
GCP & Workspace 101

  • GCP delivers IaaS, PaaS and SaaS on the same infrastructure that runs YouTube and Workspace.
  • Google Workspace (formerly G Suite) is Google's SaaS productivity suite.
  • Google pioneered Zero Trust (BeyondCorp) and has since acquired Mandiant and Wiz.
    • ![[Attachments/Pasted image 20260303151947.png]]
  • ![[Attachments/Pasted image 20260303152020.png]]

GCP Hierarchy

  • GCP resources are organized in a hierarchy; IAM policies set at a higher level are inherited by everything below it.
    • Org > Folder > Project > Resources
    • ![[Attachments/Pasted image 20260303152843.png]]
    • ![[Attachments/Pasted image 20260303152445.png]]
  • Personal (consumer) accounts: defaults
    • ![[Attachments/Pasted image 20260303152954.png]]
  • Workspace / Cloud Identity accounts: defaults
    • ![[Attachments/Pasted image 20260303153024.png]]
    • every user in the domain is granted roles/resourcemanager.projectCreator at the organization level by default; this is usually too much privilege, so remove that binding and grant it to a small group instead

GCP IAM Principals

  • Principals are identities that can access and manage resources.
    • principals - users, groups, service accounts and domains - are each uniquely identified by an email-like string, e.g. user:alice@example.com, group:devs@example.com, serviceAccount:name@project.iam.gserviceaccount.com, domain:example.com
  • IAM policies bind principals to roles on resources: who (principal) can perform what actions (role) on which resource.
    • roles bundle permissions, and bindings can be placed at org, folder, project or resource level, which gives fine-grained access
  • ![[Attachments/Pasted image 20260303153550.png]]
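To make the "who can do what on what" structure concrete, here is an added example (mine, not from the notes or from Google) that resolves the roles an IAM policy grants to a principal. SAMPLE_POLICY is a constructed policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`; the member prefixes are the real GCP syntax, while the helper names, the sample emails and the simplification that `domain:` matches by email suffix are my own assumptions.

```python
"""Resolve which roles an IAM policy grants to a principal (added example)."""
import json

# Constructed sample policy, same shape as `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/viewer",
     "members": ["group:devs@example.com", "domain:example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["serviceAccount:ci@gr-prod-1.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz",
  "version": 1
}
""")

# Special members that grant access to the whole internet / every Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def member_matches(member, principal, groups):
    """True if a binding member covers `principal`.

    principal: a member string such as "user:bob@example.com"
    groups:    emails of the groups the principal belongs to; the caller must
               supply these because the policy itself does not expand groups.
    """
    if member in PUBLIC_MEMBERS:
        return True
    kind, _, ident = member.partition(":")
    if kind == "group":
        return ident in groups
    if kind == "domain":
        # Assumption: every account whose email ends in the domain belongs to
        # that Workspace domain (good enough for an audit script).
        return principal.split(":", 1)[1].endswith("@" + ident)
    return member == principal


def roles_for(policy, principal, groups=frozenset()):
    """Roles granted to `principal` directly, via group, via domain or publicly."""
    return {
        b["role"]
        for b in policy["bindings"]
        if any(member_matches(m, principal, groups) for m in b["members"])
    }


def public_bindings(policy):
    """Roles handed to allUsers / allAuthenticatedUsers; almost always a finding."""
    return {b["role"] for b in policy["bindings"] if PUBLIC_MEMBERS & set(b["members"])}


if __name__ == "__main__":
    print(roles_for(SAMPLE_POLICY, "user:bob@example.com", {"devs@example.com"}))
    print(public_bindings(SAMPLE_POLICY))
```

Bob, who is not named in any binding, still ends up with viewer (through the group and the domain) plus objectViewer (through `allUsers`), which is exactly the kind of indirect grant a reviewer has to chase through groups and domain-wide bindings rather than read off the policy.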

Service Accounts

  • Non-human identities that apps, VMs and services use to authenticate and access resources.
    • they act like users, within a project or across projects
  • A service account key file (JSON) holds the project ID, the service account email and an RSA private key, and can be used to authenticate:
    • gcloud auth activate-service-account --key-file=key.json
  • Key creation is disabled by default in newer organizations (org policy constraint iam.disableServiceAccountKeyCreation, part of Google's secure-by-default policies); older organizations have to enforce it themselves.
    • a leaked key is a serious issue: keys do not expire until they are deleted (unless an expiry is enforced with iam.serviceAccountKeyExpiryHours), and anyone holding the file can act as the service account.
  • Google recommends service account impersonation or Workload Identity Federation instead of key files.
  • Key files are still common in the real world because they are very convenient.
  • e.g.:
    • ![[Attachments/Pasted image 20260303155135.png]]
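Since the risk with key files is that they never expire, the check a practitioner wants is an audit of every user-managed key on a service account. The following is an added example (my own, not from the notes or from Google's tooling). KEYS_JSON is a constructed sample in the shape printed by `gcloud iam service-accounts keys list --iam-account SA --format=json` (the field names are the real API fields); the fixed NOW, the 90-day rotation window and the helper names are my assumptions.

```python
"""Flag risky user-managed service account keys (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample, same shape as `gcloud iam service-accounts keys list --format=json`.
KEYS_JSON = """[
  {"name": "projects/gr-prod-1/serviceAccounts/security-audit@gr-prod-1.iam.gserviceaccount.com/keys/a1b2",
   "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
   "validAfterTime": "2023-01-10T09:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/gr-prod-1/serviceAccounts/security-audit@gr-prod-1.iam.gserviceaccount.com/keys/c3d4",
   "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "SYSTEM_MANAGED",
   "validAfterTime": "2026-02-20T00:00:00Z", "validBeforeTime": "2026-03-08T00:00:00Z"},
  {"name": "projects/gr-prod-1/serviceAccounts/security-audit@gr-prod-1.iam.gserviceaccount.com/keys/e5f6",
   "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
   "validAfterTime": "2026-02-01T00:00:00Z", "validBeforeTime": "2026-05-01T00:00:00Z", "disabled": true},
  {"name": "projects/gr-prod-1/serviceAccounts/security-audit@gr-prod-1.iam.gserviceaccount.com/keys/g7h8",
   "keyAlgorithm": "KEY_ALG_RSA_2048", "keyOrigin": "GOOGLE_PROVIDED", "keyType": "USER_MANAGED",
   "validAfterTime": "2026-02-20T00:00:00Z", "validBeforeTime": "2026-05-20T00:00:00Z"}
]"""

# Constructed "current time" so the run is reproducible (assumption, not a real clock).
NOW = datetime(2026, 3, 4, tzinfo=timezone.utc)
# validBeforeTime that Google reports for keys that were created without an expiry.
NEVER = "9999-12-31T23:59:59Z"


def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps used in the key list."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys, now=NOW, max_age_days=90):
    """Return {key_id: [reasons]} for USER_MANAGED keys that need action.

    SYSTEM_MANAGED keys are rotated by Google and skipped. Every USER_MANAGED
    key is a downloadable, long-lived credential, so each one is checked for
    the properties that make a leak worse.
    """
    findings = {}
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        reasons = []
        if key.get("validBeforeTime") == NEVER:
            reasons.append("never expires")
        age = (now - parse_ts(key["validAfterTime"])).days
        if age > max_age_days:
            reasons.append(f"age {age}d exceeds {max_age_days}d rotation window")
        if key.get("disabled"):
            reasons.append("disabled but not deleted (can be re-enabled)")
        if key.get("keyOrigin") == "USER_PROVIDED":
            reasons.append("user-uploaded key (private half never held by Google)")
        if reasons:
            findings[key["name"].rsplit("/", 1)[1]] = reasons
    return findings


def audit_sample():
    """Run the audit over the constructed sample."""
    return audit_keys(json.loads(KEYS_JSON))


if __name__ == "__main__":
    for key_id, reasons in audit_sample().items():
        print(key_id, "->", "; ".join(reasons))
```

Against real data, pipe the `gcloud ... keys list --format=json` output into `audit_keys`; a key that is flagged "never expires" and well past the rotation window is the case the notes warn about, and the fix is `gcloud iam service-accounts keys delete` after the workload has moved to impersonation or Workload Identity Federation.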

Service Account Authentication

  • You can use a valid access token for a service account instead of the key file (for example, one minted through impersonation with gcloud auth print-access-token --impersonate-service-account=SA).
  • Two ways to hand the token to gcloud:
  • saving the token in a file
    • gcloud projects list --access-token-file=token.txt
      • the file must contain only the bare token, not the JSON it came wrapped in
    • gcloud config set auth/access_token_file token.txt
    • gcloud config unset auth/access_token_file
  • saving the token in an environment variable
    • export CLOUDSDK_AUTH_ACCESS_TOKEN="ya29..."
    • gcloud iam service-accounts describe security-audit@gr-prod-1.iam.gserviceaccount.com
  • These access tokens (ya29...) are opaque OAuth2 tokens, not JWTs: pasting one into jwt.io decodes nothing. To learn what a token is good for (scopes, expiry, the service account email), query the tokeninfo endpoint with it.
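The two token-handling points above (the file must hold only the bare token, and ya29 tokens are opaque rather than decodable JWTs) are easy to get wrong, so here is an added example of my own, not code from the notes or from gcloud, that loads a token with gcloud's precedence (environment variable first, then token file), rejects a file that holds JSON instead of a bare token, and classifies a token as JWT or opaque. CLOUDSDK_AUTH_ACCESS_TOKEN and the token file are real gcloud mechanisms; the token values are constructed (the `ya29.` prefix is real, the rest is fake) and the helper names are mine.

```python
"""Load and classify a GCP access token the way the notes describe (added example)."""
import base64
import json

ENV_VAR = "CLOUDSDK_AUTH_ACCESS_TOKEN"  # real gcloud environment variable


def extract_token(text):
    """Return the bare token from a token file's contents.

    gcloud's --access-token-file expects only the token. A file holding JSON
    (for example an OAuth2 token response with an access_token field) will not
    work, so reject it and say which value should have been saved instead.
    """
    body = text.strip()
    if not body:
        raise ValueError("token file is empty")
    if body.startswith("{"):
        data = json.loads(body)
        key = next((k for k in ("access_token", "token") if k in data), None)
        raise ValueError(f"file holds JSON, not a bare token; save only the {key!r} value")
    if any(c.isspace() for c in body):
        raise ValueError("token file must contain a single token on one line")
    return body


def resolve_token(environ, read_file, path=None):
    """Mimic gcloud's precedence: the env var wins, then the configured token file."""
    if environ.get(ENV_VAR):
        return environ[ENV_VAR].strip()
    if path:
        return extract_token(read_file(path))
    raise LookupError(f"no token: set {ENV_VAR} or configure auth/access_token_file")


def _b64url_json(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_kind(token):
    """'jwt' for a decodable JWT (e.g. a Google ID token), 'opaque' for a ya29 access token."""
    parts = token.split(".")
    if len(parts) == 3:
        try:
            header = parts[0] + "=" * (-len(parts[0]) % 4)
            if "alg" in json.loads(base64.urlsafe_b64decode(header)):
                return "jwt"
        except (ValueError, UnicodeDecodeError):
            pass  # not a JWT header; fall through
    return "opaque" if token.startswith("ya29.") else "unknown"


# Constructed sample tokens (assumptions): a fake ya29 access token and a fake,
# unsigned ID token whose payload is readable but whose signature is garbage.
SAMPLE_ACCESS_TOKEN = "ya29.a0AfH6SMC-constructed-not-a-real-token"
SAMPLE_ID_TOKEN = ".".join([
    _b64url_json({"alg": "RS256", "typ": "JWT"}),
    _b64url_json({"iss": "https://accounts.google.com",
                  "email": "security-audit@gr-prod-1.iam.gserviceaccount.com"}),
    "c2lnbmF0dXJl",
])


if __name__ == "__main__":
    print(token_kind(SAMPLE_ACCESS_TOKEN), token_kind(SAMPLE_ID_TOKEN))
    print(resolve_token({ENV_VAR: SAMPLE_ACCESS_TOKEN}, lambda p: "", "token.txt"))
```

The classifier is why jwt.io is the wrong tool for a ya29 token: there is no header segment to decode, and the only authoritative source of a token's scopes and expiry is Google's tokeninfo endpoint, not the string itself.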

Keys to Workload Identity Federation

  • ![[Attachments/Pasted image 20260304143410.png]]

Interacting with GCP

  • GCP Console - point-and-click web UI
  • gcloud - compute resources, IAM roles, networking, GKE clusters
  • gsutil - Cloud Storage tasks such as uploads, downloads, permissions, bucket management, sync and object lifecycle configuration (the newer gcloud storage commands cover the same tasks)