Another day, another question and solution of The Certified Q&A for the Google Cloud Platform Associate Cloud Engineer. It’s very important to the process of understanding Google Cloud and passing the certification exam that you go through the question and attempt to answer it yourself first. So pause the video, work through the question, we’ll catch up in just a little while and I’ll show you how I do it.

In this project scenario, you want to find out who in your organization has Owner access to a project called “my-project”. What should you do? This is typical in any organization: you want to audit the access given to certain members to ensure that they do not have access privileges they should not have. Especially a primitive role like Owner, which has very wide privileges, should be regularly audited so that there is no misuse, or even accidental misuse. The question is fairly straightforward; we just have to find out who has Owner access to a project within your organization.

In looking at the options, there are two groups that you can consider separately. One, you can approach this via the Google Cloud Platform Console, or you can access this via gcloud. Both of these options are available here. We might be able to eliminate one group. Let us look at C and D first.
Option C suggests that you use “gcloud iam list-grantable-roles” and provide it the project ID from your terminal. Option D suggests that you use pretty much the same command, but do it from the Cloud Shell on the project page. Now let’s just apply a little common sense here. What is the difference between these two options? Whether you run gcloud from the terminal or from the Cloud Shell makes no essential difference to the command or to its effect. In the first case you are choosing a particular project ID; in the second case you have probably set it as part of the configuration within gcloud. If that is the case, both these commands are going to have the same impact. Therefore, there is actually no difference between option C and option D. Even so, let’s just go a little further and find out what this command called list-grantable-roles is.
Looking at the documentation, it says: before you grant an IAM role to a user for a resource, you might want to know what roles are available to grant on a particular resource. A role is grantable on or above a resource if it contains any permissions for that resource type. So, as the name suggests, one, it is listing something. What is it listing? It is listing the grantable roles, which means that if there is a resource, say for example a VM or a disk, you want to see what roles can be assigned for it, that is, what roles can be granted to a member for that particular resource. And that’s exactly what it does. In the sample that I have run, I am listing the grantable roles on the project, and I get a whole list of them. But this is essentially just listing what can be granted; it is not listing what has been granted, which of course is the requirement in this case. So both C and D can be eliminated straight away at this point.

What about the option to go to the Google Cloud Platform Console, then to the IAM page for the organization, and apply the filter “Role:Owner”? Let’s see how that works. In Google Cloud, there is a hierarchy of resources. At the very root, or at the very top, if you are using G Suite or Cloud Identity you are going to have an organization. In our question, we do know that there is an organization. Under the organization, you can have a few levels of folders, and within the folders you can have Google Cloud projects. These projects, of course, do not need to be within a folder; they can also be attached directly to an organization. And it’s under these projects that there are the resources like VMs, storage, networks, firewalls and so on. Now just imagine: there are going to be probably hundreds of projects, and within those maybe thousands of such resources.
Let us say we apply a filter of “Role:Owner” at the organization level, as this option is suggesting. Is it going to show us all the folders that have the Owner role? Is it also going to show us all the projects that have the Owner role? Is it also going to show us all the resources that have the Owner role? There could be many thousands of these. It seems impractical that applying a filter at the organization level would automatically show you everything under it. So just intuitively, we can figure out that applying “Role:Owner” at the organization level will not show you all the roles for the entire organization and all of its sub-entities.
Therefore this option is looking very unlikely. Even then, let us go and look at the Console and see if it is possible. In this case I have chosen my current organization in step one; in step two I’m filtering by the role; and in step three I am trying to filter by the specific role called Owner. But I can see that there is no settable role called ‘Owner’ at the organization level, so this option is not possible at all. It was impractical anyway to start with, but technically it is not possible to do this via the Console.
A separate tip: at the organization level, when you have G Suite or Cloud Identity, the two very high-level roles are the Super Administrator and the GCP Organization Admin. Those are the ones that you will work with at that level when it comes to an organization.

Having eliminated this, let’s move on to the next option, which suggests that we go to the Google Cloud Platform Console, to the IAM page for the project now, not the organization, and then apply the filter “Role:Owner”. This makes sense. Thinking about the resource hierarchy, we can see now that if we apply the filter at the project level we should see all the owners for that project.
Let us go and make sure that’s the case on the Console. So in this case, in step one, I have chosen the project. In step two, I’m filtering the members by role, and then I am applying the role called ‘Owner’ as the complete filter. And when I do that, I can see all the owners for this particular project. That brings us to the correct answer for this question, which is B: go via the Google Cloud Platform Console to the IAM page for the project and apply the filter “Role:Owner”.
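As an added example that is not from the video, here is the same audit done from the IAM policy JSON that gcloud returns rather than from the Console, and it also picks up Owners inherited from a folder or the organization, which a project-level get-iam-policy call alone does not show; the policies, IDs and accounts are constructed samples and the helper functions are hypothetical.

```python
# Added example (not from the video): audit who holds Owner on "my-project"
# from IAM policy JSON, the shape that `gcloud projects get-iam-policy`,
# `gcloud resource-manager folders get-iam-policy` and
# `gcloud organizations get-iam-policy` print with --format=json.
# Caveat: each call returns only bindings set directly on that resource, so
# Owners inherited from a folder or the organization are found by walking up.

# Constructed sample policies; IDs and accounts are made up.
SAMPLE_POLICIES = {
    "organizations/123456789012": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:org-admin@example.com"]}]},
    "folders/987654321098": {"bindings": [
        {"role": "roles/owner", "members": ["group:platform-leads@example.com"]}]},
    "projects/my-project": {"bindings": [
        {"role": "roles/owner", "members": [
            "user:alice@example.com",
            "serviceAccount:deploy@my-project.iam.gserviceaccount.com"]},
        {"role": "roles/editor", "members": ["user:bob@example.com"]}]},
}
# Hypothetical ancestry, bottom-up (what `gcloud projects get-ancestors` lists).
ANCESTRY = ["projects/my-project", "folders/987654321098",
            "organizations/123456789012"]


def members_with_role(policy, role):
    """Members bound to `role` directly in one policy; conditional grants are tagged."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role:
            tag = " (conditional)" if "condition" in binding else ""
            found.update(m + tag for m in binding.get("members", []))
    return found


def effective_holders(policies, ancestry, role="roles/owner"):
    """Effective holders of `role` on ancestry[0], mapped to where each grant is set.
    Bindings are additive down the hierarchy: a grant on the organization or a folder
    applies to every project beneath it and cannot be revoked at project level, so
    inherited Owners must appear in the audit too."""
    holders = {}
    for resource in ancestry:  # lowest level first
        for member in members_with_role(policies.get(resource, {}), role):
            holders.setdefault(member, resource)
    return holders


if __name__ == "__main__":
    for member, where in sorted(effective_holders(SAMPLE_POLICIES, ANCESTRY).items()):
        print(f"{member:60} set on {where}")
```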
What are the key learnings we can take away from this question? One, looking at list-grantable-roles, we can see that the roles and commands are intuitively named. You do not need to know all of them, but you can guess what one means by looking at the name. It is a good approach to eliminate groups of options. In this particular case, we looked at two options and saw that they were essentially the same, and both cannot be right; therefore we can eliminate both of them. The other thing to know is the resource hierarchy: there are organizations, possibly folders, under that projects, and within those all the resources. You also need to know how permissions are inherited on this resource hierarchy. Any privileges that are granted at a higher level cannot be revoked at a lower level. So if somebody gets a permission at the organization level, you cannot revoke that at the project level. You also need to know how to set roles and permissions via the Cloud Console and gcloud.

I will leave you with a few resources on the resource hierarchy and on creating and managing organizations. Especially when you create an organization at the beginning, you need to make sure that you have the right roles and groups in place.
It’s very important for the longevity of the project and the organization that IAM is handled well. It is very important to know the best-practice guides when it comes to IAM and assigning permissions. Also look at some commands like list-grantable-roles, but it is not very important to know all of these. It is okay to just get a general sense of these commands; you don’t need to learn all these roles by heart. Be strategic about knowing the nomenclature and the naming approaches, without having to memorise all the roles and commands. Now, it’s time to subscribe to all the great content we’ve got lined up for you to learn Google Cloud and to help you with the certifications.