# GCP projects

{% hint style="danger" %}
Cloud account usage can lead to abuse without the appropriate security policies in place. Always be sure to implement the appropriate policies and restrictions before exposing tracks with cloud accounts to the public.
{% endhint %}

{% hint style="warning" %}
Costs associated with cloud accounts are in addition to your standard Instruqt billing. Therefore, you should take extra precautions when allowing users to access tracks that have cloud accounts.&#x20;
{% endhint %}

This guide explains how to access a **Google Cloud Platform (GCP)** project from Instruqt.

> A GCP project is a set of configuration settings that define how your app interacts with Google services and what resources it uses.
>
> — [Google Cloud Platform project documentation](https://developers.google.com/workspace/marketplace/create-gcp-project)

## Before you begin

You must have already created a track or sandbox preset to which you can add access to a GCP project.

## Access GCP projects

It is best to add the Instruqt [Cloud Client](https://docs.instruqt.com/sandboxes/cloud-accounts/cloud-client) container to your sandbox to give a learner access to a GCP project. Because the Instruqt Cloud Client container:

* Exposes links to GCP Cloud Consoles for the resources configured in the `config.yml` file, with the credentials required to log in.
* Includes the `gcloud` CLI, pre-configured with the required credentials.

The GCP Cloud Console and the `gcloud` CLI make it easy for content developers and learners to access Google Cloud resources from the sandbox.

It takes the following steps to give learners access to a GCP project:

1. Add an Instruqt [Cloud Client](https://docs.instruqt.com/sandboxes/cloud-accounts/cloud-client) container to your sandbox
2. Add a GCP project to your sandbox.
3. Add tabs to your challenges where you want to expose the GCP console or `gcloud` CLI.

Additionally, you can use:

* A set of environment variables that are available in the `gcloud` CLI.
* Google Cloud APIs that you set through IAM permissions.

### Step 1: Add an Instruqt Cloud Client container to your sandbox

More information can be found in the [cloud client](https://docs.instruqt.com/sandboxes/cloud-accounts/cloud-client) section.

### Step 2: Review the security best practices

{% hint style="danger" %}
Make sure to configure the permissions for the GCP project to control unauthorized behavior within the environment. You can find more information on how to do this in [GCP IAM Permissions](https://docs.instruqt.com/sandboxes/cloud-accounts/gcp-projects/gcp-iam-permissions).
{% endhint %}

{% hint style="warning" %}
You have control over which **services** and **regions** learners can access. We highly recommend you only provide access to what is strictly needed to complete the track. See [Securing your cloud accounts](https://docs.instruqt.com/sandboxes/cloud-accounts/securing-your-cloud-accounts) for more detail.&#x20;

Only enabled **services** and **regions** configured by the team administrator at a global level can be selected and/or specified. See more details in [Global Sandbox Settings Cloud Services and Regions](https://docs.instruqt.com/sandboxes/manage/cloud-services-and-regions)
{% endhint %}

### Step 3: Add a GCP project to your sandbox

{% tabs %}
{% tab title="🌐 Web UI" %}

1. Click **+ Add a cloud account** on the *Sandbox* page.\
   ↳ The *Add cloud account* pop-up opens.
2. Select the **Google** provider.
3. In the **Name** field, enter `example-project`.
4. In the **Services** field, select the services that are going to be enabled.
5. In the **Regions** field, select the regions that are going to be enabled.
6. In the **User Roles** field, enter the desired roles for the end user.
7. In the **Admin Roles** field, enter the desired roles for the admin user.
8. Click **Save** to add the GCP project.
9. Click **Back to track** to return to the *Track dashboard* page.
   {% endtab %}

{% tab title="💻 Instruqt CLI" %}

1. Copy and paste the following code into `config.yml`:

   ```yaml
   gcp_projects:
   - name: gcpproject
     services: []
     regions: []
     roles: []
   ```

   ↳ Your `config.yml` file should be similar to this now:

   ```yaml
   version: "3"
   containers:
   - name: cloud-client
     image: gcr.io/instruqt/cloud-client
     ports: [80]
     shell: /bin/bash
     memory: 256
   gcp_projects:
   - name: gcpproject
     services: []
     regions: []
     roles: []  
   ```

{% endtab %}
{% endtabs %}

### Step 4: Add tabs to expose the GCP console and `gcloud` CLI

{% tabs %}
{% tab title="🌐 Web UI" %}

1. In the **Challenges** section, click **Add new**, and select **Assignment** from the dropdown.
2. On the new challenge page, input these values:

   <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Name</strong></td><td><code>GCP project</code></td></tr><tr><td><strong>URL</strong></td><td><code>gcp-project</code></td></tr><tr><td><strong>Description</strong></td><td><code>Learn to work with a GCP project</code></td></tr></tbody></table>
3. Click **Save**.
4. Click **Tabs** followed by **Add new tab**.
5. Select the **Your applications** tab type.
6. Input these values to set the GCP console:

   <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Tab name</strong></td><td><code>CGP project console</code></td></tr><tr><td><strong>Select your host</strong></td><td><code>cloud-client</code></td></tr><tr><td><strong>Path</strong></td><td><code>/</code></td></tr><tr><td><strong>Port</strong></td><td><code>80</code></td></tr></tbody></table>
7. Click **Save** to add the tab.
8. Click **Add new tab** again.
9. Select the **Terminal** tab type.
10. Input these values to set the `gcloud` CLI:

    <table><thead><tr><th width="150">Field</th><th>Value</th></tr></thead><tbody><tr><td><strong>Tab name</strong></td><td><code>gcloud CLI</code></td></tr><tr><td><strong>Host</strong></td><td><code>cloud-client</code></td></tr></tbody></table>
11. Click **Save** to add the tab.
12. Click **Back to track**.
13. Click **Play track** and test your GCP project track.
    {% endtab %}

{% tab title="💻 Instruqt CLI" %}

1. Open a terminal and change to your track directory.
2. Enter the following command to create a new challenge:

   ```md
   instruqt challenge create --title "GCPproject"
   ```
3. Open the `assignment.md` file in your code editor.
4. Copy and paste the following code into `assignment.md` to set the GCP console and `gcloud` CLI:

   ```md
   ---
   slug: gcp-challenge
   type: challenge
   title: GCP project
   teaser: Learn to work with a GCP project
   tabs:
   - title: GCP Console
     type: service
     hostname: cloud-client
     path: /
     port: 80
   - title: gcloud CLI
     type: terminal
     hostname: cloud-client
   difficulty: basic
   timelimit: 600
   ---

   Example assignment!
   ```
5. Save file `assignment.md`.
6. Push the track to the Instruqt platform:

   ```xml
   instruqt track push
   ```
7. Play and test the track:

   ```xml
   instruqt track open
   ```

   ↳ Your browser opens, showing the Track overview page, select **Play**.&#x20;
   {% endtab %}
   {% endtabs %}

{% hint style="success" %}
Nice job! Your learners can now access GCP projects. But there is more. You can also give them access to:

* [AWS accounts](https://docs.instruqt.com/sandboxes/cloud-accounts/aws-accounts)
* [Azure subscriptions](https://docs.instruqt.com/sandboxes/cloud-accounts/azure-subscriptions)
  {% endhint %}