From 5d70d3048239584661fe81284869635b8b2e4075 Mon Sep 17 00:00:00 2001 From: Timothy Middelkoop Date: Mon, 10 Jan 2022 21:34:13 +0000 Subject: [PATCH] Adding GCP Scope. --- content/GCP/02_intro_to_compute.ipynb | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/content/GCP/02_intro_to_compute.ipynb b/content/GCP/02_intro_to_compute.ipynb index 374d54b..ac35e1c 100644 --- a/content/GCP/02_intro_to_compute.ipynb +++ b/content/GCP/02_intro_to_compute.ipynb @@ -86,7 +86,9 @@ "source": [ "## Security\n", "\n", - "Everything in the cloud requires permission (authorization). Ordinary we would configure and check security first but in the case of exploring services it is often easier to do things out of order. We noted that the *VM instance* was created with the *Compute Engine default service account*, and if the \"Allow full access to all Cloud Api's\" scope is enable, then everyone on the VM has access to all the resources in your project..\n", + "Everything in the cloud requires permission (authorization). Ordinary we would configure and check security first but in the case of exploring services it is often easier to do things out of order. We noted that the *VM instance* was created with the *Compute Engine default service account*, and if the \"Allow full access to all Cloud Api's\" scope is enable, then everyone on the VM has access to all the resources in your project.\n", + "\n", + "In the case of Drew, this is useful since they will be storing results of the analysis in Cloud Storage and the VM that will be doing the processing will need to have access to the storage. This is the mechanism that allows this.\n", "\n", "Specifically, we are interested in verifying what permissions that the *Compute Engine default service account* has for your *VM instances* . To do this navigate to the IAM page (**Navigation Menu** -> **IAM & Admin** -> **IAM** -> **Permissions** tab -> View By: **Principals** tab)\n", "\n", 
@@ -94,7 +96,11 @@ "\n", "In the **Name** column you should see a row with **Compute Engine default service account**. Here you should see the **Editor** role in the Role column. A *role* is a collection of permissions managed by Google or someone else. The **Editor** role for a project will *allow* a **VM instance** to modify resources *in* the **project**. The principal for the *Compute Engine default service account* should start with the *Project ID* of your project. It is possible to create a custom service account with the appropriate roles for the *VM Instance*.\n", "\n", - "There are three important pieces of information that work together to form the **IAM policy**. The permission (role), the identity (principal or member), and the resource (project)." + "There are three important pieces of information that work together to form the **IAM policy**. The permission (role), the identity (principal or member), and the resource (project).\n", + "\n", + "There is one additional tool that is used, **scope**. Scope describes the services that are accessible by an identity and is a simple way of limiting access to services. \n", + "\n", + "When we previously created the virtual machine we selected the default **scope**, which limits what services the virtual machine has access to. In other words, these scopes can only *limit* what a virtual machine instance can do, it can not add any permissions that are not already granted to the service account through IAM. In general, access should be managed through IAM policy, not scope.\n" ] }, {
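Review bot: the rewritten sentence in the first hunk only drops the doubled period and keeps the earlier errors; it should read "Ordinarily we would configure", "Cloud APIs" and "scope is enabled". The claim that "everyone on the VM has access to all the resources in your project" also overstates the case given the second hunk's own point that a scope can only limit what IAM already grants: processes on the VM get whatever the default service account's Editor role allows, and that role is the real exposure to name. The new Drew paragraph then presents the full-access scope as "the mechanism" that gives the VM access to Cloud Storage, which is the opposite of the closing advice to manage access through IAM policy rather than scope; suggest saying the VM's service account needs a storage role (a custom service account, as the context lines already mention) and that the scope merely must not block that access.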
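Review bot: in the second hunk "it can not add any permissions" should be "cannot", and the line ending "limiting access to services. \n" carries a stray space before the \n. The paragraph also says "we selected the default scope, which limits what services the virtual machine has access to" right after the first hunk described the VM as created with "Allow full access to all Cloud Api's" enabled; the two hunks should agree on which scope option was chosen, since the security consequence differs (the default scope restricts the VM to a small set of services, full access leaves IAM as the only limit). Finally, "There is one additional tool that is used, **scope**." reads awkwardly; suggest "One additional control applies here: the access **scope**."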