Both SBC instances and the HFE instance must be run from the same service account. This account is granted minimal permissions and is used to read information from the Google APIs.


Ribbon recommends that the service account used by the instances contain only the permissions outlined below, so the instances do not have more access than required.

Setting up a Service Account for SBC and HFE Nodes

This section details setting up permissions for the service account used for running the SBC and HFE nodes.

  1. Create the Roles:
    1. Go to IAM & admin > Roles
    2. Click CREATE ROLE.
    3. Add Title and ID.
    4. Add these permissions:
      1. compute.instances.get
      2. compute.instances.list
      3. storage.objects.get
      4. storage.objects.list
    5. Click CREATE.

      (Screenshot: Create role)

  2. Create the Service Account:
    1. Go to IAM & admin > Service accounts
    2. Click CREATE SERVICE ACCOUNT.
    3. Enter the Service account name. Optionally fill in the description.
    4. Click CREATE.

      (Screenshot: Service account details)


    5. On the next screen, select the role created in step 1.

    6. Click CONTINUE.

      (Screenshot: Service account permissions)

    7. Click DONE.


Account Permissions for Terraform

Refer to the following section before running Terraform to spawn instances in GCP.

Service Account for Terraform

This section outlines the permissions that must be attached to the service account used for running the Terraform modules. These have been tested for running terraform apply and terraform destroy.

Specific

These are the minimum permissions needed in the role attached to the service account used to run Terraform:

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.get
compute.disks.resize
compute.disks.use
compute.diskTypes.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.images.get
compute.images.useReadOnly
compute.images.getFromFamily
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.addAccessConfig
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.use
compute.networks.updatePolicy
compute.networks.useExternalIp
compute.routes.create
compute.routes.delete
compute.routes.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get


The role can also be created without the Google Cloud console: gcloud accepts a YAML role definition file. Refer to Creating a custom role for details.

gcloud iam roles create {ROLE ID} --project {PROJECT ID} --file {FILE NAME}

This role can then be attached to a new service account.
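The following script is an added example and is not Ribbon's own tooling: it writes a role definition in the YAML format that gcloud iam roles create --file accepts, and checks a definition against a minimum permission set before it is bound to a service account, so the instance role (and, with the Terraform list, the Terraform role) can be created without the console. PROJECT_ID, the role ID sbcHfeInstance and the account name sbc-hfe-sa are placeholders.

```shell
#!/bin/sh
# Added example: generate the custom-role YAML that gcloud expects and verify
# that a role file contains nothing beyond the documented minimum permissions.

# Minimum permissions for the SBC/HFE instance service account (from this page).
SBC_HFE_INSTANCE_PERMS="compute.instances.get compute.instances.list storage.objects.get storage.objects.list"

# write_role_yaml FILE TITLE PERM...
# Writes a role definition in the format accepted by `gcloud iam roles create --file`.
write_role_yaml() {
    file=$1; title=$2; shift 2
    {
        printf 'title: "%s"\n' "$title"
        printf 'description: "Least-privilege role for Ribbon SBC/HFE instances"\n'
        printf 'stage: "GA"\n'
        printf 'includedPermissions:\n'
        for p in "$@"; do printf '  - %s\n' "$p"; done
    } > "$file"
}

# role_is_minimal FILE ALLOWED_PERMS
# Returns 0 if every includedPermission in FILE is in ALLOWED_PERMS, otherwise
# prints each extra permission to stderr and returns 1. Run this before
# creating the role so an over-broad definition never reaches IAM.
role_is_minimal() {
    file=$1; allowed=" $2 "; status=0
    for p in $(sed -n 's/^ *- *//p' "$file"); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "extra permission: $p" >&2; status=1 ;;
        esac
    done
    return $status
}

# Usage with placeholder IDs (the gcloud calls are shown, not executed here):
# write_role_yaml sbc_hfe_role.yaml "SBC HFE Instance" $SBC_HFE_INSTANCE_PERMS
# role_is_minimal sbc_hfe_role.yaml "$SBC_HFE_INSTANCE_PERMS" && \
#   gcloud iam roles create sbcHfeInstance --project PROJECT_ID --file sbc_hfe_role.yaml
# gcloud iam service-accounts create sbc-hfe-sa --project PROJECT_ID
# gcloud projects add-iam-policy-binding PROJECT_ID \
#   --member serviceAccount:sbc-hfe-sa@PROJECT_ID.iam.gserviceaccount.com \
#   --role projects/PROJECT_ID/roles/sbcHfeInstance
```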

Default Roles

Instead of creating a custom role, attaching the following predefined roles to the service account will also allow Terraform to create the resources:

  • Service Account User

  • Compute Instance Admin (v1)

  • Compute Network Admin

This will grant more permissions than needed.

Creating Buckets

To create the Google Storage bucket, upload HFE_GCE.sh, and set the IAM permissions on the file, a user requires the Service Account Admin role.

Creating Service Accounts

To create the needed service accounts, you must have the Service Account Admin role.