Archives for Google Cloud Platform
Sample GKE constraints for common use cases
The following sections provide the syntax of some custom constraints that you might find useful (listed as Description / Constraint syntax): Do not disable node auto-upgrade…
Editor Role in GCP – Beware of Service Account Privileges
While only an Owner can create service accounts, an Editor can still manipulate existing service accounts. If a project contains service accounts, the Editor role grants permission to create…
GKE Control Plane and Public IPs and Private Service Connect
By default, when you create a public cluster, GKE assigns an external IP address (external endpoint) to the control plane and provisions public nodes. This means that any VM with…
Short lived access tokens in GCP – Service account impersonation
Service account keys provide long-lived access, but one often needs to grant only short-term access to GCP resources. That is what service account impersonation provides. Service account impersonation requires two service…
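The exchange behind impersonation, as an added example that is not part of the original post: the caller (a user or a source service account) presents its own access token to the IAM Credentials API and receives a short-lived token that acts as the target service account. The caller must hold roles/iam.serviceAccountTokenCreator on the target. The function names, the 300-second lifetime and the environment variables are this example's own choices; the REST endpoint and request shape are those of the iamcredentials.googleapis.com generateAccessToken method.

```python
"""Mint a short-lived access token for a target service account by impersonation.

Added example (not the original post's code). Uses only the standard library and the
IAM Credentials REST API: POST .../serviceAccounts/{TARGET}:generateAccessToken.
"""
import json
import os
import sys
import urllib.request
from datetime import datetime, timezone

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
# Default ceiling for generateAccessToken; longer lifetimes need an org policy extension.
MAX_LIFETIME_S = 3600


def build_generate_token_request(scopes, lifetime_s=300):
    """Request body for generateAccessToken; the API wants the lifetime as '<n>s'."""
    if not scopes:
        raise ValueError("at least one OAuth scope is required")
    if not 1 <= lifetime_s <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime must be between 1 and {MAX_LIFETIME_S} seconds")
    return {"scope": list(scopes), "lifetime": f"{lifetime_s}s"}


def _parse_rfc3339(ts):
    """Parse a timestamp like 2024-05-01T10:05:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def seconds_until_expiry(response, now_rfc3339=None):
    """Seconds the returned token stays valid, from the response's expireTime field."""
    expire = _parse_rfc3339(response["expireTime"])
    now = _parse_rfc3339(now_rfc3339) if now_rfc3339 else datetime.now(timezone.utc)
    return int((expire - now).total_seconds())


def impersonate(caller_token, target_sa, scopes, lifetime_s=300):
    """Exchange the caller's token for a short-lived token as target_sa (network call).

    The caller needs roles/iam.serviceAccountTokenCreator on target_sa.
    """
    url = f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{target_sa}:generateAccessToken"
    body = json.dumps(build_generate_token_request(scopes, lifetime_s)).encode()
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {caller_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # {"accessToken": "...", "expireTime": "..."}


if __name__ == "__main__":
    # Assumed environment variables for this example: the caller's token
    # (e.g. the output of `gcloud auth print-access-token`) and the target SA email.
    caller_token = os.environ.get("CALLER_TOKEN")
    target_sa = os.environ.get("TARGET_SA")
    if not caller_token or not target_sa:
        sys.exit("set CALLER_TOKEN and TARGET_SA")
    out = impersonate(caller_token, target_sa,
                      ["https://www.googleapis.com/auth/cloud-platform"])
    # The token lives in memory only; there is no key file to rotate or leak.
    print(f"short-lived token obtained, valid for {seconds_until_expiry(out)}s")
```

The same exchange is what `gcloud auth print-access-token --impersonate-service-account=TARGET_SA` performs for you; the point of the script is that the result is a bearer token with a fixed expiry rather than a downloadable key.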
Using only Trusted Images in GCP Projects
Step 1 - Create a separate project and store all hardened images in it. Step 2 - Enforce the org policy that defines the trusted image project. This will ensure…
OS patch management on GCP Compute Engine VMs
The VM Manager API is the service to use; enable the OS Patch Management feature there.
Service Account Key Rotation in GCP
Create a new service account key, switch applications to use the new key, then destroy the old key.
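The three rotation steps against the IAM REST API, as an added example that is not code from the original post. Step 1 creates the new key, step 2 (the application cutover) happens outside the script, and step 3 deletes only user-managed keys older than a rotation window, so a key that was just issued is never removed. The 90-day window, the function names and the constructed sample key list are this example's own assumptions; the endpoints and field names are those of the iam.googleapis.com serviceAccounts.keys methods.

```python
"""Rotate a service account's user-managed keys with the IAM REST API.

Added example (not the original post's code). Standard library only.
"""
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

IAM = "https://iam.googleapis.com/v1"


def _parse_rfc3339(ts):
    """Parse a timestamp like 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _call(method, url, token, body=None):
    """Minimal authenticated JSON call; DELETE returns an empty body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def keys_due_for_rotation(keys, now, max_age_days=90):
    """Names of USER_MANAGED keys created more than max_age_days ago.

    SYSTEM_MANAGED keys are rotated by Google and cannot be deleted, so they are skipped.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [k["name"] for k in keys
            if k.get("keyType") == "USER_MANAGED"
            and _parse_rfc3339(k["validAfterTime"]) < cutoff]


def list_user_managed_keys(token, sa_email):
    url = f"{IAM}/projects/-/serviceAccounts/{sa_email}/keys?keyTypes=USER_MANAGED"
    return _call("GET", url, token).get("keys", [])


def create_key(token, sa_email):
    """Step 1: create a key. privateKeyData (base64 JSON credentials) is returned only once."""
    url = f"{IAM}/projects/-/serviceAccounts/{sa_email}/keys"
    out = _call("POST", url, token, {"privateKeyType": "TYPE_GOOGLE_CREDENTIALS_FILE",
                                     "keyAlgorithm": "KEY_ALG_RSA_2048"})
    return out["name"], base64.b64decode(out["privateKeyData"])


def retire_old_keys(token, sa_email, now=None, max_age_days=90):
    """Step 3: run only after the application has switched to the new key (step 2).

    Returns the names of the keys that were deleted.
    """
    now = now or datetime.now(timezone.utc)
    old = keys_due_for_rotation(list_user_managed_keys(token, sa_email), now, max_age_days)
    for name in old:
        _call("DELETE", f"{IAM}/{name}", token)  # name is projects/.../keys/KEY_ID
    return old


# Constructed sample, shaped like a serviceAccounts.keys.list response (not real keys).
SAMPLE_SA = "projects/demo-proj/serviceAccounts/app@demo-proj.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{SAMPLE_SA}/keys/key-old", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-01T00:00:00Z"},
    {"name": f"{SAMPLE_SA}/keys/key-new", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-04-20T00:00:00Z"},
    {"name": f"{SAMPLE_SA}/keys/key-google", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2023-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    # Offline dry run over the constructed sample: only the 121-day-old key is due.
    due = keys_due_for_rotation(SAMPLE_KEYS, _parse_rfc3339("2024-05-01T00:00:00Z"))
    print("keys due for deletion:", due)
```

Run `create_key` first, deliver the returned credentials to the application (for example through Secret Manager rather than a file on disk), confirm the application authenticates with the new key, and only then call `retire_old_keys`; deleting by age before the cutover would break the application.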
Account Level IAM versus Application Level IAM access
Use Case A - You need to implement a central authorization mechanism for users of your app (say, hosted on App Engine). Use Case B - You need to implement…
Cloud Identity versus Google Workspace
User management in Workspace occurs through (not a cloud console). However, with Cloud Identity, you can now manage users directly from the GCP console. This means that there are two…
Synchronizing Users versus Federating Users in GCP
From your corporate AD, you have two options to bring your users into GCP: Federation = use Cloud Identity to accomplish this; Synchronization = use Google Cloud Directory Sync…