This content explains Google Cloud Identity and Access Management (IAM) by breaking it down into three core questions: Who are you (identity), What can you do (roles), and On which resources. It emphasizes an enterprise-centric approach to managing access, focusing on groups and predefined roles for efficient and secure resource management.
Hi folks, welcome to Cloud Sprint. Today we are going to learn GCP IAM the Enterprise way. By the end of this video I'll be sharing five use cases which will help you to understand GCP IAM end to end, and that is the maximum of the scenarios which you'll be getting while working on GCP in any corporate.

What if I tell you that GCP IAM is all about these three basic questions: first is who are you, the second question is what can you do, and the third is on which resources. Let me break it down for you. How does IAM help me? IAM allows all the administrators to authorize and take action on specific resources, giving you full control and visibility to manage Google Cloud resources centrally. IAM is all about managing those resources efficiently and effectively. The "who are you" question is all about finding out who you are, which is your identity. "What can you do" is all about your role, your permissions, what abilities you have. Resources are mainly about the GCP infrastructure in this case.

If you go into more detail, the identities majorly used by any major corporate or Enterprise level user are these five categories. We will get into the detail of these identities later on. Then the second part is what can you do: there is a set of roles, each of which has a set of permissions included. Then you have resources: resources are inside your folder, inside your organization node, or within your GCP projects. If you can answer these three questions, you already have an IAM policy in place.

First is a Google account or Cloud Identity. A Google account represents a developer, an administrator or any other person; basically it has to be a human user, not a system, who is interacting or going to interact with Google Cloud. Any associated email address qualifies as a Google Cloud identity. For example, in the last video we created pushan@cloudsprint.in as our user, and then you also have an example from Gmail.

Second is a service account. A service account is an account for an application, services or a compute workload instead of an individual end user. So when a system is talking to a system, that's when you create a service account, for example a jupiter-das service account at your GCP project ID. Service accounts are not created at the org level; they are always created at the project level. However, a Cloud Identity can be created at the org level; generally it is created at the org level only.

The third type is a Google group. A Google group is a named collection of Google accounts and service accounts. Every group has a unique email address that's associated with the group, for example gcp-organization-admins. Now the fourth part is all authenticated users (allAuthenticatedUsers). This is about all authenticated users within the boundary of your organization within GCP. All right, if you need some resource to be made available for all of your organization's users, you can use this filter. The fifth and last majorly used part is all users (allUsers). This flag allows access to any resource for all authenticated and unauthenticated users, which is basically making it public. All right, just give it a scan: these are the only five kinds of users you are going to deal with while working with GCP.

Now you know what identity is and what the kinds of identities can be. All right, let's understand the next part, which is roles. A role is a collection of permissions. You cannot grant a permission to a user directly; instead you grant them a role. When you grant a role to a user or a group, you grant them all the permissions that the role contains. For example, you have a role called compute.instanceAdmin, and this role consists of all these permissions: to delete a compute instance, to get it, to list it, to stop and start it, to set the machine type, and many more. If you allocate this particular role to any group, they will be able to do all these operations on Compute on GCP. The extensive list of roles can be found at this particular location, which is cloud.google.com/.

Right, as we mentioned, a role is a collection of permissions. It has mainly three types. First is basic roles. These were created earlier, when Google Cloud was launched, and they have been carried since then, but it's definitely not recommended for you to use them in your production projects, and you should never ever use them. There are a few examples of it, like browser: browser allows you to see your folder structure, your org admin and all. Second is owner, who can do anything within your project, or in your organization if you've given it at that level. Then editor can do a little less, and viewer can just view stuff. So those are the basic roles. While learning you can definitely use them, but when you're designing systems for any Enterprise you are not going to use them, because they are too permissive and give a lot of options to any user, which is not recommended for the cloud.

Second is predefined roles: roles that give fine-grained access control compared to the basic roles. For example, if you just want to give Pub/Sub publisher to a particular user, you'll just assign roles/pubsub.publisher, so that person can only publish messages to that queue and nothing else. These predefined roles are already created, so you don't have to create them; that will save your time, and that is recommended as well: if a role already exists, we should use that rather than creating one.

Third is custom roles. A custom role has tailored permissions as per the need of our organization. If we want to create a role for one set of users, for example a DevOps user who can do five things, I'll add all those predefined roles in a custom role and I'll assign that custom role to a user. That's where a custom role helps, but generally we don't create one until we have a specific need. That's about roles.

So we understood the identity, we understood the roles; the last bit is understanding the resources. In the last video we created this structure, all right. What are resources? Resources are infrastructure in a Google Cloud project, classified under folders. In this case we created a domain as an org node, we created folders for DevOps and data science, and as per environment we created the folders. We also created four projects for these four segments. We don't have any resources yet, but when you create resources, that is something that will fall under this category. While assigning an IAM policy, as a best practice we make sure that we are not assigning any permission to an individual; it must be allocated to a group only. In a nutshell, identity plus roles, when attached to a resource, together is called an IAM policy.

All right, I'm just going to give you a quick walkthrough of IAM and then we can directly jump to the use cases, which will help you to understand. For this I need to go to IAM. IAM has a child menu over here: you can click on service accounts and you can create a service account, which we will create in one of the use cases. This is more about attaching the policy. Here, this is the set of default roles we already have; you can also create a custom role from here. You have identity, and this is the place where we attach the principal, which is any of the identities; this is a role, and when you attach it here it becomes an IAM policy. That's what we discussed in our PPT. Now let's jump to the use cases and try to understand how to do it in the real world.

The first use case is that three DevOps engineers and two data scientists have joined your team recently, and you need to provide them access to GCP. Let's do it. I'll go to GCP admin. Since they are new users, I have to create them. Let's go and create the first user, John Miller. I'll basically create the credentials and pass the email address here, so I'm passing the email ID as john.miller@cloudsprint.in. I'll click Add New User and his credential is created. In the same way I created five more users which are needed for this use case. So we had to create three engineers for DevOps and two for data science; that's what I have created, five new joiners in the company.

The second part is to give them access. Now that I have created John, let's check his access. When you go here you find out that within the organization node he cannot see anything. Okay, if he goes to IAM, John does not have permission to go anywhere or check anything, because so far we have not given him any permission specifically; we have just created his user within our organization, and it says that he has no active projects. That is really expected: until and unless given explicitly, no user should be able to access anything.

Now go ahead and create a group for DevOps engineers. I'm going to give the group name as gcp-devops-group; the same will be used as the email address, because that's basically the unique identifier while working with IAM. I'm going to give an owner, let's activate the security, and click on Next. When you click on Next you'll be asked to configure the access type. It has various categories: team, announcement only, restricted or custom. For this example we are going with restricted, because we want to control the way anybody can be added to the group. I'll choose restricted, I'm not going to allow outside members, and that's it: my gcp-devops-group is created.

I'll go and add members. I'll click on Add members. Let's check how many members we have: John, Kunal and Rahul as DevOps engineers. Let's add the three of them and click Add to group. We have added these three users, and Pushan as an admin. All right, now let's go ahead and create a group for data scientists also, which is Prateek and Matt. Let's create a group for them: gcp-data-science-group; the same will be used as the email address, which is @cloudsprint.in, with a description to refer to later on. You can have an owner. For security, again we're going to use the restricted one, and we just want that anyone in the organization can ask to join this group after approval. Let's add users similarly: I'll click on Add members, let's check the names, Prateek and Matt from the data science team, and add them to the data science group.

All right, so this is added. We have two groups now, we have all users in place. This is the first part of the task which was asked to be done. These users have access, but they are still not able to access anything; we just checked it here. You can see that the structure has a data science folder and the DevOps folder; data science has two projects, DevOps has two projects, respectively under dev and production. We want that only DevOps engineers should access the projects under the DevOps folder. I'll click and select DevOps, and in the project section, access. I'll go back and copy the group name, which is gcp-devops-group@cloudsprint.in; let's copy it and paste it. If sync is working fine we should be able to find it; yes, we could find it. For now let's give the viewer access. Okay, once viewer access is given, you can also give another role by clicking Add another role. Let's save it. Once you save it you'll see the GCP principal, which is the identity, viewer is the role, and the attachment is done at IAM: those are the three parts of IAM which we just explained during the PPT.

Let's log in with the credentials of John Miller and see what John can see. When you log in, change your organization. Awesome, you can see John has permission to view the DevOps dev and DevOps production projects; that is what was expected. A DevOps engineer is only able to see DevOps projects; he has no visibility on data science projects or any other folder structure. That is the minimum level of permission we wanted to give, and we have achieved it by doing this for DevOps. All right, this is the way: if you have groups already available, tomorrow you don't have to do it again, you just have to add new users or existing users to that group; you don't have to come to GCP. Now John can access buckets, John can see projects now, or anything, as a viewer. Let's sign out and also do the same stuff with the data science team, because the data science team also wants to see their projects. That's my use case one.

For that again I'm going to do the same thing. I'll go to gcp-data-science-group and copy it. Always remember this email address is your principal, the identity, and the members of this particular group should have viewer access on all the folders. Matt Hardy is from the data scientist team; let's go and check if he can see the projects of the data science folder. Welcome Matt, I'll accept it and let's go ahead and check if he has access to any projects now. Brilliant, he also has access to the data science projects now. He can go ahead and check the access. After attaching the credentials, we can go to IAM and check that Matt has read-only permissions to these two projects; earlier this group had nothing. So that's how we created groups, we attached the IAM permissions, and all these users can see only their respective projects. That's the way you do it the Enterprise way.

That is the end of use case one. I hope it was helpful. To reduce the size of the video I'm going to cover the remaining four use cases in the next video. Let me know in the comments if you liked the video or if there is something you could not understand; I'll be happy to answer. See you in the next video while we cover the remaining four use cases. Thanks for watching.
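Use case one above (viewer granted to a group on the DevOps folder, inherited by the projects beneath it, and nothing visible to the data science group) as an added example that is not code from the video or from Google: a small Python model of how an IAM allow policy answers the three questions. It also covers the project-level service account and the allUsers / allAuthenticatedUsers principals the video mentions. The example.com addresses, project and folder ids, and the permission sets inside each role are constructed assumptions (real predefined roles contain more permissions than listed here).

```python
# Added example (not code from the video): a miniature model of GCP IAM allow-policy evaluation.
# A binding is identity + role on a resource; bindings on a folder are inherited by its projects.
ROLES = {  # -> a subset of the permissions the real predefined roles contain
    "roles/viewer": {"resourcemanager.projects.get", "compute.instances.get", "compute.instances.list"},
    "roles/compute.instanceAdmin": {"compute.instances.get", "compute.instances.list", "compute.instances.delete",
                                    "compute.instances.start", "compute.instances.stop", "compute.instances.setMachineType"},
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
}
# Hierarchy from the video: org node > devops / data-science folders > projects (ids constructed).
PARENT = {
    "folders/devops": "organizations/cloudsprint",
    "folders/data-science": "organizations/cloudsprint",
    "projects/devops-dev": "folders/devops",
    "projects/devops-prod": "folders/devops",
    "projects/ds-dev": "folders/data-science",
    "projects/ds-prod": "folders/data-science",
}
# Group membership (constructed addresses on a placeholder domain).
GROUPS = {
    "group:gcp-devops-group@example.com": {"user:john.miller@example.com", "user:kunal@example.com", "user:rahul@example.com"},
    "group:gcp-data-science-group@example.com": {"user:prateek@example.com", "user:matt.hardy@example.com"},
}
# Bindings attached per resource: groups and service accounts, never an individual user.
BINDINGS = {
    "folders/devops": [("group:gcp-devops-group@example.com", "roles/viewer")],
    "folders/data-science": [("group:gcp-data-science-group@example.com", "roles/viewer")],
    "projects/devops-dev": [("serviceAccount:jupiter-das@devops-dev.iam.gserviceaccount.com", "roles/pubsub.publisher")],
}

def principals_for(member):
    """Every principal name a binding could use to match this caller."""
    names = {member, "allUsers"} | {g for g, ms in GROUPS.items() if member in ms}
    if member != "anonymous":               # anonymous callers match allUsers only
        names.add("allAuthenticatedUsers")  # any signed-in Google identity matches this one
    return names

def has_permission(member, permission, resource):
    """Walk from the resource up to the org node; a matching binding anywhere grants."""
    names, node = principals_for(member), resource
    while node is not None:
        if any(m in names and permission in ROLES[r] for m, r in BINDINGS.get(node, [])):
            return True
        node = PARENT.get(node)             # inherit from the parent folder / organization
    return False

def visible_projects(member):
    """Projects the member can at least view, i.e. what the console lists for them."""
    return sorted(p for p in PARENT if p.startswith("projects/")
                  and has_permission(member, "resourcemanager.projects.get", p))
```

Adding a user to a group changes what `visible_projects` returns without touching any binding, which is the point of granting to groups rather than individuals.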