
Google Cloud Identity and Access Management (IAM) Deep Dive

Course


Matthew Ulasien

Team Lead Google Cloud in Content

Length: 07:00:00

Difficulty: Intermediate

Videos: 35

Hands-on Labs: 4

Course Details

Welcome to our deep dive into Identity and Access Management on the Google Cloud Platform.

Identity and Access Management (IAM) is the process of managing who can do what on which resources, which we will explore as we proceed in this course. Properly managing access to your critical and sensitive resources is a fundamental skill required of any GCP administrator.

Syllabus

Course Intro

Course Introduction

00:02:54

Lesson Description:

Welcome to the course on GCP IAM deep dive. Let's explore who this course is for and what we will cover. Beginner prerequisite course links are below:
Google Cloud Concepts: https://linuxacademy.com/cp/modules/view/id/295
Google Cloud Essentials: https://linuxacademy.com/cp/modules/view/id/207

About the Training Architect

00:00:33

Lesson Description:

Let's briefly learn about Matthew Ulasien, the training architect for this course.

IAM Big Picture

Big Picture Perspective - IAM on GCP

00:04:31

Lesson Description:

Let's start with a big picture overview of what exactly is Identity and Access Management on the Google Cloud Platform, from which we will go into more details on its various sub-topics.

Establishing Identity

Member Types

00:10:34

Lesson Description:

Let's take a closer look at the different member types that can be used to authenticate with GCP.

Creating Identities with Cloud Identity

00:04:17

Lesson Description:

Let's take a quick conceptual look at Cloud Identity and G Suite, which we will use to create our organization identities.

Hands-On - Cloud Identity

00:10:36

Lesson Description:

We will now demonstrate using a live Cloud Identity/G Suite administrative domain to create new Google user accounts.

Synchronize Cloud Identity with Active Directory

00:04:19

Lesson Description:

For organizations that operate primarily out of Active Directory, maintaining both an Active Directory environment and a Cloud Identity environment can be cumbersome. We will go over the challenges of maintaining two environments and how to solve them by synchronizing Active Directory with Cloud Identity automatically, followed by a hands-on demonstration.

Google Groups

00:08:33

Lesson Description:

In this lesson, we talk about why groups are important for multi-user management, then go through a brief hands-on demonstration.

Configure Multi-Factor Authentication

00:08:13

Lesson Description:

We are going to finish this section by covering how to enable multi-factor authentication, both for individuals and enforcing it across your organization.

Granting Access to GCP Resources with Cloud IAM

GCP Resource Hierarchy

00:09:44

Lesson Description:

It is now time to learn how to apply Identity and Access Management policies in Google Cloud. We have a LOT of ground to cover, so let's start with a fundamental understanding of how GCP resources are organized, what dictates how access is inherited, and what will be a key term moving forward.

Roles and Resources

00:08:41

Lesson Description:

In this lesson, we will get into the core topic of this course by covering what are roles, permissions, IAM policies, and the relationships of all three.

IAM Navigation and Organization Node

00:09:35

Lesson Description:

We are going to start our series of hands-on demonstrations by establishing the initial context in working with the organization node, assigning organization level roles for administrators, and the roles necessary to create a project.

Hands-On - IAM Roles

00:12:57

Lesson Description:

In this lesson, we will continue assigning additional IAM roles to both individual members and groups to our organization and projects.

Working with Folders

00:08:35

Lesson Description:

This lesson will cover working with Folders, an efficient way to group together projects that need identical levels of access.

Custom Roles

00:13:31

Lesson Description:

This lesson goes over a conceptual overview and a hands-on demonstration of creating custom roles and looking up roles and permissions, as well as how they are paired.

Granular Access by Service

00:07:09

Lesson Description:

Some services in Google Cloud Platform allow IAM roles to be scoped even more narrowly than the project level, so that access can be granted to only a single Cloud Storage bucket, BigQuery dataset, and so on. In this lesson, we will explore this more granular IAM access.

OS Login for Compute Engine

00:13:22

Lesson Description:

The OS Login role allows users to connect to GCE instances over SSH in either an administrative or non-administrative capacity without giving them the ability to create, edit, or delete instances. We will explore this role in detail in this lesson. References are provided below.
How it works:
Grant the OS Login and Service Account User roles to members.
Add metadata per instance or project-wide to enable OS Login for the affected instances: enable-oslogin:TRUE
To connect over SSH to the instance: gcloud compute ssh INSTANCE_NAME --zone INSTANCE_ZONE
OS Login roles:
OS Admin Login (roles/compute.osAdminLogin) - SSH with admin (sudo) access
OS Login (roles/compute.osLogin) - SSH without admin access

Managing IAM Policies with Command Line

00:04:50

Lesson Description:

Over the next two lessons, we will cover use cases, syntax, and a hands-on demonstration of editing IAM policies using the command line. Reference notes and documentation links are below.
Editing IAM policies with both the web console and the command line: https://cloud.google.com/iam/docs/granting-changing-revoking-access
Command-line reference from the lesson:
Fully replace the existing policy (getting/downloading the current policy is optional; a fresh policy can always be set without downloading the old one first):
Get (download) a copy of the policy: gcloud projects get-iam-policy [PROJECT_ID] --format [FORMAT] > [FILE-PATH]
Set a new policy by applying an edited one: gcloud projects set-iam-policy [PROJECT_ID] [FILEPATH]
Directly add/remove a single IAM role (does not affect other roles assigned in the project):
gcloud projects add-iam-policy-binding [PROJECT_ID] --member user:[EMAIL] --role [ROLE_ID]
gcloud projects remove-iam-policy-binding [PROJECT_ID] --member user:[EMAIL] --role [ROLE_ID]
Editing policies on organizations/folders (similar commands, but for organizations/folders instead of projects):
gcloud organizations get-iam-policy [ORGANIZATION_ID] ...
gcloud resource-manager folders get-iam-policy [FOLDER_ID] ...
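The practical difference between the two command styles above is easy to miss: add-iam-policy-binding and remove-iam-policy-binding touch one member of one role, while set-iam-policy replaces the entire policy with whatever is in your file. The following Python model, added here as an illustration and not part of the course, reproduces those semantics on a policy document in the shape get-iam-policy emits (bindings plus an etag), and walks through the race that matters: a policy edited from a stale download silently revokes grants made after the download, unless the etag in the file is compared against the live policy. The project members, roles and etag values are constructed for the example.

```python
import copy

# Constructed sample policy in the shape that
# `gcloud projects get-iam-policy PROJECT_ID --format json` returns:
# a list of role bindings plus an etag and a version. Members and etag are made up.
DOWNLOADED_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer",
         "members": ["group:auditors@example.com", "user:bob@example.com"]},
    ],
    "etag": "BwXabc123=",
    "version": 1,
}


def grants(policy):
    """Flatten a policy into a set of (member, role) pairs for easy comparison."""
    return {(m, b["role"]) for b in policy["bindings"] for m in b["members"]}


def add_binding(policy, member, role):
    """Same effect as `gcloud projects add-iam-policy-binding`: add one member to
    one role and leave every other binding exactly as it was."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def remove_binding(policy, member, role):
    """Same effect as `gcloud projects remove-iam-policy-binding`: drop one member
    from one role; a binding left with no members disappears."""
    new = copy.deepcopy(policy)
    for binding in new["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    new["bindings"] = [b for b in new["bindings"] if b["members"]]
    return new


def set_policy(live_policy, file_policy):
    """Same effect as `gcloud projects set-iam-policy`: the file replaces the whole
    live policy. As with the real API, a file that carries an etag is rejected when
    that etag no longer matches the live policy (it changed after the download);
    a file with no etag at all is applied blindly."""
    if "etag" in file_policy and file_policy["etag"] != live_policy["etag"]:
        raise ValueError("etag mismatch: re-download the policy and redo your edit")
    applied = copy.deepcopy(file_policy)
    applied["etag"] = "BwNewEtag=="  # a fresh etag is issued on every successful write
    return applied


def grants_lost_by_replacement(live_policy, file_policy):
    """Grants that a full replacement would silently revoke: present in the live
    policy, absent from the file about to be applied."""
    return grants(live_policy) - grants(file_policy)


def stale_file_scenario():
    """An operator downloads the policy; a teammate then grants Carol Editor with
    add-iam-policy-binding; the operator applies an edited copy of the old download.
    Returns (grants a blind replacement would drop, whether the etag check caught it)."""
    live = add_binding(DOWNLOADED_POLICY, "user:carol@example.com", "roles/editor")
    live["etag"] = "BwXdef456="  # the teammate's write changed the etag
    edited = add_binding(DOWNLOADED_POLICY, "user:dave@example.com", "roles/viewer")
    lost = grants_lost_by_replacement(live, edited)
    try:
        set_policy(live, edited)
        caught = False
    except ValueError:
        caught = True
    return lost, caught


if __name__ == "__main__":
    lost, caught = stale_file_scenario()
    print("grants a stale set-iam-policy would revoke:", lost)
    print("rejected by etag check:", caught)
```

The lesson's note that downloading the current policy is optional is true, but the etag is the reason to download it anyway: keep the etag in the file you apply, and run grants_lost_by_replacement (or a diff of the two files) before set-iam-policy so an unintended revocation is visible rather than silent.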

Hands-On with IAM and the Command Line

00:12:27

Lesson Description:

We are now going to go through a hands-on demonstration of editing IAM policies with the command line. The command-line reference and documentation links from the previous lesson ("Managing IAM Policies with Command Line") apply to this demonstration as well.

Troubleshooting IAM Roles

00:12:09

Lesson Description:

This lesson covers how to use the IAM Policy Troubleshooter to determine where, in your resource hierarchy, a specific permission is (or is not) applied. References are provided below. Resource API naming format: https://cloud.google.com/iam/docs/full-resource-names Permissions list: https://cloud.google.com/iam/docs/permissions-reference

IAM Best Practices

00:03:53

Lesson Description:

We close this section out by covering Google's recommended best practices for IAM. Google's best practices documentation link - keep in mind that we will cover the best practices for service accounts and auditing later in this course: https://cloud.google.com/iam/docs/using-iam-securely

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

00:45:00

Service Accounts

Service Accounts Overview

00:09:52

Lesson Description:

We are now going to move onto learning about service accounts, which authenticate applications and services, not end users (people).

Creating and Managing Service Accounts

00:14:45

Lesson Description:

This lesson will cover a hands-on demonstration of creating, editing, enabling, disabling, deleting, and assigning IAM roles to a service account. We will use both the web console and the command line via Cloud Shell. The command line reference for this lesson is listed below.

Create a service account:
gcloud iam service-accounts create (account_name) --description "(description)" --display-name "(display name)"
Show service accounts in a project:
gcloud iam service-accounts list
Update the service account display name/description (the email address cannot be changed):
gcloud iam service-accounts update (SA-NAME)@(PROJECT-ID).iam.gserviceaccount.com --description "(UPDATED-SA-DESCRIPTION)" --display-name "(UPDATED-DISPLAY-NAME)"
Disable/enable the service account:
gcloud iam service-accounts (disable/enable) (SA-NAME)@(PROJECT-ID).iam.gserviceaccount.com
Delete the service account:
gcloud iam service-accounts delete (SA-NAME)@(PROJECT-ID).iam.gserviceaccount.com
Add an IAM binding:
gcloud projects add-iam-policy-binding (PROJECT-ID) --member serviceAccount:(SA-NAME)@(PROJECT-ID).iam.gserviceaccount.com --role (ROLE)

Working with Compute Engine Service Account

00:14:52

Lesson Description:

In this lesson, we will cover how to use service accounts with Compute Engine instances, and how service accounts affect instance interactions with GCP services.

Managing Service Account Keys

00:04:24

Lesson Description:

Service accounts use RSA keys to authenticate with GCP. We will go through a quick conceptual overview of service account keys, which we will follow with a two-part hands-on demonstration.

Hands-On (Part 1) - Service Account Keys

00:10:58

Lesson Description:

This lesson is the first of a two-part hands-on demonstration working with service account keys. The command line reference for our demo is listed below. Create a key:

gcloud iam service-accounts keys create /(PATH)/(FILENAME).json --iam-account (SERVICE_ACCOUNT)
List keys per service account:
gcloud iam service-accounts keys list --iam-account (SERVICE_ACCOUNT)
Delete the service account key (requires key ID):
gcloud iam service-accounts keys delete (KEY-ID) --iam-account (SERVICE_ACCOUNT)
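User-managed keys never expire on their own, so the "keys list" and "keys delete" commands above are the building blocks of a rotation check. The Python below is an added example, not part of the course: it reads output in the shape of "gcloud iam service-accounts keys list --iam-account SA --format json" (field names assumed to follow the IAM ServiceAccountKey resource: name, keyType, validAfterTime, validBeforeTime), skips the Google-managed keys that are rotated automatically, and emits the exact delete command for each user-managed key older than a threshold. The project, account, key IDs and dates are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of
# `gcloud iam service-accounts keys list --iam-account SA --format json`.
# Field names are assumed to follow the IAM ServiceAccountKey resource;
# project, account, key IDs and dates are made up for this example.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/demo-project/serviceAccounts/backup-agent@demo-project.iam.gserviceaccount.com/keys/1111aaaa",
   "keyType": "USER_MANAGED", "validAfterTime": "2019-01-10T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo-project/serviceAccounts/backup-agent@demo-project.iam.gserviceaccount.com/keys/2222bbbb",
   "keyType": "USER_MANAGED", "validAfterTime": "2019-09-01T00:00:00Z",
   "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo-project/serviceAccounts/backup-agent@demo-project.iam.gserviceaccount.com/keys/3333cccc",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2019-09-20T00:00:00Z",
   "validBeforeTime": "2019-10-04T00:00:00Z"}
]"""

# "Now" is pinned so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2019, 10, 1, tzinfo=timezone.utc)


def parse_time(value):
    """RFC 3339 UTC timestamp as gcloud prints it, e.g. 2019-01-10T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_user_managed_keys(keys_json, now=NOW, max_age_days=90):
    """Return one record per user-managed key older than max_age_days, including the
    delete command from the lesson for rotating it. SYSTEM_MANAGED keys are rotated
    by Google and are skipped."""
    findings = []
    for key in json.loads(keys_json):
        if key["keyType"] != "USER_MANAGED":
            continue
        # name = projects/PROJECT/serviceAccounts/EMAIL/keys/KEY_ID
        parts = key["name"].split("/")
        sa_email, key_id = parts[3], parts[5]
        age_days = (now - parse_time(key["validAfterTime"])).days
        if age_days > max_age_days:
            findings.append({
                "key_id": key_id,
                "age_days": age_days,
                "delete_cmd": (f"gcloud iam service-accounts keys delete {key_id} "
                               f"--iam-account {sa_email}"),
            })
    return findings


if __name__ == "__main__":
    for finding in stale_user_managed_keys(SAMPLE_KEYS_JSON):
        print(f"{finding['key_id']} is {finding['age_days']} days old: {finding['delete_cmd']}")
```

Create the replacement key and redeploy it to the consuming application before running the printed delete command; deleting first breaks whatever still authenticates with the old key.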

Hands On (Part 2) - Service Account Keys

00:09:09

Lesson Description:

This lesson will be the second part of our demo working with service account keys. We will use a local backup application (Cloudberry Backup) and authenticate it with a Cloud Storage bucket using a service account key. Download links for the application are below: Windows client: https://www.msp360.com/backup/windows/desktop.aspx Mac client: https://www.msp360.com/backup/mac.aspx Linux client (you can alternatively choose your distro from the Linux dropdown menu): https://www.msp360.com/backup/linux.aspx

Service Account Best Practices

00:04:32

Lesson Description:

Let's close out this section with some best practices for managing service accounts.

Hands-on Lab

00:45:00

Hands-on Lab

00:45:00

IAM on Cloud Storage

Importance of Cloud Storage Security Policies

00:02:45

Lesson Description:

Properly managing access to Cloud Storage resources, especially sensitive data, is VERY important. We will cover why this is so before we go into more depth.

Bucket IAM Roles and ACLs

00:08:30

Lesson Description:

Let's go through a conceptual overview of IAM roles, ACLs, and Signed URLs, all of which manage access to Cloud Storage buckets and objects. We will follow up with a hands-on demo.

Hands-On - Bucket Roles and ACLs

00:22:05

Lesson Description:

We will now go through a hands-on demonstration of how to assign IAM roles, ACLs, and Signed URLs to buckets and objects. Links to GCP documentation on the command line reference and the commands used in this lesson are below.
IAM roles with gsutil: https://cloud.google.com/storage/docs/gsutil/commands/iam
ACLs with gsutil: https://cloud.google.com/storage/docs/gsutil/commands/acl

Assign IAM roles to a bucket:
gsutil iam ch user:(user_email):(role1,role2) gs://(BUCKET)
Remove IAM roles from the bucket:
gsutil iam ch -d user:(user_email):(role1,role2) gs://(BUCKET)
Remove all roles from the bucket for a given user:
gsutil iam ch -d user:(user_email) gs://(BUCKET)
Give public read access to the bucket:
gsutil iam ch allUsers:objectViewer gs://(BUCKET)
Assign ACL roles to buckets and objects (O = owner, R = read, W = write):
gsutil acl ch -u (user_email):(O/R/W) gs://(BUCKET)/(OBJECT)
Delete ACLs for a user:
gsutil acl ch -d (user_email) gs://(BUCKET)/(OBJECT)
Set the default ACL for all new objects (in this case, public read access):
gsutil defacl ch -u AllUsers:R gs://(BUCKET)
Create a signed URL:
Create a service account:
gcloud iam service-accounts create signed-url-agent --display-name "Signed URL Service Account Agent"
Create a user-managed key for the service account:
gcloud iam service-accounts keys create keyfile.json --iam-account (SERVICE_ACCOUNT)
Grant the Storage Object Viewer IAM role to the service account:
gcloud projects add-iam-policy-binding (PROJECT_ID) --member serviceAccount:(SERVICE_ACCOUNT) --role roles/storage.objectViewer
Generate a signed URL on the object to grant timed access:
gsutil signurl -d 1m keyfile.json gs://(BUCKET)/(OBJECT)
You may need to install the pyOpenSSL library first: sudo pip install pyopenssl
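Because a bucket can be opened to the public through three separate layers (an IAM binding for allUsers, a bucket ACL entry, or a default object ACL that every new upload inherits), an audit has to look at all three. The Python below is an added example and not part of the course: it reads output in the shapes "gsutil iam get", "gsutil acl get" and "gsutil defacl get" print, flags the allUsers and allAuthenticatedUsers principals at each layer, and pairs each finding with the removal form of the gsutil commands listed above. The bucket name, project number and members are constructed.

```python
import json

# Principals that make a grant public (allAuthenticatedUsers means any Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed samples in the shapes that `gsutil iam get gs://BUCKET`,
# `gsutil acl get gs://BUCKET` and `gsutil defacl get gs://BUCKET` print.
BUCKET = "demo-reports-bucket"
IAM_POLICY_JSON = """{
  "bindings": [
    {"members": ["projectOwner:demo-project"], "role": "roles/storage.legacyBucketOwner"},
    {"members": ["user:bob@example.com"], "role": "roles/storage.objectViewer"},
    {"members": ["allUsers"], "role": "roles/storage.objectViewer"}
  ],
  "etag": "CAE="
}"""
BUCKET_ACL_JSON = """[
  {"entity": "project-owners-123456789", "role": "OWNER"},
  {"entity": "user-bob@example.com", "role": "READER"}
]"""
DEFAULT_ACL_JSON = """[
  {"entity": "project-owners-123456789", "role": "OWNER"},
  {"entity": "allUsers", "role": "READER"}
]"""


def public_exposure(bucket, iam_policy_json, bucket_acl_json, default_acl_json):
    """Check the three access layers the lesson covers and return a list of
    (layer, principal, role, remediation command) tuples."""
    findings = []
    for binding in json.loads(iam_policy_json)["bindings"]:
        for member in binding["members"]:
            if member in PUBLIC_PRINCIPALS:
                # roles/storage.objectViewer -> objectViewer, the short form gsutil iam ch takes
                short_role = binding["role"].split(".")[-1]
                findings.append(("iam", member, binding["role"],
                                 f"gsutil iam ch -d {member}:{short_role} gs://{bucket}"))
    for entry in json.loads(bucket_acl_json):
        if entry["entity"] in PUBLIC_PRINCIPALS:
            findings.append(("acl", entry["entity"], entry["role"],
                             f"gsutil acl ch -d {entry['entity']} gs://{bucket}"))
    for entry in json.loads(default_acl_json):
        if entry["entity"] in PUBLIC_PRINCIPALS:
            findings.append(("defacl", entry["entity"], entry["role"],
                             f"gsutil defacl ch -d {entry['entity']} gs://{bucket}"))
    return findings


if __name__ == "__main__":
    for layer, principal, role, fix in public_exposure(
            BUCKET, IAM_POLICY_JSON, BUCKET_ACL_JSON, DEFAULT_ACL_JSON):
        print(f"[{layer}] {principal} has {role}; remove with: {fix}")
```

In the constructed sample the bucket ACL itself is clean, yet every new object would still be born public through the default ACL, which is exactly the kind of finding a check of the IAM policy alone would miss.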

Hands-on Lab

00:45:00

Protecting Resources

IAM Conditions

00:10:08

Lesson Description:

IAM Conditions are a new feature (currently in beta) that adds resource-based or time-based restrictions to an IAM role binding. Google's documentation for IAM Conditions: https://cloud.google.com/iam/docs/conditions-overview The example CEL expression from the lesson is below:

(resource.type == "compute.googleapis.com/Disk" &&
resource.name.startsWith("projects/(PROJECT_ID)/regions/us-central1/disks/devAccess")) ||
(resource.type == "compute.googleapis.com/Instance" &&
resource.name.startsWith("projects/(PROJECT_ID)/zones/us-central1-a/instances/devAccess")) ||
(resource.type != "compute.googleapis.com/Disk" &&
resource.type != "compute.googleapis.com/Instance")
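The expression is easier to reason about when each clause is evaluated against concrete resources. The Python below is an added example, not part of the course: it restates the lesson's CEL expression as a predicate, applies it to constructed sample resources, and adds a small time-based predicate equivalent to a CEL request.time comparison (the project ID and resource names are made up). Two things it makes visible: startsWith is a prefix match, so any disk or instance whose name merely begins with devAccess qualifies, and the third clause is what keeps the binding usable for every resource type the expression does not name.

```python
# Resource types named in the lesson's condition.
DISK = "compute.googleapis.com/Disk"
INSTANCE = "compute.googleapis.com/Instance"


def dev_access_condition(resource_type, resource_name, project_id):
    """The lesson's CEL expression, clause by clause. The first two clauses admit
    only disks and instances whose names start with devAccess in the named
    region/zone; the third passes every other resource type through, because the
    bound role may be checked against resource types the expression says nothing
    about, and without it those requests would be denied outright."""
    disk_prefix = f"projects/{project_id}/regions/us-central1/disks/devAccess"
    instance_prefix = f"projects/{project_id}/zones/us-central1-a/instances/devAccess"
    return (
        (resource_type == DISK and resource_name.startswith(disk_prefix))
        or (resource_type == INSTANCE and resource_name.startswith(instance_prefix))
        or (resource_type != DISK and resource_type != INSTANCE)
    )


def expiry_condition(request_time, expires_at):
    """A time-based restriction of the kind the lesson mentions, equivalent to the
    CEL form request.time < timestamp("..."): access ends at the given instant."""
    return request_time < expires_at


def evaluate_samples(project_id="demo-project"):
    """Apply the condition to constructed sample resources; returns {label: allowed}."""
    samples = {
        "dev disk": (DISK, f"projects/{project_id}/regions/us-central1/disks/devAccess-scratch"),
        "prod disk": (DISK, f"projects/{project_id}/regions/us-central1/disks/prod-db"),
        "dev instance": (INSTANCE, f"projects/{project_id}/zones/us-central1-a/instances/devAccess-vm1"),
        "dev instance, other zone": (INSTANCE, f"projects/{project_id}/zones/us-east1-b/instances/devAccess-vm2"),
        "prod instance": (INSTANCE, f"projects/{project_id}/zones/us-central1-a/instances/prod-web"),
        "firewall rule": ("compute.googleapis.com/Firewall", f"projects/{project_id}/global/firewalls/allow-ssh"),
    }
    return {label: dev_access_condition(rtype, rname, project_id)
            for label, (rtype, rname) in samples.items()}


if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{label:28s} -> {'allowed' if allowed else 'denied'}")
```

The "firewall rule" sample is allowed by the third clause alone, which is the intended behaviour for a role that also needs to list or inspect other Compute resources; if the binding should touch nothing but the devAccess disks and instances, drop the third clause and grant any other needed resource types through a separate binding.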

IAM Auditing and Logging

00:08:49

Lesson Description:

In this lesson, we will cover how to view your 'digital paper trail' of all IAM related actions performed in your GCP project, using both the Activity Feed and logging tools in GCP.

Quick Look - Security Command Center

00:04:50

Lesson Description:

We will go through a quick overview of the Security Command Center, which provides organization-wide visibility into potential trouble spots in access management (among its many other uses).

Wrapping Up

Course Conclusion and Next Steps

00:01:21

Lesson Description:

Congratulations on making it to the end of this course. Let's talk about the next steps.
