0:12 Ty, roles, resources. We also did an
0:14 extensive use case.
0:16 As promised, in this video we are gonna
0:19 do the remaining four use cases, which will
0:22 help you to work on any real-world use
0:23 case while you're working with Google
0:31 In use case 2 you need to enable the DevOps
0:34 group to be automatically added as a
0:35 viewer wherever any new project is
0:37 created in the organization, as they need to
0:39 monitor.
0:42 So for any project created anywhere, the DevOps
0:44 team needs to be added as a viewer. That's
0:45 the ask.
0:48 For this we need to add the DevOps group
0:51 at the organization layer. How? Let's go
0:54 and check it out. Go to the GCP console.
0:56 We need to select the organization. Why?
0:58 Because we want all further upcoming
1:00 projects to also give access to
1:02 DevOps engineers.
1:03 First thing
1:05 is that in the first use case, what we
1:09 did: we gave permission on the data
1:12 science to the data science group and DevOps
1:13 to DevOps.
1:15 For this I'm gonna go to the organization.
1:18 Let's copy the group of DevOps engineers.
1:21 I copied it, and let's click on Grant access.
1:25 Resource is called screen.in, identity is
1:28 your group, and for this: viewer. Submit it.
1:31 Once you add this identity, attach this
1:33 IAM policy.
1:36 Let's check now if the DevOps
1:38 engineers have access to data science
1:41 projects as well or not, because earlier
1:44 they had no access. Now we have added it at the
1:46 org level, which means that to every project
1:48 by default
1:50 DevOps engineers will be added. John
1:52 Miller is from the DevOps engineers group. Let's
1:55 try to log in as John and see if John
1:58 has permission to data science projects
2:00 or not.
2:03 Let's open the projects. Clearly you can
2:06 see now John can see DevOps and data
2:08 science projects together.
2:11 That's how you manage
2:14 resources, that's how you manage our
2:16 identity and that's how you manage roles.
2:18 Now I want to create one more project
2:21 and showcase that, you know, upcoming
2:23 projects will also have the same role
2:25 applicable. I'll create the billing
2:27 account, creating a project. Once you
2:29 create a project,
2:31 this is by default created under the
2:33 organization. The name is test project;
2:35 you can see it's out of the folder, it's
2:38 not even in the folder. And now go back
2:42 to John's dashboard and see if John can
2:45 see the new project or not. Yes, John can
2:48 see test project, which means the
2:49 permission which we set at the org level
2:52 is working for existing projects plus
2:55 upcoming projects. That's the benefit of
2:59 doing it at the org level. That is it.
3:05 In use case 3, the first ask is to
3:08 allow data science engineers owner
3:09 access on the dev projects, because we
3:11 want to set them free under their projects,
3:15 but when it comes to production we want
3:17 to restrict the users.
3:20 Data scientist groups should only have
3:22 read-only access in the production project:
3:25 three roles. First is Compute Viewer,
3:27 second is Storage Viewer, third is Vertex
3:30 AI Viewer. All right, how are you going to
3:32 do it? Let's see at the labs. So I'll go
3:34 to the data science
3:36 folder and dev folder, because I have to
3:39 give the owner access on the development
3:41 project. So if today I have one project,
3:43 tomorrow I can have 10 projects. For that
3:46 I'll go to IAM of that particular folder
3:47 where I have to give the default
3:51 permission, and you can see this
3:53 permission, viewer, is already inherited
3:56 from the data science folder, and dev is
3:58 inside the data science folder. Now I'm gonna
4:02 give the owner role on the dev project. Okay,
4:06 now any project inside the dev folder of
4:09 data science has owner for data
4:12 scientists, and in production they have
4:14 just viewer access. You can see
4:17 production just viewer, and dev you have
4:19 owner.
4:23 First step was to do that, and that's how,
4:25 very very simply, you can have different
4:28 permissions for different folders. That's
4:30 the benefit of creating our organization
4:32 at the start only.
4:34 And Matt is from the data scientist team.
4:49 In Matt's console you can see Matt is not
4:51 able to do anything at all, just a viewer.
4:55 When he switches to dev he can create,
4:56 he can create a bucket, he can grant
4:58 access, because he's owner in the dev project.
5:01 That's the difference we wanted to
5:03 create with the first use case, because
5:06 your engineers have more permissions
5:08 in dev but fewer permissions in prod.
5:11 That's how enterprise-level use
5:13 cases are generally.
5:15 Second is to allow data science
5:19 engineers to access only the below
5:21 services in production projects, so
5:23 we're going to give Compute Viewer,
5:25 Storage Viewer, Vertex AI Viewer.
5:28 Let's go to the console.
5:31 For this I need to give it on production, so
5:34 I'll go to the production project.
5:41 Provided the ID, the three roles which I
5:43 have to give: first is Compute Viewer.
5:48 Let me scroll, yeah, first. Second one is
5:51 Storage Viewer,
5:54 select the Storage Viewer.
5:59 Third is Vertex AI Viewer; it's an ML/AI
6:01 solution from GCP,
6:04 a managed one. So I added all three
6:06 permissions, and viewer is already coming
6:09 from the data science folder, so top to
6:12 bottom it inherited itself. That's
6:15 how you're going to give
6:17 different permissions at different
6:22 levels. Now your data scientists can just
6:25 see production projects.
6:31 In use case 4 we need to create a
6:33 service account for Jupyter Notebook to
6:35 be used by a VM when it will be created
6:37 for data scientists. We need to attach the
6:40 below roles to the service account: first
6:43 is Compute Instance Admin, second is
6:45 Cloud Scheduler user.
6:47 Let's hit the labs and see how we can do it.
6:53 I'll go ahead and select the project,
6:56 and let's create it in data science dev.
6:58 I'll go to service accounts, create a
7:01 service account. The ask is to create it
7:03 for Jupyter notebooks, I'll say it right
7:07 in any name of the service account.
7:09 This is your email address for the
7:11 service account, which you'll use for all
7:13 accesses. Description: to be used...
7:16 Create and continue. I can also assign a role
7:18 over here, or I can attach it later under
7:20 IAM. Also, let's give the roles over here
7:23 only. First is Compute Admin, Instance
7:26 Admin, so it's a very powerful role with which
7:29 you can control compute, and second is
7:32 Cloud Scheduler user, so let's select
7:37 Cloud Scheduler Job Runner. Yeah, done.
7:43 Let's continue that and hit on done.
7:46 That will create the Jupyter notebook
7:49 service account. You can go to IAM, it's
7:51 already attached because we submitted the
7:52 form.
7:57 Always note it is at the project level
7:59 only, and that is how you always create
8:02 service accounts and assign a role, and
8:03 you can use this service account while
8:05 creating your resources.
8:15 which is to create a bucket and
8:17 configure the access for authenticated
8:19 and unauthenticated users, which is
8:22 basically making it public. We also need
8:25 to name our bucket cloudsprint-public-bucket.
8:29 We have to assign a label, we have to
8:32 give a class as regional. All right, in
8:34 the next video, while we go through the
8:37 storage options, this example will be
8:39 really helpful. All right, without delay
8:41 let's hit the labs and let's find out
8:42 how to do it.
8:46 For this I'll come to GCP Storage, Cloud
8:48 Storage, Buckets. Let's click on create a bucket.
8:52 Over here I have to put the name; this
8:55 name has to be globally unique.
8:57 Once you paste the name, I'll go to label.
8:59 Label is needed because this is needed
9:02 when you are checking the bill of your
9:06 overall structure, overall projects.
9:08 Click on continue. Once you click on continue
9:11 you will be offered to choose location.
9:13 It has three options: multi-region,
9:16 dual-region and regional. In my case I want
9:18 to create a regional bucket. I'll say
9:20 that, okay, find regional, go ahead with
9:23 us-east1. Click on continue. It has
9:25 storage class Standard, Nearline, Coldline,
9:27 Archive. You can go ahead with
9:30 Standard for now. I'm seeing enforce
9:33 public access; uncheck it.
9:34 Click on continue,
9:37 click on create. That will create a
9:40 bucket for me. Once you create and click,
9:45 yeah, you can see you can upload files
9:47 because I am the org admin, so I have by
9:50 default access, and you can upload files
9:52 inside the bucket.
9:54 If you go to permissions you can see
9:56 it's not public yet because we have not
9:58 given the access.
10:00 You can go to configuration to check
10:02 when it was created, what is the location,
10:04 what is the region, what is the storage
10:07 class, if any label, what is the
10:10 URL for gsutil, what is the URL for
10:13 cloud console. That's all the detail. Let's go
10:16 ahead and make it public. For making
10:18 it public you can select allUsers,
10:21 that's a flag,
10:24 and you can select that Cloud Storage
10:26 Storage Object Viewer. Resource is the
10:30 bucket, IAM is allUsers, I mean identity
10:33 is allUsers. You can see it is showing,
10:36 warning you, that this is public now, you
10:38 should not make it public. That's the
10:39 standard warning, because if somebody
10:41 has done it by mistake Google warns you.
10:45 You can copy the URL and anybody can
10:48 open it up because it is public to the
10:50 internet now, anything inside this. Let's
10:52 go ahead and use my personal email
10:54 address to check, without any access, if I
10:56 can access this bucket or not.
11:00 Yes, you can see I am able to open this
11:03 bucket, download this file from my
11:06 personal ID, I can download it
11:09 and I can see it. It's not something very,
11:12 very, uh, common, but there are needs when
11:14 you need to do it. That's how you make
11:16 things public.
11:19 I hope that was helpful. Today you know
11:22 what it takes to work on IAM and how
11:24 you can assign roles and permissions in the
11:26 most secure manner.
11:28 All right, if you're liking my content
11:30 and following my GCP playlist, my channel,
11:32 like the video. If you have any questions,
11:35 write them in the comments. Thanks very much.