
Getting Started with Google Cloud
Cloud security requires collaboration
● Google is responsible for managing its infrastructure security.
● You are responsible for securing your data.
● Google helps you with best practices, templates, products, and solutions.
[Diagram: shared responsibility]
Resource hierarchy levels define trust boundaries
● Group your resources according to your organization structure.
● Levels of the hierarchy provide trust boundaries and resource isolation.
[Diagram: Org Node (Company) > Folders (Dept X, Dept Y, Shared infra; Team A, Team B; Product 1, Product 2; Test, Prod) > Projects (Cloud Project, Cloud Project) > Resources (VMs, Storage)]
All Google Cloud services you use are associated with a project
● Track resource and quota usage
● Enable billing
● Manage permissions and credentials
● Enable services and APIs
Projects have three identifying attributes

Attribute        Uniqueness           Chosen by            Mutability
Project ID       Globally unique      Chosen by you        Immutable
Project name     Need not be unique   Chosen by you        Mutable
Project number   Globally unique      Assigned by Google   Immutable
Folders offer flexible management
● Folders group projects under an organization.
● Folders can contain projects, other folders, or both.
● Use folders to assign policies.
[Diagram: example.com > Folder A (project_1, project_2, project_3), Folder B (project_4, project_5)]
The organization node organizes projects
● The organization node is the root node for Google Cloud resources.
● Notable organization roles:
  ○ Organization Policy Administrator: Broad control over all cloud resources
  ○ Project Creator: Fine-grained control of project creation
[Diagram: bob@example.com (Organization Admin) administers example.com; alice@example.com (Project Creator) creates project_1 and project_2]
An example IAM resource hierarchy
● A policy is set on a resource.
  ○ Each policy contains a set of roles and role members.
● Resources inherit policies from parent.
  ○ Resource policies are a union of parent and resource.
● A less restrictive parent policy overrides a more restrictive resource policy.
[Diagram, policy inheritance flowing downward: Organization example.com > Projects (bookshelf, bookshelf, bookshelf) > Resources: Compute Engine instance_a, App Engine queue_a, Cloud Storage bucket_a and bucket_b, Cloud Pub/Sub topic_a, BigQuery dataset_a]
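The inheritance rules on this slide, as an added example that is not part of the course deck: a small Python model in which a policy is a list of bindings (each binding ties members to one role) and a resource's effective roles are the union of its own bindings and those of every ancestor, so a broad grant at the organization node cannot be narrowed by a stricter policy on a project or instance. The hierarchy, members and the role-to-permission mapping are constructed sample data; the custom InstanceOperator role mirrors the one on a later slide, and the real predefined role definitions are larger.

```python
from dataclasses import dataclass, field

# Role -> permissions. Constructed subset for this example, not the real role
# definitions; the permission names are the Compute Engine ones on the slides.
ROLES = {
    "roles/compute.instanceAdmin": {
        "compute.instances.delete", "compute.instances.get", "compute.instances.list",
        "compute.instances.setMachineType", "compute.instances.start", "compute.instances.stop",
    },
    # The deck's custom InstanceOperator role: read, start and stop, but never delete.
    "projects/project_a/roles/instanceOperator": {
        "compute.instances.get", "compute.instances.list",
        "compute.instances.start", "compute.instances.stop",
    },
}

@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    # A policy is a list of bindings; each binding binds a list of members to one role.
    bindings: list = field(default_factory=list)

    def grant(self, role: str, *members: str) -> None:
        self.bindings.append({"role": role, "members": list(members)})

def effective_roles(res: Resource, member: str) -> set:
    """Union of the roles bound to `member` on the resource and on every ancestor.
    Inheritance only adds roles: a grant made higher up cannot be revoked below it."""
    roles, node = set(), res
    while node is not None:
        roles |= {b["role"] for b in node.bindings if member in b["members"]}
        node = node.parent
    return roles

def has_permission(res: Resource, member: str, permission: str) -> bool:
    return any(permission in ROLES.get(r, ()) for r in effective_roles(res, member))

def build_hierarchy() -> Resource:
    """Constructed sample hierarchy: organization > folder > project > VM instance."""
    org = Resource("organizations/example.com")
    folder = Resource("folders/dept_x", org)
    project = Resource("projects/project_a", folder)
    instance = Resource("projects/project_a/instances/instance_a", project)
    # Narrow custom role for the ops group, set on the project only.
    project.grant("projects/project_a/roles/instanceOperator", "group:ops@example.com")
    # Broad predefined role granted at the org node: inherited all the way to instance_a.
    org.grant("roles/compute.instanceAdmin", "user:bob@example.com")
    return instance
```

Walking the ancestors of instance_a shows why least privilege starts at the top of the hierarchy: the ops group cannot delete the VM, but bob can, and nothing set on project_a or instance_a would change that.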
Google Cloud and AWS billing have different levels of flexibility

Google Cloud: billing by project
● An organization is created by a contract with Google Sales.
[Diagram: Google Cloud Organization > Folders > Projects (each project attached to a Billing Account) > Resources]

AWS: billing by account
[Diagram: Account > Billing > Resources]
Summary of resource hierarchy differences

Term               Google Cloud                        AWS
Billing accounts   Many per account                    One per account
Billing roll-up    Projects                            Sub-accounts
Policy levels      Account, org, folder, project       Account, org
Admins             Google users or Groups              IAM users, Groups, Roles
Account admin      Gmail user or G Suite super user    Root user
Google Cloud Identity and Access Management defines...
Who can do what on which resource
IAM policies can apply to any of four types of principals
● Google account or Cloud Identity user: test@gmail.com, test@example.com
● Service account: test@project_id.iam.gserviceaccount.com
● Google group: test@googlegroups.com
● Cloud Identity or G Suite domain: example.com
There are three types of IAM roles
● Primitive
● Predefined
● Custom
IAM primitive roles apply across all Google Cloud services in a project
[Diagram: who can do what on all resources]
IAM primitive roles offer fixed, coarse-grained levels of access

Owner
● Invite members
● Remove members
● Delete projects
● And...

Editor
● Deploy applications
● Modify code
● Configure services
● And...

Viewer
● Read-only access

Billing administrator
● Manage billing
● Add and remove administrators

A project can have multiple owners, editors, viewers, and billing administrators
IAM predefined roles apply to a particular Google Cloud service in a project
[Diagram: who can do what on Compute Engine resources in this project, or folder, or org]
IAM predefined roles offer more fine-grained permissions on particular services
[Diagram: Google Group > InstanceAdmin Role > project_a]
InstanceAdmin Role permissions:
✔ compute.instances.delete
✔ compute.instances.get
✔ compute.instances.list
✔ compute.instances.setMachineType
✔ compute.instances.start
✔ compute.instances.stop
...
IAM custom roles let you define a precise set of permissions
[Diagram: Google Group > InstanceOperator Role > project_a]
InstanceOperator Role permissions:
✔ compute.instances.get
✔ compute.instances.list
✔ compute.instances.start
✔ compute.instances.stop
...
Service Accounts control server-to-server interactions
● Provide an identity for carrying out server-to-server interactions in a project
● Used to authenticate from one service to another
● Used to control privileges used by resources
  ○ So that applications can perform actions on behalf of authenticated end users
● Identified with an email address:
  PROJECT_NUMBER-compute@developer.gserviceaccount.com
  PROJECT_ID@appspot.gserviceaccount.com
Service Accounts and IAM
● Service accounts authenticate using keys.
  ○ Google manages keys for Compute Engine and App Engine.
● You can assign a predefined or custom IAM role to the service account.

Identity          IAM Role             Resource
Service Account   InstanceAdmin Role   Compute Instances
Example: Service Accounts and IAM
● VMs running component_1 are granted Editor access to project_b using Service Account 1.
● VMs running component_2 are granted objectViewer access to bucket_1 using Service Account 2.
● Service account permissions can be changed without recreating VMs.
[Diagram: project_a VMs running component_1 (Service Account 1) > Editor > project_b; project_a VMs running component_2 (Service Account 2) > Storage.objectViewer > bucket_1 in project_b]
Key differences between IAM concepts in Google Cloud and AWS

● Programmatic identity
  Google Cloud: Cloud IAM service account
  AWS: IAM role and instance profile
● User identity
  Google Cloud: Managed outside Cloud IAM. Identity federated to external identity management system.
  AWS: Managed in IAM. Identity federated to external identity management system.
● Policy
  Google Cloud: A list of bindings. A binding binds a list of members to a role.
  AWS: A document that explicitly lists permissions.
● Permission collection
  Google Cloud: Role
  AWS: Policy
● Predefined set of permissions
  Google Cloud: Predefined roles
  AWS: Managed policies
There are four ways to interact with Google Cloud
● Web user interface
● Command-line interface
● For iOS and Android
● For custom applications
Google Cloud Platform Console
● Web-based administrative user interface
● Manage and create projects
● Access to Google Cloud APIs
● Offers access to Cloud Shell
  ○ A temporary virtual machine with Google Cloud SDK preinstalled
Google Cloud SDK
● Includes command-line tools for Cloud Platform products and services
  ○ gcloud, gsutil (Cloud Storage), bq (BigQuery)
● Available via Cloud Shell
● Available as Docker image
RESTful APIs
● Programmatic access to products and services
○ Typically use JSON as an interchange format
○ Use OAuth 2.0 for authentication and authorization
● Enabled through the Google Cloud Console
RESTful APIs
● Most APIs include daily quotas and rates (limits) that can be raised by request
  ○ Important to plan ahead to manage your required capacity
● Experiment with APIs Explorer
Use APIs Explorer to help you write your code
● The APIs Explorer is an interactive tool that lets you easily try Google APIs using a browser.
● With the APIs Explorer, you can:
  ○ Browse quickly through available APIs and versions.
  ○ See methods available for each API and what parameters they support, along with inline documentation.
  ○ Execute requests for any method and see responses in real time.
  ○ Easily make authenticated and authorized API calls.
Use client libraries to control Google Cloud resources from within your code
● Cloud Client Libraries
  ○ Community-owned, hand-crafted client libraries
● Google API Client Libraries
  ○ Open source, generated
  ○ Support various languages
    ■ Java, Python, JavaScript, PHP, .NET, Go, Node.js, Ruby, Objective-C, Dart
Cloud Console Mobile App
● Manage virtual machines and database instances
● Manage apps in Google App Engine
● Manage your billing
● Visualize your projects with a customizable dashboard
Cloud Marketplace gives quick access to solutions
● A solution marketplace containing pre-packaged, ready-to-deploy solutions
  ○ Some offered by Google
  ○ Others by third-party vendors
● You pay for the underlying Google Cloud Platform resource usage.
  ○ Some solutions also assess third-party license fees.
Lab: Deploy a virtual development environment using Cloud Marketplace.

Lab Objectives
● Deploy a Bitnami LAMP stack to Compute Engine using Cloud Marketplace.
● Verify the deployment.