What is Cloud IAM?

Рет қаралды 11,869

Күн бұрын

Пікірлер: 17

@googlecloudtech 2 жыл бұрын

🙋 What other serverless topics would you like Martin to discuss? Let us know in the comments below! ✅ Subscribe for more serverless explanations → goo.gle/GoogleCloudTech

@LeonBlade 4 ай бұрын

This is such a fantastic video for explaining what you need to know about IAM without being super long or super vague. I think it goes into a great depth of how it works and explaining real scenarios that make sense for all types of learning styles.

@TheMomander 3 ай бұрын

Happy to hear you found it useful!

@panky9277 Жыл бұрын

Nicely explained Emanuel Burgess, such calm voice that everything sounds easy to do :) !

@LindaLawton Жыл бұрын

What is the best way to handle permissions across projects if say my cloud run service needs access to a database in another project

@TheMomander Жыл бұрын

Let's say we are running a REST API that uses Cloud Run in Project_A and the Firestore database in Project_B. We'd create a service account called "rest-api" in Project_A and make sure it has the right privileges for any services it is using in Project_A. Google Cloud will generate the email address "rest-api@project_a.iam.gserviceaccount.com" for this account. Then we'd go to Project_B, pick IAM, click the "Grant access" button, paste in "rest-api@project_a.iam.gserviceaccount.com" in the "New principals" text-field, and grant it the right privileges for accessing the Firestore database. Hope this helps!

@themodernglory 2 жыл бұрын

This is so amazing, Hats off to you both

@eklok5000 2 жыл бұрын

Awesome episode. But I did not get how to structure these folders at 4:43 . I mean, I get it concept-wise. But where do I navigate in the console to do that? Another question for the Cloudstore Read/Write role: Is that not still to powerful? Like can we restrict access to only RW for a certain table? And can I also specify from the Cloudstore side which SA has access to my tables (so initiating the permission from the resource itself instead of initiated it by SA)?

@TheMomander 2 жыл бұрын

Good questions! You can edit your folders by going to the Cloud Console, clicking the hamburger menu, then "IAM and admin", and then "Manage resources". You can set more granular permissions for Datastore, like allowing/disallowing creation of records, reading them, deleting them, listing them, updating them, and so on. But Datastore is a NoSQL database so it doesn't have the concept of "tables". If you want table-level access, you should probably go with Postgres on Google Cloud SQL. Hope this helps!

@eklok5000 Жыл бұрын

@@TheMomander Thanks Martin!

@ChamalNanayakkara 2 жыл бұрын

Nicely explained!

@mars3142 2 жыл бұрын

What's the best way to use multiple cloud run services with a gateway (which only has public access)? Or should I use other services (k8s, ...) for that?

@TheMomander 2 жыл бұрын

Probably "Cloud Load Balancing". It can put a single domain name in front of multiple Cloud Run services and send traffic to each service depending on the URL of incoming requests. But it depends. What is it you want to accomplish with the gateway?