
Dive in IAM



Krunal Kapadiya

August 29, 2021



  1. Google Cloud Introduction Krunal Kapadiya @krunal3kapadiya

  2. Agenda
     IAM
     - Examples of IAM Hierarchy
     - Who can use what resources
     - 4 Types of Principals
     - 3 Types of IAM Roles
     - Service Accounts
     Compute Engine
     - Virtual Machines
     - VPC
     - Benefits of VPC in GCloud
     - Compute Engine
     - DNS, Load Balancing and CDN
  3. IAM

  4. Examples of IAM Hierarchy
     - A policy is set on a resource.
     - Each policy contains a set of roles and the members of those roles.
     - Resources inherit policies from their parent.
     - A resource's effective policy is the union of the parent's policy and the resource's own policy.
     - A less restrictive parent policy overrides a more restrictive resource policy.
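A model of the inheritance rule on this slide, added here as an example and not taken from the deck; the hierarchy, policies, role names and principal addresses are constructed. The effective policy on a resource is the union of its own bindings and every ancestor's, so a grant made at the project (or organization) cannot be revoked by editing the bucket's policy, which is exactly what an access review has to look for.

```python
from typing import Dict, List, Set, Tuple

Binding = Tuple[str, str]  # (role, member)

# Constructed example hierarchy: organization -> folder -> project -> bucket.
PARENT: Dict[str, str] = {
    "folders/eng": "organizations/acme",
    "projects/project_b": "folders/eng",
    "buckets/bucket_1": "projects/project_b",
}

# Constructed policies: each resource carries its own list of (role, member) bindings.
POLICIES: Dict[str, List[Binding]] = {
    "organizations/acme": [("roles/viewer", "user:alice@acme.example")],
    "projects/project_b": [("roles/editor", "serviceAccount:sa-1@project_b.iam.gserviceaccount.com")],
    "buckets/bucket_1": [("roles/storage.objectViewer", "serviceAccount:sa-2@project_b.iam.gserviceaccount.com")],
}


def ancestry(resource: str) -> List[str]:
    """The resource followed by its ancestors, up to the root of the hierarchy."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_bindings(resource: str) -> Set[Binding]:
    """Effective policy = union of the resource's own bindings and every ancestor's bindings."""
    bindings: Set[Binding] = set()
    for node in ancestry(resource):
        bindings.update(POLICIES.get(node, []))
    return bindings


def roles_for(member: str, resource: str) -> Set[str]:
    """Roles a member actually holds on a resource once inheritance is applied."""
    return {role for role, m in effective_bindings(resource) if m == member}


def inherited_bindings(resource: str) -> Set[Binding]:
    """Bindings that arrive from ancestors: editing the resource's own policy cannot remove them."""
    return effective_bindings(resource) - set(POLICIES.get(resource, []))


if __name__ == "__main__":
    # Audit view: who has access to bucket_1 that the bucket's own policy cannot revoke?
    for role, member in sorted(inherited_bindings("buckets/bucket_1")):
        print(f"{member} holds {role} on bucket_1 via an ancestor policy")
```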
  5. Who can use what resources

  6. 4 Types of Principals

  7. 3 Types of IAM Roles

  8. 1. Primitive Roles

  9. 2. Predefined Roles

  10. 2. Predefined Roles

  11. 3. Custom Roles

  12. Service Accounts control server-to-server interaction
      • Provide an identity for carrying out server-to-server interaction in a project
      • Used to authenticate from one service to another
      • Used to control the privileges used by resources
        ◦ So that an application can perform actions on behalf of authenticated end users
      • Identified with an email address:
        PROJECT_NUMBER@developer.gserviceaccount.com
        PROJECT_ID@developer.gserviceaccount.com
  13. Service Account
      • Service accounts authenticate using keys.
        ◦ Compute manages keys for Compute Engine and App Engine
      • You can assign a curated or custom IAM role to the service account
      • You can also assign the ServiceAccountActor role to users and groups.
  14. Service Account IAM
      • VMs running component_1 are granted Editor access to project_b using Service Account 1
      • VMs running component_2 are granted objectViewer access to bucket_1 using Service Account 2
      • Service account permissions can be changed without recreating VMs
  15. Compute Engine

  16. Virtual Private Cloud Network

  17. (image-only slide, no text)
  18. Compute Engine
      Compute Engine offers managed virtual machines
      • High CPU, high memory, standard and shared-core machine types
      • Persistent disks
        ◦ Standard SSD, local SSD
        ◦ Snapshots
      • Resize disks with no downtime
      • Instance metadata and startup scripts
  19. Compute Engine Pricing
      Compute Engine offers innovative pricing
      • Per-second billing, sustained use discounts
      • Preemptible instances
      • High throughput to storage at no extra cost
      • Custom machine types: only pay for the hardware you need
  20. VPC
      VPC Network offers many interconnecting features
      • Fine-grained networking policies
      • Fine-grained IP address range selection
      • Routes
      • Firewalls
      • Virtual Private Network (VPN)
      • Cloud Routers
  21. DNS
      Cloud DNS is highly available and scalable
      • Create managed zones, then add, edit and delete DNS records
        ◦ Programmatically manage zones and records using the RESTful API or command-line interface
  22. Load Balancing
      Cloud Load Balancing: HTTP(S)
      • Balance HTTP-based traffic across multiple Compute Engine regions
      • A global external IP address routes traffic
      • Traffic is directed only to instances that pass health checks
      • Scalable, requires no pre-warming, and provides resilience and fault tolerance
  23. Load Balancing
      Cloud Load Balancing: TCP/SSL, UDP
      • Spread TCP/SSL and UDP traffic over a pool of instances within a Compute Engine region
      • Traffic is directed only to instances that pass health checks
      • Scalable, requires no pre-warming
  24. CDN (Content Delivery Network)
      • Use Google's globally distributed edge caches to bring HTTP(S) load-balanced content far closer to your users than your instances
        ◦ Faster delivery of content to users while reducing costs
      • Cloud CDN uses caches at network locations to store responses generated by instances
  25. https://krunal3kapadiya.app/ Thank you! Krunal Kapadiya @krunal3kapadiya