This content explains Google Cloud Platform (GCP) service accounts, differentiating them from user accounts, detailing their types and uses, and providing a hands-on demonstration of their creation, key management, and application in accessing GCP resources like Cloud Storage.
Hi everyone, welcome to Cloud Sprint. Today we are going to learn about GCP service account types. You need to know IAM by heart to pass this exam, which is the GCP Associate Cloud Engineer exam. I hope you are following the IAM series I am making, and it is completely in line with the exam courseware.

In this video we will understand what service accounts are, how these are different from user accounts, what the types are and what the uses are. In the middle of this video we will start a hands-on session which will help you to understand the implementation in a bit more detail. Let's get started with the video today.
I'm sure by now you know what IAM is: it is a mixture of identity, roles and resources, but today we are going to focus only on identity, which is the service account.

What is a service account? We have done this in one of our videos, but since this video is all about service accounts: a service account is an account which is used by an application, a service or a compute workload instance instead of an individual end user, which means when you run code that's hosted on Google Cloud, that code runs through that particular account. For example, a service account can be attached to a Compute Engine VM which is running your application, and that VM can authenticate as the service account. Service accounts can be granted IAM roles as well.
When I started working on cloud I was very confused between user accounts and service accounts, because when you work in on-premises environments you understand that service accounts are basically an account which has a username and password and is used by a service, but when it comes to cloud it is a little different. So first, these four points will help you to understand how service accounts are different from user accounts.

Number one: service accounts do not have any passwords and cannot log in via browser or cookies.
Second: service accounts are associated with public/private RSA key pairs that are used for authentication to Google and for signing data.
Third: you can let other users or service accounts impersonate a service account.
Fourth: service accounts do not belong to a Google Workspace domain, unlike user accounts. In our past videos we have created a lot of users and groups, everything within the Google Workspace admin console, but service accounts are not created at that level, the org level; they are only created at the project level. We will see that in our labs as well.

With these four points, I hope it helps you to understand what a service account is and what user accounts are.
In this video the lab will be more around creating a service account: we will go ahead and create it, assign the role of storage read and write, then we'll download the JSON key, authenticate using gcloud and use that service account. We'll also create a bucket, upload files, and read and write. Let's get started with the lab and get our hands dirty.
To start with, we will choose the project. One thing I want to clarify here is that you cannot create a service account at the org level. To verify this, let me click on the organization cloudsprint.in; let me go to IAM & Admin and you can clearly see that the Service Accounts button is disabled. You cannot create any service account at the org level; this is important for the exam, so you only create it for the project. Let me choose a project now, which is data science prod.

Now I'm just seeing all the service accounts available for the data science prod project. I have already created one service account, and this is how the UI looks: you have the email, you have the status, you have the full name, the key ID, the key creation date if you have any, your client ID. You can check or uncheck if you don't need some of the columns; that's how you customize it. Let's go ahead and create one for the first use case.
Let me pass a name. So you need to pass a name and a description; the ID is created by default with the extension of your project ID, basically. So I say okay, this is my service account name, and you can see that the email address is created as bucket-read-service at the project's full name. Now the description is: this account will be used by a VM or a service to read from the bucket. Okay, that's the description, so I can recall it. I'll click on Create and Continue.

Now here, if I assign any role, it will be assigned at the project level, right? This is the difference: if you are assigning a role here, you are assigning it at the project level, which means any bucket being created within this project will have this access, Storage Admin or whatever storage object role you are creating. I'll just say okay, let's give it, and Done.
Now you see that one of the service accounts is created and an IAM policy is also attached, because it shows that role. If we didn't choose it during service account creation, this would not be here. Open it; once you open it you can see the email, the unique ID, the name which you've created. This is information you can use. Also you can go ahead and check the permissions; you see that all the permissions are inherited, so far you have a Viewer, you have an Owner. The first two use cases which we have covered: we have created a service account and we have assigned the role. Now, yeah, you can see we have assigned the role and created the service account. Now the third thing is downloading the JSON key and authenticating with gcloud.
For that you can do it two ways: either you can click it, or you can go from these Actions to Manage Keys. Keys will be used to log in and authenticate yourself. You'll click on Add Key. One thing to know is that service account keys could pose a security risk if compromised, so Google itself is not recommending you to create a key, but while learning it you can definitely use it. There are better ways to do it which we'll cover in the next videos, but for now we will create a key. The key type will be JSON; P12 is for backward compatibility, but for this example we'll be using this one. I just saved the private key to my desktop, and I'll use that private key to authenticate ourselves to Google Cloud. Now what should be the next step? So we have created a service account, given the required permission, created a key and downloaded the key.
Now the thing is Cloud Shell. I'll click on Cloud Shell. Cloud Shell is free for all users; it has gcloud, the SDK, an editor, everything pre-installed. It is free for everybody, whoever the user is, and you can do many things. I mean, I love this tool because it's the fastest and easiest way to communicate with Google Cloud. Now I'll say gcloud auth list; it will ask me to authenticate myself, who am I. I'll just enter my password. Once I enter my password it will authenticate me and tell me that your current active account is pushkar at cloudsprint.in, which is that.
Now it also has an option to upload or download a file. I am going to upload it. If I say Upload, it will ask you to choose a file and tell it the destination. I just uploaded the JSON key which we have downloaded for the service account. Okay, its destination is /home/pushkar; it will just upload to that particular location. I'll just click on Upload. Once you click on Upload it will copy that particular key to /home. Let's go to that location and see if the key is copied. Yep, you can see the key is copied. Now we have transferred the key from local to Cloud Shell by the simple upload utility of Cloud Shell. Now I will first of all activate this service account. As you have already seen, pushkar was in use, but now I'll use this command to activate the service account, so whatever roles or permissions this particular service account has, I can use them.
The command is gcloud auth activate-service-account, then the full email address of your service account, --key-file with your key file location, and --project with the project name. Please note you need to pass the full project ID, not just the name. Once this is done you will see that initially pushkar was the active account. I'll just press Enter. Let me re-verify again: the service account, the key file is correct, and the project name is also correct. I just press Enter and it will show "Activated service account credentials for" this particular service account. I'll say gcloud auth list; you can see that our service account is now active. When you see a star, the star means this is the active one. We are done with the third step as well.
The fourth step is to create a file and upload it to the bucket. Let's do the fourth one. For doing the fourth one we have to create a bucket. I'll go to Storage; let me go to Storage, Buckets, click on Create. The name has to be unique, as you might know; if you don't know, we'll cover it in the next videos in detail. This name has to be unique, so let me make it ...-cloudsprint, which must be available. Not focusing much, just click Next, Next, Create. Yeah, it shouldn't be public, of course.

When you go to the bucket you see that the bucket already has permissions because it is inheriting from the project level. That's what I mentioned while we were assigning the role while creating the service account: if your resource is the project, then all buckets inside this project will have the access. If you do it at the resource level it will be only at the resource level. So I came to IAM and I'm removing this, because I want the specific permission only on the bucket, not on all upcoming buckets. Okay, I removed it from the IAM attachment; I removed it, and I am coming back to my bucket permissions.
I'll click on Grant Access. Okay, when you click on Grant Access I will just drop in my service account name, and I'll pass the role of Storage Admin because I want to communicate with Google Cloud Storage. Now you can see this particular permission is done at the resource level, which is just the bucket; earlier it was at the project level, which was very wide. This is the best way. Now I'm going to upload a file, so I just uploaded a JSON file, a random file. You can also see the configuration that you have: gsutil. gsutil is to communicate with your GCS, which is Google Cloud Storage; it's an API, through API calls you can communicate. When I say ls you can see that, first of all, you are able to talk to the bucket; you can list the files inside the bucket, which means the service account which we activated, the permissions were set rightly, and we can connect to GCS and list the files inside it.
When you get the files, it's from local. The key looks something like this; the private key looks something like this, which has all of the mechanism for how to create a token and all the private information to make the connectivity. Now I'm going to ls again. Once I ls it, you can see that... yeah, if I come back to my Cloud Shell I'm going to say gsutil cp. So I'm going to copy this service account key from the bucket; for that I have to say dot. So what I'm saying is I'm copying the service account key from the bucket to my local. So it has copied. Let me say ls -lrth to check the timing; yeah, it's 8:26. Yeah, the last copy is at 8:26, just now, so we are able to copy. Also the requirement was to give read and write. Now I'm uploading one more file in this location. I could copy, which means I can read; I want to write now.
I just uploaded a file, draw.io, inside my Cloud Shell home directory. I'm going to say gsutil cp, the file name and the location. The location could be your gsutil URI; please note you need to give gs:// (gs, colon, slash, slash), otherwise the location will not be picked up. So I'm copying it to test permissions. Yes, I can copy also. So that was the requirement, right, that you had to copy and you had to read and write, and you are able to do both. That was the first task.
Now let me go ahead. Yeah, so we are done with the fourth step as well. One thing I want to show you: once you remove the access at the bucket level, by mistake or for testing purposes, what kind of error will you get? So now when you try to copy you will see that AccessDeniedException: 403 is coming. When you get this error you should know that that's why you are not able to write, and you need to work on fixing your permissions. Even if you do ls you will not be able to even read or write anything. Now again, for the purpose, I'm going to assign the permission again because we have the rest of the things to be done. Now I'll say okay, give Storage Admin. Yeah, again let me check the permission is added; yes, you can list how many files that particular bucket has, you can read, you can write. That is how you control IAM on specific resources rather than a blanket approval on a project or the org level. Ultimately we have to work on the minimum permission level.
Once your work is done, suppose you are done with your work, you are going to delete this because you don't want this to be misused. For security purposes, first of all you don't create it; if you create it, you must delete it once your work is done. That is all about service accounts; we are done with these four steps. I really hope this was helpful and you can do your hands-on session, and just comment if you are stuck anywhere; I'll be happy to help. If you're liking my GCP playlist and other videos, consider subscribing to my channel. Thanks for watching.
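The two security points the lab turns on are the scope of an IAM binding (a role granted on the project is inherited by every bucket in it, a role granted on one bucket applies only there, and without a storage role gsutil answers with AccessDeniedException: 403) and the shape of the downloaded JSON key that gcloud auth activate-service-account consumes. The following Python is an added example, not code from the video or from Google; it models that inheritance with a toy policy and replays the lab's grant, move-to-bucket and revoke steps, and it checks a constructed key file for the fields gcloud expects. The role-to-permission table is trimmed to the permissions the lab exercises, the project ID, bucket names and key contents are placeholders, and the 403 message is modelled on gsutil's wording rather than produced by it.

```python
import json
from typing import Dict, List, Set, Tuple

# Permissions each role carries. Assumption: trimmed to what this lab uses;
# the real roles carry many more permissions.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.admin": {"storage.objects.list", "storage.objects.get",
                            "storage.objects.create", "storage.objects.delete"},
    "roles/storage.objectViewer": {"storage.objects.list", "storage.objects.get"},
}

# What each gsutil operation from the lab needs on the target bucket.
OPERATION_PERMISSION = {
    "ls": "storage.objects.list",        # gsutil ls gs://bucket
    "download": "storage.objects.get",   # gsutil cp gs://bucket/file .
    "upload": "storage.objects.create",  # gsutil cp file gs://bucket/
}

Binding = Tuple[str, str, str]  # (resource, role, member)


class IamPolicy:
    """Bindings keyed by resource; a bucket inherits its project's bindings."""

    def __init__(self) -> None:
        self.bindings: Set[Binding] = set()

    def grant(self, resource: str, role: str, member: str) -> None:
        self.bindings.add((resource, role, member))

    def revoke(self, resource: str, role: str, member: str) -> None:
        self.bindings.discard((resource, role, member))

    @staticmethod
    def ancestors(resource: str) -> List[str]:
        # "projects/p/buckets/b" -> ["projects/p/buckets/b", "projects/p"]
        parts = resource.split("/")
        return ["/".join(parts[:i]) for i in range(len(parts), 0, -2)]

    def effective_permissions(self, member: str, resource: str) -> Set[str]:
        """Union of permissions from bindings on the resource and its ancestors."""
        perms: Set[str] = set()
        for res in self.ancestors(resource):
            for (r, role, m) in self.bindings:
                if r == res and m == member:
                    perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def gsutil_result(policy: IamPolicy, member: str, bucket_resource: str, operation: str) -> str:
    """Return 'OK' or a message modelled on gsutil's AccessDeniedException."""
    needed = OPERATION_PERMISSION[operation]
    if needed in policy.effective_permissions(member, bucket_resource):
        return "OK"
    bucket = bucket_resource.rsplit("/", 1)[-1]
    return (f"AccessDeniedException: 403 {member} does not have {needed} "
            f"access to the Google Cloud Storage bucket {bucket}.")


def lab_walkthrough() -> Dict[str, str]:
    """Replay the lab: project-level grant, move to bucket level, then revoke."""
    project = "projects/PROJECT_ID"  # placeholder, not the video's real project
    sa = "serviceAccount:bucket-read-service@PROJECT_ID.iam.gserviceaccount.com"
    lab = f"{project}/buckets/lab-bucket"        # constructed bucket names
    other = f"{project}/buckets/future-bucket"
    p = IamPolicy()
    out: Dict[str, str] = {}
    # Role chosen on the Create and Continue screen lands on the project,
    # so even a bucket created later is readable.
    p.grant(project, "roles/storage.admin", sa)
    out["project-level, other bucket ls"] = gsutil_result(p, sa, other, "ls")
    # Remove the project binding and grant on the one bucket instead.
    p.revoke(project, "roles/storage.admin", sa)
    p.grant(lab, "roles/storage.admin", sa)
    out["bucket-level, lab bucket upload"] = gsutil_result(p, sa, lab, "upload")
    out["bucket-level, other bucket ls"] = gsutil_result(p, sa, other, "ls")
    # Remove the bucket binding too: the 403 the video shows on cp and ls.
    p.revoke(lab, "roles/storage.admin", sa)
    out["no grant, lab bucket ls"] = gsutil_result(p, sa, lab, "ls")
    return out


# Fields a service account JSON key carries that gcloud relies on.
REQUIRED_KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key",
                       "client_email", "client_id", "token_uri"}


def check_key_file(text: str) -> List[str]:
    """List problems with a downloaded JSON key before passing it to --key-file."""
    data = json.loads(text)
    problems = [f"missing field: {f}" for f in sorted(REQUIRED_KEY_FIELDS - set(data))]
    if data.get("type") != "service_account":
        problems.append("type is not service_account")
    if not data.get("private_key", "").startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM block")
    return problems


# Constructed sample with a placeholder key body; not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "PROJECT_ID",
    "private_key_id": "KEY_ID_PLACEHOLDER",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "bucket-read-service@PROJECT_ID.iam.gserviceaccount.com",
    "client_id": "0", "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print("key file problems:", check_key_file(SAMPLE_KEY) or "none")
    for step, result in lab_walkthrough().items():
        print(f"{step}: {result}")
```

Running the block prints the same sequence the video walks through: the project-level grant answers OK on a bucket that did not exist when the role was given, the bucket-level grant answers OK only on that bucket, and the final revoke reproduces the 403 on ls.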