Implement Cloud Security Fundamentals on Google Cloud: Challenge Lab: GSP342

📌 Lab Reference: Implement Cloud Security Fundamentals on Google Cloud: Challenge Lab (Lab Code: GSP342).

A concise walkthrough to complete the GSP342 challenge lab with a 100% score. The values below belong to one lab instance; substitute the project ID, custom role name, service account name and cluster name from your own lab instructions, because the grader checks for those exact names:

export PROJECT_ID="qwiklabs-gcp-01-8c1086536ffa"
export REGION="us-west1"
export ZONE="us-west1-b"
export CUSTOM_ROLE="orca_storage_editor_330"
export SA_NAME="orca-private-cluster-410-sa"
export CLUSTER_NAME="orca-cluster-412"

Architecture Requirements

  • IAM: Dedicated service account with least-privilege logging/monitoring roles and a custom storage role.
  • Network: Private GKE cluster (private nodes, public control-plane endpoint disabled) whose master authorized networks list contains only the orca-jumphost management IP.

Step 1: Run Infrastructure Commands in Cloud Shell

Open Cloud Shell and execute the following script to create the custom role, service account, policy bindings, and the private GKE cluster:

# Set environment defaults
gcloud config set compute/zone $ZONE
gcloud config set compute/region $REGION

# Task 1: Create Custom IAM Security Role
cat > role-definition.yaml <<EOF
title: "$CUSTOM_ROLE"
description: "Permissions for Orca Storage Editor"
stage: "GA"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.update
- storage.objects.create
EOF

gcloud iam roles create $CUSTOM_ROLE --project $PROJECT_ID --file role-definition.yaml

# Task 2: Create Service Account
gcloud iam service-accounts create $SA_NAME --display-name "Orca Private Cluster Service Account"

# Task 3: Bind IAM Roles to Service Account
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.viewer
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/logging.logWriter
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com --role projects/$PROJECT_ID/roles/$CUSTOM_ROLE

# Task 4: Deploy Private GKE Cluster
JUMPHOST_IP=$(gcloud compute instances describe orca-jumphost --zone=$ZONE --format='get(networkInterfaces[0].networkIP)')

gcloud container clusters create $CLUSTER_NAME \
  --zone=$ZONE \
  --num-nodes 1 \
  --master-ipv4-cidr=172.16.0.64/28 \
  --network orca-build-vpc \
  --subnetwork orca-build-subnet \
  --enable-master-authorized-networks \
  --master-authorized-networks=$JUMPHOST_IP/32 \
  --enable-ip-alias \
  --enable-private-nodes \
  --enable-private-endpoint \
  --service-account=$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com

Note: Cluster provisioning takes several minutes; wait for the command to return before moving on to Step 2.
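The three tasks above are easy to get subtly wrong in ways the lab grader reports only as a failure: an extra permission in the custom role, a stray broad binding on the service account, or a second CIDR in the authorized-networks list. The script below is an added example, not part of the lab or of this page's own commands. It encodes the intended least-privilege state and compares gcloud's output against it; each check_* function takes text in the shape the gcloud query in its comment prints, so the logic is exercised here on constructed samples (the jumphost IP 10.0.0.2, the member user:student@example.com and the drift cases are all made up) and runs against the real project through live_checks. The file name verify_orca.sh is assumed.

```shell
#!/usr/bin/env bash
# Least-privilege verification for the Step 1 build (added example; not part of
# the lab or the page's own script). Each check_* function takes text shaped like
# the gcloud query named in its comment would print, so the logic runs here against
# CONSTRUCTED samples and, via live_checks, against the real project.
set -u

PROJECT_ID="${PROJECT_ID:-qwiklabs-gcp-01-8c1086536ffa}"
CUSTOM_ROLE="${CUSTOM_ROLE:-orca_storage_editor_330}"
SA_NAME="${SA_NAME:-orca-private-cluster-410-sa}"
SA_EMAIL="$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com"

# The complete permission set the custom role may carry: nothing more, nothing less.
EXPECTED_ROLE_PERMS="storage.buckets.get
storage.objects.get
storage.objects.list
storage.objects.update
storage.objects.create"

# The complete set of project roles the cluster service account may hold.
EXPECTED_SA_ROLES="roles/monitoring.viewer
roles/monitoring.metricWriter
roles/logging.logWriter
projects/$PROJECT_ID/roles/$CUSTOM_ROLE"

# Input: one permission per line, as produced by
#   gcloud iam roles describe "$CUSTOM_ROLE" --project "$PROJECT_ID" \
#     --format='value(includedPermissions)' | tr ';' '\n'
# Succeeds only when the live set equals EXPECTED_ROLE_PERMS (catches extras such as delete).
check_role_permissions() {
  local got want
  got=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  want=$(printf '%s\n' "$EXPECTED_ROLE_PERMS" | sort -u)
  [ "$got" = "$want" ]
}

# Input: lines of "ROLE<whitespace>MEMBER", as produced by
#   gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' \
#     --format='value(bindings.role,bindings.members)'
# Succeeds only when the service account holds exactly EXPECTED_SA_ROLES.
check_sa_roles() {
  local got want
  got=$(printf '%s\n' "$1" | awk -v sa="serviceAccount:$SA_EMAIL" '$2 == sa { print $1 }' | sort -u)
  want=$(printf '%s\n' "$EXPECTED_SA_ROLES" | sort -u)
  [ "$got" = "$want" ]
}

# Input: "ENABLE_PRIVATE_ENDPOINT<whitespace>CIDRS" as produced by
#   gcloud container clusters describe "$CLUSTER_NAME" --zone "$ZONE" --format=\
#   'value(privateClusterConfig.enablePrivateEndpoint,masterAuthorizedNetworksConfig.cidrBlocks[].cidrBlock)'
# Second argument: the jumphost's internal IP. Succeeds only when the public
# endpoint is off and the jumphost /32 is the sole authorized network.
check_cluster_private() {
  local flag cidrs
  flag=$(printf '%s\n' "$1" | awk '{ print $1 }')
  cidrs=$(printf '%s\n' "$1" | awk '{ print $2 }')
  [ "$flag" = "True" ] && [ "$cidrs" = "$2/32" ]
}

# CONSTRUCTED samples (gcloud separates fields with tabs; awk accepts spaces too).
SAMPLE_JUMPHOST_IP="10.0.0.2"
SAMPLE_ROLE_PERMS="$EXPECTED_ROLE_PERMS"
SAMPLE_ROLE_PERMS_DRIFT="$EXPECTED_ROLE_PERMS
storage.objects.delete"
SAMPLE_BINDINGS="roles/owner user:student@example.com
roles/monitoring.viewer serviceAccount:$SA_EMAIL
roles/monitoring.metricWriter serviceAccount:$SA_EMAIL
roles/logging.logWriter serviceAccount:$SA_EMAIL
projects/$PROJECT_ID/roles/$CUSTOM_ROLE serviceAccount:$SA_EMAIL"
SAMPLE_BINDINGS_DRIFT="$SAMPLE_BINDINGS
roles/editor serviceAccount:$SA_EMAIL"
SAMPLE_CLUSTER="True $SAMPLE_JUMPHOST_IP/32"
SAMPLE_CLUSTER_DRIFT="True $SAMPLE_JUMPHOST_IP/32;0.0.0.0/0"

# Runs the three checks against the live project (needs gcloud and the lab project).
live_checks() {
  local zone="${ZONE:-us-west1-b}" cluster="${CLUSTER_NAME:-orca-cluster-412}" jump perms bindings cfg
  jump=$(gcloud compute instances describe orca-jumphost --zone="$zone" --format='get(networkInterfaces[0].networkIP)')
  perms=$(gcloud iam roles describe "$CUSTOM_ROLE" --project "$PROJECT_ID" --format='value(includedPermissions)' | tr ';' '\n')
  bindings=$(gcloud projects get-iam-policy "$PROJECT_ID" --flatten='bindings[].members' --format='value(bindings.role,bindings.members)')
  cfg=$(gcloud container clusters describe "$cluster" --zone "$zone" --format='value(privateClusterConfig.enablePrivateEndpoint,masterAuthorizedNetworksConfig.cidrBlocks[].cidrBlock)')
  check_role_permissions "$perms" && echo "custom role: OK" || echo "custom role: DRIFT"
  check_sa_roles "$bindings" && echo "SA bindings: OK" || echo "SA bindings: DRIFT"
  check_cluster_private "$cfg" "$jump" && echo "cluster: OK" || echo "cluster: DRIFT"
}

# Usage in Cloud Shell after Step 1 has finished:  bash verify_orca.sh live
if [ "${1:-}" = "live" ]; then
  live_checks
fi
```

The checks compare whole sets rather than looking for the presence of the expected items, which is the point: a role that has the five required permissions plus storage.objects.delete, or a service account that holds the four required roles plus roles/editor, still "works" and still passes a presence check, but it is no longer least privilege.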

Step 2: Deploy Application via Management Jumphost (SSH)

CRITICAL: The cluster has only a private control-plane endpoint, and its master authorized networks list contains only the jumphost address, so kubectl commands issued from Cloud Shell cannot reach the API server (they fail with an i/o timeout). Run the deployment commands from orca-jumphost, the one host that is authorized.

1. Connect to the management instance by running this command in Cloud Shell:

gcloud compute ssh orca-jumphost --zone=us-west1-b

(Alternatively, go to Compute Engine > VM Instances in the Console and click SSH next to orca-jumphost.)

2. Once connected inside the VM terminal session, paste and run this entire block to install the required GKE authentication tools and complete Task 5:

# The VM does not inherit Cloud Shell's environment, so set the lab values again
export PROJECT_ID="qwiklabs-gcp-01-8c1086536ffa"
export ZONE="us-west1-b"
export CLUSTER_NAME="orca-cluster-412"

# Install GKE auth plugin inside the VM
sudo apt-get update && sudo apt-get install -y google-cloud-sdk-gke-gcloud-auth-plugin
echo "export USE_GKE_GCLOUD_AUTH_PLUGIN=True" >> ~/.bashrc
source ~/.bashrc

# Fetch internal cluster credentials using internal-ip flag
gcloud container clusters get-credentials $CLUSTER_NAME --internal-ip --project=$PROJECT_ID --zone=$ZONE

# Task 5: Deploy and expose the test application
kubectl create deployment hello-server --image=gcr.io/google-samples/hello-app:1.0
kubectl expose deployment hello-server --name orca-hello-service --type LoadBalancer --port 80 --target-port 8080
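kubectl expose returns as soon as the Service object exists, but GKE needs a minute or two to allocate the external load-balancer IP, and the lab is only done once the app answers on it. The script below is an added example, not part of the lab or of this page's own commands; run it on orca-jumphost after the two kubectl commands above. It polls the Service for its external IP and then checks that hello-app answers on port 80. The Service name and the "Hello, world!" response come from the commands above; the poll count and delay are assumed defaults.

```shell
#!/usr/bin/env bash
# Smoke test for Task 5, run on orca-jumphost after the deployment is exposed
# (added example; not part of the lab). Polls until GKE has allocated the
# load-balancer IP, then checks the app answers on it.
set -u

# Prints the external IP of a LoadBalancer Service, polling up to $2 times
# with $3 seconds between attempts (defaults 30 x 10 s). Returns 1 on timeout.
wait_for_external_ip() {
  local svc="$1" tries="${2:-30}" delay="${3:-10}" ip
  while [ "$tries" -gt 0 ]; do
    ip=$(kubectl get service "$svc" -o jsonpath='{.status.loadBalancer.ingress[0].ip}' 2>/dev/null)
    if [ -n "$ip" ]; then
      printf '%s\n' "$ip"
      return 0
    fi
    tries=$((tries - 1))
    sleep "$delay"
  done
  return 1
}

# hello-app:1.0 answers "Hello, world!" on /; succeeds only if the body says so.
smoke_test() {
  local ip="$1" body
  body=$(curl -fsS --max-time 10 "http://$ip/") || return 1
  case "$body" in
    *"Hello, world!"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage on the jumphost:  bash smoke_orca.sh run
if [ "${1:-}" = "run" ]; then
  ip=$(wait_for_external_ip orca-hello-service) || { echo "no external IP after timeout"; exit 1; }
  smoke_test "$ip" && echo "orca-hello-service OK at http://$ip/"
fi
```

The functions shell out to kubectl and curl by name, so a test (or a dry run) can replace them with shell functions of the same name; that is how the behaviour is exercised without a cluster.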

Troubleshooting: ACCESS_TOKEN_TYPE_UNSUPPORTED

If a gcloud command in Step 1 fails with ACCESS_TOKEN_TYPE_UNSUPPORTED, the Cloud Shell session's credentials need refreshing. Re-authenticate with:

gcloud auth login

Authenticate via the URL provided, or click the three dots in the Cloud Shell toolbar and select Restart.
