GCP Resource Hierarchy
- Organization Node (optional)
- Folders (optional, may be nested)
- Projects
- Resources
All resources are stored in projects, and projects may be organized into folders. All folders and projects may be gathered together under an organization node.
policies
You can define policies on organization nodes, projects and folders. Sometimes even on individual resources.
Policies are inherited down the hierarchy.
Resources inherit the policies of their parent resource. If you set a policy at the organization node, it is inherited by all of its child folders and projects, down to their resources.
The effective policy on a resource is the union of its own policy and the policies inherited from its ancestors, so a policy set at a higher level cannot take away access granted at a lower level. The more generous policy is the one that takes effect.
organization node
It is the top of the hierarchy. It gives centralized visibility into how resources are being used and lets you apply policy centrally. You can designate an organization policy administrator so that only people with that privilege can change policies. You can also assign the project creator role, which is a good way to control who can spend money.
projects
Projects are the basis for enabling and using GCP services: managing APIs, adding collaborators and enabling billing. Each project is a separate compartment and each resource belongs to exactly one project.
Projects may have different users and owners. Each one has:
- id - permanent and unchangeable
- name - human-readable, modifiable String
folders
Folders are optional and let teams delegate permissions so they can work independently. To avoid duplicating the same permissions on many projects, grant them on a folder and put the projects into that folder.
IAM (Identity and Access Management)
An IAM policy consists of three parts:
- a “who” part
- “can do what” part
- “on which resource” part
who
Names the principals you are referring to. A principal may be a Google account, a Google group, a service account, or an entire G Suite or Cloud Identity domain.
can do what
Is defined by an IAM role: a collection of permissions (create, delete, start, ...) grouped together so they are easier to manage.
There are three kinds of roles:
primitive roles
They are broad: they apply to all resources in a project. These are viewer, editor and owner.
A viewer of a resource can examine it but not change its state.
If you’re an editor, you can do everything a viewer can plus change its state.
The owner can do this plus manage roles and permissions on a resource and set up billing.
The billing administrator is a separate role because some companies want someone who can manage billing but not change resources. If you have many people working on a project with sensitive data, primitive roles are probably too coarse.
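As an added illustration of the policy structure (who / can do what / on which resource), the primitive-role hierarchy and the inheritance rule above, here is a toy Python model, not from the course notes or from Google's SDK, that resolves a principal's effective roles and permissions across a resource hierarchy. The hierarchy, bindings, permission subsets and identities are constructed for the example; real IAM resolves group and domain membership for you.

```python
from typing import Dict, List, Optional, Set
# Constructed hierarchy: child -> parent (None for the organization node).
PARENT: Dict[str, Optional[str]] = {
    "organizations/123456": None,
    "folders/finance": "organizations/123456",
    "projects/ledger-prod": "folders/finance",
    "buckets/ledger-archive": "projects/ledger-prod",
}

# Simplified primitive-role permission sets (the real sets are far larger).
VIEWER = {"storage.objects.get", "storage.objects.list"}
EDITOR = VIEWER | {"storage.objects.create", "storage.objects.delete"}
OWNER = EDITOR | {"resourcemanager.projects.setIamPolicy"}
ROLE_PERMS = {"roles/viewer": VIEWER, "roles/editor": EDITOR, "roles/owner": OWNER}

# Constructed policies, one per node, in the shape get-iam-policy returns.
POLICIES: Dict[str, dict] = {
    "organizations/123456": {"bindings": [
        {"role": "roles/viewer", "members": ["domain:example.com"]}]},
    "folders/finance": {"bindings": [
        {"role": "roles/editor", "members": ["group:finance-devs@example.com"]}]},
    "projects/ledger-prod": {"bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:finance-devs@example.com"]}]},
    "buckets/ledger-archive": {"bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:etl@ledger-prod.iam.gserviceaccount.com"]}]},
}

def ancestors(resource: str) -> List[str]:
    """The resource itself followed by its parents up to the organization node."""
    chain, node = [], resource
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain

def effective_roles(resource: str, identities: Set[str]) -> Set[str]:
    """Union of roles bound to any of the principal's identities on the resource or an ancestor."""
    roles: Set[str] = set()
    for node in ancestors(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            if identities & set(binding["members"]):
                roles.add(binding["role"])
    return roles

def can(resource: str, identities: Set[str], permission: str) -> bool:
    """Allowed if any effective role carries the permission (most generous wins)."""
    return any(permission in ROLE_PERMS[r] for r in effective_roles(resource, identities))
```

A member of finance-devs is bound only as viewer on the project but as editor on the parent folder, so on the bucket they can still create objects: the narrower project binding does not take the inherited grant away.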
pre-defined roles
They are more granular and can be granted on resources in any given project, folder or entire organization node.
custom roles
They need to be maintained and managed by you. They can only be used at the project or organization level, not at the folder level.
service account
Service accounts are useful for giving permissions to a virtual machine or program rather than to a person.
For example, if an application running in a virtual machine needs to store data in Google Cloud Storage, but you don't want to let just anyone on the internet access that data, only that virtual machine, you would create a service account to authenticate your VM to Cloud Storage.
Service accounts have an email address and a key (no password).
Service accounts are also resources, so they have IAM policies of their own attached to them: one user may have the editor role on a service account and another the viewer role.
Interacting with GCP
There are four ways:
- GCP Console
- SDK and cloud shell
- Mobile App
- APIs
The GCP Console is a web-based administrative interface. You use it to build and manage an app, but the app's end users won't.
It lets you view and manage all your projects and resources. It also lets you view and enable or disable all APIs of GCP Services.
It gives access to Cloud Shell, a command-line interface to GCP that is accessed from a web browser. From there you can use the Google Cloud SDK tools without installing them.
The Google Cloud SDK is a set of tools you can use to manage your resources and applications on GCP:
- gcloud provides the main CLI for GCP.
- gsutil is for Google Cloud Storage.
- bq is for BigQuery.
You can also install the SDK on your computer, either natively or via Docker. The APIs used to manage GCP are RESTful and use JSON. Many of these APIs are off by default, and you can enable the ones you need.
The GCP Console includes a tool, the APIs Explorer, that helps you learn about all the APIs interactively.
Cloud Marketplace
It's a quick way to get started with GCP with minimal effort: a tool for quickly deploying functional software packages on GCP. Packages come pre-configured, but you can manually modify many of them before you launch.
Some Cloud Launcher images charge usage fees, mostly those published by third parties with commercially licensed software, but they show estimates of their monthly charge before you launch them. Those are only estimates, as the actual charge depends on how you use the apps.
Also, GCP updates the base images for these software packages to fix critical issues and vulnerabilities, but it doesn't update the software after it has been deployed. You have to do that yourself.