Google Cloud Platform

Sign Up
If you don't already use Google Cloud Platform, you can get started for free, and receive $300 credit.
Project
All cloud services and resources (such as virtual machines, network, load balancer, etc) are created under a Google Cloud Platform project.
A project is a billing unit. Any services / resources you create under the project will be charged to the Billing Account associated with the project.
A project is a security boundary. You can assign additional users to access different services / resources within the project.
Projects are usually referred to by Project ID. A Project ID is globally unique.
New Account
If this is your first time signing up for Google Cloud Platform, it will automatically create a Google Cloud Platform Project.
Google Cloud Platform console with a default project
Every project has a Project ID and a Project Number. Project ID is most used. Find the Project ID in Home, under Project info.
Project info panel showing the Project ID
Existing Account
If you already have an account, use an existing project, or create a new one.
Identity Access Management
IAM may be one of the hardest concepts to grasp about Google Cloud Platform - but once you understand it, everything else becomes clear.
Member
All Members (i.e., a user) are identified by an e-mail address:
Type
Uses
Identified By
User Account
User interaction with gcloud CLI, or the web console.
User's e-mail address
Service Account
Service to Service authentication
Service account's e-mail address
G Suite Group
A collection of user accounts or service accounts.
G Suite Group e-mail
G Suite Domain
All users and groups of a G Suite domain.
G Suite domain name
Sometimes, when referring to different types of Members, you may need to add a prefix:
Type
Prefix
Example
User Account
user
user:[email protected]
Service Account
serviceAccount
serviceAccount:[email protected]
G Suite Group
group
group:[email protected]
G Suite Domain
domain
domain:example.com
See Identity Access Management Overview documentation for more details.
Permission
A Permission is the finest grain of a particular action that a Member can perform. For example, a permission to list objects / files from Cloud Storage is storage.objects.list.
Roles
Each Member can be associated with different Roles, and each Role is associated with a set of Permissions.  For example, a roles/storage.objectViewer role, has the storage.objects.get and the storage.objects.list permissions.  See Understanding roles documentation for all the available roles and the associated permissions.
You can create Custom Roles to associate with specific permissions too.
Credential
Type
Credential
User Account
OAuth credentials - an Access Token, or a Refresh Token, or Application Default Credentials.
Service Account
A Service Account Key file or from Machine Credentials from Metadata Server​
A User Account is great for local development when using gcloud.  Service Account is great for your application/microservice.
Application Default Credentials
This is the default credential that a Google Cloud client library will discover. And Application Default Credential can be:
Created by gcloud auth application-default login when running locally,
or a GOOGLE_APPLICATION_CREDENTIALS environmental variable that points to the path of a Service Account key file,
or automatically discovered using the Metadata Server. 
When using a Google Cloud client library to access a Cloud service, the client library will automatically discover the credential to use based on precedence. See Google Auth Library README for more information.
Service Account Key
Service Account Key file is a JSON file that contains a private key, and the private key is used to retrieve OAuth access token. The Service Account file is like a password and must be stored securely!
Never expose the service account key file in the public.
Never check-in your service account key file.
Never put your service account key file in a container image, or deployable artifact like a JAR file.
Always store your service account securely.
In most cases, your application is associated with a service account, but will not need the Service Account key file. See Machine Credentials.
Machine Credentials from Metadata Server
All Google Cloud runtime environments (App Engine, Cloud Functions, Cloud Run, Kubernetes Engine, Compute Engine, ...) have access to the Metadata Server. From the runtime environment, you can retrieve the current access token associated with the Service Account:
curl -H "Metadata-Flavor: Google" \
  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token
Each runtime / service may be associated with a specific Service Account. For example, VM1 uses Service Account A, and VM2 uses Service Account B. Depending on which VM is used to access the Metadata Server, the Metadata Server will return the token for the associated Service Account.

Introduction

Next - Getting Started

Cloud Shell

Last modified 1yr ago

Copy link

Outline

Project

New Account

Existing Account

Identity Access Management