Skip to content


Latest commit

128234c · Jul 9, 2022


95 lines (82 loc) · 3.33 KB

File metadata and controls

95 lines (82 loc) · 3.33 KB

Ensure Access & Identity in Google Cloud: Challenge Lab


  • Create file role-definition.yaml
nano role-definition.yaml
  • Replace [Custom Security Role] with your Role
  • Paste below code in the editor
title: "[Custom Security Role]"
description: "Add and update objects in Google Cloud Storage buckets"
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create

Task 1: Create a custom security role

Note: Replace [Custom Security Role] with your Role

gcloud iam roles create [Custom Security Role] \
   --project $DEVSHELL_PROJECT_ID \
   --file role-definition.yaml

Task 2: Create a service account

Note: Replace [Service Account] with your Service Account

gcloud iam service-accounts create [Security Account] \
   --display-name "Orca Private Cluster Service Account"

Task 3: Bind a custom security role to a service account

Note: Replace [Service Account] with your Service Account And Replace [Custom Security Role] with your Role

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member serviceAccount:[Service Account]@$ \
   --role roles/monitoring.viewer

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member serviceAccount:[Service Account]@$ \
   --role roles/monitoring.metricWriter

gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member serviceAccount:[Service Account]@$ \
   --role roles/logging.logWriter
gcloud projects add-iam-policy-binding $DEVSHELL_PROJECT_ID \
   --member serviceAccount:[Service Account]@$ \
   --role projects/$DEVSHELL_PROJECT_ID/roles/[Custom Security Role]

Task 4: Create and configure a new Kubernetes Engine private cluster

JUMPHOST_IP=$(gcloud compute instances describe orca-jumphost \

Note: Replace [Cluster Name] with your Cluster Name and [Service Account] with your Service Account

gcloud beta container clusters create [Cluster Name] \
   --network orca-build-vpc \
   --subnetwork orca-build-subnet \
   --service-account [Security Account]@$ \
   --enable-master-authorized-networks \
   --master-authorized-networks $JUMPHOST_IP/32 \
   --enable-private-nodes \
   --master-ipv4-cidr $SUBNET_IP_RANGE \
   --enable-ip-alias \

Task 5: Deploy an application to a private Kubernetes Engine cluster

Note: Run Commands in SSH window of orca-jumphost And Replace [Cluster Name] with your Cluster Name

gcloud container clusters get-credentials [Cluster Name] --internal-ip --zone=us-east1-b
kubectl create deployment hello-server

Congratulations! You completed this challenge lab.

Stay tuned till the next blog

If you Want to Connect with Me: