002 [Hands-on] Assigning users to predefined IAM roles within a project

Transcript
00:00 Hello everyone and welcome back.
00:05 So in this video, we will see how we can assign a user to some predefined IAM role within
00:13 a project.
00:15 So there are lots of things going on here.
00:19 So there will be a lot of entities.
00:24 Let me point out some of them.
00:27 So the first one is: what is a user here, what is a predefined IAM role, and what is IAM itself.
00:36 And we have a project.
00:38 So before we assign some particular predefined role to the user within a project, first of
00:45 all, we need to understand this terminology.
00:48 Now, what a project is here we have already seen in earlier videos.
00:53 So I want you to go through the earlier videos on how we can create a project.
00:59 Now we will see what IAM is here, what a predefined role is and what the users
01:06 mean here.
01:08 So what I'm going to do, let me go to the Google Cloud Console, and I am inside the dashboard
01:15 of the Google Cloud Console.
01:17 So the first thing is, from the left-hand side navigation menu, let me go to IAM and Admin.
01:26 So IAM here means Identity and Access Management: whenever you want to give some access
01:33 to some particular user on some particular resources, you can always manage it from here.
01:41 And that's why this is a module which Google Cloud or Google has created.
01:48 Now when you land on IAM, you will be able to see what members
01:53 are currently there.
01:54 So we haven't assigned any kind of roles or permissions to any particular user.
02:00 So by default, there will be one member, which is nothing but gcptutorial.2020 at gmail.com,
02:08 and with this account only I have logged in, and this particular account has a role like
02:13 an owner.
02:14 So IAM, or the user which is currently logged in, is a root user, or I would say super user.
02:22 He's an owner.
02:23 He can do everything.
02:25 Now corresponding to this particular user, what roles are there?
02:28 So there will be only one role, which is nothing but the owner role.
02:33 So from here, you can always add more members.
02:36 You can always create new roles.
02:39 But the next thing we want to learn about is the predefined role.
02:45 So for that, on the left-hand side, we have roles available.
02:55So what does all role mean?
02:59So let's say let me open some notepad first and let's say some user one user one or instead
03:08of that, let me provide some user proper email address.
03:15Let's say to this particular user, I want to give some role like a compute admin or
03:23let's say compute viewer.
03:25All right, compute viewer role.
03:28So this is like a role.
03:30Now who will give the role to this particular user?
03:34I am the root user and I want to provide to this another user this particular role.
03:40Now before assigning this role, let's just have a scan through what are those roles are
03:46there.
03:47So roles is nothing but a collection of permissions.
03:56Now you cannot assign individual permission to some particular user.
04:01Instead of that, a collection of permission you can combine into role and those particular
04:07role you can assign to the user.
04:09So what I will do here, Google has already created some predefined role for us.
04:15So there are two kinds of role.
04:16One is a predefined role and one is the custom role.
04:19So when your requirement doesn't get satisfied, you can always create a role from here.
04:25So that is nothing but a custom role.
04:26So our objective here in this video not to go through a custom role later on we'll see,
04:33but a predefined role.
04:34So these are all the predefined role.
04:37So let me just scan through what are those predefined roles are available.
04:41So you can see we have a total 793 predefined role Google has already created.
04:48So what does it mean here?
04:50Let me show you one role.
04:52Let's say let's say some primitive roles like an admin.
04:59So if you just want to filter out some role, you can filter and search it from here.
05:04So based on a lot of different properties, you can filter out.
05:09So let me just filter out based on the name.
05:12So name I want to give like role-admin Oops, yeah, it should not be admin.
05:22Let's say owner Yes, we have owner.
05:29So that is like a full access control of every single thing.
05:34So if you just click on owner, you will be able to see what are the permissions are allocated
05:40to this role.
05:41So let's say when you assign someone this particular role, he can do all those thing
05:47has been listed inside this role.
05:50So we have a 3953 permissions are available, you can see there are lots of lots of permissions
05:58one can do.
05:59So one of them is a compute engine.
06:01So let me focus upon Yeah, we have a compute, compute, compute instance, compute instance,
06:10compute firewall and lots of things.
06:13Let me go to some other roles.
06:15So this is like a very super user role.
06:18 Let me go to roles and let's just search for some other roles.
06:22 Let's say we are going to search based on the name only.
06:25 So roles slash, let's say, viewer.
06:29 So in this case, definitely we have fewer permissions available.
06:34 So earlier we had close to around 4000 permissions.
06:38 But in the case of this viewer role, we have only 1731 assigned permissions.
06:46 Now, these are all predefined roles.
06:49 And if you want to give access to this particular user or some particular role, let's say some
06:57 new joinees are there.
06:58 So this is like Ankit.255HC, gmail.com.
07:03 In our case, it's like a new joinee.
07:06 Now this new joinee should just not be able to create a compute engine, but he'll just be
07:13 able to see this compute engine: what compute resources we have created,
07:19 what virtual machines we have created.
07:22 And for that there is one role like compute viewer.
07:25 So what I will do, let's just go again and filter based on the name.
07:33 We have to filter based on the name.
07:35 So it will be roles slash, it will be compute.
07:41 Yes.
07:42 So we have compute.admin, we have, or I can just search for, we have compute viewer
07:53 roles available, oops, compute, let me just search with this compute only and, oops,
08:05 it has name, name, okay.
08:11 And we have compute, or I can just search it from here.
08:22 What are the compute engine ones?
08:24 Let me just make it 200.
08:27 So 200 roles will be listed in one shot.
08:33 Let me go to another page.
08:36 Maybe the role name is a little bit different.
08:38 So while filtering, I am not able to do it.
08:41 So what I will do, compute instance, yeah, we have the compute viewer role.
08:55 You can see this is applied to compute engine.
08:57 That means the user to whom you will assign this particular role will just be able
09:04 to do these things.
09:06 So he doesn't have permissions related to modification of those virtual machines or
09:12 anything.
09:13 So if you see all those permissions, these are only get and list kinds of permissions:
09:18 get IAM policy, get, list, get, list.
09:20 So mostly they are get and list.
09:23 So you won't be able to modify, you won't be able to change anything inside the virtual
09:27 machine.
09:28 All right.
09:29 So what we will do, let's just keep this compute viewer role inside our notepad.
09:36 Yes, I kept it right.
09:39 So let's just try once more to see why we were not able to get it.
09:46 So it will be roles slash compute space, and compute space viewer, oops, it is not
10:01 able to display.
10:06 So what we'll do, we'll just do the exact copy; maybe little things are different
10:12 compared to what we are expecting.
10:17 So it will be compute, yeah, we have compute viewer.
10:21 Let me just copy it and I'm just gonna search it from here.
10:29 So it will be the name, or maybe we have to search based on the title, I guess.
10:36 Yeah, we have to search with the help of the title.
10:40 Yes, we have compute viewer.
10:43 So name is, I guess, a different property.
10:45 All right.
10:46 So we have seen, let me go to my notepad, that this particular role we want to assign to
10:53 this particular user.
10:55 So he will be able to see all the compute resources or virtual machines we have created.
11:01 Now, how can we assign a role?
11:03 So we can go to IAM and just add this particular user.
11:08 So who is the new member?
11:09 So we can give the ID here.
11:12 Ankit.25587 at gmail.
11:16 Now what role do we want to assign?
11:19 So let me just assign compute viewer.
11:26 Yes, we have compute viewer.
11:30 So compute viewer, it says that it is read-only access to get and list information about
11:34 compute engine resources.
11:36 Let me just assign it.
11:38 And let's just save it.
11:41 Now currently, if you go to my compute engine resources, we don't have any virtual machines
11:48 available.
11:49 So first of all, what I am going to do, I'm going to log in with my new joinee account
11:54 here.
11:55 So for that, I can go to console.cloud.google.com, and I'm going to point to the same thing
12:02 with our new project like Learn GCP-AC Guide 23, and you will be able to see it should
12:10 appear here.
12:12 Yes, it is available.
12:14 So we can just navigate to this particular project.
12:17 Now let me just dismiss it.
12:19 This particular billing-related notification Google has given.
12:24 Now let me go to my compute engine, and currently anyhow, I don't have any compute engine resources,
12:33 but we have just a viewer role.
12:35 So oops, something went wrong.
12:38 So let me just retry it again.
12:41 It may take some time to reflect this role.
12:46 So compute engine.
12:49 Yes, so let me just enable the API.
12:54 So if you just try to enable the API, you can see you are missing the required permission
12:58 because we have just given a compute engine viewer role.
13:02 We haven't given the role at an admin level or maybe some kind of contributor level.
13:09 So we just cannot enable it.
13:10 But from our root user account, so on the left-hand side, we have the root user account.
13:15 Just remember that this particular one is my new joinee account and this is our root user,
13:21 super user account.
13:22 So from here, obviously I can enable it.
13:24 So let me just enable it, or let me just split it into two different screens.
13:29 So what I will do.
13:32 So at the same moment, you will be able to see both screens.
13:39 So things will be very much clear to you what IAM is, in one single window.
13:44 Yeah, here also we got some error, but those errors have some different meaning.
13:51 Let me just try it once again.
13:54 Compute engine API.
14:00 So it's taking a little time enabling the service, because before we create any compute engine
14:06 resources, we have to enable... oops, there is an unknown error when attempting to enable the
14:13 API.
14:14 Oops, something went wrong.
14:17 Yeah, so I guess there are some issues related to billing.
14:23 Maybe the new project which I have created is not associated with any kind of billing
14:29 information.
14:30 So what I will do, let me just make it a big screen, and we have our projects.
14:36 So we have one billing account.
14:39 Now if you just go to this billing account, account management, there will be two projects.
14:46 We have two projects associated.
14:49 So I don't think there is any issue with the billing.
14:52 So let me just try once again.
14:56 Hopefully it should create.
14:58 Yeah, so we have the VM instances screen available, the API got enabled, but even though we got some
15:06 error.
15:08 So the next thing we can do, I can create some instance here, and whatever instance I
15:14 will be able to create, you will be able to see from here.
15:17 So I am not going into detail about how to provision this resource.
15:21 Instead of that, with all the default parameters, let me give the name IAMDEMO here.
15:29 So our instance name will be IAMDEMO; everything remaining, I am just going to keep as
15:33 it is.
15:34 Let me create it, and our new joinee will be able to see this particular resource.
15:41 So let me just go back, and I am going to my compute engine.
15:49 Yes, you can see now IAMDEMO on the right-hand side; our new joinee account is also able to
16:02 see this.
16:03 So this instance is still getting created.
16:06 So it gets provisioned, and here also you will be able to see very soon that this thing
16:12 got provisioned, or you can just simply refresh the screen, and our new instance got created
16:18 and our new joinee is also able to see it.
16:21 Let me just SSH into this particular account from our new joinee.
16:30Now it says that you don't have a sufficient permission to SSH into this particular instance
16:34because in that case, you have to provide some more permission.
16:41Now our compute engine viewer role doesn't allow this thing.
16:46So what we can do, we can provide this kind of permission or the role, more roles we can
16:53assign which is having those permissions.
16:55So I'm just leaving it to you that you can just search for this particular permission.
17:01This permission is a part of viewer or not.
17:04If it is not part of viewer role, you can just search for what are the other roles which
17:09contains those permissions and you can add user to this particular role and you will
17:15be able to do this SSH.
17:19So currently I am closing and now instead of providing here on my root account, let
17:26me go to IAM from my root account.
17:31We have given a compute viewer role.
17:34Let me just edit it and I want to provide one more role like a compute or rather than
17:45searching this way, what we can do, we can here search, I think there is no better way
17:51to search.
17:52Yeah, we have to go with this way only.
17:56Compute admin.
17:57Yeah, we have a full control of all compute engine resources and let me just save it.
18:03But before we save, let me go to my new join account.
18:08Yes, we have this new join account.
18:12So here you can see we are just the reader role.
18:15So there is no option to create a VM for us.
18:19So we want to create a VM and we don't have any option.
18:23But the same thing if you can do it from your root user account.
18:27But now moment I assign compute admin role, you'll be able to see we can create VM from
18:35our new joining account also.
18:37So let me just save it.
18:39And whenever you do such a kind of role assignment or a new role assignment, obviously those
18:47policy updation will take little time.
18:49So just have a basis before that and let me keep refreshing it or what we can do, we can
18:55just sign out and sign in or instead of that, you can just simply reload the page couple
19:00of minutes it will take to reflect all those changes what we have done from our root account.
19:08Now don't get confused the new joining accounts with the root account and you can see after
19:13we given this compute admin role, that means the full access over all the resources are
19:20available inside the compute admin.
19:23So from here, you can always create new instance.
19:26So you can see create instance and from here also will create one more Google compute instance
19:37or virtual machine.
19:38So I am demo, I am, I will just give the name I am from new join.
19:46Alright, so we will be able to differentiate.
19:51And what we can do, let me just create it.
19:57So this way you will be able to understand that what's going on that earlier we have
20:02given a very list privilege role.
20:04Now we have given some higher level role, which is having much higher priority or much
20:10more thing this particular compute engine or compute admin role can do.
20:15Oops, something goes wrong.
20:18Yes, so user do not have access to the service account.
20:21Now still one more error we have got.
20:24So just let me copy this error and let's just try to dissect this error.
20:31So let me just copy and let me put it inside the notepad and let's just dissect it.
20:38So this is that this particular new user has complete access to this resources.
20:46But with every single virtual machine, there is one service account got associated and
20:53we haven't given those roles.
20:55So this project owner should have this particular permission service account user role.
21:01So this is like a role.
21:02So this one more role we have to assign, otherwise this new joining still won't be able to create
21:08those accounts.
21:09So this way you are learning in a very good way this particular I am.
21:14So what we'll do one more role, let me go to what is that role I am service account
21:21user.
21:22Yeah, and let me just search for it.
21:25Oops, service account user, service account user, yeah, we have a service account user
21:39role.
21:40Let me just select it and let's just save it.
21:44Now, next thing is what we will do, we'll go to our new joining account.
21:48So I am inside my new joining account and let me just retry it.
21:53So whatever options we have given earlier with those same option, it will try to create
21:58virtual machine inside our Learn GCP ACE Guide 23 projects from our new joining account.
22:11And exactly the whatever resource we will create that will be available and that you
22:18can see from your root account also.
22:20So this is my root account and let's just go from here.
22:26And you can see we have a I am from new join also.
22:30So this way you can provide different roles to individual new joining user and they can
22:36just start working on it.
22:41So there is some common rule here that always assign a less privileges.
22:46So earlier we have given the permissions like compute viewer, then it doesn't work for new
22:54joining to create our complete virtual machine from his own account.
22:59Then we have given a compute admin role, still it was not sufficient.
23:03So we have added one more role based on the suggestion given by the user like a service
23:08account user because those service account user contains the permission which is able
23:13to list down and create service account which is being associated with virtual machine.
23:19Alright, so this is like a very long demo, but I guess you have understood what is the
23:25concept behind here, what are the roles, how you can assign permissions or I would want
23:31to say permission but list of permission combined into roles and those role you can
23:36assign to some particular user within a given projects.
23:39Alright, so that is all about this video.
