003 [Hands-on] Managing users in Cloud Identity (manually and automated)

Transcript
00:00 Hey everyone, welcome back.
00:03 In this video, we will see how you can manage the different users available in Google
00:10 Cloud.
00:11 So it's a kind of cloud identity.
00:13 So what are the ways you can create a cloud identity?
00:18 So let's see all of them.
00:21 So there is one like a Google account.
00:24 So if you have a Google account, you can log in with it.
00:27 Don't worry about it.
00:28 All those identities we will see in detail, and what each identity can do
00:34 and cannot do.
00:36 Another very important identity is a service account; we have a G Suite account and we
00:42 have a Cloud Identity domain account, and at the end we have a Google group.
00:52 So let's see the very first one, a Google account.
00:57 So we have already logged in with one of the accounts through which I have a Google Cloud
01:04 account.
01:05 So let me just show you.
01:07 So, Google account.
01:08 So if you have a Google account, most probably you should have a Gmail account to create
01:13 a Google account, but it's not necessary that you can create a Google account only
01:18 with a Gmail account.
01:19 If you have a Yahoo ID, if you have, let's say, a Hotmail ID or any other ID or a domain
01:25 email address, you can create a Google account out of it.
01:29 Now, in this particular case, I have one Google account like gcptutorial.2020 at gmail.com.
01:36 So this is like a valid Gmail ID and Google ID.
01:41 So with this, I have created this account, and this is one of the identities provided for
01:48 your Google Cloud account.
01:50 So which is nothing but a Google Cloud account.
01:53 Now, what can it do?
01:54 So something like, if you want to log in to the console, if you have a username and a password,
02:01 you can do it.
02:02 So with this kind of account, if you have a username, so I'm just writing here username
02:09 and this is for P. So if you have a username and password, you can log in to the Google Cloud
02:16 console.
02:17 So this is one kind of identity provider.
02:20 So this is very straightforward also.
02:22 In the last video also, we have seen that if you have such a kind of identity, how you
02:28 can assign even a role to this kind of identity.
02:32 Another one is a service account.
02:33 So service accounts we haven't discussed yet.
02:36 So this is mainly related to applications.
02:39 So let me just write app.
02:44 So why does one need to create a service account as a Google Cloud identity provider?
02:49 So let's say you have created a Google virtual machine inside the cloud.
02:56 Now this particular virtual machine wants to connect with some other resources.
03:01 But it just cannot, or just cannot keep using, your Google account from the virtual machine.
03:09 So in that case, there is one service account that has been associated with the application.
03:14 So this service account doesn't belong to a human, but it is a part of the application.
03:20 So if some application wants to log in to some other resource provisioning or resource
03:27 management, in that case, you can use the service account.
03:31 Now this particular service account, with which you just cannot log in with a username and password.
03:38 There is nothing like a username and password that exists to log in inside the Google Cloud console.
03:45 So let me just show you where this service account exists.
03:49 So if you go to the Google Cloud console, you can go to IAM, and from here we have a service
03:57 account.
04:02 We can just directly go to IAM.
04:04 Yeah, we have a service account inside the IAM.
04:08 So from here you can create a service account, and this service account you can attach with
04:13 different Compute Engine instances.
04:15 So earlier we have created one Compute Engine instance.
04:19 So you can see this automatically gets created.
04:23 So while creating the virtual machine, this particular service account got automatically
04:28 created.
04:29 So this is like a Google-managed service account, and it has a domain like developer.gserviceaccount.com.
04:39 Now if you want to create your own custom service account, then also you can do it.
04:43 So let me just give some name like Demosrv, okay.
04:51 So you can see Demosrv, demo service account at learngcp-ac-guide.thissomething.com, alright.
05:02 So this is a custom service account.
05:09 Alright, let me just simply create it.
05:14 Later on we will give some grant or access.
05:18 So what can this service account do?
05:21 So let's just provide, for the time being, the role of Editor.
05:25 And let's just continue.
05:28 And there will be a last one, grant users access to this particular service account.
05:33 Now when we learn in a little bit more detail about this service account, we'll see about that.
05:38 But this is how you can provision a new service account.
05:42 So this is nothing but Demosrv.
05:44 Now let's just go to our Compute Engine.
05:48 Now when you provision your new virtual machine inside Compute Engine, there is one option
05:56 like, with this virtual machine, which particular service account you want to associate.
06:03 I guess it's taking time.
06:05 Let me just create a new instance.
06:08 And from here, you can see there is an option like a service account.
06:14 So Google asks whether you want to use the Compute Engine default service account.
06:19 Or there is one more service account we have created just now, which is nothing but Demosrv.
06:25 Now if you want to attach this particular service account, you can always use it, and
06:31 you can give all those kinds of roles and permissions to this service account to behave
06:36 like you are using the virtual machine.
06:40 But on behalf of you, this particular account will make all requests, API calls and everything;
06:48 all that resource provisioning and everything will be done through this account inside those
06:53 virtual machines.
06:54 Alright, so this is about the service account.
07:00 Now a service account can call some kind of API.
07:02 Let me just minimize this part.
07:04 This is the second one.
07:06 Yes, a service account is meant to interact with the different applications.
07:10 So obviously, there are a number of ways with which you can provide some kind of authentication
07:16 mechanism to this service account, so that if this service account wants to interact
07:21 with, let's say, Google Cloud SQL or Google BigQuery, or this service account wants to
07:28 make some sort of API call to do image classification with the help of different machine learning
07:34 services, one can do it.
07:37 So these are the two very important ones, service account and Google account, through which
07:42 you can enter into the Google Cloud world.
07:45 The third one is a G Suite domain.
07:49 So to understand the concept behind the G Suite domain, let me go to the browser and let me go
07:58 to G Suite, and this is something like Google Workspace.
08:08 So Microsoft has its own Microsoft 365; in exactly the same way, for enterprises, all those office-related
08:15 products, equivalent office-related products which Google has developed, like Gmail.
08:22 We have Google Calendar, Google Drive, and there are many more like Google Docs, Google
08:28 Sheets.
08:29 So everything is a part of such a kind of business organization.
08:33 Now here, if you already have an account for this Google Workspace, a G Suite domain,
08:41 so it's not free, you have to pay for it.
08:44 And if you have those accounts, you can use those accounts, and obviously you can log in
08:50 to this G Suite domain and enter into Google Cloud.
08:56 So that is the third one.
08:58 Now here there is one great thing.
09:02 You do not need to use those Gmail kind of IDs, because let's say there is some new joiner
09:08 in your organization.
09:10 Let's say you started using this Gmail ID, you have provided some kind of access to that
09:15 particular user.
09:16 Now that particular new joiner has left the company.
09:22 In that case, you have to explicitly remove them.
09:25 But if they are having some kind of custom domain, in that case, you can very easily
09:33 remove that particular user, remove those kinds of access, whatever you have given to
09:38 them.
09:40 So with this G Suite account, you can attach even a custom domain also.
09:44 So let's say your organization has a name like, let me open Notepad and I'll show you.
09:51 Let's say your organization is like example.com.
09:55 So I am having like user1 at, let me provide here example.com, let's say user2.
10:05 So this way you can make users, and individual users you can grant based on some least privileges,
10:14 different kinds of roles you can assign.
10:17 So this is like G Suite.
10:19 Now someone says that we are not using a G Suite account.
10:23 Some organizations said we do not require a G Suite account.
10:26 We have some alternatives available.
10:28 Why do we pay for a G Suite account?
10:30 Because in G Suite, there is lots of functionality Google will provide at the organization level.
10:35 But I mean, not everyone has to attach their custom domain.
10:41 So for that, Google says that we are providing another one, like a Cloud Identity domain.
10:48 So in that case, all those Google Docs, Google Sheets and everything are not available.
10:54 Just a custom domain you can attach with it.
10:57 So same like this example.com.
11:02 So you can attach your custom domain example.com and you can manage all those users inside
11:09 that.
11:10 So this is like all those Google Workspace functionalities.
11:15 If you just deduct them from this G Suite domain, you land up at the Cloud Identity domain.
11:23 So these are the four ways we have seen, where with every single type of cloud identity,
11:30 there is one account associated.
11:32 Now we have a Google group.
11:34 So if you want to give access to a bunch of people, a number of people, at the same moment,
11:40 you can always use a Google group.
11:42 Now a Google group you can always use as a public Google group also, and you can add all those
11:47 users inside that, or you can create a Google group inside the Cloud Identity domain.
11:53 Now this too requires a paid subscription, and I don't have a paid subscription for that.
12:00 So I will show you how we can make this Google group through this public account.
12:06 So let me just go to the browser and let's just go to Google Groups.
12:16 Now you guys must be familiar with Google Groups, like groups.google.com.
12:23 Here you can log in and you can create some Google group inside Google Groups.
12:29 You can always add some users, and to all those individual users you can give some specific
12:35 permissions.
12:37 So, you are not a member of any group yet.
12:39 Yes, let me create one new group.
12:41 So let's say GCP AC is my group name.
12:47 Let me press Next.
12:48 Alright.
12:50 I'm just going with all my default options.
12:54 Any group members, let's add later on.
12:58 And let's just create a group.
13:00 I am not a robot.
13:02 Oops, I have to verify myself.
13:05 So it's a bicycle.
13:07 This is also a bicycle.
13:08 This is also a bicycle.
13:09 Let's just verify it.
13:11 Alright.
13:12 So I successfully authenticated myself.
13:16 Create a group.
13:17 Alright.
13:18 Let's just go to this particular group.
13:19 I am the owner of this group.
13:20 Now, the next thing is we can add even a member inside that.
13:26 So let me just add a few members.
13:29 Let's say user1, or let me give some authenticated member like ankit.2557 at gmail.com.
13:39 Alright.
13:41 And I have one more like a, yeah, I should add one more actually.
13:47 Let me add one more like flashlight at gmail.com.
13:50 Alright.
13:52 So these are the two accounts, which only I manage.
13:57 So I added two members.
13:58 Now what happens is that instead of providing any kind of role or any kind of permission
14:06 assignment, obviously, you cannot assign a permission, but you can always assign a role.
14:11 You are not going to assign it to this particular individual user.
14:14 Let's say both of them are going to work with the Compute Engine resources.
14:20 So in that case, you can just directly give permission to this particular group.
14:26 Now, you can always find the group settings.
14:29 What is the email ID of the group?
14:30 So the group also has some email ID like gcp-ac at googlegroup.com.
14:37 And we have my membership settings.
14:41 Yeah.
14:43 So this is the owner of this particular group.
14:45 Now what we'll do, let me go to the group settings.
14:49 gcp-ac, I'm just going to, I am part of my root account of Google Cloud.
14:58 And let's say, I will provide some Google Compute Engine instance role.
15:07 So let me just add one more user, gcp-ac at, let me provide exactly, at googlegroups.com.
15:17 Oops.
15:18 gcp-ac.
15:19 Yes.
15:20 So this is like a valid ID.
15:28 Now instead of providing role assignment to these particular individual users like Ankit
15:33 or 25587, and another one is flashlight at gmail.com, I'm providing the role to this
15:40 particular group.
15:42 Now what happens is that when you provide, let's say, I just want to make them the Viewer role
15:48 and let's just save it.
15:50 This Viewer role has been assigned to both of these users.
15:54 So if you want to give permission, like a role assignment, to multiple users at the same moment,
16:01 a similar kind of role, you can always add them to the group.
16:05 And this is also one of the best practices.
16:09 A lot of big discussion we have done related to cloud identity.
16:14 The last one is a Google group.
16:15 Now what we have just created is a public Google group; you can always create
16:19 a Google group inside your Cloud Identity domain.
16:22 So in that case, you do not require adding those users as a Google account, but your
16:28 user1 at example.com, user2 at example.com, all those individual organization employee
16:36 domain or email IDs, you can add, and you can assign those permissions to all those
16:43 lists of users at the same moment.
16:46 But with this Google group, you just cannot log in inside the Google Cloud console, because
16:51 obviously, who is the owner of the Google group?
16:56 I mean, it's not like one single person.
17:00 It is dealing with multiple users at the same moment.
17:03 So there is no provision to have a username and password associated with a Google
17:08 group to enter into Google Cloud.
17:11 Can you call some kind of APIs through a Google group?
17:14 No.
17:15 Individual users obviously can do it depending on what kind of role you assign to them.
17:21 Alright, so that is about cloud identity, that is, what different cloud identities
17:26 are available to enter into Google Cloud.
17:31 That's all about this video.
17:32 See you in the next video.