Let’s take a moment to review some key concepts that will be used throughout this book.
Environment Files
Throughout the projects, values are stored in environment variables. This is a common pattern in the world of DevOps. It allows you to easily change values without having to change code. It also allows you to keep sensitive values out of your code and version control. Rather than setting the environment variables each time you start a new terminal session, you can store them in a file and then load them into your environment. This is what the .env file is for. Each project has a .env.template file that you can copy to .env and then fill in the values. At the root, there is also an environment file that holds common environment variables.
In each project, execute the set-env.sh script to set environment variables for you. This will apply the values in the .env file in the current directory together with the shared environment variables in the root .env file.
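The loading step described above, sketched as an added example that is not the book's set-env.sh: the function names load_env_file and load_env and the sample variable names are assumptions. It parses KEY=VALUE lines rather than sourcing the files, so shell syntax inside a value is never executed.

```shell
#!/bin/sh
# Added example, not the book's set-env.sh. Reads KEY=VALUE lines and exports
# them without `source`, so `X=$(cmd)` in a .env file stays literal text.

# load_env_file FILE: export valid pairs; return 1 if any line was rejected.
load_env_file() {
    file=$1 n=0 rc=0
    [ -f "$file" ] || return 0                      # a missing file is not an error
    # Warn when the file is world-readable (it usually holds secrets).
    [ -z "$(find "$file" -prune -perm -004)" ] || echo "warn: $file is world-readable" >&2
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac     # blank line or comment
        key=${line%%=*} value=${line#*=}
        case $line in *=*) ;; *) key='' ;; esac     # no '=' at all
        case $key in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                # Report the line number only: the content may be a secret.
                echo "error: $file:$n is not KEY=VALUE" >&2; rc=1; continue ;;
        esac
        case $value in                              # drop one pair of quotes
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        export "$key=$value"
    done < "$file"
    return $rc
}

# load_env ROOT_DIR PROJECT_DIR: shared values first, project values override.
# Stops before the project file if the shared file had a rejected line.
load_env() {
    load_env_file "$1/.env" && load_env_file "$2/.env"
}

# Constructed sample input: a shared root .env and a project .env.
demo() {
    root=$(mktemp -d); mkdir "$root/project"
    printf 'REGION=europe-west2\nPROJECT_ID=shared\n' > "$root/.env"
    printf '# project\nPROJECT_ID="skills-demo"\nTOKEN=$(id)\n' > "$root/project/.env"
    load_env "$root" "$root/project"
    printf '%s %s %s\n' "$REGION" "$PROJECT_ID" "$TOKEN"
    rm -rf "$root"
}
demo
```

To export into the current terminal session, the file holding these functions has to be sourced rather than executed, because a child process cannot change its parent's environment.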
Enabling Services
Upon the initial creation of a project in Google Cloud, a number of services are not active by default. Attempting to utilize these services may result in an error. These services, however, can be easily activated using either the Google Cloud Console or the gcloud CLI. For instance, if you wish to activate the Cloud Run API, you can do so by executing the following command:
gcloud services enable run.googleapis.com
Whenever you use a service for the first time, you will see the command to enable it.
Identity and Access Management
Every Google Cloud Platform project has an identity and access management (IAM) policy. This policy specifies who has what type of access to which resources. Unlike what may be the case for an on-premises system, almost every resource or service in Google Cloud needs explicit permission to be accessed. This is a powerful and flexible system that allows you to control access to your resources.
In general, a principal (user) has roles that grant them permission to perform actions on resources.
Tip
It is important to understand that changes to IAM roles and permissions are eventually consistent and can take several minutes. This means that if you revoke a role or permission, it may still be available for a few minutes. Similarly, if you grant a role or permission, it may not be available for a few minutes.
Service Accounts
Service accounts are a special type of account used by applications acting as the principal to access Google Cloud services and resources. They are not intended for use by humans. They are used by the Google Cloud services themselves. As you start to join up services, you will be using service accounts to allow services to access other services. While you can use a default service account for this, it is better to create a specific service account for each service. This allows you to control access to resources at a finer granularity. To follow this best practice, you will be using a service account for each service created in the projects.