do this, you can directly automate your user sync 24/7 without any manual intervention. That's how you design it in any corporate world, because nobody's going to do it manually. That's all. I don't have LDAP so I couldn't demo it properly, but these are the steps; it's not very difficult to do. Once you follow these three steps you'll be easily able to sync your users from LDAP to here. I hope that covers IAM pretty well, and we can move to the next topics.
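As an added example that is not from the video (the sample permission list, role id and project ids are constructed), this script performs the video's "keep only supported permissions" step on the JSON that `gcloud iam list-testable-permissions --format=json` returns, renders the role definition in the file format `gcloud iam roles create --file` accepts with the launch stage set to ALPHA, and emits the `gcloud iam roles create` and `gcloud iam roles copy` commands for the create-then-copy-to-another-project flow.

```python
import json

# Constructed sample of `gcloud iam list-testable-permissions ... --format=json` output.
# The names and support levels are made up for this demo; real output has the same shape.
TESTABLE_JSON = json.dumps([
    {"name": "compute.images.get", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "compute.images.list", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "compute.instances.get", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "compute.instances.newFeature", "customRolesSupportLevel": "TESTING"},
    {"name": "cloudsql.users.list", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "cloudsql.users.get", "customRolesSupportLevel": "NOT_SUPPORTED"},
])

VALID_STAGES = ("ALPHA", "BETA", "GA", "DISABLED")


def select_supported(testable_json, wanted):
    """Split the wanted permissions into (kept, dropped).

    Only permissions whose customRolesSupportLevel is SUPPORTED are kept; TESTING,
    NOT_SUPPORTED and unknown (mistyped) names are dropped so they never land in a
    production role silently.
    """
    levels = {p["name"]: p.get("customRolesSupportLevel", "")
              for p in json.loads(testable_json)}
    kept = sorted(p for p in wanted if levels.get(p) == "SUPPORTED")
    dropped = sorted(p for p in wanted if p not in kept)
    return kept, dropped


def role_yaml(title, description, permissions, stage="ALPHA"):
    """Render the YAML that `gcloud iam roles create ROLE --file=role.yaml` reads.

    Start in ALPHA as the video does; promote to BETA/GA with `gcloud iam roles update`
    once the role is proven. Rejects a stage gcloud would not accept.
    """
    if stage not in VALID_STAGES:
        raise ValueError(f"stage must be one of {VALID_STAGES}, got {stage!r}")
    lines = [f"title: {title}", f"description: {description}",
             f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in permissions]
    return "\n".join(lines) + "\n"


def gcloud_commands(role_id, project, target_project, role_file="role.yaml"):
    """Return the create and copy commands for a project-level custom role."""
    return [
        f"gcloud iam roles create {role_id} --project={project} --file={role_file}",
        f"gcloud iam roles copy --source={role_id} --source-project={project} "
        f"--destination={role_id} --dest-project={target_project}",
    ]
```

Run `select_supported` against the real `list-testable-permissions` output for your project and feed the kept list to `role_yaml`; the dropped list is what you should review by hand rather than wave through.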