Hello Everyone!!!
In our last blog, we talked about Introduction to Google Cloud Platform. In this blog we're getting started with GCP.
Cloud security is a shared responsibility: Google is responsible for securing its infrastructure, and we are responsible for securing our data. When we build an application on our own on-premises infrastructure, we are responsible for the entire security stack, whether that is the physical security of the hardware or the integrity of the network. Google delivers a high level of security through best practices, templates, products and solutions. The upper layers of the security stack are the customer's responsibility, and Google provides tools such as IAM to manage them.
1. Google Cloud Platform Resource Hierarchy - Resource hierarchy levels define trust boundaries and resource isolation. You can group your resources according to your organization's structure. It is easiest to understand the GCP resource hierarchy from the bottom up.
All resources (such as virtual machines, tables in BigQuery or anything else) are organized into projects. Projects are organized into folders, and folders can contain other folders.
Projects and folders are kept under an organization node. Policies can be defined at each of these levels and are inherited downwards in the hierarchy. All GCP services we use are associated with a project, and projects are the basis for using GCP services, which includes:
Track resource and quota usage
Enable APIs
Enable billing
Projects have three attributes: Project ID, Project Name and Project Number. The ID and number are globally unique, while the name need not be unique. The project number is assigned to us by GCP, but we can choose the ID and name.
Folders offer flexible management. Folders can contain projects, other folders or both. To use folders, you need an organization at the top of the hierarchy.
The organization node is the top of the hierarchy and organizes the folders and projects beneath it.
2. Identity and Access Management - Google Cloud Identity and Access Management defines the "who" part, the "can do what" part, and the "on which resource" part of an access policy.
The "who" part can be a Google account, a Google group, a service account or a Cloud Identity domain. The "can do what" part is defined by an IAM role: permissions are grouped together in a role to make them easier to manage. The "on which resource" part is where users are granted roles on specific items in the hierarchy.
There are three kinds of roles in IAM: primitive, predefined and custom. Primitive roles are broad: we apply them to a GCP project and they affect all the resources in that project, offering a fixed, coarse-grained level of access. Predefined roles apply to a particular GCP service, for example to Compute Engine resources in a project, folder or organization, and offer more fine-grained permissions on that service. Custom roles let you define a precise set of permissions, but they can only be used at the project or organization level; they can't be used at the folder level.
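As an added example (not code from this blog), here is a small Python model of the two ideas above: policies set at the organization, folder and project levels are inherited downwards, and primitive roles are coarse-grained. The hierarchy, member names and policies are constructed, in the JSON shape that `gcloud ... get-iam-policy` returns; the audit function lists which primitive roles reach a project and from which level, and the role classifier rejects a custom role defined under a folder.

```python
# Constructed hierarchy (hypothetical names): child -> parent, up to the org node.
PARENT = {
    "projects/demo-project": "folders/engineering",
    "folders/engineering": "organizations/123456",
}

# Constructed IAM policies in the shape `gcloud ... get-iam-policy` returns.
POLICIES = {
    "organizations/123456": {"bindings": [
        {"role": "roles/viewer", "members": ["group:everyone@example.com"]}]},
    "folders/engineering": {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:alice@example.com"]}]},
    "projects/demo-project": {"bindings": [
        {"role": "roles/editor", "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]}]},
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def ancestors(resource):
    """Yield the resource itself, then each parent up to the organization node."""
    while resource:
        yield resource
        resource = PARENT.get(resource)

def role_kind(role):
    """Classify a role: primitive, predefined (roles/<service>.<x>), or custom."""
    if role in PRIMITIVE_ROLES:
        return "primitive"
    if role.startswith("roles/"):
        return "predefined"
    # Custom roles are defined under a project or an organization, never a folder.
    if role.startswith("folders/"):
        raise ValueError(f"custom roles cannot be defined at folder level: {role}")
    return "custom"

def effective_bindings(resource, policies=POLICIES):
    """Member -> set of roles that reach `resource`: policies inherit downwards."""
    roles = {}
    for node in ancestors(resource):
        for binding in policies.get(node, {}).get("bindings", []):
            for member in binding["members"]:
                roles.setdefault(member, set()).add(binding["role"])
    return roles

def audit_primitive_roles(resource, policies=POLICIES):
    """List (level, role, members) for coarse-grained primitive roles reaching `resource`."""
    findings = []
    for node in ancestors(resource):
        for binding in policies.get(node, {}).get("bindings", []):
            if role_kind(binding["role"]) == "primitive":
                findings.append((node, binding["role"], tuple(binding["members"])))
    return findings
```

Note that the viewer role granted at the organization level reaches the project even though the project's own policy never mentions it; that inherited grant is what the audit surfaces.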
3. Cloud Identity - To manage GCP administrative users, we can use:
Gmail accounts and Google Groups
Users and Groups in Cloud Identity domain
Users and Groups in G Suite domain
To collaborate with teammates, many of us use Google Groups to get people together. But when someone leaves the organization, there is no centralized way to remove their access. GCP customers who are also G Suite customers can define policies in terms of G Suite, and an administrator can immediately disable the account of a person who has left and remove them from the group. GCP customers who are not G Suite customers can get the same capabilities through Cloud Identity. Cloud Identity lets you manage users and groups, but you don't pay for G Suite's products such as Gmail, Docs, Drive and Calendar. Cloud Identity is available in a free and a premium edition.
4. Interacting with Google Cloud Platform - There are four ways to interact with GCP:
Cloud Platform Console
Cloud Shell and Cloud SDK
Cloud Console Mobile App
REST-based API
The GCP Console is a centralized console for all project data. It includes developer tools such as Cloud Source Repositories, Cloud Shell and Test Lab, provides access to product APIs, and lets you create and manage projects.
The Google Cloud SDK is a set of tools that we can use to manage resources and applications hosted on GCP. It includes CLI tools for Cloud Platform products and services (gcloud, gsutil and bq) and is available as a Docker image and via Cloud Shell.
The Cloud Console Mobile App manages virtual machines and database instances, manages apps in Google App Engine, manages your billing and visualizes your projects with a customizable dashboard.
RESTful APIs are enabled through the Google Cloud Platform Console. To help us control spending, most include daily quotas and rates. With the APIs Explorer we can quickly browse through the available APIs and versions.
5. Cloud Marketplace
Cloud Marketplace gives quick access to solutions. It lets you quickly deploy functional software packages that run on Google Cloud Platform. And you pay for the underlying GCP resource usage.
I end my blog here. In the next article I'll summarise Virtual Machines in the Cloud.
Keep Learning, Keep Growing