Identity & Access Management
NOTICE: This course is deprecated and has been replaced by https://cloudacademy.com/course/configuring-gcp-access-security-2685/
Security is considered to be one of the biggest challenges when comparing cloud vs. in-house infrastructure. Due to lack of trust, loss of control, and the multi-tenant nature of the cloud, security controls and mechanisms are of the utmost importance.
Google Cloud Platform offers tools with a single dashboard and simple interfaces to implement security policies. Google Cloud Identity and Access Management (IAM) provides an easy way to manage GCP users and the permissions assigned to them. Besides human users, GCP provides a way to create non-human identities (service accounts) and attach those to cloud applications and VMs. The correct configuration and usage of service accounts and IAM are critical to GCP security. GCP also provides a centralized dashboard to view audit logs, which are useful in the case of a security breach.
To help you get the most out of the security tools offered in Google Cloud, this course covers how to properly manage IAM, service accounts, and audit logs.
- Understand how cloud security differs from on-premises security
- Configure identities and access levels in Google Cloud Platform using Cloud IAM
- Create, manage, and assign service accounts to GCP VMs
- View audit logs in the GCP console
- Students preparing for GCP cloud certifications
- Cloud administrators and IT professionals
- Cloud security practitioners
- GCP developers
- Completion of Google Cloud Platform Fundamentals course on Cloud Academy or practical working experience with GCP infrastructure
- Basic proficiency with command-line tools and Linux operating system environments
Hello and welcome to this lecture on service accounts. In this section, we'll review the basics of service accounts in Google Cloud Platform and learn how to use them in a GCP project.
Now, some of you may already be familiar with service accounts, so let's do a quick recap. Consider a simple scenario. When a user creates a VM, what is the identity and privilege of that VM? What happens if the virtual machine tries to perform some other actions such as call a GCP API or maybe access some data stored in Google Cloud Storage? If we just pass on the identity of the user who created the VM to the VM, then we are allowing the VM to do much more than what we may need. Hence we would be violating the principle of least privilege.
So what exactly should the identity of this VM be? Such problems arise in many cases where cloud services are involved. Service accounts address those issues. So what is a service account? Well, it's a special type of identity. In a sense, it's a virtual or a logical identity. There's no human user with the identity of a service account. Instead, the goal of a service account is to attach an identity to a cloud service.
In the example we discussed earlier, when a user is creating a virtual machine, you can also create a service account, which is a virtual identity. Then he can add roles to the service account such as permissions to access specific GCP buckets or to call certain GCP APIs. Then the user can attach the service account identity to the VM that he's creating. This decouples the human user from the identity of the virtual machine. The application's identity is now different from the identity of the human creating it or managing it.
To summarize, service accounts are used for authentication and authorization of workloads that are running in virtual machines or containers, and that need to have access to other GCP resources.
Abhishek Gupta has 10+ years of experience in the domain of high-performance computing, cloud, and security. Currently, he's leading an innovation team at the Schlumberger Software Technology Innovation Center and is also a visiting faculty member at Santa Clara University where he teaches a graduate course in cloud computing. Gupta has a Ph.D. in Computer Science from the University of Illinois at Urbana Champaign.