Spring Boot on GCP
Google Cloud Platform

Get started on Google Cloud Platform by signing up for a free account and creating a new project to use.

Last updated 4 years ago

Sign Up

If you don't already use Google Cloud Platform, you can get started for free and receive $300 credit.

Project

All cloud services and resources (such as virtual machines, networks, load balancers, etc.) are created under a Google Cloud Platform project.

A project is a billing unit. Any services / resources you create under the project will be charged to the Billing Account associated with the project.

A project is a security boundary. You can assign additional users to access different services / resources within the project.

Projects are usually referred to by Project ID. A Project ID is globally unique.

New Account

If this is your first time signing up for Google Cloud Platform, a Google Cloud Platform project will be created for you automatically.

Every project has a Project ID and a Project Number. The Project ID is the one most commonly used. Find the Project ID in Home, under Project info.

Existing Account

If you already have an account, use an existing project, or create a new one.

Identity Access Management

IAM may be one of the hardest concepts to grasp about Google Cloud Platform, but once you understand it, everything else becomes clear. See the Identity Access Management Overview documentation for more details.

Member

All Members (such as a user) are identified by an e-mail address:

| Type | Uses | Identified By |
| --- | --- | --- |
| User Account | User interaction with the gcloud CLI, or the web console. | User's e-mail address |
| Service Account | Service-to-service authentication. | Service account's e-mail address |
| G Suite Group | A collection of user accounts or service accounts. | G Suite Group e-mail |
| G Suite Domain | All users and groups of a G Suite domain. | G Suite domain name |

Sometimes, when referring to different types of Members, you may need to add a prefix:

| Type | Prefix | Example |
| --- | --- | --- |
| User Account | user | user:jane@example.com |
| Service Account | serviceAccount | serviceAccount:my-service@appspot.gserviceaccount.com |
| G Suite Group | group | group:webmaster@example.com |
| G Suite Domain | domain | domain:example.com |

Permission

A Permission is the finest grain of a particular action that a Member can perform. For example, the permission to list objects / files in Cloud Storage is storage.objects.list.

Roles

Each Member can be associated with different Roles, and each Role is associated with a set of Permissions. For example, the roles/storage.objectViewer role has the storage.objects.get and the storage.objects.list permissions. See the Understanding roles documentation for all the available roles and their associated permissions.

You can create Custom Roles to associate with specific permissions too.

Credential

| Type | Credential |
| --- | --- |
| User Account | OAuth credentials: an Access Token, or a Refresh Token, or Application Default Credentials. |
| Service Account | A Service Account Key file, or Machine Credentials from the Metadata Server. |

A User Account is great for local development when using gcloud. A Service Account is great for your application/microservice.

Application Default Credentials

This is the default credential that a Google Cloud client library will discover. An Application Default Credential can be:

  • created by gcloud auth application-default login when running locally,
  • or a GOOGLE_APPLICATION_CREDENTIALS environment variable that points to the path of a Service Account key file,
  • or automatically discovered using the Metadata Server.

When using a Google Cloud client library to access a Cloud service, the client library will automatically discover the credential to use, in order of precedence. See the Google Auth Library README for more information.

Service Account Key

A Service Account Key file is a JSON file that contains a private key, and that private key is used to retrieve an OAuth access token. The Service Account Key file is like a password and must be stored securely!

Never expose the service account key file in public.

Never check in your service account key file.

Never put your service account key file in a container image, or in a deployable artifact like a JAR file.

Always store your service account key securely.

In most cases, your application is associated with a service account, but will not need the Service Account key file. See Machine Credentials from Metadata Server.

Machine Credentials from Metadata Server

All Google Cloud runtime environments (App Engine, Cloud Functions, Cloud Run, Kubernetes Engine, Compute Engine, ...) have access to the Metadata Server. From the runtime environment, you can retrieve the current access token associated with the Service Account:

curl -H "Metadata-Flavor: Google" \
  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token

The Metadata-Flavor: Google header is required; the Metadata Server rejects requests that do not carry it.

Each runtime / service may be associated with a specific Service Account. For example, VM1 uses Service Account A, and VM2 uses Service Account B. Depending on which VM is used to access the Metadata Server, the Metadata Server will return the token for the associated Service Account.
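As an added example (not code from this page or from the Spring Boot on GCP project), the following Python script scans a build output directory, including the contents of JAR/WAR artifacts, for Google service account key files, so the "never check in" and "never bake into an artifact" rules for Service Account Key files can be enforced in CI. The detection heuristic (a JSON document with type service_account plus private_key and client_email fields) and the constructed sample key are my own assumptions, not taken from the page.

```python
import json, os, tempfile, zipfile
from typing import List
# Constructed sample key with placeholder values (not a real credential).
FAKE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "my-service@example-project.iam.gserviceaccount.com",
}).encode()
MAX_BYTES = 64 * 1024  # key files are tiny; skip large files to keep the scan fast

def looks_like_sa_key(data: bytes) -> bool:
    """True if the bytes parse as a service account key JSON document (assumed shape)."""
    try:
        doc = json.loads(data)
    except ValueError:  # not JSON (UnicodeDecodeError is a ValueError too)
        return False
    return (isinstance(doc, dict) and doc.get("type") == "service_account"
            and "private_key" in doc and "client_email" in doc)

def scan_archive(path: str) -> List[str]:
    """A JAR/WAR is a ZIP: inspect every entry, whatever its name or extension."""
    hits = []
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.file_size <= MAX_BYTES and looks_like_sa_key(zf.read(info)):
                hits.append(f"{path}!{info.filename}")
    return hits

def scan_tree(root: str) -> List[str]:
    """Walk a build output directory and report every key file found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            p = os.path.join(dirpath, fn)
            if fn.endswith((".jar", ".war", ".zip")):
                hits.extend(scan_archive(p))
            elif os.path.getsize(p) <= MAX_BYTES:
                with open(p, "rb") as fh:
                    if looks_like_sa_key(fh.read()):
                        hits.append(p)
    return hits

def demo() -> List[str]:
    """Constructed build directory: one loose key file and one baked into a JAR."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "sa-key.json"), "wb") as fh:
        fh.write(FAKE_KEY)
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
        zf.writestr("BOOT-INF/classes/creds.json", FAKE_KEY)
        zf.writestr("BOOT-INF/classes/application.properties", "server.port=8080")
    return scan_tree(root)
```

Run scan_tree against the Maven or Gradle output directory in a CI step and fail the build when it returns a non-empty list.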