To help you get the most out of the security tools offered in Google Cloud, this Course covers how to properly manage IAM, service accounts, and audit logs.
Learning Objectives
- How you can manage identity and access management in GCP
- Learn about service accounts, what they mean, and how you can manage them
- Audit logs and how to review them
Intended Audience
This Course is intended for cloud administrators. If you are a cloud security practitioner or are involved in any sort of development with GCP, you will also benefit from taking this Course.
Prerequisites
- Completion of the Google Cloud Platform Fundamentals course on Cloud Academy, or practical working experience with GCP infrastructure
- Basic proficiency with command-line tools and Linux operating system environments
So now, I am going to show you how to manage service accounts from the GCP console. First, I will create a new service account and assign it a role. And then, I will show you how to associate the service account with a virtual machine.
To work with service accounts, first head to the “IAM & Admin” page. Then click on “Service accounts” in the side menu here. As you can see, I have a few default service accounts already. I have one for Compute Engine. This is the service account that will be used by default when launching a VM. I also have a default service account for App Engine as well. These default service accounts are used to provide a basic set of permissions. For simple projects, these default accounts work fine. But more advanced solutions will probably require extra permissions which will often require creating a new service account.
So let me show you how to do that. To start, click on “Create Service Account”. Then enter a name. You will notice that it will automatically generate a service account ID for you (which ends up looking like an email address). Then you can enter a description, but it is optional.
So at this point, you can click “Done” and it will create a service account with no permissions. If you want to also assign some roles to the service account, you can instead click “Create and Continue”. Assigning roles to service accounts works much the same way as it does for user accounts. You can scroll through all the roles, or you can do a search. Let’s say I want to make sure this account can read files from Cloud Storage. So I’ll pick “Storage Object Viewer”. After I am done picking roles, I can pick “Done”, or I could click on “Continue” to go on to the next optional step. This last step will allow you to grant users access to this service account. This is a more advanced feature, so I am going to skip it. And I will click on “Done” to finish.
Now that I’ve created the service account, let me show you how to actually use it. I am going to create a new VM and assign this service account to it. Then the VM will inherit all the associated permissions.
So I’ll go to Compute Engine and click on “Create Instance”. Let me call this “demo-vm1”. And if I scroll down, you'll see that it has the default account selected. I am going to change that to use the service account I just created. Now I just need to confirm the creation of the VM. And we will have to wait a little bit for this to complete. OK, it should be done.
Let me verify that the correct service account was assigned. There we go. Now you know how to assign a service account to a virtual machine.
So what if you forget to change the service account while creating a VM? Or what if you need to change it later? Well, don’t worry. That is actually pretty easy.
To do that, you first need to make sure the VM is not running. So I’ll go ahead and stop it. Now I can edit the VM and change the service account down here. I just need to save and restart the VM for the change to take effect.
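The console steps above as gcloud CLI commands, so the same procedure can be reviewed and repeated from a terminal. This is an added example, not part of the course; the project ID, account name, VM name and zone are placeholders, and setting DRY_RUN prints each command instead of executing it.

```shell
# Added example (not the course's own code): the console steps as gcloud CLI commands.
# PROJECT_ID, SA_NAME, VM_NAME and ZONE are placeholders; override them in the environment.
PROJECT_ID="${PROJECT_ID:-my-project-placeholder}"
SA_NAME="${SA_NAME:-storage-reader}"
VM_NAME="${VM_NAME:-demo-vm1}"
ZONE="${ZONE:-us-central1-a}"

# The ID the console generates for a service account is NAME@PROJECT.iam.gserviceaccount.com.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Execute a gcloud command, or only print it when DRY_RUN is set (review before touching a project).
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the account. It has no permissions until a role is bound to it.
create_sa() {
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "$SA_NAME" --description "Read-only access to Cloud Storage objects"
}

# Step 2: grant exactly the role the task needs (the course picked Storage Object Viewer).
grant_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:$(sa_email "$SA_NAME" "$PROJECT_ID")" \
    --role roles/storage.objectViewer
}

# Step 3: launch the VM with this account instead of the Compute Engine default;
# with a dedicated account, its IAM roles (not the access scopes) decide what the VM may do.
create_vm() {
  run gcloud compute instances create "$VM_NAME" --zone "$ZONE" --project "$PROJECT_ID" \
    --service-account "$(sa_email "$SA_NAME" "$PROJECT_ID")" --scopes cloud-platform
}

# Step 4: change the account on an existing VM. It must be stopped first, then restarted.
change_vm_sa() {
  run gcloud compute instances stop "$VM_NAME" --zone "$ZONE" --project "$PROJECT_ID"
  run gcloud compute instances set-service-account "$VM_NAME" --zone "$ZONE" --project "$PROJECT_ID" \
    --service-account "$(sa_email "$SA_NAME" "$PROJECT_ID")" --scopes cloud-platform
  run gcloud compute instances start "$VM_NAME" --zone "$ZONE" --project "$PROJECT_ID"
}

# Step 5: verify which account the VM actually runs as.
verify_vm_sa() {
  run gcloud compute instances describe "$VM_NAME" --zone "$ZONE" --project "$PROJECT_ID" \
    --format 'value(serviceAccounts[].email)'
}
```

Run `create_sa`, `grant_role`, `create_vm` and `verify_vm_sa` in order for a new VM, or `change_vm_sa` for one that already exists.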
As you saw previously, service accounts are not just for Compute Engine. You also use service accounts for other things like App Engine and Google Kubernetes Engine. Basically, any time you have an app or service that needs to access a GCP resource.
Service accounts give you a lot of flexibility. One of the cool things you can do with service accounts is to use them across projects. For example, you can use a service account to access resources in project B from a VM in project A.
So now you should understand what a service account is and how to create one. You also should know the difference between a service account and a user account, and when to use one versus the other.
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.