
Understanding Service Accounts and Scopes on Google Compute Engine

Hands-On Lab


Matthew Ulasien

Team Lead Google Cloud in Content

Length

00:45:00

Difficulty

Intermediate

In this hands-on lab, we are going to demonstrate working with legacy scopes using our default Compute Engine service account on Google Compute Engine.


Introduction

In this hands-on lab, we are going to demonstrate working with legacy scopes using the default Compute Engine service account on Google Compute Engine.

Be sure to copy/paste the bucket name we will be using into a text editor for easy reference.

Solution

Begin by logging in to the GCP Console in an incognito window (or other private browser window) using the credentials provided on the hands-on lab page.

Right-click the Open GCP Console button and choose New Incognito Window.

Copy/paste the bucket ID we will be using

From the Storage menu, copy the bucket ID we will be using into your text editor for reference.

> Note: The bucket name we need to copy includes the text "scope-lab".

First instance - Read Only Storage scope

Create a Compute Engine instance whose service account has the Storage Read Only scope, then attempt to copy a file to the bucket from it.

  1. Navigate to the Compute Engine section, using the menu in the top-left of the page.
  2. Click Create.
  3. In the Identity and API access section:
    • Access scopes: Set access for each API
    • Storage: Read Only
  4. Click Create.

After about 30 seconds, the Compute Engine instance will show in the VM instances list.

  1. Click SSH under the Connect section.

  2. View the Google Cloud SDK configuration:

    gcloud config list
  3. Attempt to read the contents of the Cloud Storage bucket:

    > Note: Be sure to replace BUCKET_NAME with the bucket name we copied in Step 1. gsutil expects the gs:// prefix on the bucket name.

    gsutil ls gs://BUCKET_NAME
  4. Attempt to write a file to the same Cloud Storage bucket (this operation will fail, because the instance's access scope only grants read access):

    touch file1
    gsutil cp file1 gs://BUCKET_NAME
  5. Close the SSH session tab.

Second instance - Read Write Storage scope

On your second instance, attempt to copy a file to the Cloud Storage bucket. It should succeed.

  1. Click CREATE INSTANCE.
  2. In the Identity and API access section:
    • Access scopes: Set access for each API
    • Storage: Read Write
  3. Click Create.

After about 30 seconds, the Compute Engine instance will show in the VM instances list.

  1. Click SSH under the Connect section.

  2. Attempt to read the contents of the Cloud Storage bucket:

    > Note: Be sure to replace BUCKET_NAME with the bucket name we copied in Step 1. gsutil expects the gs:// prefix on the bucket name.

    gsutil ls gs://BUCKET_NAME
  3. Attempt to write a file to the same Cloud Storage bucket (this operation should now succeed, because the Read Write scope permits writes):

    touch file1
    gsutil cp file1 gs://BUCKET_NAME
  4. Close the SSH session tab.
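The two instances above differ only in the access scopes granted to the default service account. The script below is an added example (not part of this lab) that classifies a scope list the way the lab's read-only and read-write instances would be classified; on a real VM the list comes from the metadata server endpoint noted in the comments, but the sample lists here are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: classify what Cloud Storage access an instance's default
# service account scopes allow. The scope URLs below are Google's real OAuth
# scope strings; the sample scope lists are constructed for this example.
#
# On a live instance the scope list is obtained with:
#   curl -s -H 'Metadata-Flavor: Google' \
#     http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes
# which returns one scope URL per line.

RO_SCOPE="https://www.googleapis.com/auth/devstorage.read_only"
RW_SCOPE="https://www.googleapis.com/auth/devstorage.read_write"
FULL_SCOPE="https://www.googleapis.com/auth/devstorage.full_control"
CP_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# storage_access "<newline-separated scope list>"
# Prints "none", "read-only", or "read-write" (cloud-platform and
# full_control both permit writes, so they count as read-write).
storage_access() {
  level="none"
  for s in $1; do
    case "$s" in
      "$RO_SCOPE")
        if [ "$level" = "none" ]; then level="read-only"; fi ;;
      "$RW_SCOPE"|"$FULL_SCOPE"|"$CP_SCOPE")
        level="read-write" ;;
    esac
  done
  printf '%s\n' "$level"
}

# Constructed sample: the first lab instance (Storage: Read Only).
RO_INSTANCE_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"

# Constructed sample: the second lab instance (Storage: Read Write).
RW_INSTANCE_SCOPES="https://www.googleapis.com/auth/devstorage.read_write
https://www.googleapis.com/auth/logging.write"

# Constructed sample: no storage scope at all.
NO_STORAGE_SCOPES="https://www.googleapis.com/auth/logging.write"

echo "instance 1: $(storage_access "$RO_INSTANCE_SCOPES")"   # read-only
echo "instance 2: $(storage_access "$RW_INSTANCE_SCOPES")"   # read-write
echo "no storage: $(storage_access "$NO_STORAGE_SCOPES")"    # none
```

Running the check before a `gsutil cp` explains the AccessDenied failure seen on the first instance without having to attempt the write.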

Conclusion

Congratulations, you've completed this hands-on lab!