0:06 hi everyone welcome to Cloud Sprint
0:08 today we are going to learn about GCP
0:11 custom roles since this topic is really
0:13 important for the GCP Associate Cloud
0:16 Engineer exam we'll take this further
0:19 and explain to you a step-by-step guide so
0:21 it becomes very easy while you prepare
0:23 by the end of this video you will also get
0:26 to learn how you can sync your LDAP
0:31 users to GCP to have an automated
0:34 sync between your LDAP and GCP projects
0:36 without any delay let's get started with
0:46 today so far we have applied permissions at
0:48 the org level at the folder
0:53 level or at the project level these are
0:56 three places where we apply IAM policies
0:58 also at the resource
1:01 level just a quick recap if you want to
1:05 see which person has or which group
1:07 has what permission you will come to IAM
1:10 principal is your identity role is
1:12 what you can do your capabilities
1:14 and this is your
1:17 resources okay this resource tells you
1:20 where you can do what and who can
1:24 do that it is all about IAM policy if
1:27 you click on Grant access for example
1:30 you can see resource is data science prod
1:32 project if it's a folder it will come as a
1:35 folder this principal means a user group
1:38 domain service account and then you have
1:41 at last role role is your capability we
1:44 learned about basic roles we learned about
1:46 predefined roles which are already
1:50 provided by Google we learned uses of
1:54 these two roles but today we are
1:57 going to learn a more specific thing
1:59 which is called custom role so yeah
2:01 these three aspects I think you have so
2:04 far understood very well and you can do
2:08 anything for custom role we will just
2:11 give a quick recap that go to IAM you
2:15 know IAM permissions custom roles and
2:18 all and you can see that IAM basic and
2:20 predefined roles reference you can see
2:23 these three roles are here owner
2:25 viewer then this is the predefined role
2:28 which Google has prepared for
2:31 us which is very specific to services if
2:33 you want to just see any specific
2:35 service like Cloud Composer you can
2:38 select it and all permissions for that
2:41 particular service will be available
2:44 here that is the benefit of predefined
2:46 roles but then there will be some
2:49 situations this is the complete list of
2:52 all the services which we have like
2:56 Cloud Spanner SQL Compute Engine you
2:58 want to give somebody just admin you can
3:00 give just admin or maybe just image
3:02 user there could be a situation when I
3:05 just want to use three permissions from
3:09 this three permissions from image user
3:12 or just three permissions from admin
3:15 part then how can I handle that kind of
3:19 situation custom role is all about that
3:21 which we are going to learn so suppose
3:25 we need to give
3:29 somebody a GCP BigQuery role and a Compute
3:30 role
3:32 and Dataproc
3:36 role and we cannot use these predefined
3:41 roles because it will give you too much
3:45 permission support level has three phases
3:47 one is supported testing and not
3:50 supported for production use cases we
3:53 are only going to use the roles which
3:57 are supported okay this is a list of
4:00 the supported ones or not supported ones or
4:03 which are just in testing this is to help
4:07 us with how we are going to
4:11 create our role without
4:13 making any fault with the testing one it
4:15 is just a flag for
4:19 us so I think it's time to go
4:21 ahead and create a custom role and get
4:24 our hands dirty for that I'll click on IAM
4:27 & Admin and
4:29 Roles here you can see a
4:33 list of already available roles okay
4:36 this is created by Google in every
4:38 project and you can just use them if you need
4:41 them but today we want to learn about
4:42 our own custom role so I'll say
4:44 okay create a
4:53 role you can give any name now the very
4:56 important part is this role launch
4:59 type Alpha Beta GA disabled Alpha is
5:01 when you're just creating a role and
5:04 testing it beta is when you're confident
5:08 that it will work and GA is available
5:10 and everybody can use it for production
5:13 as well for that once you choose Alpha
5:16 you can click on Add permissions this is
5:18 a list of services I'll say I want to
5:22 work on Compute so show me all the
5:25 Compute related list so I say okay
5:28 I'm interested in these two roles which
5:30 are image user and instance
5:34 admin there are 288 permissions okay I
5:37 don't want all of them I just want a few
5:40 of them I will just go ahead and choose
5:42 see this testing I'm not going to choose
5:44 the testing one for my production use
5:48 cases until it is supported by Google so
5:50 basically Google is also doing the
5:53 testing so I'll randomly choose a few
5:55 options while you work you know what you
5:58 need so as per your need you can select
6:01 so I just selected 17 permissions out of
6:04 288 I'm removing the testing ones
6:07 also you can see this is the list of all
6:10 compute now I say that okay I also want
6:13 to give the user or service account
6:15 whoever is going to use this role a SQL
6:17 viewer role because they have to talk to
6:21 a database so out of 41 I am going to
6:24 give them users get users list also I'm
6:26 going to give them 21 so total 27
6:29 permissions we have assigned for this
6:32 particular role this is how you can select
6:35 roles now you can see we have compute
6:38 and Cloud SQL together we'll
6:40 click on create this will create a
6:44 custom role for me in Alpha phase okay
6:46 Alpha means we have just started
6:49 testing it you can edit it and you can
6:52 have a meaningful name like say Cloud
6:59 Sprint data science role okay
7:01 this is the name of our role just
7:04 remember this Alpha phase we say update
7:07 it you can see this role is created and
7:10 it has a different logo right a
7:13 label kind of logo you have 27
7:15 permissions it's created under this
7:20 project okay your role is created so
7:24 out of identity role resources you are
7:27 under this resource and your role is
7:31 created now you say okay suppose I
7:32 want to give it to a service account
7:35 first of all okay let me choose this
7:37 service account Jupyter service Dataproc
7:40 service account and I'll go to
7:42 custom and you can see the role which we
7:44 just created is available here we have
7:48 basic we have currently used custom
7:50 custom is the custom role which we just
7:53 created on data science prod this
7:55 particular role I'm going to save it so
7:58 I attached the policy so now Jupyter
8:00 notebook can do those 27
8:04 things which we just selected in that
8:06 and this particular service account
8:08 can do only on this project because
8:11 resource is a project project called
8:15 data science prod okay this is how you
8:17 can create a custom role and use a
8:21 custom role that is the beauty of it
8:23 if you have created it at the org level
8:26 you can use it at the org level
8:31 also that's how you create a custom role
8:33 now let's go ahead
8:39 to IAM again and check out whether I can
8:41 attach the same role to a different
8:44 group as well because that question can
8:46 come to your mind that is
8:50 it unique to an identity no it's not you
8:53 can attach the role to anybody the point of
8:54 creating the custom role is it can be used
8:57 many times so we just assign this to
9:00 data science group as well you can see
9:03 it is assigned to a service account and
9:06 a user group also so if you
9:08 create a role which can be used by
9:10 anybody it can be used by anybody that's
9:14 the benefit of creating custom roles now
9:17 let's go ahead and we are confident that
9:19 okay it is fine let's change it to
9:22 generally available or beta and you can
9:25 update it so which means anybody else
9:29 can use it now okay this is the benefit
9:33 of keeping it in phases
9:35 when you are not confident do not make
9:36 it
9:39 available next is you can create a role
9:41 from a
9:44 role you can have those 27 permissions
9:46 you can just add one more
9:49 permission because you don't want to
9:51 give that single permission to anybody
9:53 else there's a new requirement you will
9:56 just go ahead create from the
10:00 role okay that's the thing
10:04 that's how you can create a role from
10:09 that cool so now we just created it yeah
10:12 this is very important for the exam
10:14 gcloud roles copy when you create a role
10:16 in a project you can copy it to a
10:19 different project if you have created it in
10:22 an organization you can copy it to any
10:25 other project or organization as well
10:29 gcloud also has two more commands which
10:32 are copy in alpha and beta so just for
10:34 now understand you can copy roles from
10:37 one project to another project or from org
10:40 to org that's the benefit of
10:42 creating custom roles you don't have to
10:45 create it again and again that's all
10:56 about roles now do you think that this
10:59 particular set of users
11:04 within admin how are we able to
11:08 assign permissions so easily in GCP
11:12 because Google identity is synced with
11:15 GCP but when you're working in a company
11:18 you are not going to use this Google
11:20 identity every time most of the
11:24 companies are on LDAP using Microsoft
11:26 solutions to manage their accounts
11:29 how can you manage that sync
11:32 so that whenever there's any change in your
11:34 ADFS it should be in sync with
11:37 your GCP project it's a very very hard
11:40 task to do that for that you need to
11:42 automate this thing because you cannot
11:45 do it every time manually you will be
11:48 doing multiple things to do that you can
11:52 have an OU for this OU
11:55 and then Directory Sync is a service
11:59 from GCP you just need to come
12:02 here for any third party thing
12:03 which you're
12:06 using you can use this so LDAP server if
12:08 it is hosted on Google Cloud option one
12:11 but mostly you will be in the option two
12:14 case where the LDAP server is hosted outside
12:16 Google Cloud in your on-premises project
12:19 so these are the two ways to do it first
12:22 way is that you can connect
12:25 your on-prem VM to Google
12:27 Cloud using Cloud VPN or Cloud
12:29 Interconnect
12:31 and then you create a folder like
12:34 suppose Google Cloud and that particular
12:38 folder will be synced with directory of
12:41 Cloud Identity Directory Sync so every
12:45 15 minutes a job will run which will
12:49 pick things from your ADFS and drop
12:51 it here and this is the place where you're
12:53 going to add your directory and
12:56 configure it if you can do this you can
13:01 directly automate your
13:04 user sync 24/7 without any manual
13:08 intervention that's how you design it in
13:11 any corporate world because
13:13 nobody's going to do it manually that's
13:15 all I don't have LDAP so I couldn't demo
13:18 it properly but this is the step it's
13:20 not very difficult to do once you follow
13:22 these three steps you'll be easily able
13:25 to sync your users from LDAP to here I
13:29 hope that covers IAM pretty well and
13:31 let's move to the next topics