Step 1: Create a provisioning credential

The first step is to create a provisioning credential. The CDP credential is the mechanism that allows CDP to create resources inside your GCP account.

Steps

  1. Log in to the CDP console and navigate to Management Console > Environments > Shared Resources > Credentials.
  2. Click the "Create Credential" button and select the Google Cloud Platform tab.
  3. Give your credential a name and description.
  4. Navigate to the GCP console.
  5. Verify that you are in the project that you would like to use for CDP. Switch projects if needed.
  6. Open the Cloud Shell (available from the upper right corner).
    The Cloud Shell window opens at the bottom of the browser window.
  7. Copy the following script:
    # Name of the service account CDP will use; the key file created at the end takes its name from it
    SERVICE_ACCOUNT_NAME=cp-gcp-quick-cdp-credential
    # Project selected in the current gcloud configuration (verified in step 5)
    PROJECT_ID=$(gcloud config get-value project)
    echo "Enabling Compute and Runtimeconfig APIs"
    gcloud services enable compute.googleapis.com runtimeconfig.googleapis.com
    echo "Creating service account for CDP"
    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME --display-name "A CDP Service Account" --quiet
    # Project-level, unconditional role bindings for the service account
    echo "Binding Instance Admin role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.instanceAdmin.v1 --quiet --no-user-output-enabled --condition=None
    echo "Binding Network Admin role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.networkAdmin --quiet --no-user-output-enabled --condition=None
    echo "Binding Security Admin role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.securityAdmin --quiet --no-user-output-enabled --condition=None
    echo "Binding Image User role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.imageUser --quiet --no-user-output-enabled --condition=None
    echo "Binding Storage Admin role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/compute.storageAdmin --quiet --no-user-output-enabled --condition=None
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/storage.admin --quiet --no-user-output-enabled --condition=None
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/iam.serviceAccountUser --quiet --no-user-output-enabled --condition=None
    echo "Binding RuntimeConfig Admin role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/runtimeconfig.admin --quiet --no-user-output-enabled --condition=None
    echo "Binding Cloud KMS Admin role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/cloudkms.admin --quiet --no-user-output-enabled --condition=None
    echo "Binding Cloud SQL role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role roles/cloudsql.admin --quiet --no-user-output-enabled --condition=None
    
    # Custom role carrying only iam.serviceAccounts.list; role IDs may not contain '-', so it is replaced with '_'
    echo "Create Role for iam.serviceAccounts.list"
    rolePrefix="${SERVICE_ACCOUNT_NAME//-/_}"
    gcloud iam roles create ${rolePrefix}_salist_role --project=$PROJECT_ID --title=${SERVICE_ACCOUNT_NAME}-salist-role --description=${SERVICE_ACCOUNT_NAME}-salist-role  --permissions=iam.serviceAccounts.list --stage=ALPHA
    echo "Binding Custom serviceAccounts.list role to the service account"
    gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com --role="projects/$PROJECT_ID/roles/${rolePrefix}_salist_role" --quiet --no-user-output-enabled --condition=None
    
    # Create a user-managed JSON key; this file is the long-lived credential that is uploaded to CDP
    echo "Creating key for the service account"
    gcloud iam service-accounts keys create --iam-account=$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com $SERVICE_ACCOUNT_NAME-gcp-cred.json
    # When running inside Cloud Shell, prompt the browser to download the key file
    if cloudshell --help > /dev/null 2>&1; then
      cloudshell download-file $SERVICE_ACCOUNT_NAME-gcp-cred.json
    fi
  8. Paste the script directly into the Cloud Shell terminal.
  9. When prompted, click Authorize.
  10. The script runs and ends by prompting you to download the credential file to your local machine. Click Download to save the file.
  11. Head back to the CDP console and upload the JSON credential file you just downloaded from the GCP console.
  12. Click the "Create" button and you're done!
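The service account created above ends up with a fixed set of project-level roles, so the grants it actually holds can be checked against that set after the fact. The following audit is an added example, not part of the quickstart: it consumes the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports roles that are missing, roles that were granted beyond the script's list, and any conditional binding (the script binds everything with `--condition=None`). The project id, the sample policy, and the extra `roles/owner` grant in it are constructed for the demonstration.

```python
"""Audit the roles bound to the CDP provisioning service account.

Added example (not from the quickstart). Input is the JSON printed by
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

PROJECT_ID = "example-project"  # placeholder; use your own project id
SA_MEMBER = ("serviceAccount:cp-gcp-quick-cdp-credential@"
             f"{PROJECT_ID}.iam.gserviceaccount.com")

# Roles granted by the quickstart script, including its custom role
# (role id = SERVICE_ACCOUNT_NAME with '-' replaced by '_' + "_salist_role").
EXPECTED_ROLES = frozenset({
    "roles/compute.instanceAdmin.v1", "roles/compute.networkAdmin",
    "roles/compute.securityAdmin", "roles/compute.imageUser",
    "roles/compute.storageAdmin", "roles/storage.admin",
    "roles/iam.serviceAccountUser", "roles/runtimeconfig.admin",
    "roles/cloudkms.admin", "roles/cloudsql.admin",
    f"projects/{PROJECT_ID}/roles/cp_gcp_quick_cdp_credential_salist_role",
})


def audit_bindings(policy: dict, member: str, expected: frozenset) -> dict:
    """Compare the roles bound to `member` with `expected`.

    Returns sorted lists of missing and unexpected roles plus the roles
    whose binding carries an IAM condition.
    """
    granted, conditional = set(), []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        granted.add(binding["role"])
        if binding.get("condition"):
            conditional.append(binding["role"])
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected),
            "conditional": sorted(conditional)}


# Constructed sample policy: every expected role except roles/cloudsql.admin,
# plus an over-broad roles/owner grant that the audit should flag.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [{"role": r, "members": [SA_MEMBER]}
                 for r in sorted(EXPECTED_ROLES - {"roles/cloudsql.admin"})]
    + [{"role": "roles/owner",
        "members": ["user:admin@example.com", SA_MEMBER]}],
}

if __name__ == "__main__":
    print(json.dumps(audit_bindings(SAMPLE_POLICY, SA_MEMBER, EXPECTED_ROLES), indent=2))
```

Run it against a real policy with `gcloud projects get-iam-policy "$PROJECT_ID" --format=json > policy.json` and pass `json.load(open("policy.json"))` to `audit_bindings`; an empty `unexpected` list and an empty `conditional` list mean the credential holds exactly what the script granted.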