🔵 Projects & IAM
GCP resurs ierarxiyasi, Organization, Projects, IAM roles
🏗️ GCP Resurs Ierarxiyasi
Organization → Folders → Projects → Resources. Policy yuqoridan pastga inherited qiladi. Organization — kompaniya ildizi. Project — billing, API, resurslarga ega mustaqil container.
🔐 Cloud IAM
Who (Member/Principal): Google Account, Service Account, Google Group, Cloud Identity Domain. Can do what (Role): Primitive (Owner, Editor, Viewer), Predefined, Custom. On which resource: Project, Folder, Organization level.
🤖 Service Accounts
Non-human identity — applicationlar va VM'lar uchun. JSON key yoki Workload Identity Federation orqali auth. Best practice: har bir xizmat uchun alohida SA, minimal ruxsat. Instance metadata service orqali token olish.
🔑 Cloud Identity & Access Management
Condition: Attribute-based access (vaqt, IP, resource tag). IAM Policy Binding: member + role + (optional) condition. Allow Policy vs Deny Policy. Policy troubleshooting: Policy Analyzer, IAM Recommender.
💡 Asosiy nuqtalar
- Organization > Folder > Project > Resource
- IAM: Who + Role + Resource
- Service Account = non-human identity
- Policy inherited: Yuqoridan pastga
- Deny policy — Allow policydan ustun keladi
🎯 Imtihon maslahatlari
- Primitive roles (Owner/Editor/Viewer) — imtihonda "too permissive" deb hisoblanadi, predefined roles afzal
- Service Account impersonation — bir SA boshqa SA nomidan ish qilishi (JSON key SHART EMAS)
- Workload Identity Federation — GKE workloads uchun JSON key o'rniga preferred auth usuli
- Organization Policy — IAM policy emas! Resource constraint (masalan, external IP ban qilish)
- IAM Recommender — 90 kun ichida ishlatilmagan ruxsatlarni kamaytirishni tavsiya qiladi
⚠️ Ko'p adashadigan
- Organization Policy = IAM Policy deb chalg'ish — Organization Policy resurs constraints, IAM esa access control
- Service Account ga Owner role berish — minimal privilege prinsipi buziladi, predefined role ishlat
- Deny policy umuman yo'q deb o'ylash — GCP da Deny policy bor va Allow policydan USTUN keladi
🧠 Eslab qolish: "WCRR" — Who (member), Can do what (role), on which Resource — IAM 3 ta asosiy tushuncha. "OFPR" — Organization, Folder, Project, Resource — ierarxiya tartibi
Projects & IAM bo'yicha o'zingizni sinab ko'ring
Bepul interaktiv quiz, mock imtihon va to'liq darslar — CertMaster platformasida.
Bepul boshlash →