Ensure that the SBC instances and the HFE instance belong to the same service account. This account needs only minimal permissions to retrieve instance information from the Google Cloud APIs.
Ribbon recommends that the Service Account used by the instances carry only the permissions described below, and nothing more.
This section describes setting up permissions for the service account used for running the SBC and HFE nodes.
Click CREATE.
Create the Service Account
Click CREATE.
From the next screen, assign the role created in step 1 to the service account.
Click CONTINUE.
Click DONE.
Refer to the following section to run Terraform and spin up the instances in GCP.
This section lists the permissions that you must attach to the Service Account used for running the Terraform modules. Ribbon has tested them with "terraform apply" and "terraform destroy".
The permissions listed below are the minimum set required by the Role added to the service account used to run Terraform:
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.get
compute.disks.resize
compute.disks.use
compute.diskTypes.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.images.get
compute.images.useReadOnly
compute.images.getFromFamily
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.addAccessConfig
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.use
compute.networks.updatePolicy
compute.networks.useExternalIp
compute.routes.create
compute.routes.delete
compute.routes.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
You can also create the Role through the API instead of the Google Cloud console. For example, use the YAML file rbbnGcpTerraformRole.yaml (provided by Ribbon) with gcloud to create the role:
gcloud iam roles create {ROLE ID} --project {PROJECT ID} --file {FILE NAME}
After executing the above command, bind the new role to a new service account. The custom role is addressed as projects/{PROJECT ID}/roles/{ROLE ID} when you add the IAM policy binding.
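The procedure above (create the custom role from a YAML file, create the service account, bind the role) can be scripted and, more importantly, verified: a role that silently lacks one entry from the list breaks "terraform apply" only halfway through. The following is an added example written for this page, not a script shipped by Ribbon. It generates the role YAML in the format that "gcloud iam roles create --file" reads, runs the gcloud steps, and then reads the role back and compares it against the minimum list. The project ID, role ID and service account name are caller-supplied placeholders, and rbbn-terraform-role.yaml is a file name chosen here, not Ribbon's rbbnGcpTerraformRole.yaml.

```shell
#!/bin/sh
# Added example, not a script shipped by Ribbon: build the custom-role YAML for
# the minimum permission list in this section, create the role and the service
# account with gcloud, then verify that the role carries every permission the
# Terraform modules need. Placeholders: project ID, role ID and service account
# name come from the caller; "rbbn-terraform-role.yaml" is a name chosen here.

# Minimum permission list from this section (whitespace-separated).
RBBN_TERRAFORM_PERMS='
compute.addresses.create compute.addresses.createInternal compute.addresses.delete
compute.addresses.deleteInternal compute.addresses.get compute.addresses.use
compute.addresses.useInternal compute.disks.create compute.disks.get compute.disks.resize
compute.disks.use compute.diskTypes.get compute.firewalls.create compute.firewalls.delete
compute.firewalls.get compute.firewalls.update compute.images.get compute.images.useReadOnly
compute.images.getFromFamily compute.instances.create compute.instances.delete
compute.instances.get compute.instances.setMetadata compute.instances.setServiceAccount
compute.instances.setTags compute.instances.setMachineResources compute.instances.setMachineType
compute.instances.addAccessConfig compute.machineTypes.get compute.networks.create
compute.networks.delete compute.networks.get compute.networks.use compute.networks.updatePolicy
compute.networks.useExternalIp compute.routes.create compute.routes.delete compute.routes.get
compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get
compute.subnetworks.update compute.subnetworks.use compute.subnetworks.useExternalIp
compute.zones.get iam.serviceAccounts.actAs iam.serviceAccounts.get
'

# Emit the role definition in the format "gcloud iam roles create --file" reads.
role_yaml() {
  printf 'title: "Ribbon SBC/HFE Terraform"\n'
  printf 'description: "Minimum permissions for terraform apply and destroy"\n'
  printf 'stage: "GA"\n'
  printf 'includedPermissions:\n'
  for p in $RBBN_TERRAFORM_PERMS; do
    printf '%s %s\n' '-' "$p"
  done
}

# Print each required permission ($1) that is absent from the granted set ($2).
# The granted set may be separated by whitespace or by ';', the latter being
# what "gcloud iam roles describe --format='value(includedPermissions)'" prints.
missing_permissions() {
  granted=$(printf '%s' "$2" | tr ' ;' '\n\n')
  for p in $1; do
    printf '%s\n' "$granted" | grep -Fqx "$p" || printf '%s\n' "$p"
  done
}

# Number of missing permissions; 0 means the granted set is sufficient.
count_missing() {
  missing_permissions "$1" "$2" | wc -l | tr -d ' '
}

# Real gcloud steps: create the role, the service account and the binding,
# then read the role back and refuse to continue if anything is missing.
# Needs an authenticated gcloud with Role Administrator and Service Account
# Admin rights on the project. Not run by this file on its own.
provision_role_and_sa() {
  project=$1; role_id=$2; sa_name=$3
  role_yaml > rbbn-terraform-role.yaml
  gcloud iam roles create "$role_id" --project "$project" --file rbbn-terraform-role.yaml
  gcloud iam service-accounts create "$sa_name" --project "$project" \
    --display-name "SBC/HFE Terraform"
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${sa_name}@${project}.iam.gserviceaccount.com" \
    --role "projects/${project}/roles/${role_id}"
  granted=$(gcloud iam roles describe "$role_id" --project "$project" \
    --format='value(includedPermissions)')
  missing=$(missing_permissions "$RBBN_TERRAFORM_PERMS" "$granted")
  if [ -n "$missing" ]; then
    printf 'role %s lacks:\n%s\n' "$role_id" "$missing" >&2
    return 1
  fi
}
```

Call provision_role_and_sa with the project ID, a role ID and a service account name. The same missing_permissions check works for a predefined role: feed it the output of "gcloud iam roles describe roles/compute.instanceAdmin.v1 --format='value(includedPermissions)'" to see exactly which entries of the list a built-in role does not cover before relying on it.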
For more information, refer to the Google documentation: https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role
Instead of creating a new role, you can attach the following predefined roles to the service account:
Compute Instance Admin (v1)
These roles grant sufficient permissions. Note, however, that predefined roles are broader than the custom role above, so the custom role is the least-privilege choice. Before relying on predefined roles, confirm with "gcloud iam roles describe" that together they cover every permission in the list, in particular iam.serviceAccounts.actAs: Compute Instance Admin (v1) does not include it on its own, and Google documents that Service Account User (roles/iam.serviceAccountUser) must be granted in addition to let instances be created with an attached service account.
Refer to Create a Bucket in Google Cloud Storage for HFE Script Upload.
When creating the service accounts, ensure that you hold the Service Account Admin role (roles/iam.serviceAccountAdmin) on the project. Creating the custom role additionally requires the Role Administrator role (roles/iam.roleAdmin).