No results found.

    Configure Service Accounts and IAM Roles for Google Cloud

    Test and share your knowledge with our community!
    Get access to over 700 hands-on labs, skill badges, and courses

    Configure Service Accounts and IAM for Google Cloud: Challenge Lab

    Lab 45 minutes universal_currency_alt 1 Credit show_chart Introductory
    info This lab may incorporate AI tools to support your learning.
    Test and share your knowledge with our community!
    Get access to over 700 hands-on labs, skill badges, and courses


    Google Cloud self-paced labs logo


    In a challenge lab you’re given a scenario and a set of tasks. Instead of following step-by-step instructions, you will use the skills learned from the labs in the course to figure out how to complete the tasks on your own! An automated scoring system (shown on this page) will provide feedback on whether you have completed your tasks correctly.

    When you take a challenge lab, you will not be taught new Google Cloud concepts. You are expected to extend your learned skills, like changing default values and reading and researching error messages to fix your own mistakes.

    To score 100% you must successfully complete all tasks within the time period!

    In this challenge lab, you will be taking help of Gemini to complete the given tasks.

    Gemini for Google Cloud is an always-on AI collaborator that provides help to users of all skill levels where they need it. In this lab, you use Gemini to get information you need to create resourses in the tasks.

    Setup and requirements

    Before you click the Start Lab button

    Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

    This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

    To complete this lab, you need:

    • Access to a standard internet browser (Chrome browser recommended).
    Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
    • Time to complete the lab---remember, once you start, you cannot pause a lab.
    Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

    Challenge scenario

    You are starting your career as a junior cloud architect. In this role, you have been assigned to work on a team project that requires you to use service accounts, configure IAM permission using the gcloud command line interface (CLI), add custom roles, and use the client libraries to access BigQuery from a service account.

    You are expected to have the skills and knowledge to complete the tasks that follow. Also, you can take help from Gemini to identify CLI commands or steps to complete the tasks.

    Your challenge

    For this challenge, you are asked to create a service account, assign required roles, configure IAM permissions using the gcloud CLI, create a custom role using a YAML file, and use the client libraries to access BigQuery from a service account.

    You are asked to:

    • Configure a service account using the gcloud CLI.
    • Grant IAM permissions to a service account using the gcloud CLI.
    • Create a compute instance using the service account.
    • Create a custom role using a YAML file.
    • Use the client libraries to access BigQuery from a service account.

    For this challenge lab, a virtual machine (VM) instance named has been configured for you to complete tasks 2 to 6.

    Create all the resources in region and zone.

    Each task is described in detail below, good luck!

    Task 1. Enable and Explore Gemini (optional)

    Note: If you want to use Gemini, follow the steps given below to enable it otherwise you can go directly to Task 2.

    Since you are going to use Gemini, let's quickly enable and explore the Gemini.

    In this task, you use the Gemini pane to enter prompts and view the responses from Gemini. Prompts are questions or statements that describe the help that you need. Prompts can include context from existing code that Google Cloud analyzes to provide more useful or complete responses. For more information on writing prompts to generate good responses, see Write better prompts for Gemini

    To prompt Gemini about Google Cloud services, perform these steps:

    1. Sign in to the Google Cloud Console.

    2. Click on the Gemini icon (Gemini icon) in the top-right corner of the Google Cloud console toolbar.

    Note: the Gemini for Google Cloud Console API (formerly named the Cloud AI Companion API) was enabled for your project when you started the lab.
    1. Click Start Chatting.

    Enter the following prompt:

    What is service account? What is the difference between predefined roles and custom roles? Note: Gemini doesn't use your prompts or its responses as data to train its model. For more information, see How Gemini in Google Cloud uses your data. Note: As an early-stage technology, Gemini can generate output that seems plausible but is factually incorrect. We recommend that you validate all output from Gemini before you use it. For more information, see Gemini in Google Cloud and responsible AI.

    Task 2. Create a service account using the gcloud CLI

    For this task, a VM named lab-vm has already been configured for you to use as you perform the tasks that follow. You will create a service account by taking the help of the Gemini.

    1. Authenticate in gcloud
    1. SSH into the lab-vm VM and configure the gcloud environment for a user, then switch your gcloud configuration to the default.

    2. Create a service account named devops inside the SSH.

    Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Gemini to fetch the commands to create the resource.

    Click Check my progress to verify the objective. Create a service account using gcloud CLI

    Task 3. Grant IAM permissions to a service account using the gcloud CLI

    1. Since you will be using the project id and the service account multiple times so it is good idea to export the project id and service account into the local variable.

    For this task, you need to assign the required roles to a service account using the gcloud CLI.

    1. Similarly store the service account email address in a local variable called SA.
    1. To complete this task, SSH into the lab-vm VM, and give the service account the role of iam.serviceAccountUser with the permissions compute.instanceAdmin.
    Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Gemini to fetch the commands to create the resource.

    Click Check my progress to verify the objective. Grant IAM permissions to a service account using gcloud CLI

    Task 4. Create a compute instance with a service account attached using gcloud

    For this task, a VM named lab-vm has already been configured for you. SSH into the lab-vm VM to start.

    1. Create a compute instance named vm-2 with the devops service account attached that you created in Task 2.

    2. SSH into the vm-2 VM instance. Try to create and list an instance from vm-2 to verify you have the necessary permissions via the service account.

    Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Gemini to fetch the commands to create the resource.

    Click Check my progress to verify the objective. Create a compute instance with a service account attached using gcloud

    Task 5. Create a custom role using a YAML file

    1. Create a YAML file named role-definition.yaml that has a custom role definition with the permissions cloudsql.instances.connect and cloudsql.instances.get using Gemini.
    1. Execute the gcloud command to create a role at the project level using the YAML file.
    Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Gemini to fetch the commands to create the resource.

    Click Check my progress to verify the objective. Create a custom role using a YAML file

    Task 6. Use the client libraries to access BigQuery from a service account

    For this task, you will query the BigQuery public datasets from an instance with the help of a service account which has the necessary roles configured. Login to the Google Cloud console using the username and password provided.

    1. Create a service account named bigquery-qwiklab and assign it the role of BigQuery Data Viewer as BigQuery User.
    1. Create a VM instance named bigquery-instance using a service account bigquery-qwiklab.
    1. SSH into the bigquery-instance and install the dependencies.
    1. Use the following code to create a Python file.
    echo " from google.auth import compute_engine from google.cloud import bigquery credentials = compute_engine.Credentials( service_account_email='YOUR_SERVICE_ACCOUNT') query = ''' SELECT name, SUM(number) as total_people FROM "bigquery-public-data.usa_names.usa_1910_2013" WHERE state = 'TX' GROUP BY name, state ORDER BY total_people DESC LIMIT 20 ''' client = bigquery.Client( project='YOUR_PROJECT_ID', credentials=credentials) print(client.query(query).to_dataframe()) " > query.py
    1. Replace the PROJECT_ID and SERVICE_ACCOUNT variables with your credentials and run the file using a Python3 command.

    2. Excute the python file that is created in the above step

    Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Gemini to fetch the commands to create the resource.

    Click Check my progress to verify the objective. Use the client libraries to access BigQuery from a service account


    Congratulations! You have successfully created Google Cloud service accounts, assigned roles to service accounts, configured IAM permissions using the gcloud CLI, and created a custom role by taking the help of the Gemini Prompt.

    Configure Service Accounts and IAM for Google Cloud badge

    Google Cloud training and certification

    ...helps you make the most of Google Cloud technologies. Our classes include technical skills and best practices to help you get up to speed quickly and continue your learning journey. We offer fundamental to advanced level training, with on-demand, live, and virtual options to suit your busy schedule. Certifications help you validate and prove your skill and expertise in Google Cloud technologies.

    Manual Last Updated July 17, 2024

    Lab Last Tested July 17, 2024

    Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.

    Previous Next

    Before you begin

    1. Labs create a Google Cloud project and resources for a fixed time
    2. Labs have a time limit and no pause feature. If you restart it, you'll have to start from the beginning.
    3. On the top left of your screen, click Start lab to begin

    Use private browsing

    1. Copy the provided Username and Password for the lab
    2. Click Open console in private mode

    Sign in to the Console

    1. Sign in using your lab credentials. Using other credentials might cause errors or incur charges.
    2. Accept the terms, and skip the recovery resource page
    3. Don't click End lab unless you've finished the lab or want to restart it, as it will clear your work and remove the project

    This content is not currently available

    We will notify you via email when it becomes available


    We will contact you via email if it becomes available

    One lab at a time

    Confirm to end all existing labs and start this one

    Setup your console before you begin

    Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.