Both SBC instances and the HFE instance must be run from the same service account. This account is granted minimal permissions and is used to access information from the Google servers.
Ribbon recommends that the service account used by the instances contain only the permissions outlined below, so the instances do not have more access than required.
This section details setting up permissions for the service account used for running the SBC and HFE nodes.
Click CREATE.
On the next screen set the role created in step 1.
Click CONTINUE.
Refer to the following section to run Terraform and spawn the instances in GCP.
This section outlines the permissions that must be attached to the service account used for running the Terraform modules. These have been tested for running terraform apply and terraform destroy.
These permissions are the minimum set needed in the role that is added to the service account used to run Terraform:
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.get
compute.disks.resize
compute.disks.use
compute.diskTypes.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.images.get
compute.images.useReadOnly
compute.images.getFromFamily
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.addAccessConfig
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.use
compute.networks.updatePolicy
compute.networks.useExternalIp
compute.routes.create
compute.routes.delete
compute.routes.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
The role can also be created through the API instead of the Google Cloud console: gcloud accepts a YAML role definition. Refer to Creating a custom role for details.
gcloud iam roles create {ROLE ID} --project {PROJECT ID} --file {FILE NAME}
This role can then be attached to a new service account.
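The following script is an added example, not Ribbon's own tooling. It generates the YAML role definition from the permission list above in the layout that gcloud iam roles create --file accepts, checks that the list contains no permission that would let the deployer escalate beyond the role, and only when APPLY=1 is set creates the role, the service account and the project-level binding. PROJECT_ID, ROLE_ID and SA_NAME are placeholders to replace with your own values.

```shell
#!/usr/bin/env bash
# Added example (not Ribbon's code): build and check the Terraform deployer role.
# PROJECT_ID, ROLE_ID and SA_NAME are hypothetical defaults; override via environment.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-sbc-project}"    # assumption: your GCP project ID
ROLE_ID="${ROLE_ID:-sbcTerraformDeployer}"     # assumption: any valid custom role ID
SA_NAME="${SA_NAME:-sbc-terraform}"            # assumption: SA that runs terraform

# The permission list from this page, one per line.
TERRAFORM_PERMISSIONS='compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.get
compute.disks.resize
compute.disks.use
compute.diskTypes.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.images.get
compute.images.useReadOnly
compute.images.getFromFamily
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.addAccessConfig
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.use
compute.networks.updatePolicy
compute.networks.useExternalIp
compute.routes.create
compute.routes.delete
compute.routes.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get'

# Substrings of permissions that would let the deployer grant itself more access
# (policy edits, key minting, role edits). None are on the page's list; the check
# below refuses any role file that picks one up by mistake.
ESCALATION_PATTERNS='setIamPolicy
serviceAccountKeys.create
iam.roles.update
iam.roles.create'

# Write the role definition in the layout "gcloud iam roles create --file" expects.
write_role_yaml() {
  local out="$1"
  {
    printf 'title: "SBC/HFE Terraform deployer"\n'
    printf 'description: "Minimum permissions for terraform apply/destroy of SBC and HFE"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    printf '%s\n' "$TERRAFORM_PERMISSIONS" | sed 's/^/- /'
  } > "$out"
}

# Number of permissions in a role YAML, for diffing against this page's list.
count_permissions() {
  grep -c '^- ' "$1"
}

# Exit 0 if no listed permission matches an escalation pattern, 1 otherwise.
check_no_escalation() {
  local yaml="$1" pat
  for pat in $ESCALATION_PATTERNS; do
    if grep -qF -- "$pat" "$yaml"; then
      echo "refusing role: contains escalation permission matching '$pat'" >&2
      return 1
    fi
  done
  return 0
}

# Create the role, the service account and the binding (real gcloud calls).
create_role_and_binding() {
  local yaml="$1"
  gcloud iam roles create "$ROLE_ID" --project "$PROJECT_ID" --file "$yaml"
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID" \
    --display-name "SBC/HFE Terraform deployer"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role "projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

ROLE_YAML="$(mktemp)"
write_role_yaml "$ROLE_YAML"
check_no_escalation "$ROLE_YAML"
echo "wrote $ROLE_YAML with $(count_permissions "$ROLE_YAML") permissions"
if [ "${APPLY:-0}" = "1" ]; then
  create_role_and_binding "$ROLE_YAML"
fi
```

Run it once without APPLY to inspect the generated YAML, then with APPLY=1 to create the objects. Note that iam.serviceAccounts.actAs is on the list because Terraform attaches the SBC/HFE runtime service account to the instances it creates; when the role is bound at project level, actAs applies to every service account in the project, so the deployer account should be kept out of projects that hold more privileged service accounts.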
Instead of creating a new role, the following predefined role attached to the service account will also allow creation:
Compute Instance Admin (v1)
This will grant more permissions than needed.
To create the Google Cloud Storage bucket, upload HFE_GCE.sh to it, and set the IAM permissions on the file, the user requires the Service Account Admin role.
To create the needed service accounts, you must have the Service Account Admin role.