Ensure that the SBC instances and the HFE instance belong to the same service account. This account needs only minimal permissions to read information from the Google APIs.

Note

Ribbon recommends that the Service Account used by the instances contains only the permissions described below.

Set up a Service Account for SBC and HFE Nodes

This section describes setting up permissions for the service account used for running the SBC and HFE nodes.

  1. Create the Roles:
    1. Go to IAM & admin > Roles.
    2. Click CREATE ROLE.
    3. Enter a Title and ID.
    4. Add the following permissions:
      1. compute.instances.get
      2. compute.instances.list
      3. storage.objects.get
      4. storage.objects.list
    5. Click CREATE.

      Create role

  2. Create the Service Account:

    1. Go to IAM & admin > Service accounts.
    2. Click CREATE SERVICE ACCOUNT.
    3. Enter Service account name. Optionally, fill in the description.
    4. Click CREATE.

      Service account details

    5. On the next screen, assign the role created in step 1.

    6. Click CONTINUE.

      Service account permissions

    7. Click DONE.


Account Permissions for Terraform

Refer to the following section for the permissions required to run Terraform and spin up instances in GCP.

Service Account for Terraform

This section lists the permissions that you must attach to the Service Account used for running the Terraform modules. Ribbon has tested them with "terraform apply" and "terraform destroy".

Minimum Permissions

The permissions listed below are the minimum needed for the Role attached to the service account used to run Terraform:

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.get
compute.disks.resize
compute.disks.use
compute.diskTypes.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.images.get
compute.images.useReadOnly
compute.images.getFromFamily
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.addAccessConfig
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.use
compute.networks.updatePolicy
compute.networks.useExternalIp
compute.routes.create
compute.routes.delete
compute.routes.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get


You can also create the Role without using the Google Cloud console. For example, use the YAML file rbbnGcpTerraformRole.yaml (provided by Ribbon) with gcloud to create the role:

gcloud iam roles create {ROLE ID} --project {PROJECT ID} --file {FILE NAME}

After executing the above command, attach the new role to a new service account.

For more information, refer to the Google documentation: https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role.
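The same YAML shape works for the SBC/HFE node role described earlier in this page, and a defender will want to confirm later that a role has not drifted beyond the documented minimum. The following is an added example (not Ribbon's tooling): it emits a role file for "gcloud iam roles create ... --file" and audits a role definition, as returned by "gcloud iam roles describe --format=json", against the four node permissions. The project id and role name in the sample are constructed.

```python
"""Build the custom-role definition for the SBC/HFE node service account and
audit an existing role against it. Added example; not Ribbon's tooling."""
import json

# Permissions this page lists for the role used by the SBC and HFE nodes.
SBC_HFE_PERMISSIONS = (
    "compute.instances.get",
    "compute.instances.list",
    "storage.objects.get",
    "storage.objects.list",
)


def role_yaml(title: str, description: str, permissions) -> str:
    """Return a role definition in the YAML shape accepted by
    `gcloud iam roles create ROLE_ID --project PROJECT_ID --file FILE`."""
    lines = [f"title: {title}", f"description: {description}", "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(permissions)]
    return "\n".join(lines) + "\n"


def audit_role(role: dict, expected) -> dict:
    """Compare a role (parsed from `gcloud iam roles describe --format=json`)
    with the expected permission set; report what is missing or surplus."""
    granted = set(role.get("includedPermissions", []))
    want = set(expected)
    return {"missing": sorted(want - granted), "extra": sorted(granted - want)}


# Constructed sample: a node role that drifted and carries one surplus permission.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/exampleSbcNodeRole",
    "includedPermissions": [
        "compute.instances.get", "compute.instances.list",
        "storage.objects.get", "storage.objects.list",
        "storage.objects.create",
    ],
})


def sample_audit() -> dict:
    """Audit the constructed sample against the documented minimum."""
    return audit_role(json.loads(SAMPLE_ROLE_JSON), SBC_HFE_PERMISSIONS)


if __name__ == "__main__":
    print(role_yaml("SBC/HFE node", "Minimum permissions for SBC and HFE nodes",
                    SBC_HFE_PERMISSIONS))
    print(sample_audit())  # extra: ['storage.objects.create']
```

Write the YAML output to a file and pass it to the gcloud command shown above; any entry under "extra" in the audit is a candidate for removal from the role.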

Default Roles

Instead of creating a new role, you can attach the following default roles to the service account:

  • Service Account User

  • Compute Instance Admin (v1)

  • Compute Network Admin

These roles grant sufficient permissions.

Create Buckets

Refer to Create a Bucket in Google Cloud Storage for HFE Script Upload.

Create Service Accounts

When creating the service accounts, ensure that you hold the Service Account Admin role.