Understanding Service Accounts on Google Compute Engine

30 minutes
  • 4 Learning Objectives

About this Hands-on Lab

In this lab, we create a custom service account with granular IAM permissions, then use the service account when creating a Compute Engine instance that will run the WordPress blogging software connected to a Cloud SQL database.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Cloud SQL Instance
  1. Create a new Cloud SQL MySQL instance with the name wordpress-db.
  2. Generate a root password and note it for later.
  3. Make sure you have the Region set as us-central1 and the Zone as Any.
  4. Under Connectivity, tick Private IP.
  5. Enable Service Networking API.
  6. Under Associated networking, select the default Network.
  7. Choose to use an automatically allocated IP range.
  8. Untick Public IP to remove public IP connections from this instance.
  9. Change the machine type to Shared Core, 1 vCPU, 1.7 GB.
Create a Custom Service Account
  1. Create a new service account named wordpress-app.
  2. When prompted to Grant this service account access to project, type SQL in the Select a role box to search roles, then select Cloud SQL Client.
Create the WordPress Instance on Compute Engine
  1. Create a new instance named wordpress.
  2. Set the Region to us-central1 (the console will choose a zone for you).
  3. Change the Machine type to e2-small.
  4. Have the instance deploy a container to the VM instance, and use the container wordpress.
  5. For our service account, make sure to select wordpress-app.
  6. Allow all HTTP traffic on the instance.
  7. Use the VM’s External IP link to see the WordPress language selection screen.
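The same three sections as gcloud commands, as an added example rather than the lab's own steps. It assumes PROJECT_ID is exported (a placeholder is used otherwise), pins a zone (the console chose one for you), names the private-services range google-managed-services-default (the console's "automatically allocated IP range" does this for you), and gives the VM the cloud-platform access scope so that the custom account's IAM roles alone bound what the instance can do. Setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the lab: gcloud equivalents of the console steps
# in the three sections above. Assumed values: PROJECT_ID from the environment
# (placeholder otherwise), a pinned zone, and the lab's own resource names.
set -eu

PROJECT_ID="${PROJECT_ID:-my-lab-project}"   # assumption: your lab project ID
REGION="us-central1"
ZONE="${ZONE:-us-central1-a}"                # the console picked a zone; we pin one
NETWORK="default"
DB_INSTANCE="wordpress-db"
SA_NAME="wordpress-app"
VM_NAME="wordpress"
GCLOUD="${GCLOUD:-gcloud}"                   # GCLOUD=echo prints commands instead of running them

# E-mail address Google derives for a service account from its name and project.
sa_email() { printf '%s@%s.iam.gserviceaccount.com\n' "$1" "$2"; }

# Section 1: private-IP-only Cloud SQL instance on the default network.
create_cloud_sql() {            # $1 = MySQL root password
  $GCLOUD services enable servicenetworking.googleapis.com --project="$PROJECT_ID"
  # Private IP needs a range reserved for, and peered with, Google-managed services.
  $GCLOUD compute addresses create "google-managed-services-$NETWORK" \
    --global --purpose=VPC_PEERING --prefix-length=16 --network="$NETWORK" \
    --project="$PROJECT_ID"
  $GCLOUD services vpc-peerings connect --service=servicenetworking.googleapis.com \
    --ranges="google-managed-services-$NETWORK" --network="$NETWORK" \
    --project="$PROJECT_ID"
  # db-g1-small is the shared-core 1 vCPU / 1.7 GB tier; --no-assign-ip drops the public IP.
  $GCLOUD sql instances create "$DB_INSTANCE" --database-version=MYSQL_8_0 \
    --tier=db-g1-small --region="$REGION" --network="$NETWORK" --no-assign-ip \
    --root-password="$1" --project="$PROJECT_ID"
  $GCLOUD sql databases create wordpress --instance="$DB_INSTANCE" --project="$PROJECT_ID"
}

# Section 2: dedicated service account holding only the Cloud SQL Client role.
create_service_account() {
  $GCLOUD iam service-accounts create "$SA_NAME" --display-name="WordPress app" \
    --project="$PROJECT_ID"
  $GCLOUD projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$(sa_email "$SA_NAME" "$PROJECT_ID")" \
    --role=roles/cloudsql.client
}

# Section 3: container VM running as that account, with HTTP allowed in.
create_wordpress_vm() {
  $GCLOUD compute instances create-with-container "$VM_NAME" --zone="$ZONE" \
    --machine-type=e2-small --container-image=wordpress \
    --service-account="$(sa_email "$SA_NAME" "$PROJECT_ID")" \
    --scopes=cloud-platform --tags=http-server --project="$PROJECT_ID"
  # Same effect as ticking "Allow HTTP traffic" in the console.
  $GCLOUD compute firewall-rules create default-allow-http --network="$NETWORK" \
    --allow=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=http-server \
    --project="$PROJECT_ID"
}

# The two addresses the WordPress installer needs: DB private IP, VM external IP.
show_endpoints() {
  $GCLOUD sql instances describe "$DB_INSTANCE" --project="$PROJECT_ID" \
    --format='value(ipAddresses[0].ipAddress)'   # only a private address exists
  $GCLOUD compute instances describe "$VM_NAME" --zone="$ZONE" --project="$PROJECT_ID" \
    --format='value(networkInterfaces[0].accessConfigs[0].natIP)'
}

if [ "${RUN_LAB:-0}" = 1 ]; then
  create_cloud_sql "${DB_ROOT_PASSWORD:?export the MySQL root password first}"
  create_service_account
  create_wordpress_vm
  show_endpoints
fi
```

Run it with `RUN_LAB=1 DB_ROOT_PASSWORD=... PROJECT_ID=... sh create-lab.sh`; the password is passed through the environment rather than typed on the command line so it does not land in shell history. Cloud SQL Client is the only project-level role the account receives, so a compromise of the WordPress container yields a token that can connect to Cloud SQL instances and nothing else.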
Set Up WordPress and the Database

Before we configure WordPress, we must first create the database inside our new Cloud SQL instance. Note that this connection goes straight to the instance's private IP and authenticates with MySQL credentials, not with the service account: the Cloud SQL Client role matters when you connect through the Cloud SQL Auth Proxy or a Cloud SQL connector. The lab connects as the MySQL root user to keep the steps short; outside a lab, create a dedicated MySQL user for WordPress with privileges limited to the wordpress database.

  1. Take note of the private IP for our wordpress-db instance.
  2. Create a new database with the name wordpress.

Complete the rest of these steps in WordPress:

  1. Choose your preferred language, then on the next screen click Let’s go!.
  2. Update the connection details to match the following:
    • Database name: wordpress
    • Username: root
    • Password: The root password you noted earlier.
    • Database Host: The private IP you noted earlier.
    • Table Prefix: wp_
  3. Run the installation.

Additional Resources

Compute Engine instances run as the Compute Engine default service account unless you specify otherwise, and that default service account is typically granted the Project Editor role. Anything running on the instance, including a compromised application inside the WordPress container, can fetch a token for that account from the metadata server, so a broad role on the default account turns a single application compromise into near-project-wide access. The token is additionally limited by the instance's access scopes: the default scopes do not include Cloud SQL, which is why a default-configured instance cannot use the Cloud SQL Auth Proxy or API despite the Editor role. Scopes are a legacy, per-instance filter rather than a substitute for IAM; the robust pattern is a dedicated service account per workload holding only the roles it needs (here, Cloud SQL Client), with IAM rather than scopes governing what it may do.
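A check worth running from inside any instance, added here as an example and not part of the lab: ask the metadata server which service account and scopes it hands to workloads, and flag the default account. The RISK/WARN/OK verdicts and the choice of cloud-platform and sqlservice.admin as "broad" scopes are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the lab: run on a Compute Engine VM to see which
# service account and access scopes the metadata server exposes to anything
# on the instance, and flag the risky default. Verdict wording is ours.
set -eu

MD="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default"

# Fetch one attribute (email, scopes, token) of the instance's service account.
# Any process on the VM can do this; no credentials are needed beyond the header.
metadata_get() {
  curl -sf -H 'Metadata-Flavor: Google' "$MD/$1"
}

# The Compute Engine default service account is always named
# PROJECT_NUMBER-compute@developer.gserviceaccount.com.
is_default_compute_sa() {
  case "$1" in
    *-compute@developer.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Read newline-separated scopes on stdin; print "broad" if any scope lets the
# token reach every API or administer Cloud SQL, otherwise "limited".
classify_scopes() {
  while IFS= read -r scope; do
    case "$scope" in
      *://www.googleapis.com/auth/cloud-platform|*://www.googleapis.com/auth/sqlservice.admin)
        echo broad; return 0 ;;
    esac
  done
  echo limited
}

# assess EMAIL < scopes  ->  one verdict line
assess() {
  breadth=$(classify_scopes)
  if is_default_compute_sa "$1"; then
    if [ "$breadth" = broad ]; then
      echo "RISK: default compute service account (typically Editor) with broad scopes"
    else
      echo "WARN: default compute service account (typically Editor); scopes narrow the token, the role does not"
    fi
  else
    echo "OK: custom service account $1; permissions come from its IAM roles"
  fi
}

if [ "${RUN_ON_VM:-0}" = 1 ]; then
  email=$(metadata_get email)
  metadata_get scopes | assess "$email"
fi
```

Run `RUN_ON_VM=1 sh check-sa.sh` on the instance. On the lab's wordpress VM the expected verdict starts with OK and names wordpress-app; on a VM created with the defaults it starts with WARN, and with "Allow full access to all Cloud APIs" ticked it starts with RISK.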

To get started, log in to Google Cloud Platform by opening https://console.cloud.google.com/ in a private browser window, then sign in using the credentials provided on the lab page.
