Service Account Impersonation in Google Cloud - IAM in GCP

  • Published: Oct 22, 2024

Comments • 45

  • @CloudAdvocate  4 years ago +1

    Please go back to my terraform videos and try this out.

  • @shaileshchaskar6093  3 years ago

    Amazing, this was a very advanced concept, well explained in the best possible simple way. Your demos are the best attribute of your videos. Thanks again.

  • @harshinigadige5829  3 years ago

    That's a short and comprehensive video. To the point. Great work and keep going!!

  • @giri455161  2 years ago

    Very informative lecture. Thank you very much for your time towards us.

  • @michi-dl5sm  1 year ago +1

    Does service account impersonation work for users accessing GCP resources via third-party apps (say VS Code or Jenkins) installed on machines outside GCP, or in this case is it necessary to add the keys to those third-party tools?
    I am not able to map this demo to those use cases.

  • @SannanTheTraveller  4 years ago +2

    Here is my scenario:
    I want to create a service account for each new incoming customer using Terraform, and based on his own service account I should be able to create GCP resources and destroy them whenever needed.
    After this video, I think what I can do is simply create a service account and add new customers as members of it, and using the same Terraform script I can tf-apply using their own token.
    Question: how do I use this token in Terraform?

    • @CloudAdvocate  4 years ago +1

      export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
      terraform apply

  • @dipk.mishra  5 months ago

    Can I use this for authentication purposes as well?

  • @radhikachabra4923  4 years ago

    Thanks for sharing, great stuff. I'd like to ask: I am pretty new to GCP and I am planning to go for certification. Should I go for an Associate or Professional? I have heard from so many people that both of them cover the same level of questions. Please share your thoughts.

    • @CloudAdvocate  4 years ago

      Hi Radhika, both do not have the same level of questions. Associate has more hands-on and commands etc., whereas GCPA has more solutioning sort of questions... you can directly go for Professional if that's what you are interested in :)

  • @sanjoydey8378  1 year ago

    After creating the SA, you added a member (mail) for this SA. How will this mail work for authentication purposes to gcloud?

  • @sangeetha25  4 years ago +2

    We want to publish events to a pub sub topic in GCP, which is hosted by a different application, from our application on AWS (EKS). We are searching for options to access the service account tokens from AWS. We have been provided a service account by the GCP team with the publish role. Will this be applicable for my scenario if I have the token creator role for the above provided service account, or should I create a new service account with the token creator role for accessing the token, or should I create a user specifically to be used for this purpose? Basically I am searching to see what user I should use for accessing from outside GCP, and any prerequisite for getting the user created, and how I can tie the user to my AWS application. Please provide your thoughts and suggestions for the same.

    • @CloudAdvocate  4 years ago

      Hi Sangeetha, since this is continuous service-to-service communication, I would suggest using the service account itself with only Pub/Sub permissions. Anything that's user-related could create issues when the user is leaving the organization. For more security you could try using Vault.

  • @shreyas_shah  4 years ago +1

    Sir, I'm a fresher placed in Accenture ICI (Intelligent Cloud & Infrastructure) IT Operations. I want to develop a career in Cloud. Will it be possible, since the role is IT Operations?

    • @CloudAdvocate  4 years ago

      Yes, you can be an operations engineer on cloud.

  • @EshwarNorthEast  3 years ago

    I have a use case where I want Cloud Build to SSH into a VM and run gcloud commands.
    The VM doesn't have access to many resources, but the Cloud Build service account has. Is there a way to do this?

  • @krishnamahavadi5306  2 years ago

    Hello GK,
    I liked the information and the way you explained very much. I have a question for you. I couldn't find any answer no matter how many times I went through the documents. I am the only person on my project, so I am the owner of the project and have all the permissions. When I create a service account, I can set a role and give permissions to it. What is the guarantee that only that account can create and view the objects? I too can do it, as I have all permissions. Can you please explain how I can make my permissions fewer? I seem to have nearly 6000 permissions. I have a project where I read data, analyze it and download the results without downloading the data. The organization that is supplying the data wants OAuth 2 authorization of my account and the service account. Please help me with this. I don't have an organization.
    Thanks

  • @PavithranB-u3h  4 months ago

    How can I use service account impersonation in production?
    There I am not able to log in daily.

  • @TradeWithCodeOfficial  3 years ago

    Hi, would it be possible for you to show a demo of SA impersonation for the BigQuery bq utility? I am trying but it is not working. Thanks.

  • @akliluabay6392  4 years ago

    Hi, I learned a great thing with confidence from you, and I am also on the path of learning. I am expecting a lot from you in order to pass the ACE from GCP.

    • @CloudAdvocate  4 years ago +1

      Thank you ☺️, I will do my best.

  • @kavinkkm  2 years ago

    Hi,
    After impersonating the SA, how do we ingest metadata from other projects?
    Please suggest and send me any gcloud command.

  • @gemini_537  3 years ago

    What's the difference between giving the user the role of ServiceAccountUser vs ServiceAccountTokenCreator?

    • @CloudAdvocate  3 years ago

      I can explain it here, but cloud.google.com/iam/docs/service-accounts gets you a solid understanding :).

  • @darkrycybertech4024  9 months ago

    Hello sir, how can I use Google Cloud service account credentials like a private key?

  • @healthvative5315  3 years ago

    Will a service account allow adding/removing multiple users in it? Can I give a service account permission to import/export images and create/delete instances?

    • @CloudAdvocate  3 years ago

      Yes, you can assign permissions to a service account.

  • @rajeshrajkumar13  2 years ago

    How do I create projects using a service account?

  • @SaiDileepfantasy  3 years ago

    Interesting

  • @amitprakashsrivastava5707  4 years ago

    Hi, can I generate an access token from the Google Cloud Console (w/o using gcloud/gsutil commands)? If yes, how?

    • @CloudAdvocate  4 years ago

      You can generate OAuth 2.0 credentials from console.developers.google.com/. This is useful when you create applications etc., not in general for service communication.

  • @Floyergilmour  3 years ago

    Does anyone get the error:
    ERROR: (gcloud.config.set) Section [auth] has no property [impersonate-service-account].

  • @krishnarajan319  3 years ago

    How can Cloud Build use auto deploy on GitLab? Please help me.

  • @abdulshaikh6807  4 years ago

    Sir, did you create your own T-shirt?

  • @hamsavlogs4835  4 years ago

    Do we have to learn JSON for MS Azure Cloud?

  • @sanjaydhanwani6752  11 months ago

    You say in this video that you created a key in the last video, but that is not true. In the last video you specifically mentioned that you are not going to create the key.

  • @nanditasahu2358  2 years ago

    Amazing.

  • @YourHoss  4 years ago

    What about the bq command?

    • @CloudAdvocate  4 years ago

      Impersonation is not supported for bq yet.

    • @YourHoss  4 years ago

      Cloud Advocate I checked into it after commenting and it actually has an error message warning you that it doesn’t work. I then found that they’ve added a bq command to gcloud, hidden behind an alpha command. I surmised that they’re planning to deprecate bq, and the alpha bq does seem to work with impersonation.

    • @CloudAdvocate  4 years ago

      Thank you, I will make a note.