Lab Review: Exploring IAM
In this lab, you granted and revoked IAM roles, first to a user, Username 2, and then to a Service Account User. Having access to both users allowed you to see the results of the changes you made. You can stay for a lab walk-through, but remember that Google Cloud's user interface can change, so your environment might look slightly different.

Welcome to the walk-through of the Cloud IAM lab. In this lab, we have set up two users for you, and at this point I have logged into the console as username 1. Qwiklabs will provide you with two usernames to log into and we'll do some operations with both, but right now I have already logged in as username 1. So the first instruction tells you to log into the console in another tab as username 2. So, console: I'm going to grab that username, going here, I'm going to say Add account, username 2, and luckily we've been given the same password for both usernames, and log in here. With Qwiklabs you have new accounts, so it's always going to ask you for all of this new-user acceptance; I'll accept these terms, and I'm good to go.

So task two is to explore the IAM console. I'm going to go to the username 1 tab, I'm going to go to IAM, and I'm going to click on there. If I hit Add, I can look around at the different roles I can provide. Let me go ahead and click Cancel; feel free to explore as much as you want. You can see here there are roles based on the different products and services that we have. I'll hit Cancel. Let me go to username 2, and I'm going to do the same thing: let me go to IAM. I'm going to browse this list now, and I am going to look for the names associated with username 1, which in my case ends in 82462. I see it here, and here is username 2. You can see there are different roles associated with each one of them. Username 1 has App Engine Admin, BigQuery Admin, Editor, Owner, and Viewer, whereas username 2, which is the one I'm logged in as in this tab, only has Viewer access.
So now I'm going to move on to task three. I'm going to go back to username 1; there's going to be a lot of switching back and forth in this lab, so make sure you keep track of which tab is username 1 and which is username 2. I am going to go to Google Cloud Storage here, and I'm going to create a bucket. Bucket names need to be globally unique, so I am going to use my Cloud Project ID because it is pretty unique, and I'm going to click Create and keep all the other defaults. Make sure to note the name of your bucket because we'll use it as your bucket name across the lab. Here I'm going to go to Upload files, and let me find just any sample file, just a screenshot, and I've uploaded it there. Once it's uploaded, I'm going to rename it here, and I'm going to call it sample.txt. The reason I'm doing this is that it's going to be much easier to run any of the commands I'm going to do with sample.txt as the name, as opposed to that long name I already had. So at this point in the lab, you can hit the Check my progress button inside the lab and it'll give you a green check and five points if you've correctly created a bucket and uploaded a sample file. Now I'm going to switch to username 2 and I'm going to go to the Storage browser. I'm going to verify that username 2 has view access to that bucket, and here it is. Because it has inherited that, I can view the sample file.

Task four is that I'm going to remove the Project Viewer role for username 2. In order to do that I have to go back to username 1. I'm going to go back to IAM, and then I'm going to find username 2, which is this one right here, 73. I'm going to hit Edit, and then I am going to hit the garbage can so that I can remove it. I hit Save, and at this point I can also check my progress, and I'll get five points and a green check mark. I should have 10 points out of 20 in the lab if I have properly done that.
Throughout these labs, if you ever get to a point where you realize that you didn't get the points necessary, it's probably because you missed a step or two; granted, sometimes the lab is actually broken because they're based on technology that changes a lot. But if a lab isn't broken, chances are you just missed a step. So I usually recommend going back three steps. Check your work, make sure you did everything. Usually, that's what happened. So now we're going to verify that username 2 has lost access. I'm going to go back to the username 2 bucket tab, and then I'm going to click Home, and then I'm going to go back to Storage to verify. I could've just refreshed the screen as well: Refresh. "List of buckets could not be loaded." So as you can see, I do not have access anymore.

So now the next task, task five, is to add Storage access. I'm going to copy the value of username 2 from the Qwiklabs lab, from the connection details on the left of your lab instructions. I'll copy that, I'm going to go back to the username 1 tab, and I'm already in IAM. So I'm going to hit Add, and then for new members I'm going to paste the value here. That is it, and I am going to select Storage, scroll down. Luckily it's alphabetical, and I am giving it Storage Object Viewer. Then I'm going to hit Save. This is another checkpoint in the lab where you can go back and hit Check my progress, and you should get another five points for having actually provided the right permissions. Now, we mentioned in the modules that sometimes the permissions update faster than they'll be displayed in the GCP Console. Sometimes you just have to be patient. Maybe click Check my progress, wait a couple of seconds if you didn't get it, and then you'll get the five points and the green check. The next piece of task 5 is to verify that username 2 now has storage access. So if I go back here, I'm going to start Cloud Shell.
Because username 2 doesn't have the Project Viewer role, it won't be able to see anything in the console, but we can see things in Cloud Storage, so we're going to use Cloud Shell for that. Let's make sure I know my bucket name. I copied it earlier, but I have definitely forgotten it by now. So let me go back here to Storage, and I can easily copy and paste the bucket name here. Copy that, and back in Cloud Shell, I am going to do a gsutil ls to list that bucket, gs://my bucket name, and username 2 should be able to see that there's sample.txt in the bucket, and there it is. So now I can close the username 2 tab, because the rest of the lab is done in the username 1 console.

Task 6 is to set up the service account user. In IAM, I'm going to go to Service accounts. I'm going to create a service account, and the service account name is going to be read-bucket-objects, and I'm going to hit Create. It's going to ask me which role to provide, and I am going to be giving it Storage, Storage Object Viewer. Hit Continue, and then I'm going to hit Done. So now we've created our service account, so we're going to go back to the main IAM page, and we are going to select the service account we just created, and we're going to hit Add. In order to add members, normally you could perform this activity for a specified user group or a domain. But for training purposes and for this video, we're just going to grant the Service Account User role to everyone at a company called autostrat.com, which is a fake company used for demonstrating and training. So the new member is going to be autostrat.com, and I am going to give it Service Accounts, Service Account User, and then I'm going to hit Save. Now I'm going to go back to IAM, and I am going to hit Add, and I am going to provide Compute Engine access. So the new member is autostrat.com. Make sure you're typing it correctly. I am giving it Compute Engine, Compute Instance Admin (v1), and Save.
So essentially, that step is a rehearsal of an activity that you would probably perform for a specific user. It gives the user limited abilities with a VM instance. It would be able to connect via SSH to a VM and perform possibly some administration tasks. So now, I am going to create a VM with the service account I created. Create: I am going to use the same name provided in the lab, demoIAM. I'm using us-central1. The zone is us-central1-c, and the machine type is an f1-micro. It is just for demonstration purposes, so let's not waste resources. The service account is the read-bucket-objects account, and I'm going to hit Create. This is another checkpoint in the lab, and you should be able to hit Check my progress and verify that you have gotten the last five points in the lab. Again, this is another one that might take a couple of seconds to propagate. So just give it a second, and make sure that you get the green check and the final five points.

Task 7: you explore the Service Account User role, and now you've already completed all of the tasks in the lab, so this is just for learning purposes. I'm going to go in here, and I'm going to SSH into the VM that I just created. Then I am going to run a gcloud compute instances list. I am expecting to see an error because I do not have the correct permissions to list those for my project. Just wait for that to show up, and there you can see the error: some requests did not succeed because I don't have permission to do that. So now I'm going to try to copy the file from the bucket that I created earlier. My bucket name is the Project ID, which I've forgotten already. Here, gs://my bucket name/sample.txt, and you can see it successfully copied it. Now I'm going to copy it into another file, and then I'm going to try to upload it into my bucket. The bucket name is here, and you'll see I can download, but I cannot add.
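As an added illustration (not part of the lab or of this transcript), here is a small Python model of the permission checks the walkthrough exercises in tasks 3 through 7: Project Viewer being inherited by the bucket, the console breaking when that role is revoked, Storage Object Viewer allowing gsutil ls but not the console bucket list, and the service account on the VM being able to download but not upload or list instances. The role-to-permission tables are a constructed, heavily reduced subset of the real predefined roles (only the permissions these commands need are listed), and the member names are placeholders; the Qwiklabs account names and your bucket name are not known here.

```python
"""Toy model of the IAM checks performed in the Exploring IAM lab.
Added example; not lab code. Role permission sets are a constructed
subset of the real predefined roles (assumption: enough for the lab)."""

from typing import Dict, Set

# Constructed, reduced subset of predefined-role permissions. Real roles
# carry many more; only what the lab's commands need is modelled here.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {
        "storage.buckets.list", "storage.objects.list", "storage.objects.get",
        "compute.instances.list",
    },
    "roles/storage.objectViewer": {"storage.objects.list", "storage.objects.get"},
    "roles/compute.instanceAdmin.v1": {
        "compute.instances.list", "compute.instances.create", "compute.instances.delete",
    },
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}

# Permission each action from the lab needs (constructed mapping).
ACTION_PERMISSIONS: Dict[str, Set[str]] = {
    "console: list buckets": {"storage.buckets.list"},
    "gsutil ls gs://BUCKET": {"storage.objects.list"},
    "gsutil cp gs://BUCKET/sample.txt .": {"storage.objects.get"},
    "gsutil cp sample2.txt gs://BUCKET": {"storage.objects.create"},
    "gcloud compute instances list": {"compute.instances.list"},
}


class ProjectPolicy:
    """Member -> roles bound at project level. Buckets and VMs in the project
    inherit these bindings, which is why the lab never edits bucket IAM."""

    def __init__(self) -> None:
        self.bindings: Dict[str, Set[str]] = {}

    def grant(self, member: str, role: str) -> None:
        self.bindings.setdefault(member, set()).add(role)

    def revoke(self, member: str, role: str) -> None:
        self.bindings.get(member, set()).discard(role)

    def permissions(self, member: str) -> Set[str]:
        """Effective permissions: union of every bound role's permissions."""
        perms: Set[str] = set()
        for role in self.bindings.get(member, ()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def allows(self, member: str, action: str) -> bool:
        """Allowed only if every permission the action needs is held."""
        return ACTION_PERMISSIONS[action] <= self.permissions(member)


def replay_lab() -> Dict[str, bool]:
    """Replay the lab's grants and revokes; record what each check observes."""
    policy = ProjectPolicy()
    # Placeholder member names; Qwiklabs hands out the real ones.
    user2 = "user:username2@example.com"
    svc = "serviceAccount:read-bucket-objects@PROJECT_ID.iam.gserviceaccount.com"
    domain = "domain:autostrat.com"
    seen: Dict[str, bool] = {}

    policy.grant(user2, "roles/viewer")  # starting state of the lab
    seen["task3 user2 sees bucket"] = policy.allows(user2, "console: list buckets")

    policy.revoke(user2, "roles/viewer")  # task 4
    seen["task4 user2 sees bucket"] = policy.allows(user2, "console: list buckets")

    policy.grant(user2, "roles/storage.objectViewer")  # task 5
    seen["task5 user2 gsutil ls"] = policy.allows(user2, "gsutil ls gs://BUCKET")
    seen["task5 user2 console"] = policy.allows(user2, "console: list buckets")

    policy.grant(svc, "roles/storage.objectViewer")  # task 6
    policy.grant(domain, "roles/iam.serviceAccountUser")
    policy.grant(domain, "roles/compute.instanceAdmin.v1")
    # Task 7: commands run on the VM use the service account's identity,
    # not the domain's, so the Compute Instance Admin grant does not apply.
    seen["task7 sa list instances"] = policy.allows(svc, "gcloud compute instances list")
    seen["task7 sa download"] = policy.allows(svc, "gsutil cp gs://BUCKET/sample.txt .")
    seen["task7 sa upload"] = policy.allows(svc, "gsutil cp sample2.txt gs://BUCKET")
    return seen


if __name__ == "__main__":
    for check, ok in replay_lab().items():
        print(f"{check:28s} {'allowed' if ok else 'denied'}")
```

The point the model makes explicit is that a role is just a bundle of permissions and an action succeeds only when the identity actually making the call holds every permission that action needs; the VM's requests are made as read-bucket-objects, so the roles granted to the autostrat.com domain never enter into the checks in task 7.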
In review, in this lab you granted and revoked Cloud IAM roles, first for a user, and then for a service account user. I hope you enjoyed the walkthrough. Thank you.