Google Certified Associate Cloud Engineer 2020


** SPOILER ** Please review my work

So this is the script I used in Cloud Shell. I know it opened all the permissions in the bucket, but other than that, what do you think, how to improve it?

gsutil mb -l us-central1 gs://thebucket

gsutil acl ch -g all:W gs://thebucket

gcloud compute instances create mychallengescriptvm2 --machine-type=f1-micro --metadata=lab-logs-bucket=gs://thebucket,startup-script-url=https://raw.githubusercontent.com/ACloudGuru/gcp-cloud-engineer/master/compute-labs/worker-startup-script.sh --zone=us-central1-a --scopes=storage-full

roy zanbel

I would say you can follow the "least privileged" concept and only allow bucket permissions to the service account instead of giving the allUsers group a write permission, which seems too permissive. And if you want to squeeze it all into a single line you can use the && operator.

1 Answer

All in all, if it worked and did all the critical things it needed to do, that's the most important thing (except for what you've already identified with your bucket permissions).

One thing you could do is use variables to make the bucket name easier to work with.

bucketname=mybucket

gsutil mb -l us-central1 gs://${bucketname}
gsutil acl ch -g all:W gs://${bucketname}
gcloud compute instances create vmname --machine-type=f1-micro --metadata=lab-logs-bucket=gs://${bucketname} 

I haven't tested if that exact syntax would work, but if you're curious, it could be worth having a read about bash scripting and seeing what you think.
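Putting the two suggestions together (least privilege from roy zanbel's comment, variables from the answer above), here is an added example script; it is not the poster's script and not the course's own lab code. PROJECT_ID, the service-account name lab-worker and the plan/apply entry points are my assumptions; the bucket, VM name, zone and startup-script URL are the ones from the thread.

```shell
#!/bin/sh
# Added example, not the course's or the poster's script: the same lab steps with
# least-privilege bucket access. PROJECT_ID and the service-account name are
# assumed placeholders; DRY_RUN=1 prints the commands instead of running them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-id}"   # placeholder, replace with your project id
REGION="us-central1"
ZONE="us-central1-a"
BUCKET="${BUCKET:-thebucket}"
SA_NAME="lab-worker"                        # assumed dedicated service account
VM_NAME="mychallengescriptvm2"
SCRIPT_URL="https://raw.githubusercontent.com/ACloudGuru/gcp-cloud-engineer/master/compute-labs/worker-startup-script.sh"

# Service-account e-mail and the IAM member string derived from it.
sa_email()  { printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$PROJECT_ID"; }
sa_member() { printf 'serviceAccount:%s' "$(sa_email)"; }

# Execute a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

create_lab() {
  # Bucket with uniform bucket-level access (-b on): IAM only, no legacy ACLs,
  # so an "acl ch -g all:W" style grant cannot be applied later by mistake.
  run gsutil mb -l "$REGION" -b on "gs://${BUCKET}"
  # A dedicated service account for the VM instead of the default one.
  run gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID"
  # Only that account may create objects in this one bucket; allUsers gets nothing.
  # objectCreator is create-only; use roles/storage.objectUser if the worker must
  # overwrite existing objects.
  run gsutil iam ch "$(sa_member):roles/storage.objectCreator" "gs://${BUCKET}"
  # The VM runs as that account; the scope is read/write rather than full control.
  run gcloud compute instances create "$VM_NAME" \
    --project "$PROJECT_ID" --zone "$ZONE" --machine-type f1-micro \
    --service-account "$(sa_email)" --scopes storage-rw \
    --metadata "lab-logs-bucket=gs://${BUCKET},startup-script-url=${SCRIPT_URL}"
}

# Usage: sh script.sh plan (prints the commands) | sh script.sh apply (runs them)
case "${1:-}" in
  plan)  DRY_RUN=1 create_lab ;;
  apply) create_lab ;;
esac
```

Run `plan` first and check that the only grant printed is the service account's objectCreator binding on the bucket.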
