@nicolasdao
Last active July 2, 2023 07:58
Google Cloud Platform guide. Keywords: gcp google cloud platform gcloud

GCP GUIDE

Table of contents

Security

Security model

The GCP security model defines the following concepts:

  • Policies: A policy is a list of bindings. That policy defines who can access and manage a resource, and how. Typically, a resource has a single policy. That policy can be updated in place or replaced entirely.
  • Bindings: A binding binds one or more members to a single role. The role defines what those members can do.
  • Members: A member can be one of the following:
    • a user account (e.g., user:nic@neap.co)
    • a service account (e.g., serviceAccount:some-long-identifier@some-project-id.iam.gserviceaccount.com)
    • a Google group (e.g., group:admins@example.com)
    • a domain, such as a G Suite domain (e.g., domain:google.com)

    For an exhaustive list, please refer to https://cloud.google.com/iam/docs/reference/rest/v1/Policy#binding

  • Roles: Exhaustive list here.
  • Service accounts: Please refer to the Service accounts section as this is a non-trivial topic.
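
The policy, binding and member concepts above map directly onto the JSON the IAM API returns. The following is an added example, not code from the gist: it walks a constructed policy object of that shape, lists which roles each member ends up with, and flags the two things a reviewer looks for first, public principals (allUsers / allAuthenticatedUsers) and the broad basic roles (owner, editor, viewer). The member strings and etag are made up.

```javascript
// Added example (not from the gist). The policy below is constructed to mirror
// the shape documented at https://cloud.google.com/iam/docs/reference/rest/v1/Policy
const samplePolicy = {
  version: 1,
  etag: 'BwXconstructed=',
  bindings: [
    { role: 'roles/owner', members: ['user:nic@neap.co'] },
    {
      role: 'roles/run.invoker',
      members: [
        'serviceAccount:some-long-identifier@some-project-id.iam.gserviceaccount.com',
        'group:admins@example.com',
      ],
    },
    { role: 'roles/viewer', members: ['allUsers'] },
  ],
}

// Invert the bindings into a map: member -> Set of roles.
// One member can appear in several bindings, so roles accumulate.
function rolesByMember(policy) {
  const out = new Map()
  for (const binding of policy.bindings || []) {
    for (const member of binding.members || []) {
      if (!out.has(member)) out.set(member, new Set())
      out.get(member).add(binding.role)
    }
  }
  return out
}

// Classify a member string by its prefix (user:, serviceAccount:, group:, domain:),
// treating the special public principals as their own category.
function memberType(member) {
  if (member === 'allUsers' || member === 'allAuthenticatedUsers') return 'public'
  const idx = member.indexOf(':')
  return idx === -1 ? 'unknown' : member.slice(0, idx)
}

// The basic (formerly "primitive") roles grant very wide access to every
// resource in the project; they are worth a finding wherever they appear.
const BASIC_ROLES = new Set(['roles/owner', 'roles/editor', 'roles/viewer'])

// Return one finding per (member, role) pair that is either public or a basic role.
function auditPolicy(policy) {
  const findings = []
  for (const binding of policy.bindings || []) {
    for (const member of binding.members || []) {
      if (memberType(member) === 'public') {
        findings.push({ member, role: binding.role, issue: 'public principal' })
      }
      if (BASIC_ROLES.has(binding.role)) {
        findings.push({ member, role: binding.role, issue: 'basic role' })
      }
    }
  }
  return findings
}

for (const [member, roles] of rolesByMember(samplePolicy)) {
  console.log(`${member} -> ${[...roles].join(', ')}`)
}
console.table(auditPolicy(samplePolicy))
```

With a real policy you would feed `auditPolicy` the output of `gcloud projects get-iam-policy <PROJECT> --format=json` instead of the constructed object; the function only depends on the `bindings` array.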

Service accounts

  • A role bound to a service account at the project level applies to all resources in the project. For example, adding roles/run.invoker to a service account at that level means the service account can invoke any Cloud Run service in the project. If you need to restrict access to only certain Cloud Run services, configure the binding on each Cloud Run service rather than on the service account itself.
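
To make the difference between a project-level and a service-level binding concrete, here is an added example (not code from the gist). It models a constructed project policy and a few constructed per-service Cloud Run policies, then answers "can this member invoke this service?" the way IAM inheritance does: a role granted at the project level is inherited by every service, while a role granted on one service applies to that service only. The service names and service-account identifiers are invented.

```javascript
// Added example (not from the gist). Both policies below are constructed.
const INVOKER = 'roles/run.invoker'

// Project-level policy: everything bound here is inherited by every Cloud Run service.
const projectPolicy = {
  bindings: [
    { role: INVOKER, members: ['serviceAccount:broad@some-project-id.iam.gserviceaccount.com'] },
  ],
}

// Per-service policies, keyed by Cloud Run service name (constructed).
const servicePolicies = {
  'billing-api': {
    bindings: [
      { role: INVOKER, members: ['serviceAccount:narrow@some-project-id.iam.gserviceaccount.com'] },
    ],
  },
  'public-site': { bindings: [{ role: INVOKER, members: ['allUsers'] }] },
  'internal-admin': { bindings: [] },
}

// True if `member` appears in a binding for `role` in this policy.
function hasRole(policy, member, role) {
  return (policy.bindings || []).some(
    b => b.role === role && (b.members || []).includes(member)
  )
}

// Resolve effective access for one (member, service) pair and say where it came from.
function canInvoke(member, service) {
  if (hasRole(projectPolicy, member, INVOKER)) return { allowed: true, via: 'project' }
  const policy = servicePolicies[service]
  if (!policy) return { allowed: false, via: null }
  if (hasRole(policy, member, INVOKER)) return { allowed: true, via: 'service' }
  if (hasRole(policy, 'allUsers', INVOKER)) return { allowed: true, via: 'public' }
  return { allowed: false, via: null }
}

// Every service a member can reach. A project-level invoker reaches all of them,
// which is exactly the over-grant the guide warns about.
function reachableServices(member) {
  return Object.keys(servicePolicies).filter(s => canInvoke(member, s).allowed)
}

for (const sa of ['broad', 'narrow']) {
  const member = `serviceAccount:${sa}@some-project-id.iam.gserviceaccount.com`
  console.log(`${member} can invoke: ${reachableServices(member).join(', ') || '(nothing)'}`)
}
```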

Agent identity

By agent, we refer to any hosting environment that contains a piece of code that attempts to connect to services hosted on GCP. In order to establish secured connections to GCP, you need to acquire an OIDC token, whether it is an access token or a JWT ID token. In NodeJS the recommended library to acquire such tokens is google-auth-library. The recommended way to use this library is as follows:

const { GoogleAuth } = require('google-auth-library')
// No credentials are passed in: GoogleAuth resolves them from Application Default Credentials.
const auth = new GoogleAuth()
auth.getAccessToken()
	.then(accessToken => {
		console.log(accessToken)
	})
	.catch(err => console.error('Could not acquire an access token:', err.message))

How does this relate to an agent's identity? In order to successfully execute getAccessToken, the auth client needs access to the credentials of the agent's identity. As you can see, the code snippet above does not use those credentials explicitly. Instead, it automatically checks the standard places where those credentials might be (learn more about this topic here).

The following steps are the recommended way to set up, on your local machine, a user identity that the above code snippet can use:

  • Make sure you have a Google account that can access both the GCP project and the resources you need on GCP.
  • Install the GCloud CLI on your environment.
  • Execute the following commands:
     gcloud auth login
     gcloud config set project <YOUR_GCP_PROJECT_HERE>
     gcloud auth application-default login
    
    The first command logs you in. The second command sets the <YOUR_GCP_PROJECT_HERE> as your default project. Finally, the third command creates a new ~/.config/gcloud/application_default_credentials.json file with the credentials you need for the <YOUR_GCP_PROJECT_HERE> project.
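
The "standard places" mentioned above and the file written by the third gcloud command are the same mechanism: Application Default Credentials (ADC). The following is an added example, not code from the gist or from google-auth-library: it models the documented ADC search order (the GOOGLE_APPLICATION_CREDENTIALS environment variable, then the gcloud well-known file under the user's home directory, then the Compute metadata server) with the probing functions injected so it runs offline, and it summarises a credentials file so you can see whose identity an agent is about to use without printing any secret. The two credential files are constructed placeholders, and the simplified search model is an assumption of this example, not the library's actual implementation.

```javascript
// Added example (not from the gist and not google-auth-library's own code).

// Path of the file written by `gcloud auth application-default login`.
function wellKnownFile(homeDir) {
  return `${homeDir}/.config/gcloud/application_default_credentials.json`
}

// Simplified ADC search (assumption of this example): env var, then the gcloud
// well-known file, then the metadata server. `fileExists` and `onGoogleCompute`
// are injected so the lookup can be exercised without touching the real machine.
function resolveAdcSource({ env, homeDir, fileExists, onGoogleCompute }) {
  if (env.GOOGLE_APPLICATION_CREDENTIALS) {
    return { source: 'env', file: env.GOOGLE_APPLICATION_CREDENTIALS }
  }
  const candidate = wellKnownFile(homeDir)
  if (fileExists(candidate)) {
    return { source: 'gcloud', file: candidate }
  }
  if (onGoogleCompute()) {
    return { source: 'metadata-server', file: null }
  }
  return { source: 'none', file: null }
}

// Summarise a credentials file by its `type` field. Only identifiers are returned;
// client_secret, refresh_token and private_key are never surfaced.
function describeCredentialFile(jsonText) {
  const c = JSON.parse(jsonText)
  if (c.type === 'authorized_user') {
    return {
      kind: 'user (ADC from gcloud login)',
      id: c.client_id,
      hasRefreshToken: typeof c.refresh_token === 'string',
    }
  }
  if (c.type === 'service_account') {
    return { kind: 'service account key', id: c.client_email, project: c.project_id }
  }
  return { kind: 'unknown', id: null }
}

// Constructed sample of a user ADC file (placeholder values, not real credentials).
const SAMPLE_USER_ADC = JSON.stringify({
  client_id: 'PLACEHOLDER.apps.googleusercontent.com',
  client_secret: 'PLACEHOLDER',
  refresh_token: 'PLACEHOLDER',
  type: 'authorized_user',
})

// Constructed sample of a service-account key file (placeholder values).
const SAMPLE_SA_KEY = JSON.stringify({
  type: 'service_account',
  project_id: 'some-project-id',
  client_email: 'some-long-identifier@some-project-id.iam.gserviceaccount.com',
  private_key: 'PLACEHOLDER',
})

// Walk-through on a pretend laptop that has run the three gcloud commands.
const laptop = resolveAdcSource({
  env: {},
  homeDir: '/home/nic',
  fileExists: p => p === wellKnownFile('/home/nic'),
  onGoogleCompute: () => false,
})
console.log('credential source:', laptop)
console.log('identity in that file:', describeCredentialFile(SAMPLE_USER_ADC))
console.log('identity in a key file:', describeCredentialFile(SAMPLE_SA_KEY))
```

Running `describeCredentialFile` over the file that `resolveAdcSource` picks is a cheap pre-flight check: it tells you whether the agent is about to act as your own user account or as a service account before any call is made.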

FAQ

How to manage roles on a service account?

Click on the IAM tab in the IAM & Admin service.

How is a Google Cloud service identity managed?

Please refer to the Agent identity section.
