Odyssey Platform # 09

Another exciting week in the Platform Engineering ecosystem!

Editor's Note
Welcome to another edition of Odyssey Platform Weekly! This week, we’re diving into fresh insights, key events, and powerful stories shaping the future of platform engineering.

🗞️ In this newsletter

🗓️ Events

🔦 Tool Spotlight

  • Grafana is the open source standard for visualising observability data, letting teams build rich, interactive dashboards for metrics, logs and traces. With powerful query support and wide integration (Prometheus, Loki, Tempo, and more), Grafana turns your telemetry into actionable insights in real time.

🔍️ Deep Dive

  • Google Cloud's Identity and Access Management (IAM) layers permissions over your organization's own structure, so teams manage access across organizations, folders, projects, and resources through standard and custom roles bound to members such as service accounts. This week's deep dive walks through the three pieces that make it work, Hierarchy, Roles, and Bindings, and how they fit together to keep identity management simple without giving up enterprise-grade security.

🎯 Stay Inspired - Case Studies

👀 In Case You Missed It

  • Latest news & events in the platform engineering domain

📆 Upcoming Events

Jul 24, 2025 – Virtual
Dive into modern identity management and access control for AI and cloud-native apps. Learn from Ory, CockroachDB, and OpenAI how to build secure, scalable systems without slowing down innovation. 🔥
👉 Register here

🔦 Tool Spotlight

  • ✅ Scalable orchestration — manage hundreds of parallel tasks using DAG or step-based workflows via Kubernetes CRDs.

  • ✅ Rich artifact and parameter support — handle inputs/outputs through S3, Git, Azure, GCS; use loops, retries, conditionals, and timeouts for robust control.

  • ✅ Built-in UI & CLI — visualize workflow execution, debug, and manage via a web UI or CLI.

  • ✅ ML/Data pipelines & CI/CD — ideal for model training, data batch tasks, and Kubernetes-native CI/CD workflows.

Why It Matters:
Grafana gives teams a single pane of glass across all observability signals, helping them move from “what happened” to “why it happened” in seconds without switching tools or dashboards.

🚀 Deep Dive: GCP Roles and Bindings

GCP IAM

🎭 Act 1: The Foundation - Understanding IAM Hierarchy

Google Cloud's IAM follows a clear hierarchy that mirrors your organizational structure. Think of it as a corporate building with different floors! 🏢

The hierarchy flows: Organization → Folder → Project → Resource

gcloud organizations list
gcloud resource-manager folders list --organization=123456789
gcloud projects list --folder=987654321

What just happened?

  • Listed your organization (the building owner)

  • Explored folders (different floors/departments)

  • Viewed projects (individual offices)

  • Each level can have its own access controls that inherit downward

This is like getting a master key that opens doors at every level below! 🔑

🎪 Act 2: The Rulebook - Standard vs Custom Roles

Here's where GCP shows its flexibility. You have two types of roles - pre-built and custom-tailored:

Standard Roles (Ready-to-Use):

# Grant compute admin access to a service account (PROJECT_ID is a placeholder)
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:my-app-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.admin"

Custom Roles (Tailored Permissions):

# Create a custom role with specific permissions
gcloud iam roles create customStorageRole \
  --project=PROJECT_ID \
  --title="Custom Storage Role" \
  --description="Read-only access to specific buckets" \
  --permissions="storage.objects.get,storage.objects.list"

🎯 Role Anatomy:

  • Standard (predefined): Google's pre-defined roles (roles/compute.admin, roles/storage.viewer)

  • Custom: Your tailored permissions (project-level custom roles are named projects/PROJECT_ID/roles/ROLE_ID; organization-level ones organizations/ORG_ID/roles/ROLE_ID)

  • Primitive (now called basic roles): Legacy broad roles (roles/owner, roles/editor, roles/viewer) that grant thousands of permissions across every service - avoid these!

👮‍♂️ Permission Principle: Standard roles are like job titles with preset responsibilities, while custom roles are like creating your own job description with exactly the permissions you need!

🔄 Act 3: The Identity Bridge - Service Accounts

Service accounts are your applications' digital identities in GCP:

# Create a service account
gcloud iam service-accounts create my-app-sa \
  --display-name="My Application Service Account"

# Generate and download a key (a long-lived credential: rotate it, and prefer
# workload identity where you can, see Act 5)
gcloud iam service-accounts keys create key.json \
  --iam-account=my-app-sa@PROJECT_ID.iam.gserviceaccount.com

Service accounts are like employee ID badges that your applications wear to prove who they are! 🆔

🎁 Act 4: The Binding Magic - Policy Members

Now comes the elegant part - binding identities to roles at different levels:

Organization Level:

gcloud organizations add-iam-policy-binding ORG_ID \
  --member="serviceAccount:my-app-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/resourcemanager.organizationViewer"

Folder Level:

gcloud resource-manager folders add-iam-policy-binding FOLDER_ID \
  --member="serviceAccount:my-app-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/resourcemanager.folderViewer"

Project Level:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:my-app-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

🔗 Binding Hierarchy Magic:

  • Organization binding: Access across all folders and projects

  • Folder binding: Access to all projects within that folder

  • Project binding: Access only within that specific project

  • Inheritance: Permissions flow downward automatically

This is like giving someone a master key (organization), floor key (folder), or room key (project) - each grants access to everything below! 🗝️

🏁 Act 5: The Security Best Practices

Finally, let's implement the principle of least privilege:

# Check current bindings (add --format=json for machine-readable output)
gcloud projects get-iam-policy PROJECT_ID

# Remove unnecessary permissions (here a basic role that is far broader than the app needs)
gcloud projects remove-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:my-app-sa@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"

Golden Rules:

  • Use custom roles for precise permissions

  • Bind at the lowest necessary level

  • Regularly audit with gcloud projects get-iam-policy

  • Rotate service account keys regularly

  • Use Workload Identity in GKE where possible, instead of downloaded service account keys

Behind the scenes, every policy change leaves an immutable audit trail in Cloud Audit Logs, and permissions are evaluated at request time across the entire hierarchy!
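The hierarchy walk from Act 1, the binding levels from Act 4 and the least-privilege audit from Act 5, as an added Python example (not from the newsletter or from Google's tooling): it resolves a member's effective roles on a project by walking up to its folder and organization, then flags primitive-role bindings for removal. The organization/folder/project IDs, service-account emails and bindings are constructed sample data in the shape of `gcloud ... get-iam-policy --format=json` output.

```python
# Added example (not from the newsletter or Google): resolve which roles a member
# effectively holds on a resource by walking the Organization > Folder > Project
# hierarchy, then flag primitive-role bindings that Act 5 says to remove.
# All IDs, members and bindings below are constructed sample data.
PARENT = {  # each resource -> its parent; the organization has none
    "organizations/123456789": None,
    "folders/987654321": "organizations/123456789",
    "projects/my-project": "folders/987654321",
}
AUDIT_SA = "serviceAccount:audit-sa@my-project.iam.gserviceaccount.com"
APP_SA = "serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com"
# "bindings" lists as `gcloud ... get-iam-policy --format=json` prints them, per resource
POLICIES = {
    "organizations/123456789": [
        {"role": "roles/resourcemanager.organizationViewer", "members": [AUDIT_SA]}],
    "folders/987654321": [
        {"role": "roles/resourcemanager.folderViewer", "members": [AUDIT_SA]}],
    "projects/my-project": [
        {"role": "roles/storage.objectViewer", "members": [APP_SA]},
        {"role": "roles/editor", "members": [APP_SA, "user:alice@example.com"]}],
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def ancestry(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]

def effective_roles(resource, member):
    """Roles `member` holds on `resource`, including ones inherited from above.
    Returns {role: level_where_bound}; the nearest level wins if bound twice."""
    roles = {}
    for level in ancestry(resource):
        for b in POLICIES.get(level, []):
            if member in b["members"]:
                roles.setdefault(b["role"], level)
    return roles

def audit(resource):
    """Least-privilege findings for `resource`: every primitive-role binding
    at or above it, as (level, member, role) tuples."""
    findings = []
    for level in ancestry(resource):
        for b in POLICIES.get(level, []):
            if b["role"] in PRIMITIVE_ROLES:
                for m in b["members"]:
                    findings.append((level, m, b["role"]))
    return findings
```

Each finding maps directly onto the remove-iam-policy-binding command in Act 5; on a real project, replace POLICIES with the bindings list from get-iam-policy --format=json.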

🎯 Stay Inspired - Case Studies

🔹 Platform Engineering & CI/CD Modernization 🚀

Who: Netflix, the global streaming leader, now expanding deeper into live content

What They Did:
Built a scalable, resilient platform to support live programming at Netflix, starting with events like Chris Rock: Selective Outrage. The initiative focused on:

  • Designing a global, low-latency architecture for live streaming

  • Ensuring end-to-end reliability from signal acquisition to playback

  • Integrating real-time monitoring and alerting to detect issues instantly

  • Enabling dynamic redundancy and failover mechanisms across regions

Tech Stack & Tools Used:
Amazon IVS, AWS Elemental MediaLive, Kafka, Flink, Spinnaker, custom telemetry pipelines, and Netflix’s in-house tools like Lumen and Timestream

Why It Matters

✅ Global scale, live: Netflix can now deliver smooth, high-quality live experiences to millions of viewers worldwide.
✅ Real-time observability: Deep monitoring across the stack ensures rapid incident detection and resolution.
✅ Resilience by design: Redundant workflows and failover strategies ensure live streams stay on air, no matter what.

👀 In Case You Missed It…

What’s Happening With Entry-Level Development Jobs? The market for junior developer roles is tightening, with fewer listings and rising skill expectations. Companies now prioritise hands-on experience, making internships, open source work, and personal projects essential for breaking in.

AWS Previews AI IDE to Accelerate Software Development
Amazon unveils a new AI-driven integrated development environment designed to boost productivity with code suggestions, auto-completions, and deeper integration across AWS services.

OpenAI’s $3B Windsurf deal falls through as Google steps in
The planned acquisition fell apart, with Google stepping in to hire Windsurf executives and secure licensing rights, intensifying competition in the AI infrastructure space.

Till next time,