Week 1 - Day 1: GCP Fundamentals & IAM

Day 1: GCP Fundamentals & IAM
1. What is GCP?
GCP (Google Cloud Platform) is Google's public cloud offering that provides services for:
- Compute (e.g., VMs, Kubernetes)
- Storage (e.g., Cloud Storage, Cloud SQL)
- Networking (e.g., VPC, Load Balancer)
- AI/ML, Big Data, DevOps tools
✅ Pay-as-you-go, scalable, reliable, and secure.
2. GCP Global Infrastructure
| Term | Meaning |
| --- | --- |
| Region | A geographical area (e.g., us-central1, asia-south1) |
| Zone | A deployment area inside a region (e.g., us-central1-a) |
| Multi-region | Services that replicate data across multiple regions |
Best Practice: Use multi-zone or multi-region services for high availability.
3. GCP Resource Hierarchy
```
Organization (Optional)
└── Folder (Optional)
    └── Project (Mandatory)
        └── Resources (VMs, Buckets, etc.)
```
- A Project is the main boundary for billing, APIs, permissions, and quotas.
- Resources must belong to a project.
- Each project has a Project ID, Project Name, and Project Number.
4. Billing in GCP
- Billing is linked at the project level.
- You can set budgets, alerts, and quotas to control costs.
- Use Billing Reports to track usage.
- One billing account can be shared across multiple projects.
Try this later:
Go to Billing → Budgets & alerts and create a budget with 50% and 90% thresholds.
5. Identity & Access Management (IAM)
IAM controls who can do what on which resource.
IAM Components
| Component | Description |
| --- | --- |
| Member | User, group, service account, or domain |
| Role | Set of permissions (e.g., compute.instances.list) |
| Policy | Binds members to roles on a resource |
IAM Role Types
| Role Type | Use Case |
| --- | --- |
| Primitive | Owner, Editor, Viewer (legacy; broad access) |
| Predefined | GCP-built (e.g., roles/compute.admin) |
| Custom | You define exactly which permissions are included |
✅ Principle of Least Privilege: Always give minimum required permissions.
Example:
You want a user to just read storage objects in a bucket:
- Assign the Storage Object Viewer role: roles/storage.objectViewer
Service Accounts
- Used by applications/VMs, not humans.
- Acts as an identity for apps to access GCP services securely.
- Attach a service account to a VM or GKE pod to grant it access to APIs (like writing to Cloud Storage).
Practice/Review Questions
What is the fundamental boundary for billing and resources in GCP?
A. Folder
B. Organization
✅ C. Project
D. Region
Which IAM role is more secure and specific?
A. Owner
B. Viewer
✅ C. Predefined role (e.g., Compute Viewer)
D. Editor
What's the best way to allow a VM to access Cloud Storage securely?
- ✅ Use a service account with a storage access role
✅ Summary: Day 1 Key Takeaways
- Understand the resource hierarchy and billing basics.
- Projects are the core unit of work.
- IAM is how access is controlled (Members + Roles + Resources).
- Always apply the least privilege principle.
- Service accounts = app identity.
GCP Day 1 Cheat Sheet: Fundamentals + IAM
1. GCP Global Infrastructure
✅ Key Concepts:
| Term | Example | Description |
| --- | --- | --- |
| Region | us-central1 | A specific geographical location (e.g., Iowa, USA). |
| Zone | us-central1-a | A deployment area within a region. Each region has multiple zones. |
| Multi-region | us or asia | Logical location that spans multiple regions. Used for redundancy. |
Why this matters:
- Deploying across multiple zones = High Availability.
- Multi-region = Great for services needing global redundancy (e.g., Cloud Storage multi-regional buckets).
2. GCP Resource Hierarchy
```
(Optional) Organization
└── (Optional) Folders (for grouping teams/departments)
    └── Project (Required)
        └── Resources (VMs, Buckets, Databases, etc.)
```
✅ Key Points:
- Every resource must be in a project.
- Projects are the core unit for:
  - Billing
  - API enablement
  - Access control
  - Resource management
- Each project has:
  - Project ID (unique, unchangeable)
  - Project Name (editable label)
  - Project Number (system-generated)
3. Billing
- Billing is tied to projects.
- You can:
  - Set budgets and alerts
  - Use labels to track costs by team/service
  - Link multiple projects to one billing account
✅ Tools:
- Billing Reports: Visualize usage.
- Budgets & Alerts: Get notified at 50%, 90%, 100% usage.
- Cost Table Reports: CSV-style data export.
4. Identity and Access Management (IAM)
IAM = Who can do What on Which resource
Components:
| Component | Description |
| --- | --- |
| Member | A user (abc@gmail.com), group, domain, or service account |
| Role | A collection of permissions (e.g., compute.instances.start) |
| Policy | A set of role bindings (i.e., member-role-resource links) |
Role Types
| Type | Description | Example |
| --- | --- | --- |
| Primitive | Broad, legacy roles | Viewer, Editor, Owner |
| Predefined | Google-created, fine-grained | roles/compute.viewer, roles/storage.admin |
| Custom | User-defined | Specific to org needs (e.g., read-only logs access) |
✅ Always prefer Predefined roles unless your use case is highly specific.
How IAM Works
Policy Structure:
```json
{
  "bindings": [
    {
      "role": "roles/storage.admin",
      "members": [
        "user:john@example.com"
      ]
    }
  ]
}
```
- Policies are attached to resources (project, bucket, VM).
- Permissions flow down the hierarchy:
  - If a user has roles/storage.admin on the project, they can manage all buckets inside.
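To make the "permissions flow down the hierarchy" rule concrete, here is an added Python example (not part of this cheat sheet and not Google's code). It models a small, constructed hierarchy (organization → folder → project → bucket), attaches policies in the same `{"bindings": [...]}` shape shown above, and resolves a member's effective roles by walking up the ancestor chain. The role-to-permission map is a deliberately simplified stand-in: real predefined roles carry many more permissions, and real IAM also evaluates deny policies and conditions, which are not modelled here.

```python
"""Resolve effective IAM roles/permissions across a constructed GCP hierarchy.

Added illustration only: the resource tree, policies and ROLE_PERMISSIONS
below are made-up, simplified inputs (assumptions), not Google's data.
"""

# Constructed hierarchy: child -> parent (None marks the top of the tree).
PARENT = {
    "organizations/123": None,
    "folders/eng": "organizations/123",
    "projects/demo-prj": "folders/eng",
    "buckets/demo-logs": "projects/demo-prj",
    "buckets/demo-public-assets": "projects/demo-prj",
    "projects/other-prj": "folders/eng",
}

# Constructed IAM policies, attached at the level where the grant was made.
POLICIES = {
    "projects/demo-prj": {"bindings": [
        {"role": "roles/storage.admin", "members": ["user:john@example.com"]},
    ]},
    "buckets/demo-logs": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["user:alice@example.com"]},
    ]},
}

# Assumption: a tiny subset of each role's real permission list, enough for the demo.
ROLE_PERMISSIONS = {
    "roles/storage.admin": {
        "storage.buckets.create", "storage.buckets.delete",
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create", "storage.objects.delete",
    },
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}


def ancestors(resource):
    """Yield the resource itself, then each parent up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def effective_roles(member, resource):
    """Union of roles bound to `member` on the resource or any of its ancestors.

    This is the inheritance rule: a binding on the project applies to every
    bucket inside it, but a binding on one bucket never climbs upward or
    sideways to sibling resources.
    """
    roles = set()
    for node in ancestors(resource):
        for binding in POLICIES.get(node, {}).get("bindings", []):
            if member in binding["members"]:
                roles.add(binding["role"])
    return roles


def has_permission(member, resource, permission):
    """True if any effective role of `member` on `resource` includes `permission`."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in effective_roles(member, resource))


if __name__ == "__main__":
    john, alice = "user:john@example.com", "user:alice@example.com"
    # Project-level storage.admin reaches every bucket in the project...
    print(has_permission(john, "buckets/demo-logs", "storage.buckets.delete"))          # True
    # ...but not a sibling project under the same folder.
    print(has_permission(john, "projects/other-prj", "storage.buckets.delete"))         # False
    # Bucket-level objectViewer is confined to that one bucket.
    print(has_permission(alice, "buckets/demo-logs", "storage.objects.get"))            # True
    print(has_permission(alice, "buckets/demo-public-assets", "storage.objects.get"))   # False
```

The practical lesson for reviews: when you audit who can touch a bucket, the bucket's own policy is only the bottom of the stack; project, folder and organization bindings all contribute to the effective set, which is why a broad role granted high in the tree is the costliest mistake to make.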
5. Service Accounts (SA)
- Used for apps/scripts/services to interact with GCP securely.
- A non-human identity.
- Has IAM roles just like users.
- Can be attached to:
  - VMs
  - GKE pods
  - Cloud Functions
- GCP uses OAuth tokens or signed keys for SA auth.
Best Practices Summary
| Principle | Best Practice |
| --- | --- |
| Least Privilege | Give minimum access needed, no broad Editor role. |
| Use Service Accounts | For app-to-GCP access. Never share user credentials. |
| Use Predefined Roles | Safer and clearer than primitive roles. |
| Organize with Folders | Helpful in large orgs to group related projects. |
Quick Quiz for You
What's the smallest deployable unit in GCP?
- ✅ Project (everything is created inside it)
Can you create a resource (e.g., VM) without a project?
- ✅ No; every resource needs a project.
How do you grant a VM access to Cloud Storage?
- ✅ Create a Service Account, assign roles/storage.objectViewer, and attach it to the VM.
Written by Taruniyaa S