Configure Service Accounts and IAM for Google Cloud: Challenge Lab

Lab | 45 minutes | 1 Credit | Introductory

ARC134

Overview

In a challenge lab you’re given a scenario and a set of tasks. Instead of following step-by-step instructions, you will use the skills learned from the labs in the course to figure out how to complete the tasks on your own! An automated scoring system (shown on this page) will provide feedback on whether you have completed your tasks correctly.

When you take a challenge lab, you will not be taught new Google Cloud concepts. You are expected to extend your learned skills, like changing default values and reading and researching error messages to fix your own mistakes.

To score 100% you must successfully complete all tasks within the time period!

In this challenge lab, you will use Duet AI to help you complete the given tasks.

Duet AI for Google Cloud is an always-on AI collaborator that provides help to users of all skill levels where they need it. In this lab, you use Duet AI to get the information you need to create the resources in the tasks.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which could otherwise cause extra charges to be incurred on your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

Challenge scenario

You are starting your career as a junior cloud architect. In this role, you have been assigned to work on a team project that requires you to use service accounts, configure IAM permissions using the gcloud command line interface (CLI), add custom roles, and use the client libraries to access BigQuery from a service account.

You are expected to have the skills and knowledge to complete the tasks that follow. You can also use Duet AI to identify the CLI commands or steps needed to complete the tasks.

Your challenge

For this challenge, you are asked to create a service account, assign required roles, configure IAM permissions using the gcloud CLI, create a custom role using a YAML file, and use the client libraries to access BigQuery from a service account.

You are asked to:

  • Configure a service account using the gcloud CLI.
  • Grant IAM permissions to a service account using the gcloud CLI.
  • Create a compute instance using the service account.
  • Create a custom role using a YAML file.
  • Use the client libraries to access BigQuery from a service account.

For this challenge lab, a virtual machine (VM) instance named has been configured for you to complete tasks 2 to 6.

Create all the resources in region and zone.

Each task is described in detail below. Good luck!

Task 1. Enable and Explore Duet AI (optional)

Note: If you want to use Duet AI, follow the steps given below to enable it. Otherwise, you can go directly to Task 2.

Since you are going to use Duet AI, first enable and explore it.

In this task, you use the Duet AI pane to enter prompts and view the responses from Duet AI. Prompts are questions or statements that describe the help that you need. Prompts can include context from existing code that Google Cloud analyzes to provide more useful or complete responses. For more information on writing prompts to generate good responses, see Write better prompts for Duet AI.

To prompt Duet AI about Google Cloud services, perform these steps:

  1. Sign in to the Google Cloud Console.

  2. Click on the Duet AI icon (Duet AI icon) in the top-right corner of the Google Cloud console toolbar.

  3. Click on Enable to enable the Cloud AI Companion API.

  4. Click Start Chatting.

Enter the following prompt:

What is service account? What is the difference between predefined roles and custom roles?

Note: Duet AI doesn't use your prompts or its responses as data to train its model. For more information, see How Duet AI in Google Cloud uses your data.

Note: As an early-stage technology, Duet AI can generate output that seems plausible but is factually incorrect. We recommend that you validate all output from Duet AI before you use it. For more information, see Duet AI in Google Cloud and responsible AI.

Task 2. Create a service account using the gcloud CLI

For this task, a VM named lab-vm has already been configured for you to use as you perform the tasks that follow. You will create a service account with the help of Duet AI.

  1. Authenticate in gcloud.
  2. SSH into the lab-vm VM and configure the gcloud environment for a user, then switch your gcloud configuration to the default.
  3. Create a service account named devops inside the SSH session.

Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Duet AI to fetch the commands to create the resource.

Click Check my progress to verify the objective. Create a service account using gcloud CLI

Task 3. Grant IAM permissions to a service account using the gcloud CLI

For this task, you need to assign the required roles to a service account using the gcloud CLI.

  1. Because you will use the project ID and the service account multiple times, it is a good idea to export the project ID and the service account into local variables.
  2. Similarly, store the service account email address in a local variable called SA.
  3. To complete this task, SSH into the lab-vm VM, and give the service account the iam.serviceAccountUser role, with the permissions of compute.instanceAdmin.
Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Duet AI to fetch the commands to create the resource.

Click Check my progress to verify the objective. Grant IAM permissions to a service account using gcloud CLI
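One way to confirm the bindings from this task and to spot roles beyond the two it calls for. This is an added example, not part of the lab; the function names are hypothetical, and the role prefixes `roles/` are the full names of the two roles named above.

```bash
#!/usr/bin/env bash
# Added example, not lab code. Function names are hypothetical.

# Roles Task 3 intends the devops service account to hold.
EXPECTED_ROLES="roles/iam.serviceAccountUser
roles/compute.instanceAdmin"

# Print each project-level role bound to member $2 in project $1.
sa_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$2" \
    --format="value(bindings.role)"
}

# stdin: one role per line. Prints roles that are NOT expected.
# -x forces whole-line matches, so roles/compute.instanceAdmin.v1
# is not mistaken for roles/compute.instanceAdmin.
unexpected_roles() {
  grep -v '^[[:space:]]*$' | grep -vxF -e "$EXPECTED_ROLES" || true
}

# stdin: one role per line. Prints expected roles that are absent.
missing_roles() {
  _have="$(cat)"
  [ -n "$_have" ] || { printf '%s\n' "$EXPECTED_ROLES"; return 0; }
  printf '%s\n' "$EXPECTED_ROLES" | grep -vxF -e "$_have" || true
}

# Returns 0 only when the account holds exactly the expected roles.
audit_sa() {   # usage: audit_sa "$PROJECT_ID" "$SA"
  _roles="$(sa_roles "$1" "$2")" || return 2
  _extra="$(printf '%s\n' "$_roles" | unexpected_roles)"
  _missing="$(printf '%s\n' "$_roles" | missing_roles)"
  [ -z "$_extra" ]   || printf 'unexpected: %s\n' $_extra
  [ -z "$_missing" ] || printf 'missing: %s\n' $_missing
  [ -z "$_extra$_missing" ]
}
```

Run `audit_sa "$PROJECT_ID" "$SA"` from the lab-vm SSH session after granting the roles; a non-zero exit status means the account's bindings differ from the intended set.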

Task 4. Create a compute instance with a service account attached using gcloud

For this task, a VM named lab-vm has already been configured for you. SSH into the lab-vm VM to start.

  1. Create a compute instance named vm-2 with the devops service account attached that you created in Task 2.

  2. SSH into the vm-2 VM instance. Try to create and list an instance from vm-2 to verify you have the necessary permissions via the service account.

Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Duet AI to fetch the commands to create the resource.

Click Check my progress to verify the objective. Create a compute instance with a service account attached using gcloud

Task 5. Create a custom role using a YAML file

  1. Create a YAML file named role-definition.yaml that has a custom role definition with the permissions cloudsql.instances.connect and cloudsql.instances.get using Duet AI.
  2. Execute the gcloud command to create a role at the project level using the YAML file.
Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Duet AI to fetch the commands to create the resource.

Click Check my progress to verify the objective. Create a custom role using a YAML file
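The role definition file and project-level create step described in this task, shown as an added example that is not part of the lab. The function names, role title, description and stage are placeholders; only the file name and the two permissions come from the task.

```bash
#!/usr/bin/env bash
# Added example, not lab code. Function names, the role title and
# description are placeholders; the two permissions come from Task 5.

# Write the custom role definition to $1 (default role-definition.yaml).
write_role_definition() {
  cat > "${1:-role-definition.yaml}" <<'EOF'
title: "Placeholder Role Title"
description: "Placeholder description"
stage: "ALPHA"
includedPermissions:
- cloudsql.instances.connect
- cloudsql.instances.get
EOF
}

# Print the permissions listed under includedPermissions in file $1.
role_permissions() {
  awk '/^includedPermissions:/ { on = 1; next }
       on && /^[[:space:]]*-/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
       on && /^[^[:space:]#]/ { on = 0 }' "$1"
}

# Succeed only if the file grants exactly the two intended permissions.
check_role_definition() {
  _want="cloudsql.instances.connect
cloudsql.instances.get"
  [ "$(role_permissions "$1" | sort)" = "$_want" ]
}

# Create the role at project level, then print what IAM stored.
create_role() {   # usage: create_role ROLE_ID PROJECT_ID [file]
  _file="${3:-role-definition.yaml}"
  check_role_definition "$_file" ||
    { echo "unexpected permissions in $_file" >&2; return 1; }
  gcloud iam roles create "$1" --project="$2" --file="$_file" &&
    gcloud iam roles describe "$1" --project="$2" \
      --format="value(includedPermissions)"
}
```

The pre-create check keeps a role file that has picked up extra permissions from being applied unnoticed.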

Task 6. Use the client libraries to access BigQuery from a service account

For this task, you will query the BigQuery public datasets from an instance with the help of a service account which has the necessary roles configured. Log in to the Google Cloud console using the username and password provided.

  1. Create a service account named bigquery-qwiklab and assign it the roles of BigQuery Data Viewer and BigQuery User.
  2. Create a VM instance named bigquery-instance using the service account bigquery-qwiklab.
  3. SSH into the bigquery-instance and install the dependencies.
  4. Use the following code to create a Python file.

```
echo "
from google.auth import compute_engine
from google.cloud import bigquery

# Use the credentials of the service account attached to this VM.
credentials = compute_engine.Credentials(
    service_account_email='YOUR_SERVICE_ACCOUNT')

# Top 20 names in Texas from the public usa_names dataset.
# The table name is wrapped in escaped backticks so the shell does not
# treat it as command substitution and BigQuery reads it as an identifier.
query = '''
SELECT
  name, SUM(number) as total_people
FROM
  \`bigquery-public-data.usa_names.usa_1910_2013\`
WHERE
  state = 'TX'
GROUP BY
  name, state
ORDER BY
  total_people DESC
LIMIT
  20
'''

client = bigquery.Client(
    project='YOUR_PROJECT_ID',
    credentials=credentials)
print(client.query(query).to_dataframe())
" > query.py
```

  5. Replace the YOUR_PROJECT_ID and YOUR_SERVICE_ACCOUNT placeholders with your own values and run the file using a Python3 command.

  6. Execute the Python file that was created in the above step.

Note: To create the following resources, you need to click on Click here for hint! and use the prompt in the Duet AI to fetch the commands to create the resource.

Click Check my progress to verify the objective. Use the client libraries to access BigQuery from a service account

Congratulations!

You have successfully created Google Cloud service accounts, assigned roles to service accounts, configured IAM permissions using the gcloud CLI, and created a custom role with the help of Duet AI prompts.

Manual Last Updated February 5, 2024

Lab Last Tested February 25, 2024

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.