Learn Google Cloud Platform | Zandre Schalkwyk | Skillshare


Lessons in This Class

39 Lessons (5h 55m)
    • 1. Course Overview
    • 2. Google Cloud Platform Overview
    • 3. GCP Free Tier
    • 4. Access GCP Using GCP Web Console, CLI, and REST
    • 5. Importance of Networking in Cloud and GCP Uniqueness in Networking
    • 6. Networking Concepts 101 Virtual Private Cloud, Firewall, and Routes
    • 7. Networking Concepts 102 Shared VPC and VPC Peering
    • 8. Connect to GCP From An External Network
    • 9. Identity and Access Management (IAM) Overview
    • 10. IAM Roles, Policy
    • 11. Service Accounts
    • 12. Best Practice of IAM
    • 13. Practice Session 1
    • 14. Infrastructure as a Service Google Compute Engine
    • 15. Container as a Service Google Kubernetes Engine
    • 16. Platform as a Service Google App Service
    • 17. Function as a Service Google Cloud Function
    • 18. When to Use Which Compute Type
    • 19. Practice Session 2
    • 20. File Storage Google Cloud Storage, FileStore, and Persistent Disk
    • 21. Relational Database Cloud SQL and Cloud Spanner
    • 22. NoSQL Database DataStore and Bigtable Part One
    • 23. NoSQL Database DataStore and Bigtable Part Two
    • 24. Practice Session 3
    • 25. Enterprise Data Warehouse BigQuery
    • 26. Real time Messaging Service Cloud Pub Sub
    • 27. Managed Apache Hadoop and Spark Cluster Cloud DataProc
    • 28. Batch and Stream Data Processing Cloud Dataflow
    • 29. Cloud IoT Core
    • 30. Practice Session 4
    • 31. Overview of Developer Focused AI and ML APIs
    • 32. Overview of AutoML
    • 33. Overview of Data Scientist Focused AI and ML Concepts
    • 34. Developer Tools
    • 35. Stackdriver
    • 36. Practice Session 5
    • 37. Cloud Migration
    • 38. Born in the Cloud Application
    • 39. Google Cloud Platform


About This Class

The Google Cloud Platform (GCP) class provides you with the tools to master the concepts you need to become a cloud computing architect. GCP is a large and complex set of products and services that can be overwhelming.

I have structured the class in a simple, module-based learning system with basic concepts, demonstrations, and real-world examples. Whether you are a beginner looking for an introductory overview of Google Cloud Platform or a professional preparing for certification, you will benefit from this class.

What you'll learn in this class

This class covers the following:

  • Course Overview
  • Getting Started with Google Cloud Platform
  • Intro to World's Largest and Fastest Private Networks
  • Identity and Security
  • Introduction to Planet Scale Computing
  • Storage and Database
  • Working with Big Data
  • Artificial Intelligence and Developer Tools
  • Connecting the Dots

Who is this class for?

  • Students of all levels: beginner, intermediate, and expert
  • IT professionals seeking an introduction to Google Cloud Platform
  • Students studying for the GCP Architect or Data Engineer exams
  • IT professionals who are responsible for implementing, deploying, migrating, and maintaining applications in the cloud

This class is very hands-on. I have gone to great lengths to provide you with not only theory but also real-world examples of GCP application development that you can try on your own laptop.

By the end of this course, I am confident that you will have a thorough understanding of GCP and general cloud computing knowledge that will help your company or your own project apply the right cloud solution and build better software consistently.

Meet Your Teacher


Zandre Schalkwyk

Analyst, Advisor, Architect



39. Google Cloud Platform: In this video, we're going to take a look at GCP resources, the differences between regions and zones, accessing resources through services, global, regional and zonal resources, a project overview and a pricing overview. This overview is designed to help you understand the overall landscape of the Google Cloud Platform. Here we'll take a brief look at some of the commonly used features and be pointed towards documentation that can help you dive deeper into the topics we cover. GCP consists of a set of physical assets and virtual resources housed in Google's data centers around the globe. Each data center location is in a region, and each region is a collection of zones. Each zone is identified by a name that combines a letter identifier with the name of the region. If you want to understand how regions and zones work, it's going to be a lot easier if you look at the diagram below. When you work with GCP, hardware and software products are offered as services, and these services are what provide access to the underlying resources. Some resources can be accessed by any other resource, across regions and zones; these global resources include preconfigured disk images, disk snapshots and networks. Other resources can be accessed only by resources that are located in the same zone; these zonal resources include VM instances, their machine types, and disks. And there are even some resources that can be accessed between zones, but only by resources living in the same region. Any resource in GCP belongs to a project. Projects are made up of settings, permissions, and other metadata that describes your application. Each project has a project name, which you provide; a project ID, which you can provide or let GCP assign for you; and a project number, which GCP decides on. A project serves kind of like a namespace, and when billing is enabled, each project is associated with exactly one billing account. To understand more about the principles of how pricing works in GCP, see the pricing page.
To understand pricing for individual services, you can take a look at the product pricing section. And there's even a pricing calculator there that provides a quick and easy way to estimate what your costs would look like on GCP. To kick off the start of this process, please go to the link below. After clicking Agree, just say I agree and continue. At the second step, it's going to ask for your personal information, and after that it's going to ask you for your credit card details. Fill those in as well, and set up your billing. Once you get here, you get 12 months of free credit, up to a set credit amount, whichever comes first. First off, let's take a look at the web console. In the side menu, go to Storage, select Browser, and click on Create bucket. We should enter a name for the bucket and then select the regional storage class to save a bit of money; of course, you can select whatever you want to. Choose a location for the bucket, and here you can see your estimated costs. You can label it if need be, but let's just say Create. Once inside the bucket, you can create folders and files. I'm going to create a folder just to show you guys how it works. Let me quickly upload a file. And there we go: our file is uploaded to GCP and publicly available. I'm just going to delete this file because we're not going to use it. Cloud Shell is another way you can interact with GCP. It's a terminal you can access straight from the web console, and it comes with all of Google's SDKs and utilities. In the console, go to the little Cloud Shell icon on the screen; it opens up Cloud Shell. I'm going to open it up in a new window to make things a bit easier. The first command creates a new storage bucket; it specifies the storage class of the bucket, where the bucket will be located, and the name of the bucket. There we go, our bucket is created. Now we're going to copy a file that I placed here earlier and move it up onto our bucket.
And it's done. Now if you take a look inside of the console, you'll actually be able to see our bucket, and if we look inside of it, you can actually see the image we uploaded. We can do all of this through the REST API as well. The REST API is there to make it easy to access all of Google's services using programming languages like Python or Java. To demonstrate using the REST API, I'm just going to show you how it works using the OAuth Playground. After opening the OAuth Playground, scroll down to the Cloud Storage API JSON v1. Then simply click Authorize APIs; after authenticating, you should land here, and you can exchange this code for a token. Using this token, we're going to call the REST API. First up, let's switch this to a POST request with a content type of application/json and copy in the correct URL. The project parameter is the project ID we're working with. Then we're going to add the JSON body that we're going to use to create our bucket. The name is going to be the Postman bucket, and we set the location and the regional storage class. We can see the response change after sending the request; we should get a 200 back saying that everything went well. If we go ahead and take a look at the GCP Storage browser, you can see after refreshing that the bucket actually does appear, and of course it's empty because we haven't uploaded a file to it. So let's do that now. I'm going to select a file to upload. We can close this up. You're going to need to add a Content-Type header; I'm pasting this in. And let's add the actual URL. We're going to aim it at the actual bucket, the Postman bucket, and then at the end we need to also put in the query parameters: the upload type will be media, and the name will be the file name as it will be stored in the bucket. And there we go. That looks a bit hectic, but if you scroll all the way down, you should find a 200 code, meaning everything went well and the file should be uploaded.
If we go back to the console and refresh, we can actually see the file has been uploaded.

In this video, we're going to take a look at what makes Google Cloud Platform's networking a bit different, Google-grade security, and how the pricing works. In the cloud, we work with hundreds of thousands of CPUs at a time, and then we cluster them together and make them communicate to achieve almost impossible tasks. Google's big data technologies and innovations like MapReduce, Bigtable, and Dremel, as well as more recent breakthrough services and frameworks for cloud data warehousing, advanced machine learning, batch and real-time data processing, intelligent data exploration and stunning visual analytics of near-live data: none of this would have been possible without super advanced networking capabilities. Google has the advantage of having thousands of miles of fiber optic cables. They make use of advanced software-defined networking and have edge caching services around the world. On top of all of this, Google also tries to be as environmentally friendly as possible, working with only renewable energy sources whenever they have the opportunity. GCP Virtual Private Clouds provide networking functionality to Compute Engine virtual machines, GKE clusters, and App Engine flexible environment instances. VPC provides global, scalable, flexible networking for your cloud-based resources and services. Let's take a high-level look at a few VPC concepts and features. You can think of a VPC network the same way you think about a physical network, except that it's virtualized within GCP. A VPC network is a global resource which consists of a list of virtual subnetworks in data centers, all connected by Google's global wide area network. VPC networks are logically isolated from each other in GCP. Compute Engine virtual machines, GKE clusters and App Engine flexible environments rely on VPC networks for communication. The network connects the virtual machines together and to the Internet.
Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules allow you to control which packets are allowed to travel to their destination. Every VPC network has two default firewall rules that block all incoming connections and allow all outgoing connections. The default network has additional firewall rules, including the default-allow-internal rule, which permits communication among instances in the same network. Routes tell VM instances and the VPC network how to send traffic from an instance to a destination, either inside of the network or outside of the VPC. Each VPC network comes with some system-generated routes to route traffic among its subnets and to send traffic from eligible instances to the Internet. For example, you can create a custom route that sends all outbound traffic to an instance configured as a NAT gateway. While routes govern traffic leaving an instance, forwarding rules direct traffic to a resource in a VPC network based on IP address, protocol and port. Some forwarding rules direct traffic from outside of GCP to a destination in the network; others direct traffic from inside the network. Forwarding rule targets are target instances, load balancer targets and VPN gateways. GCP firewall rules allow or deny traffic to and from your virtual machine instances based on the configuration you specify. Enabled GCP firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even when they haven't started up yet. Every VPC network functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. You can think of GCP firewall rules as existing not only between your instances and other networks, but between individual instances on the same network.
When you create a GCP firewall rule, you specify a VPC network and set the components that define what the rule will do. The components enable you to target certain types of traffic based on the traffic's protocol, ports, sources, and destinations. You can create or modify GCP firewall rules through the console, the gcloud command-line interface, as well as the REST API. When you create or modify a firewall rule, you can specify the instances to which it is intended to apply by using the target component of the rule. Each firewall rule consists of the following configuration components:

  • A numeric priority, which is used to determine if the rule will be applied. Only the highest priority rule whose other components match the traffic is applied; conflicting rules with lower priorities are ignored.
  • The direction of traffic: ingress rules apply to incoming connections from specified sources to GCP targets, and egress rules apply to traffic going to specified destinations from targets.
  • An action on match, which can be either allow or deny, which determines if the rule permits or blocks traffic.
  • A target, which defines the instances to which the rule will be applied.
  • The source for ingress rules or the destination for egress rules.
  • The protocol, such as TCP, UDP or ICMP, and the port.
  • The enforcement status of the firewall rule: you can enable or disable a firewall rule without deleting it.

Let's take a deeper look at routes. Routes define the paths network traffic takes from a virtual machine instance to other destinations. These destinations can be inside of your VPC network or outside of it. Every route consists of a destination and a next hop; traffic whose destination IP is within the destination range is sent to the next hop for delivery. Each VPC network uses a scalable distributed virtual routing mechanism. Even though some routes can be applied selectively, the routing table for a VPC network is defined at the VPC network level.
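The following is an added example, not code from the course: a small simulator of how the firewall rule components just listed are evaluated for one connection (highest priority match wins, disabled rules are skipped, implied deny-ingress and allow-egress when nothing matches). The rule names, tags and IP ranges are constructed for illustration.

```python
"""Added example (not from the course): a simulator of GCP VPC firewall rule
evaluation built from the components the lecture lists: priority, direction,
action, target, source/destination, protocol and port, enforcement status.
Rule names, network tags and addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class FirewallRule:
    name: str
    priority: int                  # 0-65535; a lower number is a higher priority
    direction: str                 # "INGRESS" or "EGRESS"
    action: str                    # "allow" or "deny"
    ranges: list                   # source CIDRs (ingress) or destination CIDRs (egress)
    protocol: str = "all"          # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()        # empty = every port of that protocol
    target_tags: frozenset = frozenset()  # empty = every instance in the network
    disabled: bool = False         # enforcement status


def matches(rule, direction, instance_tags, peer_ip, protocol, port):
    """True if every component of the rule matches the connection."""
    if rule.disabled or rule.direction != direction:
        return False
    if rule.target_tags and not rule.target_tags & instance_tags:
        return False
    if not any(ip_address(peer_ip) in ip_network(r) for r in rule.ranges):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports and port not in rule.ports:
        return False
    return True


def evaluate(rules, direction, instance_tags, peer_ip, protocol, port):
    """Return (action, rule name) for one connection to/from an instance.

    Only the highest-priority matching rule is applied; conflicting rules with
    lower priority are ignored.  When two matching rules share a priority,
    deny wins.  If nothing matches, the implied rules apply: deny all
    ingress, allow all egress.
    """
    candidates = [r for r in rules
                  if matches(r, direction, instance_tags, peer_ip, protocol, port)]
    if candidates:
        best = min(candidates, key=lambda r: (r.priority, r.action != "deny"))
        return best.action, best.name
    if direction == "INGRESS":
        return "deny", "implied-deny-ingress"
    return "allow", "implied-allow-egress"


# Constructed rule set: the default-allow-internal rule the lecture mentions
# plus a few custom rules to show priority, targeting and a disabled rule.
RULES = [
    FirewallRule("default-allow-internal", 65534, "INGRESS", "allow",
                 ["10.128.0.0/9"]),
    FirewallRule("allow-ssh-from-admins", 1000, "INGRESS", "allow",
                 ["203.0.113.0/24"], "tcp", frozenset({22}), frozenset({"bastion"})),
    FirewallRule("deny-ssh-from-anywhere", 2000, "INGRESS", "deny",
                 ["0.0.0.0/0"], "tcp", frozenset({22})),
    FirewallRule("allow-http-disabled", 1000, "INGRESS", "allow",
                 ["0.0.0.0/0"], "tcp", frozenset({80}), disabled=True),
]


def check(direction, tags, peer_ip, protocol, port):
    """Evaluate one connection against the constructed RULES."""
    return evaluate(RULES, direction, frozenset(tags), peer_ip, protocol, port)


if __name__ == "__main__":
    for case in [("INGRESS", ["bastion"], "203.0.113.10", "tcp", 22),
                 ("INGRESS", ["web"], "203.0.113.10", "tcp", 22),
                 ("INGRESS", ["web"], "10.128.0.7", "tcp", 8080),
                 ("INGRESS", ["web"], "198.51.100.5", "tcp", 80),
                 ("EGRESS", ["web"], "198.51.100.5", "tcp", 443)]:
        print(case, "->", check(*case))
```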
Each VM instance has a controller that is kept informed of all applicable routes from the network's routing table. Each packet leaving a virtual machine is delivered to the appropriate next hop of an applicable route based on the routing order. When you add or delete a route, the set of changes is propagated to the VM controllers using an eventually consistent design. GCP has four different types of routes that are split into two categories. System-generated routes are automatically created when you create a network, add a subnet, or modify a secondary IP range. Custom routes are those that you create and maintain, either directly or by virtue of using a Cloud Router. This table is a nice summary of the different types of routes.

So here's a quick overview of shared VPC. Shared VPC allows organizations to connect resources from multiple projects to a common VPC network, so that they can communicate with each other securely and efficiently using internal IP addresses from that network. When you use shared VPC, you designate a project to be the host project, and then you attach one or more service projects to it. The VPC networks in the host project are called shared VPC networks. Eligible resources from the service projects can use subnets in the shared VPC network. Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to service project admins while maintaining centralized control over network resources like subnets, routes, and firewalls. This model allows organizations to do the following. Implement a security best practice of least privilege for network administration, auditing and access control: shared VPC admins can delegate network administration tasks to networking and security admins in the shared VPC network without allowing service project admins to make any network-impacting changes.
Service project admins are only given the ability to create and manage instances that make use of the shared VPC network. It also allows organizations to enforce consistent access control policies at the network level for multiple service projects in the organization while delegating administrative responsibilities. For example, service project admins can be compute instance admins in their project, creating and deleting instances that use approved subnets in the shared VPC host project. Companies can also use service projects to separate budgeting for internal cost centers. Before we continue, let's summarize some of the key concepts. Shared VPC connects projects within the same organization. Linked projects can be in the same or different folders, but if they are in different folders, the admin must have shared VPC admin rights for both folders. A project that participates in shared VPC is either a host or a service project. A host project contains one or more shared VPC networks. A shared VPC admin must first enable a project to be a host; after that, a shared VPC admin can attach one or more service projects to it. A service project is any project that has been attached to a host project by a shared VPC admin. This attachment allows it to participate in shared VPC. It's a common practice to have multiple service projects, operated and administered by different departments or teams in your organization. A project can't be both a host and a service project at the same time. This means that a service project cannot be a host project to any other service projects. You can create and use multiple host projects; however, a service project can only be attached to one single host project. And lastly, a project that does not participate in shared VPC is called a standalone project. A shared VPC network is a VPC network defined in a host project and made available as a centrally shared network for eligible resources in service projects.
Shared VPC networks can be either auto mode or custom mode, but legacy networks are not supported. When a host project is enabled, all of its existing VPC networks become shared networks, and any new networks that are created will automatically be shared as well. That means a single host project can have more than one shared VPC network. Since service projects are connected by attachments at the project level, subnets of shared VPC networks in the host project are accessible by service project administrators. Shared VPC host projects are subject to standard per-project VPC quotas. They are subject to per-network limits and per-instance limits for VPC as well, and additionally the relationship between the host and service projects is governed by limits specific to shared VPC. Billing for resources that participate in shared VPC networks is attributed to the service project where the resource is located, even though the resource uses the shared VPC network in the host project. Here is a list of eligible resources that can participate in shared VPC, as well as some practical limitations.

Let's talk about VPC Network Peering. GCP Virtual Private Cloud Network Peering allows private connectivity across VPC networks, regardless of whether or not they belong to the same project or the same organization. This can be super useful for organizations with several network administrative domains, as well as organizations that want to peer with other organizations. Network peering gives you several advantages over using external IP addresses or VPNs to connect two networks, including better network latency, better network security, as well as being a bit cheaper. Peered VPC networks exhibit the following key properties.
Peering works with Compute Engine, GKE, as well as App Engine flexible environments. Peered VPC networks remain administratively separate: routes, firewalls, VPNs, and other traffic management tools are administered and applied separately for each of the VPC networks. Each side of the peering association is set up independently. Peering will only be active if the configuration on both sides matches. Either side can choose to delete a peering at any time. Peering can be configured for one VPC network even before the other VPC network is created. A given VPC network can peer with multiple VPC networks, but there is a limit. A subnet CIDR prefix in one peered VPC network cannot overlap with a prefix in another peered network; this covers both subnet routes and custom routes. GCP checks for overlaps in the following circumstances and generates an error when an overlap occurs: when you peer VPC networks for the first time, when you create a static route in a peered VPC network, and when you create a new subnet in a peered VPC network. Only VPC networks are supported for VPC Network Peering; peering is not supported for legacy networks. There are new IAM permissions for creating and deleting VPC Network Peering. These permissions are included in the project owner, editor and network admin roles. Once networks are peered, every internal private IP address is accessible across peered networks. VPC Network Peering does not provide granular controls to filter out which subnets or CIDRs are reachable across the peered networks; you're going to need to use firewall rules to filter traffic if you need that kind of filtering. All virtual machine IPs and internal load balancer IPs are available in all subnetworks of peered networks. Network routes and VPNs are not propagated to directly peered networks; only directly peered networks can communicate. In other words, if VPC network 1 is peered with VPC networks 2 and 3,
but 2 and 3 are not directly connected, VPC networks 2 and 3 cannot communicate over the peering. Peering traffic has the same latency, throughput and availability as private traffic in the same network. The billing policy for peered traffic and private traffic is the same. Internal load balancing and firewalls, shared VPC, as well as multiple network interfaces per instance and even IP aliasing are all available in VPC Network Peering scenarios.

In this video, we're going to take a quick look at how we can use Google's APIs from an external network: an example architecture that allows this, enabling Private Google Access, configuring the firewall rules, and making use of the gcloud command. Here we're going to take a look at how you can use APIs from Google Cloud Platform services from an external network. You can use this approach to allow your on-premises servers that can connect to your private network to access GCP services without using public IP addresses. The following diagram demonstrates the overall architecture for an example solution, with a local compute instance on an Amazon VPC connecting to the Translation API on the Google side. We connect a private network in the Amazon VPC to a virtual network in our GCP project through an IPsec VPN. If you use an on-premises private network instead of Amazon VPC, you would use Cloud Interconnect to have a private network connection to your GCP project. We'll use Private Google Access from the GCP project. A service running outside the GCP project cannot reach GCP APIs, such as the Google Cloud Translation API, by using an internal IP address, even when Private Google Access is enabled. Therefore, you'll use an HTTP or HTTPS proxy in your GCP project to transfer API requests from external servers to GCP APIs and services using internal IP addresses. You will need to enable Private Google Access on the subnet connected to the Amazon VPC.
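The peering properties above, as an added example that is not part of the course: a model in which each side of a peering is configured independently and the peering is active only when both sides match, subnet CIDRs are checked for overlap when peering and when a subnet is added, and reachability is never transitive (network 1 peered with 2 and 3 does not connect 2 to 3). Network names and CIDRs are constructed.

```python
"""Added example (not code from the course): a model of the VPC Network
Peering properties from the lecture.  Network names and CIDRs are made up."""
from ipaddress import ip_network


class VpcNetwork:
    def __init__(self, name, subnets):
        self.name = name
        self.subnets = [ip_network(cidr) for cidr in subnets]
        self.peering_configs = {}   # peer name -> VpcNetwork, this side's config only

    def overlapping_subnets(self, other):
        """CIDR pairs that overlap between this network and another."""
        return [(str(a), str(b)) for a in self.subnets for b in other.subnets
                if a.overlaps(b)]


def configure_peering(local, remote):
    """Set up one side of a peering association.  Mirrors the GCP check that
    raises an error when subnet ranges of the two networks overlap."""
    clash = local.overlapping_subnets(remote)
    if clash:
        raise ValueError(f"{local.name} <-> {remote.name}: overlapping subnets {clash}")
    local.peering_configs[remote.name] = remote


def peering_active(a, b):
    """Active only when both networks have configured the other side."""
    return b.name in a.peering_configs and a.name in b.peering_configs


def can_communicate(a, b):
    """Internal IPs are reachable only across a direct, active peering.
    There is no transitive reachability through a common peer."""
    return a is b or peering_active(a, b)


def add_subnet(net, cidr):
    """Adding a subnet re-checks overlap against every active peer."""
    new = ip_network(cidr)
    for peer in net.peering_configs.values():
        if peering_active(net, peer) and any(new.overlaps(s) for s in peer.subnets):
            raise ValueError(f"{cidr} overlaps a subnet in peered network {peer.name}")
    net.subnets.append(new)


def demo():
    """Build the lecture's topology: net1 peers with net2 and net3,
    but net2 and net3 are not peered with each other."""
    net1 = VpcNetwork("net1", ["10.0.0.0/16"])
    net2 = VpcNetwork("net2", ["10.1.0.0/16"])
    net3 = VpcNetwork("net3", ["10.2.0.0/16"])
    for local, remote in [(net1, net2), (net2, net1), (net1, net3), (net3, net1)]:
        configure_peering(local, remote)
    return net1, net2, net3


if __name__ == "__main__":
    n1, n2, n3 = demo()
    print("net1 <-> net2:", can_communicate(n1, n2))   # True: directly peered
    print("net2 <-> net3:", can_communicate(n2, n3))   # False: not transitive
```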
If you're not quite sure how to do this, you can run the example command below in the Google Cloud Shell. The next step is to add a firewall rule that allows a proxy connection from the Amazon VPC and an SSH connection from all external networks. The SSH connection is used to configure the HTTP or HTTPS proxy instance. To configure the proxy without manually signing in to the instance, you can use a startup script, in which case you don't need to create a firewall rule for the SSH connection. Launch a Compute Engine instance, specifying the private IP address of the instance you want to use as the proxy address, then SSH into the instance and install the proxy service. You can take a look at the example command below on how to configure the proxy service. Confirm that the service is now configured to accept connections on the IP address and port you specified; you can do this using the command below, and the output should look something like this. At this point, you don't need the SSH connection anymore, and you can remove it from the firewall if you'd like. If you want to do this by yourself, then check out the link below; it gives a step-by-step guide. And that's the end of section 2.

Let's take a look at what we will learn. We're going to take a look at IAM concepts relating to identity and the concepts relating to access management. Google Cloud Platform offers Cloud IAM, which lets you manage access control by defining who has access to which resources in your project. With Cloud IAM, you can grant granular access to specific GCP resources and prevent unwanted access to other resources. Cloud IAM lets you adopt the security principle of least privilege, so you grant only the necessary access to your resources. In Cloud IAM, you grant access to members. Members can be any of the following types: a Google account, a service account, a Google group, a G Suite domain, or a Cloud Identity domain.
We'll discuss all of these types in a little more detail in the following slides. A Google account represents a developer, an administrator, or any other person who interacts with GCP. Any email address that is associated with a Google account can be an identity, including gmail.com or other domains. Any user can sign up for a Google account by going to the Google account sign-up page. A service account is an account that belongs to your application instead of an individual end user. When you run code that is hosted on GCP, you specify the account that the code should run as. You can create as many service accounts as needed to represent the different logical components of your application. For more information about using service accounts in your application, please make sure you check out the following link. A Google group is a named collection of Google accounts and service accounts. Every group has a unique email address that is associated with that group. You can find the email address that is associated with a group by clicking on the homepage of any Google Group. For more information about Google groups, please make sure to use the following link. Google Groups are a convenient way to apply an access policy to a collection of users. You can grant and change access controls for a whole group at once, instead of granting or changing access one at a time for each individual user or service account. You can also easily add members to and remove members from a Google group, instead of updating a Cloud IAM policy to add or remove users. It's important to note that Google Groups don't have login credentials, and you cannot use Google Groups to establish identity to make a request to access a resource. A G Suite domain represents a virtual group of all the Google accounts that have been created in an organization's G Suite account. G Suite domains represent your organization's Internet domain name, such as example.com.
When you add a user to your G Suite domain, a new Google account is created for the user inside that virtual group, such as username@example.com. Like Google Groups, G Suite domains cannot be used to establish identity, but they enable convenient permission management. A Cloud Identity domain is like a G Suite domain because it represents a virtual group of Google accounts in an organization. However, Cloud Identity domain users don't have access to G Suite applications and features. For more information about this, please look at the following link. Let's take a look at some special identifiers. The allAuthenticatedUsers identifier is a special identifier that represents anyone who is authenticated with a Google account or a service account; users who are not authenticated, such as anonymous visitors, are not included. The allUsers identifier is a special identifier that represents anyone on the Internet, including authenticated and unauthenticated users. Note that some GCP APIs require authentication of any user accessing the service, and in those cases allUsers will only imply authorization for all authenticated users.

So let's take a look at some concepts related to access management. When an authenticated member attempts to access a resource, Cloud IAM checks the resource's Cloud IAM policy to determine whether the action is allowed. Resources: you can grant access to users for a GCP resource. Some examples of resources are projects, Compute Engine instances, and Cloud Storage buckets. Some services, such as Cloud Pub/Sub and Compute Engine, support granting Cloud IAM permissions at a granularity finer than the project level. For example, you can grant the Pub/Sub subscriber role to a user for a particular Pub/Sub topic, or you can grant the compute instance admin role to a user for a specific Compute Engine instance. In other cases, you can grant Cloud IAM permissions at the project level; the permissions are then inherited by all resources within the project.
For example, to grant access to a storage bucket, you must grant the access to the project that contains the bucket. For more information about what roles can be granted on which resources, please refer to the following link. Permissions determine what operations are allowed on a resource. In the Cloud IAM world, permissions are represented in the form service.resource.verb, for example pubsub.subscriptions.consume. Permissions usually, but not always, correspond one-to-one with REST methods. That is, each GCP service has an associated set of permissions for each REST method that is exposed, and the caller of that method needs those permissions to call that method. For example, the caller of Publisher.Publish needs the pubsub.topics.publish permission. You don't assign permissions to users directly. Instead, you assign them to a role, which contains one or more permissions. A role is a collection of permissions. You cannot assign a permission to a user directly; instead, you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains. There are three kinds of roles in Cloud IAM: primitive roles, predefined roles, and custom roles. Primitive roles: these roles are historically available in the Google Cloud Platform console and will continue to work. These roles are Owner, Editor, and Viewer. Predefined roles: these roles are the Cloud IAM roles that give finer-grained access control than the primitive roles. For example, the predefined role Pub/Sub Publisher provides access to only publish messages to a Cloud Pub/Sub topic. Custom roles are roles that you create to tailor permissions to the needs of your organization when the predefined roles don't meet your needs. We're going to take a deeper look at roles and try to understand what IAM policies are. Understanding the roles.
When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management requires that the identity has the appropriate permissions to use that resource. You can grant permissions by granting roles to a user, a group, or a service account. As previously discussed, there are three types of roles in Cloud IAM: primitive roles, including Owner, Editor, and Viewer, which existed prior to the introduction of Cloud IAM; predefined roles, which provide granular access for a specific service and are managed by GCP; and custom roles, which provide granular access according to a user-specified list of permissions. To determine if one or more permissions are included in a primitive, predefined, or custom role, you can use one of the following methods: the gcloud iam roles describe command or the roles.get API. There are three roles that existed prior to the introduction of Cloud IAM: Owner, Editor, and Viewer. These roles are concentric. That is, the Owner role includes the permissions in the Editor role, and the Editor role includes the permissions in the Viewer role. The table on the right-hand side gives a summary of the permissions that the primitive roles include across all GCP services. In addition to the primitive roles, IAM provides additional predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. Predefined roles are created and maintained by Google. Their permissions are automatically updated as necessary, such as when new features or services are added to GCP. A particular role can be granted to its resource type and, in most cases, any type above it in the GCP hierarchy. You can grant multiple roles to the same user. For example, the same user can have the Network Admin and Log Viewer roles on the same project and also have a Publisher role for a Pub/Sub topic within that project. A few of the predefined roles are Android Management roles, App Engine roles,
Cloud ML roles, BigQuery roles, Billing roles, Storage roles, and Cloud Asset roles. For a full list, be sure to check out this link. In addition to predefined roles, Cloud IAM provides the ability to create customized Cloud IAM roles. You can create a custom Cloud IAM role with one or more permissions and then grant that custom role to users who are part of your organization. Custom roles are user-defined and allow you to bundle one or more supported permissions to meet your specific needs. Custom roles are not maintained by Google. When new permissions, features, or services are added to GCP, your custom roles will not be updated automatically. You can create custom roles at the organization level or the project level. However, you cannot create a custom role at the folder level. You create a custom role by combining one or more of the available permissions. Permissions allow users to perform specific actions on GCP resources. In the Cloud IAM world, permissions are represented in the form service.resource.verb. Let's take a look at IAM policies. You can grant roles to users by creating a Cloud IAM policy, which is a collection of statements that define who has what type of access. A policy is attached to a resource and is used to enforce access control whenever that resource is accessed. Cloud IAM provides a set of methods that you can use to create and manage access control policies on GCP resources. These methods are exposed by services that support Cloud IAM. For example, the Cloud IAM methods are exposed by Resource Manager, Cloud Pub/Sub, and the Genomics API, just to name a few. The Cloud IAM methods are setIamPolicy, which allows you to set policies on your resources; getIamPolicy, which allows you to get a policy that was previously set; and testIamPermissions, which allows you to test whether the caller has the specified permissions for a resource. GCP resources are organized hierarchically.
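To make the vocabulary of the last few minutes concrete (permissions in service.resource.verb form, roles as bundles of permissions, concentric primitive roles, custom roles that can live under an organization or project but not a folder, and a testIamPermissions-style check against a policy's bindings), here is a small added model in Python. It is example code written for this page, not the instructor's material or Google's own implementation. The role and permission identifiers are real GCP names, but the permission sets are a deliberately small illustrative subset of what Google maintains, and the policy contents are constructed.

```python
import re

# Permissions take the form service.resource.verb (e.g. pubsub.topics.publish).
PERMISSION_RE = re.compile(r"^([a-z][a-z0-9]*)\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)$")


def parse_permission(permission):
    """Split a permission into (service, resource, verb); reject anything
    that is not in the service.resource.verb form."""
    match = PERMISSION_RE.match(permission)
    if match is None:
        raise ValueError(f"not a service.resource.verb permission: {permission!r}")
    return match.groups()


# Illustrative subset only: the real primitive roles carry thousands of permissions.
# Primitive roles are concentric: Owner contains Editor, which contains Viewer.
VIEWER_PERMISSIONS = {"pubsub.topics.get", "pubsub.subscriptions.get", "storage.objects.get"}
EDITOR_PERMISSIONS = VIEWER_PERMISSIONS | {
    "pubsub.topics.publish",
    "pubsub.subscriptions.consume",
    "storage.objects.create",
}
OWNER_PERMISSIONS = EDITOR_PERMISSIONS | {"resourcemanager.projects.setIamPolicy"}

ROLES = {
    # primitive roles
    "roles/viewer": VIEWER_PERMISSIONS,
    "roles/editor": EDITOR_PERMISSIONS,
    "roles/owner": OWNER_PERMISSIONS,
    # predefined roles: finer-grained and scoped to one service (subset of their permissions)
    "roles/pubsub.publisher": {"pubsub.topics.publish"},
    "roles/pubsub.subscriber": {"pubsub.subscriptions.consume", "pubsub.topics.attachSubscription"},
}


def primitive_roles_are_concentric(roles=ROLES):
    """True when Viewer ⊆ Editor ⊆ Owner, as the lecture states."""
    return (roles["roles/viewer"] <= roles["roles/editor"]
            and roles["roles/editor"] <= roles["roles/owner"])


def define_custom_role(roles, role_id, parent, permissions):
    """Register a custom role under an organization or a project (never a
    folder) after checking that every permission is well-formed.  Returns the
    role's full resource name."""
    if not (parent.startswith("organizations/") or parent.startswith("projects/")):
        raise ValueError("custom roles can be created at organization or project level only")
    for permission in permissions:
        parse_permission(permission)
    name = f"{parent}/roles/{role_id}"
    roles[name] = set(permissions)
    return name


def roles_for_member(policy, member):
    """Roles bound directly to a member in one resource's policy."""
    return {binding["role"] for binding in policy["bindings"] if member in binding["members"]}


def check_iam_permissions(policy, member, permissions, roles=ROLES):
    """Mirror of the testIamPermissions method: return the subset of the
    requested permissions that the member holds through the policy's roles.
    (Group membership expansion is not modelled here.)"""
    held = set()
    for role in roles_for_member(policy, member):
        held |= roles.get(role, set())
    return sorted(p for p in permissions if p in held)


# Constructed policy on a single Pub/Sub topic, in the real IAM policy shape.
TOPIC_POLICY = {
    "bindings": [
        {"role": "roles/pubsub.publisher", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:readers@example.com"]},
    ]
}

if __name__ == "__main__":
    print(parse_permission("pubsub.subscriptions.consume"))
    print(check_iam_permissions(TOPIC_POLICY, "user:alice@example.com",
                                ["pubsub.topics.publish", "pubsub.subscriptions.consume"]))
```

Note that `check_iam_permissions` answers only for the one policy you hand it; the inheritance of policies from parent resources is a separate matter covered next.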
The organization node is the root node in the hierarchy, projects are children of the organization, and other resources are the descendants of projects. Each resource has exactly one parent. See the Resource Manager resource hierarchy topic for more information. You can set Cloud IAM policies at any level in the resource hierarchy: the organization level, the folder level, the project level, or the resource level. Resources inherit the policies of their parent resources. If you set a policy at the organization level, it is automatically inherited by all the child projects, and if you set the policy at the project level, it's inherited by all of its child resources. The effective policy for a resource is the union of the policy set at the resource level and the policies inherited from higher up in the hierarchy. This policy inheritance is transitive. In other words, resources inherit policies from the project, which inherits policies from the folder, which inherits policies from the organization. Therefore, organization-level policies also apply at the resource level. The Cloud IAM policy hierarchy follows the same path as the GCP resource hierarchy. If you change your resource hierarchy, the policy hierarchy changes as well. For example, moving a project into an organization will update the project's Cloud IAM policies to inherit from that organization's Cloud IAM policies. Child policies cannot restrict the access granted at a higher level. For example, if you grant the Editor role to a user for a project and grant the Viewer role to the same user for a child resource, then the user still has the Editor role granted for the child resource. What are service accounts? We will now explore service accounts, the types of service accounts, and the IAM roles that are available to you for service accounts. A service account is a special Google account that belongs to your application or a virtual machine
instead of an individual end user. Your application uses the service account to call a Google API or a service, so that the users aren't directly involved. A service account is identified by its email address, which is unique to the account. For example, a Compute Engine VM may run as a service account, and that account can be given permissions to access the resources it needs. This way, the service account is the identity of the service, and the service account's permissions control which resources the service can access. Each service account is associated with a key pair, which is managed by Google Cloud Platform. It is used for service-to-service authentication within GCP. These keys are rotated automatically by Google and are used for signing for a maximum of two weeks. You may optionally create one or more external key pairs for use from outside GCP. When you create a new key pair, you download a private key which is not retained by Google. With external keys, you're responsible for the security of the private key and for other management operations such as key rotation. External keys can be managed by the IAM API, the gcloud command-line tool, or the service account page in the GCP console. You can create up to 10 service account key pairs per service account to facilitate key rotation. There are two types of service accounts: user-managed service accounts and Google-managed service accounts. When you create a new Cloud project using the GCP console, and if the Compute Engine API is enabled for your project, a Compute Engine service account is created for you by default. It's identifiable by using the email address as in the example below. If your project contains an App Engine application, the default App Engine service account is created in your project by default; it is identifiable by using the email below. If you create a service account in your project, you'll name the service account and it will be assigned an email with the following format.
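The policy-inheritance rules described a moment ago (the effective policy is the union of a resource's own policy and every ancestor's policy, the policy hierarchy follows the resource hierarchy when a project moves, and a child policy cannot take away what a parent granted) are easy to get wrong when reasoning about who can reach a resource, so here is an added Python model that walks a constructed hierarchy and computes a member's effective roles. This is example code written for this page, not the instructor's or Google's. The organization, folder and project names are invented, and the bucket path is a stand-in for a child resource, not the exact resource-name format the Storage API uses.

```python
# Constructed resource tree: each resource names its parent; None marks a root.
PARENT = {
    "organizations/111": None,
    "folders/222": "organizations/111",
    "projects/demo-proj": "folders/222",
    "projects/demo-proj/buckets/logs": "projects/demo-proj",  # stand-in child resource
    "organizations/999": None,  # a second organization, used to show what moving does
}

# Constructed policies, in the real IAM policy shape.  The bucket policy grants
# Alice only Viewer, but the project above it already grants her Editor.
POLICIES = {
    "organizations/111": {"bindings": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ]},
    "projects/demo-proj": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
    ]},
    "projects/demo-proj/buckets/logs": {"bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ]},
}


def ancestry(resource, parent=PARENT):
    """The resource itself followed by its parents up to the root."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = parent[resource]
    return chain


def effective_bindings(resource, policies=POLICIES, parent=PARENT):
    """Union of the resource's own policy and every ancestor's policy,
    as a mapping role -> set of members.  Nothing is ever subtracted:
    a child policy can only add to what it inherits."""
    effective = {}
    for node in ancestry(resource, parent):
        for binding in policies.get(node, {"bindings": []})["bindings"]:
            effective.setdefault(binding["role"], set()).update(binding["members"])
    return effective


def effective_roles(resource, member, policies=POLICIES, parent=PARENT):
    """Roles a member holds on a resource, directly or by inheritance."""
    return {role for role, members in effective_bindings(resource, policies, parent).items()
            if member in members}


def move_project(project, new_parent, parent=PARENT):
    """Return a copy of the tree with the project re-parented.  The policy
    hierarchy follows automatically because it is derived from the tree."""
    moved = dict(parent)
    moved[project] = new_parent
    return moved


if __name__ == "__main__":
    bucket = "projects/demo-proj/buckets/logs"
    print(ancestry(bucket))
    # Alice keeps Editor on the bucket even though the bucket policy only says Viewer.
    print(sorted(effective_roles(bucket, "user:alice@example.com")))
    # The auditors group sees the bucket only through the organization-level grant...
    print(sorted(effective_roles(bucket, "group:auditors@example.com")))
    # ...which disappears once the project is moved under a different organization.
    moved = move_project("projects/demo-proj", "organizations/999")
    print(sorted(effective_roles(bucket, "group:auditors@example.com", parent=moved)))
```

The practical lesson the model makes visible: to find out who can touch a resource you must read the policies all the way up to the organization, and to remove access you must remove the binding at the level where it was granted, not add a narrower role lower down.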
You can create up to 100 service accounts per project, including the default Compute Engine service account and the App Engine service account, using any of the regular methods. These default service accounts and the service accounts you explicitly create are the user-managed service accounts. In addition to the user-managed service accounts, you might see additional service accounts in your project's policies or in the Google Cloud Console. These accounts are created by Google. They represent different Google services, and each account is automatically granted IAM roles to access your GCP project. An example of a Google-managed service account is the Google APIs service account, identifiable using the email below. This service account is designed specifically to run internal Google processes on your behalf and is not listed in the service account section of the GCP console. By default, the account is automatically granted the project Editor role and is listed in the IAM section of the Google Cloud Console. This service account is deleted only when the project is deleted. Google services rely on that account having access to your project, so do not remove or change the service account's role on your project. In addition to being an identity, a service account is a resource which has IAM policies attached to it. These policies determine who can use the service account. For instance, Alice can have the Editor role on a service account, and Bob can have the Viewer role on the same service account. This is just like granting roles for any other GCP resource. The default Compute Engine and App Engine service accounts are granted the Editor role on their project when they are created, so that code executing in your app or VM instance has the necessary permissions. If you want your application to access a Cloud Storage bucket, you grant the service account the permissions to read the Cloud Storage bucket.
In this case, the service account is the identity to which you are granting permissions on another resource. You can grant the IAM Service Account User role at the project level for all service accounts in that project, or at the service account level. Granting the role to a user for a project gives that user access to all service accounts in the project, including service accounts that may be created in the future. Granting this role to a user for a specific service account gives the user access to only that account. If you grant a user the Compute Instance Admin role as well as the IAM Service Account User role, they can create and manage Compute Engine instances that use a service account. After you grant IAM roles to a service account, you can assign the service account to one or more new virtual machine instances. Users who are service account users can use the service account to indirectly access all resources to which that service account has access. For example, a user who has the Service Account User role can start an instance using the service account. They can then use the instance to access anything the service account identity has access to. However, the Service Account User role doesn't allow a user to directly use the service account's roles. Therefore, be cautious when granting the IAM Service Account User role to a user. A service account represents your service-level security. The security of the service is determined by the people who have IAM roles to manage and use the service accounts and the people who hold private external keys for the service accounts. Some best practices are: use the IAM API to audit the service accounts, the keys, and the policies on those service accounts. If your service account doesn't need external keys, delete them. And if a user doesn't need the permissions to manage or use service accounts, then remove them from the IAM policy. The Service Account Token Creator role allows impersonation of
service accounts to create access tokens, sign blobs, or sign JWTs. The Service Account Actor role has been deprecated. If you need to run operations as a service account, use the Service Account User role to effectively provide the same permissions as the Service Account Actor role. You should also grant the Service Account Token Creator role. Access scopes are the legacy method of specifying permissions for your virtual machine. Before the existence of IAM roles, access scopes were the
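The service-account best practices above (audit the keys and the policies, delete external keys the account does not need, and be careful with project-wide Service Account User grants because they reach every service account in the project, including future ones) are easiest to apply as a small recurring script. Here is an added Python example written for this page, not the instructor's or Google's own tooling. It audits two constructed inputs that mimic the JSON shapes of `gcloud iam service-accounts keys list --iam-account=EMAIL --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`; the key ids, timestamps and member names are invented, the 90-day rotation window is an assumed local policy, and the fixed clock exists only so the result is reproducible.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the output of
#   gcloud iam service-accounts keys list --iam-account=EMAIL --format=json
# Key ids and timestamps are invented for this example.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com/keys/a1b2",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-03-01T00:00:00Z", "validBeforeTime": "2024-03-15T00:00:00Z"},
  {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com/keys/c3d4",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-06-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com/keys/e5f6",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-02-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]
"""

# Constructed project policy shaped like the output of
#   gcloud projects get-iam-policy PROJECT_ID --format=json
SAMPLE_PROJECT_POLICY_JSON = """
{"bindings": [
  {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]},
  {"role": "roles/viewer", "members": ["group:readers@example.com"]}
]}
"""

# Fixed clock so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
MAX_USER_MANAGED_KEYS = 10  # per-service-account limit stated in the lecture


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys_json, now=NOW, max_age_days=90):
    """Flag external (USER_MANAGED) keys older than the rotation window and
    warn when the account has hit the 10-key limit, which would block
    rotating in a fresh key.  SYSTEM_MANAGED keys are skipped because Google
    rotates those itself."""
    keys = json.loads(keys_json)
    findings = []
    user_managed = [k for k in keys if k["keyType"] == "USER_MANAGED"]
    for key in user_managed:
        key_id = key["name"].rsplit("/", 1)[1]
        age_days = (now - parse_time(key["validAfterTime"])).days
        if age_days > max_age_days:
            findings.append({"key": key_id, "age_days": age_days,
                             "issue": "external key exceeds the rotation window; rotate it, or delete it if unused"})
    if len(user_managed) >= MAX_USER_MANAGED_KEYS:
        findings.append({"key": None, "age_days": None,
                         "issue": "at the user-managed key limit; delete a key before rotating"})
    return findings


def count_user_managed_keys(keys_json):
    """How many external keys exist; a service account that only ever runs
    inside GCP should have zero."""
    return sum(1 for k in json.loads(keys_json) if k["keyType"] == "USER_MANAGED")


def project_level_service_account_users(policy_json):
    """Members holding roles/iam.serviceAccountUser on the whole project.
    Such a grant covers every service account in the project, including ones
    created later, so each member here deserves a review."""
    policy = json.loads(policy_json)
    members = []
    for binding in policy["bindings"]:
        if binding["role"] == "roles/iam.serviceAccountUser":
            members.extend(binding["members"])
    return sorted(members)


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS_JSON):
        print(finding)
    print("external keys:", count_user_managed_keys(SAMPLE_KEYS_JSON))
    print("project-wide Service Account User:", project_level_service_account_users(SAMPLE_PROJECT_POLICY_JSON))
```

In practice you would feed the script the live output of the two gcloud commands named in the comments and act on the findings with `gcloud iam service-accounts keys delete KEY_ID --iam-account=EMAIL` for keys that are no longer needed, and by moving project-wide Service Account User grants down to the individual service accounts that the member actually has to use.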