# Prerequisites for executing the Jupyter Notebooks in this repository


## Background
All Jupyter Notebook files in this repository are intended to be executed in a Vertex AI Workbench Notebook.

In various chapters, we discuss the importance of the [least privilege](https://cloud.google.com/iam/docs/using-iam-securely#least_privilege) security principle, and we highlight specific [IAM roles](https://cloud.google.com/iam/docs/roles-overview) that need to be assigned for particular activities.

However, to simplify the testing process in the various examples provided in this repository, the examples assume you are running them in a Vertex AI Workbench Notebook Instance that has been assigned the Google Cloud [Compute Engine default service account](https://cloud.google.com/compute/docs/access/service-accounts#default_service_account) (the instructions in the book for setting up the Vertex AI Workbench Notebook Instance include the steps to do this).

The prerequisite steps here ensure that the Compute Engine default service account is assigned the relevant roles to perform all activities in the example notebooks in this repository.

## Tools

### gcloud CLI
Google Cloud provides a tool named gcloud, which enables us to interact with Google Cloud services by executing text-based commands. This is particularly useful if we wish to automate sequences of Google Cloud service API actions by composing scripts that run multiple commands in order.

### Google Cloud Shell
The Google Cloud Shell is a convenient way to use the gcloud CLI. It’s a tool that provides a Linux-based environment in which you can issue commands towards Google Cloud service APIs.

## Step 1: Open the Google Cloud Shell

You can open the Cloud Shell by clicking on the Cloud Shell symbol in the top right corner of the Google Cloud console screen, as shown in the following image:

![cloud-shell-icon](images/cloud-shell.png)

## Step 2: Assign required roles to the Compute Engine default service account

In this section, we will also clone our GitHub repository to your Google Cloud Shell environment. To do this, copy and paste the following commands into the Cloud Shell (**Note:** just click "Authorize" when prompted by the Cloud Shell):

```bash
# Get the project number of the current project:
export PROJECT_NUMBER="$(gcloud projects describe "$DEVSHELL_PROJECT_ID" --format='value(projectNumber)')"

# Add the required roles to the Compute Engine default service account:
for role in "roles/editor" "roles/bigquery.admin"; do
  gcloud projects add-iam-policy-binding "$DEVSHELL_PROJECT_ID" \
    --member="serviceAccount:$PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
    --role="$role"
done
```

## Step 3: Verify

Run the following command to view the role assignments for the Compute Engine default service account:

```bash
gcloud projects get-iam-policy "$DEVSHELL_PROJECT_ID" \
  --flatten="bindings[].members" \
  --format="table(bindings.role,bindings.members)" \
  --filter="bindings.members:$PROJECT_NUMBER-compute@developer.gserviceaccount.com"
```

The output should look similar to the following (the order of the entries can vary and is not important; just verify that each role is present):

```
ROLE: roles/bigquery.admin
MEMBERS: serviceAccount:YOUR-PROJECT-ID-compute@developer.gserviceaccount.com

ROLE: roles/editor
MEMBERS: serviceAccount:YOUR-PROJECT-ID-compute@developer.gserviceaccount.com
```
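As an added check that is not part of the original repository, the following script confirms that both roles granted in Step 2 are bound to the service account and also lists any roles bound to it beyond that set, which is worth reviewing in light of the least-privilege point made above. It runs offline against a constructed copy of the Step 3 output; the project number 123456789012 and the `roles/viewer` binding in the sample are placeholders.

```bash
# Added example: check Step 3's output for the required roles and flag surplus
# ones. Policy text comes from a variable so this runs offline; in a real run,
# capture the Step 3 gcloud command's output into POLICY instead.

# Roles that Step 2 grants to the Compute Engine default service account.
REQUIRED_ROLES="roles/editor roles/bigquery.admin"
# Placeholder project number; the real one is $PROJECT_NUMBER from Step 2.
MEMBER="123456789012-compute@developer.gserviceaccount.com"

# Constructed sample of what the Step 3 command prints (one binding per row);
# roles/viewer is included to demonstrate surplus-role detection.
POLICY="ROLE                  MEMBERS
roles/editor          serviceAccount:$MEMBER
roles/bigquery.admin  serviceAccount:$MEMBER
roles/viewer          serviceAccount:$MEMBER"

# missing_roles POLICY_TEXT MEMBER ROLE...
# Prints each ROLE not bound to MEMBER; returns 1 if any is missing, else 0.
missing_roles() {
  local policy="$1" member="$2" role status=0
  shift 2
  for role in "$@"; do
    if ! printf '%s\n' "$policy" | awk -v r="$role" -v m="$member" \
        '$1 == r && $2 == ("serviceAccount:" m) { found = 1 } END { exit !found }'; then
      printf '%s\n' "$role"
      status=1
    fi
  done
  return "$status"
}

# extra_roles POLICY_TEXT MEMBER ROLE...
# Prints roles bound to MEMBER that are not in ROLE... (least-privilege review aid).
extra_roles() {
  local policy="$1" member="$2"
  shift 2
  printf '%s\n' "$policy" | awk -v m="$member" -v req="$*" '
    BEGIN { n = split(req, a, " "); for (i = 1; i <= n; i++) required[a[i]] = 1 }
    NR > 1 && $2 == ("serviceAccount:" m) && !($1 in required) { print $1 }'
}

# Demonstration against the constructed sample (word-splitting REQUIRED_ROLES is intended).
if missing=$(missing_roles "$POLICY" "$MEMBER" $REQUIRED_ROLES); then
  echo "All required roles are bound to $MEMBER"
else
  printf 'Missing roles:\n%s\n' "$missing"
fi
echo "Roles beyond the required set:"
extra_roles "$POLICY" "$MEMBER" $REQUIRED_ROLES
```

To check a live project, replace the `POLICY` assignment with `POLICY="$(gcloud projects get-iam-policy ...)"` using the exact Step 3 command and set `MEMBER` from `$PROJECT_NUMBER`.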