0:08 in this video we are going to learn
0:10 about service account impersonation
0:12 impersonation means acting on somebody's
0:15 behalf and doing the job
0:18 I highly recommend you watch
0:21 service account part one this will
0:23 give you context for what we'll be talking
0:25 about in this video if you are
0:27 interested only in impersonation you can
0:29 continue watching this video as well
0:33 in the last video we did these four steps
0:35 where we created a service account we
0:37 assigned the role we downloaded the Json
0:40 key and authenticated gcloud with
0:42 service account and then uploaded and
0:44 downloaded the files
0:47 here the third step which is downloading
0:49 the Json key is not at all secure
0:53 because when you create a Json key it is
0:54 at risk because you are going to share it
0:58 with your teammates over email over file
1:00 system or however you want to share it
1:03 it has very very high potential to get compromised
1:07 to avoid this situation
1:10 Google provides us a better solution
1:12 which we are going to do now
1:15 that thing is called service account impersonation
1:19 what is impersonation so suppose John Miller
1:22 is a user
1:25 and John does not have permission to
1:27 create cloud storage
1:29 we have a service account which we
1:32 created in the last video which is bucket
1:35 read service it has the role of
1:37 service admin
1:39 John
1:41 only need a role called service account
1:43 token creator
1:46 once John has this role once you assign that
1:50 role John can impersonate the bucket read
1:53 service service account and create a
1:55 bucket on behalf of the service account
1:58 how will it be done when John tries
2:00 to create a bucket
2:03 of course John has to impersonate a
2:06 service account while doing it a token
2:07 will be generated
2:10 that token is a short-lived token it will
2:14 do the job and will close the session
2:17 that's how you can do the job without
2:19 generating the key and only generating a
2:22 token on an as-needed basis I'm going to
2:24 see this in action
2:27 but for now understand that anybody can
2:29 act as anybody provided the right set of permissions
2:32 in the lab we'll go ahead and see
2:35 quickly today's hands-on lab will be about
2:38 we'll assign the service account the
2:40 required permissions to create a bucket
2:42 we'll assign John Miller the required
2:44 permission to impersonate and create a token
2:48 strictly we are not going to generate
2:51 any service account because that's the
2:54 point of creating this video because you
2:56 should know how you will be working in
2:58 any company
3:02 the fourth step will be John Miller
3:05 will try to create a bucket using his
3:07 own credentials only by
3:09 impersonating a service account in the
3:12 last video we downloaded the
3:14 key activated the session and then we
3:17 copied and read and wrote the files to
3:19 the bucket but now I'm not downloading
3:21 any key I'll not be downloading any key
3:23 and then I'll show you how we can create
3:26 the bucket let's hit the labs now to see
3:28 these four steps in action
3:30 to the other side
3:33 in the last video we have created the
3:34 service account
3:37 bucket read service
3:41 we also have created a bucket
3:44 we downloaded the key and then we wrote
3:47 the files in this bucket
3:49 you can also see we assigned permissions
3:51 on the resource level which is just on
3:53 this particular bucket not on the overall project
3:57 this was the bucket name which we
3:58 created last time today
4:02 we are going to do something different
4:05 which is without generating the key how
4:06 can we
4:09 create a server or create a bucket
4:12 John Miller in this example John Miller
4:14 is one of the users from the devops group
4:17 he wants to create a bucket
4:19 but without assigning or generating the key
4:22 we have to use the service account
4:25 assign roles to both of them
4:28 and then John has to impersonate the
4:30 service account and then create this
4:33 cloud storage bucket
4:35 that will be the example
4:38 so let's go ahead and do it
4:41 so you go to the user directory and
4:44 you can see John Miller is here
4:48 and we will now go ahead and give the
4:51 required rights to John Miller
4:53 in fact before doing that
4:56 let's see what error we will get that
4:58 will help you to understand the error
5:00 also because that is
5:04 part of working on this area so we
5:06 ensure that we have logged in as John
5:09 Miller John Miller is a member of the devops group
5:13 yeah you can see John has low
5:15 permission he's part of this devops group
5:18 the devops group has viewer permission so
5:22 John can see all the
5:25 resources of this project but he cannot
5:28 do anything which in this case we
5:30 have to create a bucket so he should not
5:33 be able to create the bucket
5:35 you can see
5:39 that as we have logged in as John
5:42 I cannot create the bucket
5:45 when you go to the create
5:47 button you can see it is disabled
5:50 for John because he doesn't have the right to
5:52 create a bucket
5:55 now what we'll do we will open the Cloud
5:57 Shell session
5:59 in this Cloud Shell session we will
6:03 authenticate as John Miller we will log in
6:06 as John Miller and then try to create
6:09 the bucket in the last video what we did we
6:12 logged in as a user called pushkar
6:15 sharan at cloudspin.in downloaded the
6:18 key authenticated it and then created
6:20 using that service account but today we
6:23 are not going to download any key
6:26 yeah let me do gcloud auth list you can
6:29 see active the star means this is the active
6:30 account you can have multiple
6:33 authentications in place within one
6:35 Cloud Shell session
6:39 now since the session is set let me try
6:41 to create a bucket
6:43 of course from the UI I cannot create but
6:47 from the CLI can I the command is
6:51 gcloud storage buckets create and the
6:54 full bucket name it is trying to create
6:58 it oh I got the error and the error says
7:01 403 which is you do not have
7:04 storage.buckets.create access this is
7:06 what we wanted right we don't want to
7:10 give John any permission yet we want him
7:12 to create a bucket
7:14 and now
7:18 here comes the first part of our
7:21 example which is giving John and the
7:22 service account
7:25 required permissions
7:27 let's go ahead and give those
7:30 permissions to them
7:33 yep here you can go to service accounts
7:36 let's copy the full service account
7:39 email address because we have to
7:41 assign the required permissions to both
7:43 of them
7:46 now I want to give rights on the entire
7:50 project so I will create an IAM policy
7:53 over here the resource is this project the
7:55 principal is the service account and the
7:58 role will be storage admin because I
7:59 want to play with storage and I want to
8:02 create and delete buckets
8:05 without storage admin you have to create
8:07 a custom role but for this example
8:09 we can use storage admin
8:12 all right I'm just clicking save this
8:15 will attach these three
8:17 um as a set of IAM policy and create an IAM
8:19 policy for me
8:21 which means that this particular service
8:24 account will be able to create buckets
8:27 that is the first part of it
8:31 second what I'm going to do is I'm going
8:33 to assign permission to John Miller as
8:36 well because so far we have not given
8:38 any permission to John Miller he is a
8:40 viewer because he's part of a group
8:44 with that he cannot create a bucket
8:47 now comes the power of impersonation I
8:50 want to give John
8:51 the resource will be the data science project
8:55 so on project level John should be able
8:59 to create tokens which is impersonate as
9:04 others the role is called
9:07 service account
9:10 token creator
9:13 you can see impersonate service accounts
9:15 create auth tokens etc
9:18 so I am again attaching this policy so
9:20 this was one of the asks that assign
9:22 the required permission so we give John
9:25 service account token creator and we
9:27 give this service account storage admin
9:31 so John still doesn't have much permission
9:34 he can just create tokens but he cannot
9:38 create buckets directly yet
9:40 let's give it one more try can he do that
9:46 okay I'm gonna list the buckets to check
9:48 it again the first example of impersonation is
9:53 gsutil the GS util CLI used to communicate
9:56 with buckets I'm saying gsutil -i
9:58 which is impersonate the entire service
10:01 account name which we just gave the
10:04 storage admin right ls which means list
10:06 all the buckets
10:08 within this project
10:15 whether the service account has
10:18 access and if it has yes
10:21 you did get the response this time now
10:22 because you impersonated John
10:25 impersonated the service account
10:28 without generating the key
10:31 okay and he could get the output as gs
10:34 service account demo cloud sprint you
10:36 can see above you have just one bucket
10:42 that was the idea of impersonation so we
10:44 have just listed it to check the
10:47 connectivity that is if we can
10:49 list the buckets or not
10:54 now I am going to create the bucket
11:03 yeah let me click on enter the bucket
11:04 name is also fine yeah
11:09 oh again we are stuck with an error why
11:12 because again this time we tried to create
11:15 with John Miller's ID only
11:17 now we're gonna try again by
11:20 impersonating a service account
11:22 the command is gcloud impersonate
11:24 service account
11:25 yeah this time
11:28 you can see the bucket is created the
11:30 command is gcloud --impersonate-service-account
11:32 full email address storage
11:35 buckets create and the bucket name with gs://
11:39 double slash
11:42 this time the bucket is created
11:45 that's the reason because this time you
11:48 impersonated John impersonated the
11:50 service account that's why he could
11:52 access the rights the service account has
11:55 what happened in between it created a
11:57 token here you can see the bucket is
11:58 also created successfully
12:02 when you did this a token was created
12:05 when John submitted the request to the API a
12:08 token was created that token helped to
12:11 create this bucket yeah again you can
12:14 re-verify that only with this service
12:16 account token creator without generating
12:17 any key
12:20 any user can impersonate any user
12:25 and create any resource if the
12:27 service account has those permissions
12:29 that is the concept of impersonation
12:32 it's very very powerful you can use it
12:35 for doing your terraform deployments
12:38 your CI CD etc
12:41 a few documentation parts which I
12:43 wanted to highlight were you can
12:50 credentials with workload identity you
12:53 can also
12:57 see these CLI things which are get-iam-policy
13:00 set-iam-policy it is all under the service
13:01 account below the service
13:04 account you should practice these
13:06 commands because they are very important
13:08 for the exams
13:11 you can see how you can set an IAM policy
13:14 from the console or you can get you can
13:17 create delete describe these things you
13:19 must at least have a look before you
13:22 appear for the exam because these are important
13:27 the next bit is creating short-lived tokens
13:30 which we just did in the example you can
13:33 create short-lived tokens and that is
13:35 going to without generating a key you
13:38 can do a lot of stuff and
13:41 the last part is how do you impersonate
13:43 there are three ways to do it service
13:45 account user service account token
13:47 creator which we just did in this
13:50 example we generated a token and the
13:52 third is workload identity user it is
13:55 used for working with kubernetes pods
13:57 where you can authenticate your pod
14:01 with any service account that's the way
14:04 of impersonation that you work with GKE
14:08 this concludes IAM for this particular
14:10 exam which is the associate Cloud
14:13 engineer exam I have created
14:16 five videos about IAM
14:19 more than sufficient to cover the exam
14:22 you really need to know IAM by heart so
14:25 I really recommend you go through these
14:27 five videos and do practicals as well
14:30 that's really going to help you pass the
14:32 exam with this video all the foundational
14:33 work of creating an organization setting up
14:37 users understanding the roles and groups is
14:40 done now we'll be starting to learn one
14:44 service every week so that's the idea if
14:47 you like the content please subscribe to
14:49 my channel thank you very much for your