Posted by Grace Mollison, Solutions Architect
We here at Google Cloud Platform have been busy working on resources to help you manage identity and security on GCP. Here’s what we’ve been up to.
First off, we’ve been listening to customers and have curated a Google Cloud Identity and Access Management FAQ that answers questions such as ‘What does a Cloud IAM policy look like?’ or “To what identities can I grant IAM roles?” The FAQ already lists almost 40 questions, but if you think there’s something missing please let us know.
Google Cloud Resource Manager’s new Organization resource
Several features of Google Cloud Resource Manager are now generally available, including the ability to use the Organization resource. When you use an Organization resource, the projects belong to the business instead of to the employee who created the project. This means that if that employee leaves the company, his or her projects will still belong to the organization. Further, because Organization admins can view and manage all your company’s projects, this eliminates shadow projects and rogue admins.
You can grant roles at the Organization level that apply to all projects under the Organization resource. For example, if you grant the Network Admin role to your networking team at the Organization level, they’ll be able to manage all the networks in all projects in your company, instead of having to grant them the role for individual projects.
Project provisioning fun with the Cloud Resource Manager API
The Google Cloud Resource Manager API now includes a project.create() feature, which allows you to use scripts and applications to automate project provisioning. Maybe you want to plug into a self-service system to allow developers to request new projects, or perhaps you want to integrate the creation of a new project as part of your CI/CD set-up. Using the project.create() API allows you to standardise the configuration of your projects.
Developers should consider creating different templates for different projects. For example, a data analysis project will have a different composition than a compute project. Using different templates simplifies project creation and management by allowing you to simply run the correct script or template to set up the proper project environment. These scripts can also be treated as code amendments to the standard project creation scripts. You can also version control templates, and revert back to them if need be.
The Cloud Resource Manager project.create() API supports the REST interface, RPC interface, client libraries or gcloud library.
Automating project creation with Python
Let’s look at how to use the project.create() API with Python scripts or templates to automate project creation with a user or service account.
A common scenario for automating project creation is within large organizations that have set up an Organization resource.This example focuses on using a service account to automatically create projects.
Create a service account in a designated project under your Organization resource. We recommended a designated project to contain resources that will be used across the projects in your Organization resource. And because service accounts are associated with a project, creating them in a central designated project will help you manage them.
At a minimum the service account needs to have the resourcemanager.projectCreator IAM role. If you need to enable APIs beyond the default, this will require granting the service account the billing user role at the Organization resource level, so that it can attach projects to the organization resource’s billing account. The service account can then enable the required APIs against the project. The billing account must be associated to the organization resource.
Now that you have a service account that you can use to automatically create scripts, go ahead and create a script that follows this flow:
Create a client with the correct scopes. Here’s a code snippet showing how to create a client:
def create_client(http=None):
credentials = oauth2client.GoogleCredentials.get_application_default()
if credentials.create_scoped_required():
credentials = credentials.create_scoped(CRM_SCOPES)
if not http:
http = httplib2.Http()
credentials.authorize(http)
return discovery.build(CRM_SERVICE_NAME, CRM_VERSION, http=http)
Pass your organization ID and a uniquely generated project ID to a function that checks if the project exists by listing projects and looping through them:
Organization_id = str(YOUR-ORG_NUMERIC_ID)
proj_prefix = “your-proj-prefix-” # must be lower case!
proj_id = proj_prefix+”-“+str(random_with_N_digits(6))
#************************
Here’s a snippet showing how to list the projects in your organization:
def List_projects(org_id):
crm = create_client()
project_filter = ‘parent.type:organization parent.id:%s’ % org_id
print(project_filter)
projects = crm.projects().list(filter=project_filter).execute()
#while projects is not None:
print(projects)
Create a project with the generated name if it does not already exist, with this code snippet:
def create_project(proj_id):
crm = create_client()
print “org id in function is :n”
print(organization_id)
new_project = crm.projects().create(
body={
‘project_id': proj_id,
‘name': proj_id,
‘parent': {
‘type': ‘organization’,
‘id': organization_id
}
}).execute()
And finally, programmatically launch the resources and assign IAM policies.
Now that you can use a script to automatically create projects, the next thing to do is to expand on these steps to automate setting of IAM policies and creating resources for your automation pipeline. Google Deployment Manager does that using declarative templates and is a good tool for automatically creating project resources. Stay tuned for a blog post on the topic.
Quelle: Google Cloud Platform
Published by