Controlling Application Authentication and Access
Start course

Learn how to simplify all of your application infrastructure into just a few configuration files then deploy your code on Google Cloud Platform with this course. We will start by learning the core concepts behind Infrastructure as Code, discussing security best practices when working with IaC, and comparing some popular orchestration and configuration management tools.

After that, we’ll implement version control for our IaC configurations, and learn how we can automate deployment updates using Cloud Build Triggers. Next, we’ll learn how to integrate Google Secret Manager to protect any sensitive data in our source code. Then to tie it all together, we’ll walk through Google Identity and Access Management and learn how to monitor our users and resources on GCP.

After learning the basics, we’ll build our own immutable server images with Google Cloud Build using both Docker and Packer. We’ll then explore a practical usage scenario and build a WordPress deployment with Google Deployment Manager. We’ll also deploy a similar WordPress configuration using Terraform to compare the two methods.

I will be working in Visual Studio Code during the demos for this course, but you are also free to use any other IDE you are comfortable with instead. A demo repository is provided along with this course, and while we will be working with some Python and PHP in our examples, you should still be able to follow along with the demos without any background in either of these languages.

Learning Objectives

  • Build server images from a configuration file using Docker and Packer.
  • Learn to use Google Cloud Build with third-party build steps.
  • Deploy application infrastructure from code using Google Deployment Manager and Terraform.
  • Understand templating systems for Infrastructure as Code.
  • Implement version control for Infrastructure as Code.
  • Learn to protect secret data in IaC configurations using Google IAM role management and Google Secret Manager.

Intended Audience

This course is intended for programmers interested in expanding their knowledge about modern cloud-based DevOps workflows. Learning to manage Infrastructure as Code is beneficial to solo developers who need to focus as much of their time as possible on their application code and not on managing infrastructure. Development teams will also benefit from this course, because implementing IaC provides consistent performance across deployments in multiple environments, which greatly simplifies project collaboration. This course will also help prepare the viewer for the Google Professional Cloud DevOps Engineer certification.


  • You should already have a Google Cloud Platform account.
  • You should have Google Cloud SDK already installed and initialized.
  • You should already have Git installed, and be familiar with its use.
  • Demos will be shown in Visual Studio Code, but you're free to use any IDE they are familiar with.
  • Demos will utilize some Python and PHP, but you're not required to be fluent in either of these languages to follow along with the examples.


Additional Documentation


Controlling application authentication and access. In the last lecture, we got our first peek at just how easy it can be to build and deploy Infrastructure as Code on Google Cloud Platform. Before we get too carried away though, we need to take a few minutes to learn about and better understand a few key GCP features we should be implementing in our IaC configurations that will both streamline authentication and improve our security. Identity and Access Management.

In the previous lecture group, we talked a little about layered security and principle of least privilege. We want each user to have their own credentials to each system they need access to, with only the minimum number of permissions they require. Google Identity and Access Management makes it considerably easier for us to do this all in one place. We can easily add a new member with a Google account to our project, and assign them any specific roles they need for access to the project, or to any Google resources the project uses. These roles can even be assigned conditionally, so you could grant a user permissions with an expiration date, or only grant them access to specific resources on certain days or between certain times.

Service Accounts. To improve security even further, we can create service accounts with Google IAM that our applications can use for authentication or access to any other Google resources. Unlike member accounts, service accounts have no password. They instead provide an easy way to embed service authentication into our application, without including any sensitive password data or credential files in our project source code at all.

We can add roles to the service account the same way as a member account, then reference the service account in our project code, and Google handles the rest. Sometimes when working with virtual machine instances or containerized environments, we won't be able to automatically authenticate these service account credentials with Google due to layers of abstraction in our application.

For these situations, we can add a key to our service account, either from the cloud console or as a gcloud command. When you do this, a new private key file will be create. Be sure to store it safely. This is the only time Google will ever give you this key, and there's no way to recover it if you lose it. You will have to create a new one instead. Each service account can have up to ten keys. We can then use this key from within our application images to authenticate with Google services using our service account.

Google Secret Manager. Including a key file for our service account in our project source code means we are once again storing sensitive data in our repository. We can avoid this by implementing Google Secret Manager into our project as well. We can upload our key file using the cloud console to create a new secret, then reference this secret to include the key into our build at runtime. We can also create and interact with secrets directly using gcloud commands.

Since Google Cloud Build is able to authenticate using our service account natively, we can easily access our secret data during the build process to embed it in our image where our application code can use it later. We just need to make sure that we give our service account permissions to access our secret. It's easiest to do this from the cloud console web interface, but can also be done from command line with gcloud commands.

Google Cloud Client Library. We've seen how to work with service accounts and secrets natively from the cloud console and gcloud command line. To interact with Google APIs from within our application will require that we include the Google Cloud Client Library in our project source code. In the example repository for this course, you can see where we have included the PHP version of the library here. This code authenticates our PHP application using our service account, and allows us to replace all of the sensitive data in our WordPress config file with secrets managed by Google Secret Manager instead.

About the Author

Arthur spent seven years managing the IT infrastructure for a large entertainment complex in Arizona where he oversaw all network and server equipment and updated many on-premise systems to cloud-based solutions with Google Cloud Platform. Arthur is also a PHP and Python developer who specializes in database and API integrations. He has written several WordPress plugins, created an SDK for the Infusionsoft API, and built a custom digital signage management system powered by Raspberry Pis. Most recently, Arthur has been building Discord bots and attempting to teach a Python AI program how to compose music.