0:06 Hi folks, welcome to Cloud Sprint. Today
0:08 we are going to learn GCP IAM the
0:10 enterprise way. By the end of this video I'll
0:12 be sharing five use cases which will
0:15 help you to understand GCP IAM end to end,
0:16 and those are the maximum scenarios which
0:18 you'll be getting while working on GCP
0:20 in any
0:22 corporate. What if I tell you this: GCP
0:24 IAM is all about these three basic
0:27 questions. First is "who are you?", second
0:29 question is "what can you do?", and third is "on which
0:34 resources?" Let me break it down for you, and
0:37 how does IAM help me? IAM allows all
0:40 the administrators to authorize and take
0:42 action on specific resources, giving you
0:44 full control and visibility to manage
0:47 Google Cloud resources centrally.
0:50 IAM is all about managing those
0:52 resources efficiently and effectively. The "who
0:54 are you?" question is all about finding
0:57 out who you are, which is your identity.
0:59 "What can you do?" is all about your role,
1:01 your permissions, what abilities
1:04 you have. Resources are mainly about the
1:07 GCP infrastructure in this
1:11 case. If you go into more detail, identity
1:13 as used by any major corporate
1:17 or enterprise-level users falls into these five
1:18 categories which are
1:20 used. We will get into the detail of these
1:22 identities later on. Then the second part is
1:26 "what can you do?": there is a set of roles,
1:28 each of which has a set of permissions
1:30 included. Then you have resources.
1:34 Resources are inside your folder, inside
1:36 your organization node, or within your GCP
1:39 projects. If you can answer these three
1:41 questions, you already have an IAM
1:44 policy in place. First is Google account
1:47 or Cloud Identity. A Google account
1:50 represents a developer, an administrator
1:53 or any other person. Basically it has to
1:56 be a human user; it is not a system
1:58 that is going to interact
2:00 with Google Cloud. Any email address
2:03 associated with that qualifies as a
2:06 Google Cloud identity. For example, in the
2:08 last video we created Pushan at
2:11 cloudsprint.in as our user, and then you
2:13 also have an example from
2:16 Gmail. Second is service account. A
2:17 service account is an account for an
2:20 application, service or compute workload
2:23 instead of an individual end user. So when a
2:25 system is talking to a system, that's
2:27 when you create a service account, for example
2:32 Jupiter Das service at your GCP
2:34 project. Service accounts are not
2:35 created at the org level; they are always
2:37 created at the project level. However,
2:40 Cloud Identity can be created at the org
2:42 level; generally it is created at the org
2:44 level only. The third type is Google
2:48 group. A Google group is a named
2:49 collection of Google accounts and
2:51 service accounts. Every group has a
2:53 unique email address that's associated
2:56 with the group, for example GCP organization
2:58 admins. Now the fourth part is all
3:00 authenticated users.
3:03 This is about all authenticated users
3:05 within the boundary of your
3:08 organization within GCP. All right, if you
3:10 need some resource to be made
3:12 available to all of your organization's
3:15 users, you can use this filter. The fifth
3:18 and last majorly used part is all users.
3:22 This flag helps you allow
3:24 access to any resource for all authenticated
3:26 and unauthenticated users, which is
3:28 basically making it public. All right,
3:31 just give it a scan: these are the only five
3:32 kinds of users you are going to deal with while
3:34 working with
3:37 GCP. Now you know what identity is and what
3:40 the kinds of identities can be. All
3:42 right, let's understand the next part,
3:43 which is
3:46 roles. A role is a collection of
3:47 permissions. You cannot grant a
3:49 permission to a user directly; instead
3:52 you grant them a role. When you grant a
3:54 role to a user or a group, you grant them
3:56 all the permissions that the role
3:59 contains. For example, you have a role
4:02 called compute.instanceAdmin, and this
4:04 role consists of all these permissions: to
4:06 delete a compute instance, to get it, to
4:09 list it, to stop and start it, to set the machine
4:12 type, and many more. If you allocate this
4:14 particular role to any group, they will
4:16 be able to do all these operations on
4:18 Compute in
4:20 GCP. The extensive list of roles can be
4:23 found at this particular location,
4:25 which is cloud.
4:28 google.com/. Right, as we mentioned,
4:30 a role is a collection of
4:32 permissions. Okay, it has mainly three
4:35 types. First is basic roles. These were
4:38 created earlier, when
4:40 Google Cloud was launched, and they have
4:43 been carried since then, but they are
4:44 definitely not recommended for you to
4:46 use in your production projects, and you
4:48 should never ever use them. There are
4:50 a few examples of them, like browser: browser
4:53 allows you to see your folder
4:56 structure, your org admin and all. Second
4:58 is owner, who can do anything
5:00 within your project or in your
5:02 organization, if given at that level.
5:04 Then editor can do a little less, and viewer
5:06 can just view stuff. So those are basic
5:07 roles. While learning you can definitely
5:09 use them, but when you're designing systems
5:12 for any enterprise you are not going to
5:14 use them, because they're too permissive and
5:17 give a lot of options to any
5:19 user, which is not recommended for the
5:22 cloud. Second is predefined roles: roles
5:25 that give fine-grained access control compared to the
5:28 basic roles. For example, if you just want
5:30 to give Pub/Sub publisher to a
5:32 particular user, you'll just assign roles/
5:35 pubsub.publisher, so that person can
5:38 only publish messages to
5:40 that queue and nothing else. That's it, and
5:42 these predefined roles are already
5:44 created for the user, so you don't have to
5:46 create them, which will save your time,
5:48 and that is recommended as well: if a
5:50 role already exists, we should use that
5:53 rather than creating one. Third is custom
5:57 roles. This role has tailored
5:59 permissions as per the need of our
6:02 organization. If we want to
6:04 create a role for one set of users, for
6:06 example, a DevOps user can do five
6:08 things, I'll add all those predefined
6:10 roles in a custom role and I'll assign
6:12 that custom role to a user. That's where
6:15 custom roles help, but generally we don't
6:17 create them until we have a
6:20 specific need. That's about roles. So we
6:22 understood about identity, we
6:25 understood about roles; the last bit is
6:26 understanding resources. In the
6:28 last video we created this
6:31 structure, all right.
6:32 What are resources? Resources are
6:35 infrastructure in a Google Cloud project,
6:38 classified under folders. In this case we
6:41 created a domain as an org node, we
6:43 created folders for DevOps and data science,
6:45 and per environment we created the
6:48 folders. We also created four projects
6:51 for these four segments. We don't have
6:53 any resources yet, but when you create
6:57 resources, they will fall
6:59 under this category. While assigning an IAM
7:01 policy, as a best practice we make sure
7:03 that we are not assigning any permission
7:07 to an individual; it must be allowed or
7:09 allocated to a group
7:14 only. In a nutshell, identity plus roles,
7:15 when attached to a
7:18 resource, together is called an IAM
7:20 policy. All right, I'm just going to give
7:22 you a quick walkthrough of IAM and
7:24 then we can directly jump to the use
7:26 cases, which will help you to understand.
7:30 For this I need to go to IAM. IAM has a
7:33 child menu over here; you
7:35 can create service accounts: you can
7:37 click on Service Accounts and you can
7:39 create a service account, which we will
7:41 create in one of the use cases. This is
7:44 more about attaching the policy. If you
7:48 want to know how to see the
7:59 here. Okay, this is the set of default
8:01 roles we already have. You can also
8:04 create a custom role from here. You have
8:06 identity, and this is the place where we
8:10 attach the principal, which is
8:14 any of the identities. This is a role,
8:17 and when you attach it here it becomes an IAM
8:20 policy. That's what we discussed in
8:24 our PPT. Now let's jump to the use cases
8:25 and try to understand how to do it in
8:29 the real world.
8:34 The first use case is that you have
8:36 three DevOps engineers and two data
8:37 scientists who have joined your team
8:39 recently, and you need to provide them
8:43 access to GCP. Let's do
8:46 it. I'll go to GCP admin. Since they are
8:49 new users, I have to create them. Let's go
8:51 and create the first user, John Miller.
8:53 I'll pass, basically, the
8:55 credentials and email address here, so
8:58 I'm passing the email ID as john.miller@
9:00 cloudsprint.in.
9:02 I'll click Add New User; his credentials
9:06 are created. The same way I created five
9:09 more users which are needed for this use
9:13 case. So we had to create three
9:16 engineers for DevOps and two for data
9:18 science; that's what I have created:
9:20 five new joiners in the
9:24 company. The second part is to give them
9:27 access. Now that I have created John, let's
9:31 check his access. Can he?
9:33 When you go here you find out that
9:36 within the organization node he cannot see
9:40 anything. Okay, if he goes to IAM,
9:42 John does not have permission to go
9:44 anywhere or check anything, because so
9:46 far we have not given him any permission
9:49 specifically. We have just created his
9:51 user within our organization, and it
9:54 says that he has no active projects.
9:57 That is really expected: until and unless
10:00 given explicitly, no user should be able to
10:04 access anything. Now go ahead and
10:05 create a group
10:08 for DevOps engineers. I'm going to give
10:12 the group name as gcp devops group; the same
10:14 will be used as the email address, because
10:16 that's the unique identifier
10:18 basically while working with IAM. I'm
10:21 going to give an owner, and let's activate
10:24 the security and click on Next. When you
10:28 click on Next you'll be asked to
10:29 configure the access type.
10:31 It has various categories: team,
10:34 announcement only, restricted or custom.
10:36 For this example we are going with
10:38 restricted, because we want to control
10:41 the way anybody can be added to the
10:44 group. I'll choose restricted. I'm not
10:45 going to allow outside members, and
10:49 that's it: my gcp devops group is
10:52 created. I'll go and add members. I'll
10:54 click on Add Members. Let's check
10:56 how many members we have: John,
11:00 Kunal and Rahul as DevOps engineers.
11:02 Let's add the three of them. Click Add to
11:05 Group. We have added these three users,
11:09 and Pushan as an admin. All right, now
11:12 let's go ahead and create a group for
11:15 data scientists also, which is Pratique
11:18 and Matt. Let's create a group for them:
11:21 gcp data science group. The same will be used
11:23 as the email address, which is at
11:26 cloudsprint.in, with a description to refer to
11:30 later on. You can have an owner.
11:32 Security: again we are going to use the
11:35 restricted one, and we just want that
11:37 anyone in the organization can ask to join
11:39 this group after approval. Let's add
11:41 users from earlier. I'll click on Add
11:43 Members. Let's check the names: Pratique
11:45 and Matt from the data science team. Add
11:47 them to the data science
11:50 group. All right, so this is added. We
11:52 have two groups now; we have all users in
11:55 place. This is the first part of
11:58 the task which we were asked to do. These
12:00 users have access, but they are
12:02 still not able to access anything. We
12:05 just checked. In here you can see that
12:08 the structure has the data science folder
12:10 and the DevOps folder. Data science has
12:12 two projects, DevOps has two projects,
12:15 respectively under dev and production. We
12:17 want that only DevOps engineers should
12:19 access projects under the
12:22 DevOps folder. I'll select DevOps
12:24 in the project section, access. I'll go
12:27 back, copy the group name, which is gcp
12:29 devops group cloud.
12:33 Let's copy it and paste it. If sync
12:34 is working fine we should be able to
12:37 find it. Yes, we could find it. For now
12:39 let's give the viewer
12:42 access. Okay, once viewer access is given,
12:44 you can also give another role by
12:47 clicking Add Another Role. Let's save
12:51 it. Once you save it you'll see that the GCP
12:54 principal, which is the identity, viewer is the
12:56 role, and the attachment is done at IAM.
12:58 Those are the three parts of IAM
13:01 which we just explained during the PPT. Let's
13:03 log in with the credentials of John
13:05 Miller and let's see what John can see.
13:08 When you log in, change your organization.
13:11 Awesome, you can see John has permission
13:15 to view the DevOps dev and DevOps
13:17 production projects. That is what was
13:20 expected: a DevOps engineer is only able
13:23 to see DevOps projects. He has no
13:26 visibility on data science projects or
13:29 any other folder structure. That is the
13:31 minimum level of permission we wanted to
13:33 give, and we have achieved it by doing
13:37 this for DevOps. All right, this is the way:
13:39 if you have groups already
13:41 available, tomorrow you don't have to do
13:44 it again; you just have to add new users or
13:47 existing users to that group. You
13:49 don't have to come to GCP. Now you can
13:52 access the bucket. John can access the bucket now;
13:54 John can see projects now, or anything, as
13:56 a viewer. Let's sign
14:00 out and also do the same stuff with the data
14:03 science team, because the data science team
14:05 also wants to see their projects.
14:08 That's my use case one. For that
14:09 again I'm going to do the same thing:
14:12 I'll go to gcp data science group, copy
14:15 it. Always remember, this email address is
14:19 your principal and the identity, and
14:21 this particular member of this group
14:22 should have viewer access on all the
14:24 folders. Matt Hardy is from the data
14:27 scientist team. Let's go and check if he
14:32 can see the projects of the data science
14:36 folder. Welcome Matt. I'll accept it, and
14:38 let's go ahead and check if he has
14:41 access to any projects now. Brilliant, he
14:44 also has access to data science
14:46 projects now. He can go ahead and check
14:49 the access, if he can access after
14:52 attaching the credentials. We can go
14:56 to IAM and check that Matt
14:58 has read-only permissions
15:01 on these two projects;
15:04 earlier this group had nothing. So that's
15:07 how we created groups, we
15:09 attached the IAM permissions, and all
15:12 these users can see only their
15:14 respective projects. That's the way you
15:17 do it in the enterprise
15:19 way. That is the end of use case one.
15:21 I hope it was helpful. To reduce the size
15:24 of the video, I'm going to cover the
15:26 remaining four use cases in the next
15:29 video. Let me know in the comments if
15:30 you liked the video or if there is something you
15:33 want to understand; I'll be happy to answer.
15:35 See you in the next video, where we cover the
15:37 remaining four use cases. Thanks for watching.