This repository was archived by the owner on Dec 12, 2025. It is now read-only.

Adding GCP Scope.
tmiddelkoop committed Jan 10, 2022
1 parent a06ac4d commit 5d70d30
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions content/GCP/02_intro_to_compute.ipynb
@@ -86,15 +86,21 @@
"source": [
"## Security\n",
"\n",
"Everything in the cloud requires permission (authorization). Ordinary we would configure and check security first but in the case of exploring services it is often easier to do things out of order. We noted that the *VM instance* was created with the *Compute Engine default service account*, and if the \"Allow full access to all Cloud Api's\" scope is enable, then everyone on the VM has access to all the resources in your project..\n",
"Everything in the cloud requires permission (authorization). Ordinary we would configure and check security first but in the case of exploring services it is often easier to do things out of order. We noted that the *VM instance* was created with the *Compute Engine default service account*, and if the \"Allow full access to all Cloud Api's\" scope is enable, then everyone on the VM has access to all the resources in your project.\n",
"\n",
"In the case of Drew, this is useful since they will be storing results of the analysis in Cloud Storage and the VM that will be doing the processing will need to have access to the storage. This is the mechanism that allows this.\n",
"\n",
"Specifically, we are interested in verifying what permissions that the *Compute Engine default service account* has for your *VM instances* . To do this navigate to the IAM page (**Navigation Menu** -> **IAM & Admin** -> **IAM** -> **Permissions** tab -> View By: **Principals** tab)\n",
"\n",
"*Note: There is a powerful filter box to limit the permissions shown.*\n",
"\n",
"In the **Name** column you should see a row with **Compute Engine default service account**. Here you should see the **Editor** role in the Role column. A *role* is a collection of permissions managed by Google or someone else. The **Editor** role for a project will *allow* a **VM instance** to modify resources *in* the **project**. The principal for the *Compute Engine default service account* should start with the *Project ID* of your project. It is possible to create a custom service account with the appropriate roles for the *VM Instance*.\n",
"\n",
"There are three important pieces of information that work together to form the **IAM policy**. The permission (role), the identity (principal or member), and the resource (project)."
"There are three important pieces of information that work together to form the **IAM policy**. The permission (role), the identity (principal or member), and the resource (project).\n",
"\n",
"There is one additional tool that is used, **scope**. Scope describes the services that are accessible by an identity and is a simple way of limiting access to services. \n",
"\n",
"When we previously created the virtual machine we selected the default **scope**, which limits what services the virtual machine has access to. In other words, these scopes can only *limit* what a virtual machine instance can do, it can not add any permissions that are not already granted to the service account through IAM. In general, access should be managed through IAM policy, not scope.\n"
]
},
{
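Review bot: the rewritten first paragraph of the Security cell only drops the doubled period; the same line still reads "Ordinary we would configure" (Ordinarily) and "scope is enable" (enabled), and the quoted option "Allow full access to all Cloud Api's" should be spelled "Cloud APIs". The new scope paragraph also leaves it unclear which scope the earlier steps actually selected: it says the VM was created with "the default scope", while the first paragraph describes the "Allow full access to all Cloud APIs" case, and the two give very different effective access, so state which one applies to the VM the reader just created. Minor: the added line ending `services. \n` carries a trailing space, and the last "source" entry now ends in `\n` where the removed final line did not, which nbformat tolerates but is inconsistent with the rest of the notebook.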

0 comments on commit 5d70d30
