GCP projects
Give learners access to GCP projects.
This guide explains how to access a Google Cloud Platform (GCP) project from Instruqt.
A GCP project is a set of configuration settings that define how your app interacts with Google services and what resources it uses.
Before you begin
You must have already created a track or sandbox preset to which you can add access to a GCP project.
Access GCP projects
The best way to give a learner access to a GCP project is to add the Instruqt Cloud Client container to your sandbox, because this container:
- Exposes links to GCP Cloud Consoles for the resources configured in the config.yml file, with the credentials required to log in.
- Includes the gcloud CLI, pre-configured with the required credentials.
The GCP Cloud Console and the gcloud CLI make it easy for content developers and learners to access Google Cloud resources from the sandbox.
Giving learners access to a GCP project takes the following steps:
1. Add an Instruqt Cloud Client container to your sandbox.
2. Add a GCP project to your sandbox.
3. Add tabs to your challenges where you want to expose the GCP console or gcloud CLI.
Additionally, you can use:
- A set of environment variables that are available in the gcloud CLI.
- Google Cloud APIs that you set through IAM permissions.
Step 1: Add an Instruqt Cloud Client container to your sandbox
1. Click the track you want to add a GCP project to. ↳ Instruqt shows the corresponding Track dashboard page.
2. In the Sandbox section, click Edit.
3. Click + Add a host. ↳ The Add host pop-up opens.
4. Pick the Container host type.
5. Enter/select these values:
   Hostname: cloud-client
   Image type: Choose your own
   Container image: gcr.io/instruqt/cloud-client
6. Click Show optional settings. Enter these values:
   Ports: 80
   Shell: /bin/bash
7. Click Save host to add the container.
Step 2: Add a GCP project to your sandbox
1. Click + Add a cloud account on the Sandbox page. ↳ The Add cloud account pop-up opens.
2. Select the Google provider.
3. In the Name field, enter example-project.
4. In the Services field, select the services that are going to be enabled.
5. In the Regions field, select the regions that are going to be enabled.
6. In the User Roles field, enter the desired roles for the end user.
7. In the Admin Roles field, enter the desired roles for the admin user.
8. Click Save to add the GCP project.
9. Click Back to track to return to the Track dashboard page.
You have control over which services and regions learners can access. We highly recommend you only provide access to what is strictly needed to complete the track. See IAM permissions for more detail.
Only enabled services and regions configured by the team administrator can be selected and/or specified. See more details in Cloud services and regions.
When specifying Admin Roles, an additional admin user and a service account will be created with the designated roles.
For setting up the cloud account in lifecycle scripts, it is recommended to use an admin user with elevated privileges. This ensures the ability to perform operations requiring higher privileges than those assigned to the end user.
Note: Admin credentials are injected exclusively into lifecycle scripts, unlike end user credentials which are exposed as environment variables on virtual machines and containers.
Step 3: Add tabs to expose the GCP console and gcloud CLI
1. In the Challenges section, click Add new, and select Assignment from the dropdown.
2. On the new challenge page, input these values:
   Name: GCP project
   URL: gcp-project
   Description: Learn to work with a GCP project
3. Click Save.
4. Click Tabs followed by Add new tab.
5. Select the Your applications tab type.
6. Input these values to set the GCP console:
   Tab name: GCP project console
   Select your host: cloud-client
   Path: /
   Port: 80
7. Click Save to add the tab.
8. Click Add new tab again.
9. Select the Terminal tab type.
10. Input these values to set the gcloud CLI:
   Tab name: gcloud CLI
   Host: cloud-client
11. Click Save to add the tab.
12. Click Back to track.
13. Click Play track and test your GCP project track.
Environment variables
Adding a GCP project to your track also sets a list of environment variables that you can use in commands and scripts:
Environment variable: Description
INSTRUQT_GCP_PROJECTS: A comma-separated list of project names that can be used to fill ${NAME} in the variables below
INSTRUQT_GCP_PROJECT_${NAME}_PROJECT_NAME: This injects the project display name
INSTRUQT_GCP_PROJECT_${NAME}_PROJECT_ID: This injects the project ID
INSTRUQT_GCP_PROJECT_${NAME}_USER_EMAIL: This injects the email address of the end user that has access to the project
INSTRUQT_GCP_PROJECT_${NAME}_USER_PASSWORD: This injects the password of the end user
INSTRUQT_GCP_PROJECT_${NAME}_SERVICE_ACCOUNT_EMAIL: This injects the email address of the end user service account for this project
INSTRUQT_GCP_PROJECT_${NAME}_SERVICE_ACCOUNT_KEY: This injects the Base64 encoded key for the end user service account
INSTRUQT_GCP_PROJECT_${NAME}_ADMIN_USER_EMAIL: This injects the email address of the admin user (Admin credentials are only injected into lifecycle scripts)
INSTRUQT_GCP_PROJECT_${NAME}_ADMIN_USER_PASSWORD: This injects the password of the admin user (Admin credentials are only injected into lifecycle scripts)
INSTRUQT_GCP_PROJECT_${NAME}_ADMIN_SERVICE_ACCOUNT_EMAIL: This injects the email address of the admin service account (Admin credentials are only injected into lifecycle scripts)
INSTRUQT_GCP_PROJECT_${NAME}_ADMIN_SERVICE_ACCOUNT_EMAIL: This injects the Base64 encoded key for the admin service account (Admin credentials are only injected into lifecycle scripts)
Example
This example shows the ID of the GCP project from a terminal by using two environment variables. The value of the INSTRUQT_GCP_PROJECTS environment variable is inserted in the INSTRUQT_GCP_PROJECT_${NAME}_PROJECT_ID environment variable.
To follow along:
1. Start your GCP project track and start the first challenge.
2. Move over to the Cloud CLI terminal and enter the following command:
↳ The terminal shows the ID of your GCP project.
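Added example, not part of the Instruqt documentation: a shell helper that resolves the per-project variables listed in the table above without eval, and writes the decoded service account key to a file only its owner can read. The function names (gcp_var, gcp_project_ids, gcp_write_sa_key) are hypothetical, and the helper assumes ${NAME} is filled with each name exactly as it appears in INSTRUQT_GCP_PROJECTS.

```bash
#!/usr/bin/env bash
# Added example: helpers for the INSTRUQT_GCP_PROJECT_${NAME}_* variables.
# Function names are hypothetical; variable names come from the table above.

# Print one per-project variable. printenv takes the name as a plain string,
# so nothing from the environment is ever evaluated as shell code.
gcp_var() {  # usage: gcp_var <project-name> <suffix>
  printenv "INSTRUQT_GCP_PROJECT_${1}_${2}"
}

# Print "name project-id" for every project in INSTRUQT_GCP_PROJECTS.
# Fails if a listed project has no PROJECT_ID variable.
gcp_project_ids() {
  local name id
  local IFS=','
  for name in ${INSTRUQT_GCP_PROJECTS:-}; do
    id=$(gcp_var "$name" PROJECT_ID) || {
      echo "no project ID set for project '$name'" >&2
      return 1
    }
    printf '%s %s\n' "$name" "$id"
  done
}

# Decode the Base64 service account key into <dest-file> with mode 0600.
# The key is never echoed; an existing file is removed first so that it
# cannot keep a wider mode from an earlier run.
gcp_write_sa_key() {  # usage: gcp_write_sa_key <project-name> <dest-file>
  local key
  key=$(gcp_var "$1" SERVICE_ACCOUNT_KEY) || return 1
  (
    umask 077
    rm -f -- "$2"
    printf '%s' "$key" | base64 -d > "$2"
  )
}
```

The key file holds a live credential for the end user service account, so keep it out of shared directories and delete it when the step that needs it has finished.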
Setting IAM permissions
The services list allows you to specify which Google Cloud APIs should be accessible in the sandbox. See Google Cloud APIs for more information. The roles list allows you to specify which Google Cloud IAM roles should be granted to the project's service and user accounts. A full list of all the Google Cloud IAM roles can be found in Understanding Roles.
Only enable a service if it is required for your track to function. You can test this by removing the service and checking whether the track still works.
Examples
Add virtual machines (outside of the standard sandbox virtual machines)
You should add compute.googleapis.com to the services list and roles/compute.admin to the roles list if your track requires virtual machines outside of the standard sandbox virtual machines.
Add a Google Kubernetes Engine (GKE) cluster
If your track needs a GKE cluster, you will also want to add the Kubernetes Engine API container.googleapis.com to the services list and roles/container.admin to the roles list.
To set these services:
To add virtual machines to your GCP project, enter the following in the Services field:
And click Add.
Then enter the following in the Roles field:
And click Add.
To add a GKE cluster to your GCP project, enter the following in the Assigned Roles field:
And click Add.
Then enter the following in the Roles field:
And click Add.
Nice job! Your learners can now access GCP projects.