Secrets are the ultimate thing to protect: passwords, API keys, private keys, root certificates,… There are several types of secrets, but all of them need to be kept safe and private. On Google Cloud, the Secret Manager service helps achieve this by keeping the secrets encrypted and protected by IAM.

IAM secret protection

Out of the box, Secret Manager offers a fine-grained policy to grant access to individual secrets, enforcing the least privilege principle. This way, only the accounts (user accounts or service accounts) that need access to certain secrets are allowed to reach them, but they can’t access the other…

The cloud has many benefits, and one of them is innovation speed, with the motto “Fail fast, iterate faster”. Indeed, cloud providers offer tons of services to test and experiment with easily, where the same would be expensive, or impossible, in an on-premise environment.

  • Create a cluster with Hadoop or Kubernetes
  • Use graphics accelerators for AI training
  • Deploy a global application,…

The cloud platforms are wonderful sandboxes where you can spend hours experimenting and trying things out. However, resources aren’t free!

Periodically, specialized websites report bad news about bad uses (or misuse) that led to huge bills.

I tried in Node (and I'm bad at Node) and I can propose this piece of working code:

const {WorkflowsClient, ExecutionsClient} = require('@google-cloud/workflows');

async function main() {
  // List the workflows deployed in the project/region
  const client = new WorkflowsClient();
  const [workflows] = await client.listWorkflows({
    parent: client.locationPath('<PROJECT_ID>', 'us-central1'),
  });
  for (const workflow of workflows) {
    console.log(`name: ${workflow.name}`);
  }

  // Start an execution of the "run-long-process" workflow, passing a JSON argument
  const execclient = new ExecutionsClient();
  const [resp] = await execclient.createExecution({
    parent: client.workflowPath('<PROJECT_ID>', 'us-central1', 'run-long-process'),
    execution: {
      argument: '{"wait":5}',
    },
  });
  console.log(`name: ${resp.name}`);
}

main().catch(console.error);

Cloud components are useful and powerful. However, each one is disconnected from the others, and when you want to deploy a full pipeline, you need to glue them together. You can achieve this with PubSub and Cloud Functions.
However, it quickly becomes a spaghetti design with a lot of topics and functions. Having a centralized place to see, manage and configure your pipeline workflow would be great!

Google Workflows

This is where Google Workflows comes in. It was announced in summer 2020 at Cloud Next on Air and has been generally available (GA) since January 2021. It’s a fully managed solution with a pay-as-you-use…

Security on Google Cloud is paramount, but it’s strangely an unpopular topic. Actually, security is often a boring topic! To fill the gap, I wrote articles about the 2 limits of IAM services and about workarounds and new use cases offered by the Service Account Credentials API. In both cases, my main concern was still the same: to prevent users from downloading service account key files, in order to improve security.

However, Gabe Weiss’s latest blog post on accessing the Drive API uses service account key files. That’s why I reached out to him, and the discussion was very interesting.

Gabe’s use case

After a difficult year in 2020, companies are more focused on what they spend, and, because the cloud grows bigger every year inside companies, cloud billing is getting a lot of attention.
For every company, the ideal model is to pay only for what they use, and not more. Serverless products perfectly fit this expectation.

However, some services can’t adopt this model, especially for technical reasons. Relational databases, for example, are appreciated for their low latency, achieved thanks to at least 2 factors:

  • Instances are always running to avoid cold start
  • Indexes are kept in memory, and…

Routing and load balancing are the pillars of the Internet and its scalability. On Google Cloud, these aspects are great thanks to a global network and anycast IPs deployed on global HTTPS load balancers.
Like the other cloud services, the serverless compute products (App Engine, Cloud Functions and Cloud Run) gained load balancing capability a few months ago.

One of the most interesting load balancing features is the ability to route traffic from the load balancer to the deployed service closest to the user’s location, and thus to get the best latency wherever the users are.

Serverless NEG for serverless load balancing


Data is the new goldmine of every company, and this treasure must be kept secure and protected. That’s why, for many years, a common good practice of any database administrator has been to remove all public access to the database, especially the public IP, and to grant access only from the private IP.
This “golden” rule is enforced by all security teams, and they require the same pattern for any cloud deployment.

Cloud SQL, the managed database service on Google Cloud, allows you to:

The serverless paradigm, in its ultimate design, lets you pay only when you use the service. With Cloud Run, you pay only while a request is being processed. The rest of the time, you pay nothing. It’s the same with other services such as Cloud Functions and App Engine (standard), or, on other clouds, Azure Functions and AWS Lambda.

To make this possible and sustainable, cloud providers need to save resources when the service is idle, and thus stop the idle instances and scale down to 0. From 0, when a new request comes in, your app…

Container packaging is very popular today: it allows full customization of the execution environment and is language agnostic. More and more applications use it.
So now, to validate the production environment’s behavior, developers need to test the containers themselves, not only the workload with unit tests.

In some cases, the containerized app may need to access Google Cloud APIs and thus to be authenticated. When deployed on Google Cloud services, the metadata server is reachable and provides the Application Default Credentials (ADC).

How to get authenticated locally with ADC for testing?

By definition, the container runs in an isolated…

guillaume blaquiere

GDE Google Cloud Platform, scrum master, speaker, writer and polyglot developer, Google Cloud platform 3x certified, serverless addict and Go fan.
