Ensure that the SBC instances and the HFE instance belong to the same service account. This account needs only minimal permissions: the instances use it to read instance and storage-object information from the Google Cloud APIs.

Note

Ribbon recommends that the service account used by the instances carries only the permissions described below.

Set up a Service Account for SBC and HFE Nodes

This section describes setting up permissions for the service account used for running the SBC and HFE nodes.

  1. Create the Role:
    1. Go to IAM & admin > Roles.
    2. Click CREATE ROLE.
    3. Enter a Title and an ID.
    4. Add the following permissions:
      1. compute.instances.get
      2. compute.instances.list
      3. storage.objects.get
      4. storage.objects.list
    5. Click CREATE.


      Create role

  2. Create the Service Account:

    1. Go to IAM & admin > Service accounts.
    2. Click CREATE SERVICE ACCOUNT.
    3. Enter the Service account name. Optionally, fill in the description.
    4. Click CREATE.

      Service account details


    5. On the next screen, select the role created in step 1.

    6. Click CONTINUE.


      Service account permissions

    7. Click DONE.


Account Permissions for Terraform

Refer to this section before running Terraform to spin up instances in GCP.

Service Account for Terraform

This section describes the permissions that you must attach to the service account used for running the Terraform modules. Ribbon has tested these permissions with "terraform apply" and "terraform destroy".

Specific Permissions

The permissions listed below are the minimum required for the role attached to the service account used to run Terraform:

compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.use
compute.addresses.useInternal
compute.disks.create
compute.disks.get
compute.disks.resize
compute.disks.use
compute.diskTypes.get
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.update
compute.images.get
compute.images.useReadOnly
compute.images.getFromFamily
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.addAccessConfig
compute.machineTypes.get
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.use
compute.networks.updatePolicy
compute.networks.useExternalIp
compute.routes.create
compute.routes.delete
compute.routes.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get


You can also create the role without the Google Cloud console, for example with gcloud from the YAML file rbbnGcpTerraformRole.yaml provided by Ribbon:

gcloud iam roles create {ROLE ID} --project {PROJECT ID} --file {FILE NAME}

After running the command, attach the new role to a new service account.

For more information, refer to the Google documentation: https://cloud.google.com/iam/docs/creating-custom-roles#creating_a_custom_role.

Default Roles

Instead of creating a custom role, attaching the following predefined roles to the service account also allows Terraform to create the resources:

  • Service Account User

  • Compute Instance Admin (v1)

  • Compute Network Admin

These roles grant sufficient permissions, but considerably more than the list above (for example, they include the permissions to delete and reconfigure every instance and network in the project). Prefer the custom role where least privilege is required.
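The two procedures above (the custom role and service account for the SBC/HFE nodes, and the custom role for Terraform) both come down to writing a role definition file, creating the role and service account with gcloud, and checking that the role does not carry more than intended. The following script is an added example, not Ribbon's tooling and not the contents of rbbnGcpTerraformRole.yaml: it generates a role file in the format accepted by "gcloud iam roles create --file", drives the gcloud commands, and diffs a role's live permission list against the expected list. The role ID rbbnSbcHfeRole, the service account name rbbn-sbc-hfe, the PROJECT_ID environment variable and the YAML parsing of "gcloud iam roles describe" output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Ribbon's code): create a least-privilege custom role and
# service account with gcloud, then verify the role's permission set.
set -eu

# Permissions for the role used by the SBC/HFE instances (from the page).
# For the Terraform role, pass the page's longer list to write_role_yaml instead.
SBC_HFE_PERMS="compute.instances.get
compute.instances.list
storage.objects.get
storage.objects.list"

# Write a custom-role definition in the YAML format that
# "gcloud iam roles create --file" expects.
# $1 = output file, $2 = role title, $3 = newline-separated permissions
write_role_yaml() {
  out="$1"; title="$2"; perms="$3"
  {
    printf 'title: "%s"\n' "$title"
    printf 'description: "Least-privilege role for Ribbon SBC/HFE on GCP"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    printf '%s\n' "$perms" | sed '/^$/d; s/^/- /'
  } > "$out"
}

# Print permissions present in the live list ($2) but absent from the
# expected list ($1), one per line. Prints nothing when the role is exact.
extra_permissions() {
  expected="$1"; actual="$2"
  exp_f="${TMPDIR:-/tmp}/exp.$$"; act_f="${TMPDIR:-/tmp}/act.$$"
  printf '%s\n' "$expected" | sed '/^$/d' | sort -u > "$exp_f"
  printf '%s\n' "$actual"   | sed '/^$/d' | sort -u > "$act_f"
  comm -13 "$exp_f" "$act_f"      # lines only in the live list
  rm -f "$exp_f" "$act_f"
}

# Run gcloud, or just print the command when DRY_RUN=1 (hypothetical switch,
# useful for reviewing the change before it touches the project).
gc() {
  if [ "${DRY_RUN:-}" = 1 ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

# Create the custom role, the service account and the project-level binding.
# $1 = project ID, $2 = role ID, $3 = service account name, $4 = role YAML file
create_sa_with_role() {
  project="$1"; role_id="$2"; sa_name="$3"; yaml="$4"
  gc iam roles create "$role_id" --project "$project" --file "$yaml"
  gc iam service-accounts create "$sa_name" --project "$project" \
     --display-name "$sa_name"
  gc projects add-iam-policy-binding "$project" \
     --member "serviceAccount:${sa_name}@${project}.iam.gserviceaccount.com" \
     --role "projects/${project}/roles/${role_id}"
}

# Fetch the live permission list of a role (custom "rbbnSbcHfeRole" or
# predefined "roles/compute.instanceAdmin.v1"). Assumes the YAML output lists
# each permission as a "- " item under includedPermissions.
live_role_permissions() {
  gc iam roles describe "$2" --project "$1" --format yaml | sed -n 's/^- //p'
}

# Usage: PROJECT_ID=my-project sh setup_sa.sh apply   (DRY_RUN=1 to preview)
if [ "${1:-}" = apply ]; then
  PROJECT_ID="${PROJECT_ID:?set PROJECT_ID}"
  write_role_yaml rbbnSbcHfeRole.yaml "Ribbon SBC/HFE node role" "$SBC_HFE_PERMS"
  create_sa_with_role "$PROJECT_ID" rbbnSbcHfeRole rbbn-sbc-hfe rbbnSbcHfeRole.yaml
  extra=$(extra_permissions "$SBC_HFE_PERMS" \
          "$(live_role_permissions "$PROJECT_ID" rbbnSbcHfeRole)")
  if [ -n "$extra" ]; then
    echo "role carries unexpected permissions:" >&2
    echo "$extra" >&2
    exit 1
  fi
fi
```

The same extra_permissions check shows what the predefined roles add beyond the list on this page: feed it the page's Terraform permission list and the output of live_role_permissions for roles/compute.instanceAdmin.v1 or roles/compute.networkAdmin, and every line it prints is a permission that a custom role would not have granted.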

Create Buckets

Create the Cloud Storage bucket, upload the HFE_GCE.sh script, and set the IAM permissions on the file. The user performing these steps needs the Service Account Admin role.

Create Service Accounts

To create the service accounts, ensure that your user holds the Service Account Admin role.