Ensure Access & Identity in Google Cloud: Challenge Lab



You must complete a series of tasks within the allocated time period. Instead of following step-by-step instructions, you’ll be given a scenario and a set of tasks — you figure out how to complete it on your own! An automated scoring system (shown on this page) will provide feedback on whether you have completed your tasks correctly.

To score 100% you must complete all tasks within the time period!

When you take a Challenge Lab, you will not be taught Google Cloud concepts. To build the solution to the challenge presented, use skills learned from the labs in the quest this challenge lab is part of. You will be expected to extend your learned skills; you will be expected to change default values, but new concepts will not be introduced.

Topics tested


Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This Qwiklabs hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab.

Note: If you are using a Pixelbook, open an Incognito window to run this lab.

Challenge scenario

You have started a new role as a junior member of the security team for the Orca team in Jooli Inc. Your team is responsible for ensuring the security of the cloud infrastructure and services that the company’s applications depend on.

You are expected to have the skills and knowledge for these tasks, so don’t expect step-by-step guides to be provided.

Your challenge

You have been asked to deploy, configure, and test a new Kubernetes Engine cluster that will be used for application development and pipeline testing by the Orca development team.

As per the organisation’s security standards you must ensure that the new Kubernetes Engine cluster is built according to the organisation’s most recent security standards and thereby must comply with the following:

From a previous project you know that the minimum permissions required by the service account that is specified for a Kubernetes Engine cluster are covered by these three built-in roles:

These roles are specified in the documentation for hardening cluster security.

You must bind the above roles to the service account used by the cluster as well as a custom role that you must create in order to provide access to any other services specified by the development team. Initially you have been told that the development team requires that the service account used by the cluster should have the permissions necessary to add and update objects in Google Cloud Storage buckets. To do this you will have to create a new custom IAM role that will provide the following permissions:

Once you have created the new private cluster you must test that it is correctly configured by connecting to it from the jumphost, orca-jumphost, in the management subnet orca-mgmt-subnet. As this compute instance is not in the same subnet as the private cluster, you must make sure that the master authorized networks for the cluster include the internal IP address of the instance, and you must specify the --internal-ip flag when retrieving cluster credentials using the gcloud container clusters get-credentials command.

All new cloud objects and services that you create should include the “orca-” prefix.

Your final task is to validate that the cluster is working correctly by deploying a simple application to the cluster to test that management access to the cluster using the kubectl tool is working from the orca-jumphost compute instance.

Task 1: Create a custom security role.

The first task is to create a new custom IAM security role called orca_storage_update that will provide the Google Cloud storage bucket and object permissions required to be able to create and update storage objects.

- create a role definition file (yaml file) for the custom role:

$ vi role_orca_storage.yaml

i : INSERT to edit the file

Insert the below content in the file:

:wq : write and quit to save the file

- create role from file

Role creation documentation :


Task 2: Create a service account.

For the second task, we need to create the dedicated service account that will be used as the service account for your new private cluster.

The name of the account to create: orca-private-cluster-sa.

IAM Service Account creation documentation


Task 3: Bind a custom security role to a service account.

In the third task we need to bind the Cloud Operations logging and monitoring roles that are required for Kubernetes Engine Cluster service accounts as well as the custom IAM role you created for storage permissions to the Service Account you created earlier.

Roles and permissions documentation: https://cloud.google.com/monitoring/access-control

IAM Policy binding documentation :
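Tasks 1 to 3 as one script with a least-privilege check on the result, added here as an example (it is not the lab's or the author's own commands). The role ID and service account name are the ones given above; the project ID, role title, permission list, display name and the three built-in role names are assumptions to replace with the lab's values.

```shell
#!/usr/bin/env bash
# Tasks 1-3 in one pass. ASSUMED values are placeholders, not from the lab page.
PROJECT="${PROJECT:-your-project-id}"          # ASSUMED placeholder
ROLE_ID="orca_storage_update"                  # from the page
SA_NAME="orca-private-cluster-sa"              # from the page
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
# ASSUMED: the built-in logging and monitoring roles for a GKE node account
BUILTIN_ROLES="roles/logging.logWriter roles/monitoring.metricWriter roles/monitoring.viewer"

# DRY_RUN=1 (the default) prints each command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Task 1: role definition. ASSUMED permission list for creating/updating objects.
role_yaml() {
  cat <<'EOF'
title: "Orca Storage Update"
description: "Create and update storage objects"
stage: "GA"
includedPermissions:
- storage.buckets.get
- storage.objects.get
- storage.objects.list
- storage.objects.create
- storage.objects.update
EOF
}

# Every role the cluster service account is supposed to hold, one per line.
expected_roles() {
  printf '%s\n' $BUILTIN_ROLES "projects/${PROJECT}/roles/${ROLE_ID}"
}

provision() {
  role_yaml > role_orca_storage.yaml
  run gcloud iam roles create "$ROLE_ID" --project "$PROJECT" --file role_orca_storage.yaml
  run gcloud iam service-accounts create "$SA_NAME" --display-name "Orca cluster SA"
  for role in $(expected_roles); do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member "serviceAccount:${SA_EMAIL}" --role "$role"
  done
}

# Least-privilege check: reads granted roles on stdin, prints unexpected ones.
unexpected_roles() {
  expected="$(expected_roles)"
  while IFS= read -r role; do
    printf '%s\n' "$expected" | grep -qxF -- "$role" || printf '%s\n' "$role"
  done
}
```

After a real run (DRY_RUN=0), pipe the output of gcloud projects get-iam-policy "$PROJECT" --flatten="bindings[].members" --filter="bindings.members:serviceAccount:$SA_EMAIL" --format="value(bindings.role)" into unexpected_roles. Empty output means the account holds nothing beyond the four intended roles.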


Task 4: Create and configure a new Kubernetes Engine private cluster

For the fourth task, we need to create a new Kubernetes Engine private cluster and use the service account we have configured.

The new cluster configuration must include the following:

Once the cluster is configured we must add the internal ip-address of the orca-jumphost compute instance to the master authorized network list.

Go to Google Cloud Platform -> Compute Engine -> VM Instances to see the jumphost IP.

gcloud container clusters create documentation:


Task 5: Deploy an application to a private Kubernetes Engine cluster.

You have a simple test application that can be deployed to any cluster to quickly test that basic container deployment functionality is working and that basic services can be created and accessed. You must configure the environment so that you can deploy this simple demo to the new cluster using the jumphost orca-jumphost.

In this fifth task, we need to deploy a simple demo application using the orca-jumphost jumphost.

Get information for the running cluster


This deploys an application that listens on port 8080 that can be exposed using a basic load balancer service for testing.
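Tasks 4 and 5 as one script, added here as an example (not the lab's or the author's own commands): it builds the master authorized networks entry from the jumphost's internal address, refuses any address that is not internal, then creates the cluster, fetches credentials with --internal-ip and deploys the test application. The cluster name, zone, network, subnet, control-plane range, the use of --enable-private-endpoint, the sample image, and the deployment and service names are all assumptions.

```shell
#!/usr/bin/env bash
# Tasks 4-5. ASSUMED placeholders: cluster, zone, network, subnet, control-plane
# range, sample image, deployment and service names. Set them for your lab.
CLUSTER="${CLUSTER:-orca-cluster-placeholder}"
ZONE="${ZONE:-zone-placeholder}"
NETWORK="${NETWORK:-vpc-placeholder}"
SUBNET="${SUBNET:-subnet-placeholder}"
MASTER_CIDR="${MASTER_CIDR:-172.16.0.64/28}"
IMAGE="${IMAGE:-gcr.io/google-samples/hello-app:1.0}"   # listens on 8080
SA_EMAIL="orca-private-cluster-sa@${PROJECT:-your-project-id}.iam.gserviceaccount.com"

# DRY_RUN=1 (the default) prints each command instead of executing it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Turn the jumphost address into a /32 entry. Anything that is not an RFC 1918
# IPv4 address is refused, so an external address never enters the list.
authorized_cidr() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ -n "$o" ] && [ "$o" -le 255 ] || return 1; done
  case "$1.$2" in
    10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) ;;
    *) return 1 ;;
  esac
  echo "$1.$2.$3.$4/32"
}

# $1 = internal IP of orca-jumphost, e.g. from:
#   gcloud compute instances describe orca-jumphost --zone "$ZONE" \
#     --format='get(networkInterfaces[0].networkIP)'
deploy() {
  cidr="$(authorized_cidr "$1")" || { echo "not an internal IPv4: $1" >&2; return 1; }
  run gcloud container clusters create "$CLUSTER" --zone "$ZONE" \
    --network "$NETWORK" --subnetwork "$SUBNET" --service-account "$SA_EMAIL" \
    --enable-ip-alias --enable-private-nodes --enable-private-endpoint \
    --master-ipv4-cidr "$MASTER_CIDR" \
    --enable-master-authorized-networks --master-authorized-networks "$cidr"
  # On orca-jumphost: --internal-ip makes kubectl use the private endpoint.
  run gcloud container clusters get-credentials "$CLUSTER" --zone "$ZONE" --internal-ip
  run kubectl create deployment hello-server --image="$IMAGE"
  run kubectl expose deployment hello-server --name orca-hello-service \
    --type LoadBalancer --port 80 --target-port 8080
}
```

With the placeholders set, call deploy with the jumphost's internal IP and review the printed commands before repeating the call with DRY_RUN=0.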


System Engineer