What you need

To complete this lab, you need:

Internet access

Access to a supported Internet browser:

What you do

What you learn

Step 1

Navigate to the IAM & Admin console.

Console: Products and Services > IAM & Admin > IAM

Step 2

Click the add icon and explore the roles in the drop-down menu.

Step 3

Note the various roles associated with each resource by navigating the roles menu.

In this lab you are going to assign narrow permissions to service accounts and learn how to use the service account actor role.

Step 1 Create a bucket

Create a GCS bucket with a unique name.

Console: Products and Services > Storage > Browser

Click on [+ Create Bucket].

Property

Value

Name:

globally unique name

Default storage class:

Multi-Regional

Note the bucket name. It will be used in a later step.

Step 2 Upload a sample file

Click on [Upload Files].

Upload a sample file (any text or html file will do).

Click on the three dots at the end of the line containing the file and select Rename.

Rename the file to sample.txt

Step 3 Create a service account

Create a new service account called "read-bucket-objects" by navigating to the service account menu. Create an account, and grant it the Storage Object Viewer role.

Console: Products and Services > IAM & Admin > Service Accounts

Click on [+ Create Service Account]

Property

Value

Service account name:

read-bucket-objects

Role:

Storage > Storage Object Viewer

Click [Create].

Step 4 Add the user to the service account

Select the service account you just created.

Click [Permissions].

Click [Add Members].

Property

Value

Add members:

altostrat.com

Role: (pull-down menu)

Service Account Actor

Click [Add].

Step 5 Grant Compute Engine access

Give the entire organization the Compute Engine Instance Admin role.

Console: Products and Services > IAM & Admin > IAM

Click [Add].

Property

Value

Add members:

altostrat.com

Role: (pull-down menu)

Compute Engine > Compute Instance Admin

Click [Add].

Step 6 Create a VM with Service Account Actor

Console: Products and Services > Compute Engine > VM instances

Click on [Create Instance]

Property

Value

Name:

demoiam

Zone:

us-central1-c

Machine type:

micro (1 shared vCPU)

Service account:

read-bucket-objects

Step 1 Use the Service Account Actor

SSH into the instance from the console.

Try the following:

$ gcloud compute instances list
ERROR: (gcloud.compute.instances.list) Some requests did not succeed:
 - Required 'compute.instances.list' permission for 'projects/train-infra'

What happened? Why?

Now try to copy the sample.txt file from the bucket you created earlier.

$ gsutil cp gs://<bucket_name>/sample.txt .
Copying gs://train-test-iam/sample.txt...
/ [1 files][    0.0 B/    0.0 B]    

Rename the file you copied.

$ mv sample.txt sample2.txt

Copy it back to the bucket.

$ gsutil cp sample2.txt gs://<bucket_name>
AccessDeniedException: 403 Caller does not have storage.objects.create access to bucket train-test-iam.

Step 2 What happened?

Because you SSH'ed into the instance, you can "act as the service account" essentially assuming the same permissions.

The service account the instance was started with had the storage viewer role which permits downloading objects from GCS buckets in the project.

To list instances in a project, you need to grant the compute.instance.list permission. As the Service account did not have this permission, you were unable to list instances running in the project.

As the service account did have permission to download objects, it could download an object from the bucket. It did not have permission to write objects so you got a 403 access denied.

┬ęGoogle, Inc. or its affiliates. All rights reserved. Do not distribute.