Configure Service Accounts and IAM Roles for Google Cloud
Configure Service Accounts and IAM for Google Cloud: Challenge Lab
ARC134
Overview
In a challenge lab you’re given a scenario and a set of tasks. Instead of following step-by-step instructions, you will use the skills learned from the labs in the course to figure out how to complete the tasks on your own! An automated scoring system (shown on this page) will provide feedback on whether you have completed your tasks correctly.
When you take a challenge lab, you will not be taught new Google Cloud concepts. You are expected to extend your learned skills, like changing default values and reading and researching error messages to fix your own mistakes.
To score 100% you must successfully complete all tasks within the time period!
In this challenge lab, you will use Gemini to help you complete the given tasks.
Gemini for Google Cloud is an always-on AI collaborator that provides help to users of all skill levels where they need it. In this lab, you use Gemini to get the information you need to create resources in the tasks.
Setup and requirements
Before you click the Start Lab button
Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.
This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.
To complete this lab, you need:
- Access to a standard internet browser (Chrome browser recommended).
- Time to complete the lab. Remember, once you start, you cannot pause a lab.
Challenge scenario
You are starting your career as a junior cloud architect. In this role, you have been assigned to work on a team project that requires you to use service accounts, configure IAM permissions using the gcloud command line interface (CLI), add custom roles, and use the client libraries to access BigQuery from a service account.
You are expected to have the skills and knowledge to complete the tasks that follow. You can also use Gemini to help identify CLI commands or steps to complete the tasks.
Your challenge
For this challenge, you are asked to create a service account, assign required roles, configure IAM permissions using the gcloud CLI, create a custom role using a YAML file, and use the client libraries to access BigQuery from a service account.
You are asked to:
- Configure a service account using the gcloud CLI.
- Grant IAM permissions to a service account using the gcloud CLI.
- Create a compute instance using the service account.
- Create a custom role using a YAML file.
- Use the client libraries to access BigQuery from a service account.
For this challenge lab, a virtual machine (VM) instance named
Create all the resources in
Each task is described in detail below. Good luck!
Task 1. Enable and Explore Gemini (optional)
Task 2
.
Since you are going to use Gemini, let's quickly enable and explore it.
In this task, you use the Gemini pane to enter prompts and view the responses from Gemini. Prompts are questions or statements that describe the help that you need. Prompts can include context from existing code that Google Cloud analyzes to provide more useful or complete responses. For more information on writing prompts to generate good responses, see Write better prompts for Gemini.
To prompt Gemini about Google Cloud services, perform these steps:
- Sign in to the Google Cloud Console.
- Click on the Gemini icon in the top-right corner of the Google Cloud console toolbar.
- Click Start Chatting.
Enter the following prompt:
Task 2. Create a service account using the gcloud CLI
For this task, a VM named lab-vm has already been configured for you to use as you perform the tasks that follow. You will create a service account with the help of Gemini.
- Authenticate in gcloud.
- SSH into the lab-vm VM and configure the gcloud environment for a user, then switch your gcloud configuration to the default.
- Create a service account named devops inside the SSH session.
Hint: Use the prompt in Gemini to fetch the commands to create the resource.
Click Check my progress to verify the objective.
Task 3. Grant IAM permissions to a service account using the gcloud CLI
For this task, you need to assign the required roles to a service account using the gcloud CLI.
- Since you will use the project ID and the service account multiple times, it is a good idea to export the project ID and service account into local variables.
- Similarly, store the service account email address in a local variable called SA.
- To complete this task, SSH into the lab-vm VM, and give the service account the role of iam.serviceAccountUser with the permissions compute.instanceAdmin.
Hint: Use the prompt in Gemini to fetch the commands to create the resource.
Click Check my progress to verify the objective.
Task 4. Create a compute instance with a service account attached using gcloud
For this task, a VM named lab-vm has already been configured for you. SSH into the lab-vm VM to start.
- Create a compute instance named vm-2 with the devops service account attached that you created in Task 2.
- SSH into the vm-2 VM instance. Try to create and list an instance from vm-2 to verify you have the necessary permissions via the service account.
Hint: Use the prompt in Gemini to fetch the commands to create the resource.
Click Check my progress to verify the objective.
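Tasks 2 through 4 written as one script. This is an added example, not the lab's own solution. The PROJECT_ID and ZONE defaults are placeholders (the lab's project and zone are not shown on this page), the cloud-platform scope is an assumption, and with DRY_RUN=1 (the default) the script only prints the gcloud commands so they can be reviewed first.

```bash
#!/bin/sh
# Added example: create the devops service account, bind its roles, attach it to vm-2.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"  # placeholder, not from the lab
ZONE="${ZONE:-us-central1-a}"                # placeholder, not from the lab
SA_NAME="devops"
SA="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"

# Print the command when DRY_RUN=1, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --display-name "$SA_NAME" --project "$PROJECT_ID"
}

# A project-level iam.serviceAccountUser binding lets the member act as any
# service account in the project. The lab asks for it; outside a lab, bind the
# role on the single service account that needs to be impersonated.
grant_roles() {
  for role in roles/iam.serviceAccountUser roles/compute.instanceAdmin; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member "serviceAccount:${SA}" --role "$role"
  done
}

create_vm() {
  run gcloud compute instances create vm-2 --project "$PROJECT_ID" \
    --zone "$ZONE" --service-account "$SA" --scopes cloud-platform
}

# List the roles actually bound to the service account, to confirm that
# nothing broader than the two intended roles is present.
show_bindings() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten "bindings[].members" \
    --filter "bindings.members:serviceAccount:${SA}" \
    --format "value(bindings.role)"
}

create_service_account
grant_roles
create_vm
show_bindings
```

Run it with DRY_RUN=0 on lab-vm once the printed commands match what you intend to execute.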
Task 5. Create a custom role using a YAML file
- Create a YAML file named role-definition.yaml that has a custom role definition with the permissions cloudsql.instances.connect and cloudsql.instances.get using Gemini.
- Execute the gcloud command to create a role at the project level using the YAML file.
Hint: Use the prompt in Gemini to fetch the commands to create the resource.
Click Check my progress to verify the objective.
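One way to carry out Task 5, as an added example that is not the lab's own solution: the script writes role-definition.yaml, checks that it grants exactly the two permissions the task names, and only then creates the role. The role ID, title and description are assumptions, and the gcloud call is skipped when gcloud or PROJECT_ID is not available.

```bash
#!/bin/sh
# Added example: write the custom role file, lint it, then create the role.
set -eu

ROLE_FILE="${ROLE_FILE:-role-definition.yaml}"
ROLE_ID="${ROLE_ID:-customCloudSqlConnect}"  # hypothetical role ID

write_role_definition() {
  cat > "$1" <<'EOF'
title: Custom Cloud SQL Connect
description: Connect to and read Cloud SQL instances only
stage: GA
includedPermissions:
- cloudsql.instances.connect
- cloudsql.instances.get
EOF
}

# Print the entries under includedPermissions, one per line, sorted.
role_permissions() {
  awk '/^includedPermissions:/ {inlist=1; next}
       inlist && /^[[:space:]]*-[[:space:]]*/ {
         sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
       inlist && /^[^[:space:]#]/ {inlist=0}' "$1" | sort
}

# Succeed only if the file grants exactly the two permissions from Task 5.
check_role_definition() {
  expected="cloudsql.instances.connect
cloudsql.instances.get"
  [ "$(role_permissions "$1")" = "$expected" ]
}

create_role() {
  gcloud iam roles create "$ROLE_ID" --project "$PROJECT_ID" --file "$1"
}

write_role_definition "$ROLE_FILE"
check_role_definition "$ROLE_FILE" || {
  echo "unexpected permissions in $ROLE_FILE" >&2; exit 1; }
if command -v gcloud >/dev/null 2>&1 && [ -n "${PROJECT_ID:-}" ]; then
  create_role "$ROLE_FILE"
else
  echo "role definition OK; set PROJECT_ID and run where gcloud is installed"
fi
```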
Task 6. Use the client libraries to access BigQuery from a service account
For this task, you will query the BigQuery public datasets from an instance with the help of a service account which has the necessary roles configured. Log in to the Google Cloud console using the username and password provided.
- Create a service account named bigquery-qwiklab and assign it the role of BigQuery Data Viewer as BigQuery User.
- Create a VM instance named bigquery-instance using the service account bigquery-qwiklab.
- SSH into the bigquery-instance and install the dependencies.
- Use the following code to create a Python file.
- Replace the PROJECT_ID and SERVICE_ACCOUNT variables with your credentials and run the file using a Python3 command.
- Execute the Python file that is created in the above step.
Hint: Use the prompt in Gemini to fetch the commands to create the resource.
Click Check my progress to verify the objective.
Congratulations!
Congratulations! You have successfully created Google Cloud service accounts, assigned roles to service accounts, configured IAM permissions using the gcloud CLI, and created a custom role with the help of the Gemini prompt.
Manual Last Updated July 17, 2024
Lab Last Tested July 17, 2024
Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.