What is Cloud IAM?

10,421 views

Google Cloud Tech

A day ago

What is Identity and Access Management (IAM), and how does it protect your Google Cloud project? In this episode of Serverless Expeditions Extended, Martin teams up with Emanuel to discuss IAM tools. Watch along and learn about the different access roles, inherited permissions, service accounts, and more to secure your Google Cloud projects.
Chapters:
0:00 - Intro
0:27 - What is Identity and Access Management?
1:30 - What is the permissions panel?
2:07 - What are inherited permissions?
2:56 - Basic project roles explained
3:44 - How to add principals
4:18 - How to organize roles & principals for cloud projects
6:00 - What can Cloud Run services do?
7:33 - How to configure minimum permissions
9:10 - Wrap up
Identity and Access Management → goo.gle/3fI8s87
IAM overview → goo.gle/3NKmsKW
Choose predefined roles → goo.gle/3Uik68u
Check out more episodes of Serverless Expeditions → goo.gle/ServerlessExpeditions
Subscribe to Google Cloud Tech → goo.gle/GoogleCloudTech
#ServerlessExpeditions #ServerlessExpeditionsExtended

Comments: 14
@googlecloudtech a year ago
🙋 What other serverless topics would you like Martin to discuss? Let us know in the comments below! ✅ Subscribe for more serverless explanations → goo.gle/GoogleCloudTech
@panky9277 10 months ago
Nicely explained Emanuel Burgess, such a calm voice that everything sounds easy to do :) !
@themodernglory a year ago
This is so amazing, Hats off to you both
@ChamalNanayakkara a year ago
Nicely explained!
@mariocortes2670 a year ago
Good video!
@LindaLawton a year ago
What is the best way to handle permissions across projects if, say, my Cloud Run service needs access to a database in another project?
@TheMomander a year ago
Let's say we are running a REST API that uses Cloud Run in Project_A and the Firestore database in Project_B. We'd create a service account called "rest-api" in Project_A and make sure it has the right privileges for any services it is using in Project_A. Google Cloud will generate the email address "rest-api@project_a.iam.gserviceaccount.com" for this account. Then we'd go to Project_B, pick IAM, click the "Grant access" button, paste in "rest-api@project_a.iam.gserviceaccount.com" in the "New principals" text-field, and grant it the right privileges for accessing the Firestore database. Hope this helps!
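
A check a defender can run after a cross-project grant like the one in the reply above, written as an added example that is not part of the original comment or of Google's tooling. It scans a project's IAM policy (the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`) for service accounts from other projects and flags basic roles or grants outside an expected list. The project IDs `project-a`, `project-b`, `project-c`, the sample policy and the `audit_cross_project` helper are constructed for illustration.

```python
import re

# Basic roles grant broad access across every service in a project.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# User-managed service accounts: NAME@PROJECT_ID.iam.gserviceaccount.com
# (assumption: Google-managed service agents are out of scope for this check).
SA_RE = re.compile(r"^serviceAccount:([^@]+)@([a-z0-9-]+)\.iam\.gserviceaccount\.com$")


def audit_cross_project(policy, project_id, expected):
    """Return sorted findings for service accounts from other projects.

    policy:     dict in the shape of `gcloud projects get-iam-policy --format=json`
    project_id: the project the policy belongs to
    expected:   {service_account_email: set of roles it is supposed to hold}
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            match = SA_RE.match(member)
            if not match or match.group(2) == project_id:
                continue  # not a service account, or one local to this project
            email = member.split(":", 1)[1]
            if role in BASIC_ROLES:
                findings.append((email, role, "basic role granted across projects"))
            elif role not in expected.get(email, set()):
                findings.append((email, role, "grant not in expected list"))
    return sorted(findings)


# Constructed sample policy for a hypothetical project "project-b".
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/datastore.user",
         "members": ["serviceAccount:rest-api@project-a.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:rest-api@project-a.iam.gserviceaccount.com",
                     "user:admin@example.com"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:batch@project-c.iam.gserviceaccount.com",
                     "serviceAccount:local-job@project-b.iam.gserviceaccount.com"]},
    ]
}
EXPECTED = {"rest-api@project-a.iam.gserviceaccount.com": {"roles/datastore.user"}}

if __name__ == "__main__":
    for finding in audit_cross_project(SAMPLE_POLICY, "project-b", EXPECTED):
        print(finding)
```
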
@eklok5000 a year ago
Awesome episode. But I did not get how to structure these folders at 4:43. I mean, I get it concept-wise. But where do I navigate in the console to do that? Another question for the Cloudstore Read/Write role: Is that not still too powerful? Like can we restrict access to only RW for a certain table? And can I also specify from the Cloudstore side which SA has access to my tables (so initiating the permission from the resource itself instead of initiating it by SA)?
@TheMomander a year ago
Good questions! You can edit your folders by going to the Cloud Console, clicking the hamburger menu, then "IAM and admin", and then "Manage resources". You can set more granular permissions for Datastore, like allowing/disallowing creation of records, reading them, deleting them, listing them, updating them, and so on. But Datastore is a NoSQL database so it doesn't have the concept of "tables". If you want table-level access, you should probably go with Postgres on Google Cloud SQL. Hope this helps!
@eklok5000 a year ago
@TheMomander Thanks Martin!
@mars3142 a year ago
What's the best way to use multiple cloud run services with a gateway (which only has public access)? Or should I use other services (k8s, ...) for that?
@TheMomander a year ago
Probably "Cloud Load Balancing". It can put a single domain name in front of multiple Cloud Run services and send traffic to each service depending on the URL of incoming requests. But it depends. What is it you want to accomplish with the gateway?
@Gibby-TZZ a year ago
2nd
@CANYARAN a year ago
7