Google Cloud Platform
Get started on Google Cloud Platform by signing up for a free account and creating a new project to use.
Last updated
Was this helpful?
Get started on Google Cloud Platform by signing up for a free account and creating a new project to use.
Last updated
Was this helpful?
If you don't already use , you can , and receive $300 credit.
All cloud services and resources (such as virtual machines, network, load balancer, etc) are created under a Google Cloud Platform project.
A project is a billing unit. Any services / resources you create under the project will be charged to the Billing Account associated with the project.
A project is a security boundary. You can assign additional users to access different services / resources within the project.
Projects are usually referred to by Project ID. A Project ID is globally unique.
If this is your first time signing up for Google Cloud Platform, it will automatically create a Google Cloud Platform Project.
Every project has a Project ID and a Project Number. Project ID is most used. Find the Project ID in Home, under Project info.
If you already have an account, use an existing project, or create a new one.
IAM may be one of the hardest concepts to grasp about Google Cloud Platform - but once you understand it, everything else becomes clear.
All Members (i.e., a user) are identified by an e-mail address:
Type
Uses
Identified By
User Account
User interaction with gcloud CLI, or the web console.
User's e-mail address
Service Account
Service to Service authentication
Service account's e-mail address
G Suite Group
A collection of user accounts or service accounts.
G Suite Group e-mail
G Suite Domain
All users and groups of a G Suite domain.
G Suite domain name
Sometimes, when referring to different types of Members, you may need to add a prefix:
Type
Prefix
Example
User Account
user
user:jane@example.com
Service Account
serviceAccount
serviceAccount:my-service@appspot.gserviceaccount.com
G Suite Group
group
group:webmaster@example.com
G Suite Domain
domain
domain:example.com
A Permission is the finest grain of a particular action that a Member can perform. For example, a permission to list objects / files from Cloud Storage is storage.objects.list.
Type
Credential
User Account
Service Account
This is the default credential that a Google Cloud client library will discover. And Application Default Credential can be:
Created by gcloud auth application-default login when running locally,
Service Account Key file is a JSON file that contains a private key, and the private key is used to retrieve OAuth access token. The Service Account file is like a password and must be stored securely!
Never expose the service account key file in the public.
Never check-in your service account key file.
Never put your service account key file in a container image, or deployable artifact like a JAR file.
Always store your service account securely.
See for more details.
Each Member can be associated with , and each Role is associated with a set of . For example, a roles/storage.objectViewer role, has the storage.objects.get and the storage.objects.list permissions. See for all the available roles and the associated permissions.
You can create to associate with specific permissions too.
OAuth credentials - an Access Token, or a Refresh Token, or .
A or from
or a GOOGLE_APPLICATION_CREDENTIALS environmental variable that points to the path of a Service ,
or automatically discovered using the .
When using a Google Cloud client library to access a Cloud service, the client library will automatically discover the credential to use based on precedence. See for more information.
In most cases, your application is associated with a service account, but will not need the Service Account key file. See .
All Google Cloud runtime environments (App Engine, Cloud Functions, Cloud Run, Kubernetes Engine, Compute Engine, ...) have access to the . From the runtime environment, you can retrieve the current access token associated with the Service Account:
