Google Cloud Platform
Get started on Google Cloud Platform by signing up for a free account and creating a new project to use.
All cloud services and resources (such as virtual machines, network, load balancer, etc) are created under a Google Cloud Platform project.
A project is a billing unit. Any services / resources you create under the project will be charged to the Billing Account associated with the project.
A project is a security boundary. You can assign additional users to access different services / resources within the project.
Projects are usually referred to by Project ID. A Project ID is globally unique.
If this is your first time signing up for Google Cloud Platform, it will automatically create a Google Cloud Platform Project.
Google Cloud Platform console with a default project
Every project has a Project ID and a Project Number. Project ID is most used. Find the Project ID in Home, under Project info.
Project info panel showing the Project ID
If you already have an account, use an existing project, or create a new one.
IAM may be one of the hardest concepts to grasp about Google Cloud Platform - but once you understand it, everything else becomes clear.
All Members (i.e., a user) are identified by an e-mail address:
Sometimes, when referring to different types of Members, you may need to add a prefix:
A Permission is the finest grain of a particular action that a Member can perform. For example, a permission to list objects / files from Cloud Storage is
Each Member can be associated with different Roles, and each Role is associated with a set of Permissions. For example, a
roles/storage.objectViewerrole, has the
storage.objects.listpermissions. See Understanding roles documentation for all the available roles and the associated permissions.
This is the default credential that a Google Cloud client library will discover. And Application Default Credential can be:
- Created by
gcloud auth application-default loginwhen running locally,
When using a Google Cloud client library to access a Cloud service, the client library will automatically discover the credential to use based on precedence. See Google Auth Library README for more information.
Service Account Key file is a JSON file that contains a private key, and the private key is used to retrieve OAuth access token. The Service Account file is like a password and must be stored securely!
All Google Cloud runtime environments (App Engine, Cloud Functions, Cloud Run, Kubernetes Engine, Compute Engine, ...) have access to the Metadata Server. From the runtime environment, you can retrieve the current access token associated with the Service Account:
curl -H "Metadata-Flavor: Google" \