GCP Associate Cloud Engineer Study Notes

ACE Exam Guide Project Permissions

It is not necessary to have an organization to create projects in GCP. Creating a project automatically generates certain permissions. GCP assigns the project owner role to the current user. It also generates GCP-managed service accounts required to run the resources. These accounts may have primitive or predefined roles and are authenticated with Google-managed keys. In Cloud IAM lingo, this is called setting up a policy for each of these accounts. A policy binds a member (user or service account) to a role (set of permissions). The roles can be primitive, predefined or custom. Primitive roles are broad levels of access like view, edit or own. Predefined roles are a set of permissions that fine tune access to resources. Custom roles exist for advanced security configurations needed for special situations.

I had already created two projects with no organization, but I wanted to explore Cloud Identity by setting up an organization. This involved buying a domain name. From the admin console of Cloud Identity, I created an organization with its own super-admin user. While I was there, I defined three departments in my organization, each with one employee. Logging into GCP with the super-admin user, I then delegated the Organization Admin role to my personal account. At this point, I didn’t expect to do anything requiring the organization’s super-admin, so I logged that account out of everything.

Logged into GCP with my personal account, I noticed that there were now two separate work areas. My original area, called “No Organization”, held my two projects. The organization’s domain name, along with a unique GCP-generated ID, identified the other area. I created a folder inside the organization and moved my static web page project into this folder. When I compared the permissions for each project, I found that GCP had automatically created new policies in the static web page project. These policies are inherited via the resource hierarchy. I then manually created a policy to give one of my employees view access to the project.

There is a lot to track when it comes to Cloud IAM and Cloud Identity. My understanding of members, roles and policies is better now that I have actually tried setting them up. This also helped clarify my understanding of the relationship between Cloud Identity and Cloud IAM. It cost me about $10 to get a domain name for my organization. Everything else that I described so far can be done at no cost.