Using Google Group and Google Cloud IAM Effectively for Education

Google Cloud with no doubt a better cloud platform for well established businesses to startups but is also a next-gen productivity tools for educational institutions. G Suite for Education, Google Classroom offers for seamless collaboration, track performance with better administration. In this post, we will go through using Cloud IAM for access control of cloud resources for educators, students.

Let’s walk through few cases for the need of controlling and granting access of cloud resources:

1. Educators need to share resources(eg. Cloud storage bucket object) to students which should not be available publicly
2. Give access to browse/access cloud function for a group of students
3. Allow submitting research projects from specific research group to any google cloud platform and handle further processing
4. Granular control of cloud resources(by class, research group etc.)

The control can be achieved by two ways, one by using Cloud Identity or G Suite Domain and next using Google Groups.

G Suite Domain wide email alias is bit tedious to maintain and needs access to Google Admin Console and also have to update email manually on each group. Also, there might be case where educational institutions are using Microsoft Email service but are attached to google cloud platform for research and other cloud resources.

Google Groups and Google Cloud Platform(GCP) integration could be a good fit and easy to control. Now, access to cloud resources can be given to the members of Google Groups without going through cloud IAM and adding each user manually. Also, general gmail account users can have access to specific resources.

Let’s go through a scenario. I am an educator for a research group “Distributed Computing and Systems Research Group” and want to sharing a case study with the students in the group. My institution is not using G Suite service. We sometime use Google Group for communication but don’t have the research specific Group.

Time to create a new Google Group

Go to groups.google.com create group page for creating a new group and enter the details.

After going through few options and setting update, you will get a new group ready with @googlegroups.com email. For adding new member to the group, click on gear icon on top right corner and then go to Group Settings. On the left column, there’s Invite Members link which will land you to the invitation page. Any gmail and gsuite email addresses can be sent invitation to join the group. Multiple email addresses can be added at once separating with comma.

Create Bucket on Google Cloud Storage to share case study material

Go to Google Cloud Console and click on Storage -> Browse to land on Cloud Storage page. Create a new bucket with the name, region and location.

Save the details and add let’s say a pdf doc of the case study. You can upload local file clicking on Upload Files. I have this distributed-case-study.pdf file with no public access

For adding read only permission to all the members of the google group, click on Kebab Menu at the right side of the file link and add the Google Group email as reader & hit save.

Now, the members of the Google Group can access the file. We can share the link of form https://storage.cloud.google.com/distributed-system-cs/distributed-case-study.pdf.

Likewise, if we need to give access to create compute engine to the members, you can add the group email on Cloud IAM. For that, go to Cloud IAM and Admin section and add the group email with access to specific resource.

By this way, we can easily control access to google cloud platform resources with google group members without G Suite accounts.