Ensure that the SBC instances and the HFE instance run under the same service account. This account requires only minimal permissions to read information from the Google APIs.
Ribbon recommends that the Service Account used by the instances contains only the permissions described below.
Set up a Service Account for SBC and HFE Nodes
This section describes setting up permissions for the service account used for running the SBC and HFE nodes.
1. Create the Role:
   - Go to IAM & admin > Roles.
   - Click CREATE ROLE.
   - Add a Title and ID.
   - Add the following permissions:
     - compute.instances.get
     - compute.instances.list
     - storage.objects.get
     - storage.objects.list
   - Click CREATE.
2. Create the Service Account:
   - Go to IAM & admin > Service accounts.
   - Click CREATE SERVICE ACCOUNT.
   - Enter a Service account name. Optionally, fill in the description.
   - Click CREATE.
   - On the next screen, assign the role created in step 1.
   - Click CONTINUE.
   - Click DONE.
Account Permissions for Terraform
Refer to the following section for the permissions needed to run Terraform and spin up instances in GCP.
Service Account for Terraform
This section lists the permissions that you must attach to the Service Account used for running the Terraform modules. Ribbon tests these permissions with "terraform apply" and "terraform destroy".
Minimum Permissions
The permissions listed below are the minimum needed for the Role attached to the service account used to run Terraform:
- compute.addresses.create
- compute.addresses.createInternal
- compute.addresses.delete
- compute.addresses.deleteInternal
- compute.addresses.get
- compute.addresses.use
- compute.addresses.useInternal
- compute.disks.create
- compute.disks.get
- compute.disks.resize
- compute.disks.use
- compute.diskTypes.get
- compute.firewalls.create
- compute.firewalls.delete
- compute.firewalls.get
- compute.firewalls.update
- compute.images.get
- compute.images.useReadOnly
- compute.images.getFromFamily
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.setMetadata
- compute.instances.setServiceAccount
- compute.instances.setTags
- compute.instances.setMachineResources
- compute.instances.setMachineType
- compute.instances.addAccessConfig
- compute.machineTypes.get
- compute.networks.create
- compute.networks.delete
- compute.networks.get
- compute.networks.use
- compute.networks.updatePolicy
- compute.networks.useExternalIp
- compute.routes.create
- compute.routes.delete
- compute.routes.get
- compute.subnetworks.create
- compute.subnetworks.delete
- compute.subnetworks.get
- compute.subnetworks.update
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.zones.get
- iam.serviceAccounts.actAs
- iam.serviceAccounts.get
You can also create the Role through other APIs instead of the Google Cloud console. For example, use the YAML file rbbnGcpTerraformRole.yaml (provided by Ribbon) with gcloud to create the role:
gcloud iam roles create {ROLE ID} --project {PROJECT ID} --file {FILE NAME}
After executing the above command, attach the role to a new service account.
For more information, refer to the Google documentation: https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role
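The following is an added example, not Ribbon's rbbnGcpTerraformRole.yaml or any Google tooling. It covers both procedures on this page: it renders the SBC/HFE node permission set and the Terraform minimum set into the YAML layout that "gcloud iam roles create --file" reads (title, description, stage, includedPermissions), builds the gcloud commands that create the role, create a service account and bind the two, and audits a role that already exists against the documented minimum so that over-privilege ("extra") and gaps that would break terraform apply ("missing") are both reported. The project ID example-project, the role IDs sbcHfeNodeRole and terraformRole, the service account names, the output file names and the sample "gcloud iam roles describe --format=json" output are all assumptions constructed for the example; substitute your own values.

```python
"""Render custom-role YAML for gcloud and audit a role against a documented
minimum permission set. Added example; not Ribbon's or Google's code."""
import json
import sys
from pathlib import Path

# Permissions for the role used by the SBC and HFE nodes (from this page).
SBC_HFE_NODE_PERMISSIONS = (
    "compute.instances.get",
    "compute.instances.list",
    "storage.objects.get",
    "storage.objects.list",
)

# Minimum permissions for the role used to run Terraform (from this page).
TERRAFORM_MIN_PERMISSIONS = tuple("""
compute.addresses.create compute.addresses.createInternal compute.addresses.delete
compute.addresses.deleteInternal compute.addresses.get compute.addresses.use
compute.addresses.useInternal compute.disks.create compute.disks.get
compute.disks.resize compute.disks.use compute.diskTypes.get
compute.firewalls.create compute.firewalls.delete compute.firewalls.get
compute.firewalls.update compute.images.get compute.images.useReadOnly
compute.images.getFromFamily compute.instances.create compute.instances.delete
compute.instances.get compute.instances.setMetadata
compute.instances.setServiceAccount compute.instances.setTags
compute.instances.setMachineResources compute.instances.setMachineType
compute.instances.addAccessConfig compute.machineTypes.get
compute.networks.create compute.networks.delete compute.networks.get
compute.networks.use compute.networks.updatePolicy compute.networks.useExternalIp
compute.routes.create compute.routes.delete compute.routes.get
compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get
compute.subnetworks.update compute.subnetworks.use
compute.subnetworks.useExternalIp compute.zones.get
iam.serviceAccounts.actAs iam.serviceAccounts.get
""".split())


def role_yaml(title, description, permissions, stage="GA"):
    """Render a role definition in the file layout gcloud iam roles create
    accepts. Permissions are de-duplicated and sorted so files diff cleanly."""
    lines = [f'title: "{title}"', f'description: "{description}"',
             f'stage: "{stage}"', "includedPermissions:"]
    lines.extend(f"- {perm}" for perm in sorted(set(permissions)))
    return "\n".join(lines) + "\n"


def audit_role(granted, required):
    """'missing' permissions will make the role fail at runtime;
    'extra' permissions mean the role grants more than the documented minimum."""
    granted, required = set(granted), set(required)
    return {"missing": sorted(required - granted), "extra": sorted(granted - required)}


def audit_describe_json(describe_json, required):
    """Audit the JSON from: gcloud iam roles describe ROLE --project P --format=json"""
    role = json.loads(describe_json)
    return audit_role(role.get("includedPermissions", []), required)


def gcloud_create_role_cmd(role_id, project, role_file):
    """argv for the create command shown on this page (built, not executed)."""
    return ["gcloud", "iam", "roles", "create", role_id,
            "--project", project, "--file", role_file]


def gcloud_bind_cmds(sa_name, project, role_id):
    """argv lists that create a service account and attach the custom role."""
    sa_email = f"{sa_name}@{project}.iam.gserviceaccount.com"
    return [
        ["gcloud", "iam", "service-accounts", "create", sa_name, "--project", project],
        ["gcloud", "projects", "add-iam-policy-binding", project,
         "--member", f"serviceAccount:{sa_email}",
         "--role", f"projects/{project}/roles/{role_id}"],
    ]


# Constructed sample of `gcloud iam roles describe --format=json` output for a
# node role that has drifted: one permission too many, one missing.
SAMPLE_DESCRIBE_JSON = json.dumps({
    "name": "projects/example-project/roles/sbcHfeNodeRole",
    "title": "SBC/HFE node role", "stage": "GA",
    "includedPermissions": ["compute.instances.get", "compute.instances.list",
                            "compute.instances.setMetadata", "storage.objects.get"],
})


def main(out_dir=".", project="example-project"):
    out = Path(out_dir)
    files = {"sbcHfeNodeRole": (out / "sbc-hfe-node-role.yaml", "SBC/HFE node role",
                                "sbc-hfe-nodes", SBC_HFE_NODE_PERMISSIONS),
             "terraformRole": (out / "terraform-role.yaml", "Terraform runner role",
                               "terraform-runner", TERRAFORM_MIN_PERMISSIONS)}
    for role_id, (path, title, sa_name, perms) in files.items():
        path.write_text(role_yaml(title, f"{title} (minimum permissions)", perms))
        for cmd in [gcloud_create_role_cmd(role_id, project, str(path)),
                    *gcloud_bind_cmds(sa_name, project, role_id)]:
            print(" ".join(cmd))  # review, then run these yourself
    print(json.dumps(audit_describe_json(SAMPLE_DESCRIBE_JSON,
                                         SBC_HFE_NODE_PERMISSIONS), indent=2))


if __name__ == "__main__":
    main(*sys.argv[1:])
```

Run it with an output directory and project ID; it writes the two role files, prints the gcloud commands for review rather than executing them, and prints the audit of the constructed sample, which reports compute.instances.setMetadata as extra and storage.objects.list as missing. To audit a real role, pipe the output of "gcloud iam roles describe" into audit_describe_json with the matching permission tuple; an empty "extra" list is the least-privilege check this page asks for.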
Default Roles
Instead of creating a new role, you can attach the following predefined roles to the service account:
- Compute Instance Admin (v1)
- Compute Network Admin
These roles grant sufficient permissions, but considerably more than the minimum set listed above; prefer the custom role where least privilege matters.
Create Buckets
Refer to Create a Bucket in Google Cloud Storage for HFE Script Upload.
Create Service Accounts
When creating the service accounts, ensure that you hold the Service Account Admin role.