Service Account Impersonation in Google Cloud - IAM in GCP

  • Published 3 Dec 2024

COMMENTS • 45

  • @CloudAdvocate
    @CloudAdvocate  4 years ago +1

    Please go back to my terraform videos and try this out.

  • @harshinigadige5829
    @harshinigadige5829 3 years ago

    That's a short and comprehensive video. Up to the point. Great work and keep going!!

  • @shaileshchaskar6093
    @shaileshchaskar6093 3 years ago

    Amazing, this was a very advanced concept explained in the best possible simple way. Your demos are the best attribute of your videos. Thanks again.

  • @giri455161
    @giri455161 2 years ago

    Very informative lecture. Thank you very much for your time towards us.

  • @michi-dl5sm
    @michi-dl5sm 1 year ago +1

    Does service account impersonation work for users accessing GCP resources via third-party apps (say vscode or jenkins) installed on machines outside GCP,
    or in this case is it necessary to add the keys to those third-party tools?
    I am not able to map this demo to those use cases.

  • @SannanTheTraveller
    @SannanTheTraveller 4 years ago +2

    Here is my scenario:
    I want to create a service account for each new incoming customer using Terraform, and based on his own service account I should be able to create GCP resources and destroy them whenever needed.
    After this video, I think what I can do is simply create a service account and add new customers as members of it, and using the same Terraform script I can tf-apply using their own token.
    Question: how to use this token in Terraform?

    • @CloudAdvocate
      @CloudAdvocate  4 years ago +1

      export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
      terraform apply

  • @sanjoydey8378
    @sanjoydey8378 1 year ago

    After creating the SA, you added a member (mail) for this SA. How will this mail work for authentication purposes to gcloud?

  • @sangeetha25
    @sangeetha25 4 years ago +2

    We want to publish events to a pub sub topic in GCP which is hosted by a different application from our application AWS (EKS). We are searching for options to access the service account tokens from AWS. We have been provided a service account by the GCP team with the publish role. Will this be applicable for my scenario if I have the token creator role for the above provided service account, or should I create a new service account with the token creator role for accessing the token, or should I create a user specifically to be used for this purpose? Basically I am searching to see what is the user I should use for accessing from outside GCP, and any prerequisite for getting the user created, and how I can tie the user to my AWS application. Please provide your thoughts and suggestions for the same.

    • @CloudAdvocate
      @CloudAdvocate  4 years ago

      Hi Sangeetha, since this is continuous service-to-service communication, I would suggest using the service account itself with only pubsub permissions. Anything that's user related could create issues when the user is leaving the organization. For more security you could try using Vault.

  • @EshwarNorthEast
    @EshwarNorthEast 3 years ago

    I have a use case where I want Cloud Build to ssh into a VM and run gcloud commands.
    The VM doesn't have access to many resources, but the Cloud Build service account has. Is there a way to do this?

  • @PavithranB-u3h
    @PavithranB-u3h 5 months ago

    How can I use Service Account Impersonation in Production?
    There I am not able to log in daily.

  • @kavinkkm
    @kavinkkm 2 years ago

    Hi,
    After impersonating the SA, how do we need to ingest metadata from other projects?
    Please suggest and send me any gcloud command.

  • @TradeWithCodeOfficial
    @TradeWithCodeOfficial 3 years ago

    Hi, would it be possible for you to show a demo of SA impersonation for the BigQuery bq utility? I am trying but it is not working. Thanks.

  • @dipk.mishra
    @dipk.mishra 7 months ago

    Can I use this for authentication purposes as well?

  • @rajeshrajkumar13
    @rajeshrajkumar13 2 years ago

    How do I create projects using a service account?

  • @Floyergilmour
    @Floyergilmour 4 years ago

    Does anyone get the error:
    ERROR: (gcloud.config.set) Section [auth] has no property [impersonate-service-account].

  • @krishnamahavadi5306
    @krishnamahavadi5306 2 years ago

    Hello GK,
    I liked the information and the way you explained very much. I have a question for you. I couldn't find any answer no matter how many times I went through the documents. I am the only person on my project. So I am the owner of the project and have all the permissions. When I create a service account, I can set a role and give permissions to it. What is the guarantee that only that account can create and view the objects? I too can do it as I have all permissions. Can you please explain how I can make my permissions fewer? I seem to have nearly 6000 permissions. I have project where I have read data, analyze and download the results without downloading the data. The organization that is supplying data wants OAuth 2 authorization of my account and the service account. Please help me with this. I don't have an organization.
    Thanks

  • @darkrycybertech4024
    @darkrycybertech4024 10 months ago

    Hello sir, how can I use Google Cloud service account credentials like a private key?

  • @SaiDileepfantasy
    @SaiDileepfantasy 4 years ago

    Interesting

  • @shreyas_shah
    @shreyas_shah 4 years ago +1

    Sir, I'm a fresher placed in Accenture ICI (Intelligent Cloud & Infrastructure) IT Operations. I want to develop a career in Cloud; will it be possible, since the role is IT Operations?

    • @CloudAdvocate
      @CloudAdvocate  4 years ago

      Yes, you can be an operations engineer on cloud.

  • @akliluabay6392
    @akliluabay6392 4 years ago

    Hi, I learned a great thing with confidence from you, and I am also on the path of learning. I am expecting a lot from you in order to pass ACE from GCP.

    • @CloudAdvocate
      @CloudAdvocate  4 years ago +1

      Thank you ☺️, I will do my best.

  • @radhikachabra4923
    @radhikachabra4923 4 years ago

    Thanks for sharing, great stuff. I'd like to ask: I am pretty new to GCP and I am planning to go for certification. Should I go for an Associate or Professional? I have heard from so many people that both of them cover the same level of questions. Please share your thoughts.

    • @CloudAdvocate
      @CloudAdvocate  4 years ago

      Hi Radhika, both do not have the same level of questions. Associate has more hands-on and commands etc. Whereas GCPA has more solutioning sort of questions... you can directly go for professional if that's what you are interested in :)

  • @krishnarajan319
    @krishnarajan319 3 years ago

    How does Cloud Build use auto deploy on GitLab? Please help me.

  • @healthvative5315
    @healthvative5315 3 years ago

    Will a service account allow adding/removing multiple users in it? Can I give a service account permission to import/export images and create/delete instances?

    • @CloudAdvocate
      @CloudAdvocate  3 years ago

      Yes, you can assign permissions to a service account.

  • @gemini_537
    @gemini_537 3 years ago

    What's the difference between giving the user the role of ServiceAccountUser vs ServiceAccountTokenCreator?

    • @CloudAdvocate
      @CloudAdvocate  3 years ago

      I can explain it here but cloud.google.com/iam/docs/service-accounts gets you a solid understanding :).

  • @amitprakashsrivastava5707
    @amitprakashsrivastava5707 4 years ago

    Hi, can I generate an access token from Google Cloud Console (w/o using gcloud/gsutil commands)? If yes, how?

    • @CloudAdvocate
      @CloudAdvocate  4 years ago

      You can generate OAuth2.0 credentials from console.developers.google.com/. This is useful when you create applications etc., not in general for service communication.

  • @hamsavlogs4835
    @hamsavlogs4835 4 years ago

    Do we have to learn JSON for MS Azure Cloud?

  • @abdulshaikh6807
    @abdulshaikh6807 4 years ago

    Sir, did you create your own t-shirt?

  • @YourHoss
    @YourHoss 4 years ago

    What about the bq command?

    • @CloudAdvocate
      @CloudAdvocate  4 years ago

      Impersonation is not supported for bq yet.

    • @YourHoss
      @YourHoss 4 years ago

      Cloud Advocate I checked into it after commenting and it actually has an error message warning you that it doesn’t work. I then found that they’ve added a bq command to gcloud, hidden behind an alpha command. I surmised that they’re planning to deprecate bq, and the alpha bq does seem to work with impersonation.

    • @CloudAdvocate
      @CloudAdvocate  4 years ago

      Thank you, I will make a note.

  • @sanjaydhanwani6752
    @sanjaydhanwani6752 1 year ago

    You say in this video that you created a key in the last video, but that is not true. In the last video you specifically mentioned that you are not going to create the key.

  • @nanditasahu2358
    @nanditasahu2358 2 years ago

    Amazing.