Permissions for the provisioning credential's service account
To allow CDP to access and provision resources in your Google Cloud project, you should create a service account in your Google Cloud project, assign the following roles or granular permissions. Next, you generate a JSON access key that can later be provided to CDP. CDP will assume this service account via the service account access key provided during credential creation for provisioning resources for your environment.
The service account must fulfill one of the following requirements (choose one of the options):
- Option 1: Assign the following IAM roles at the project level. This is a simpler option.
- Option 2: Alternatively, you can create custom IAM roles with the following granular IAM permissions assigned and then assign the role to the service account at the project level. This allows you to minimize the number of permissions granted to CDP.
Option 1: IAM roles
|iam.serviceAccounts.list IAM permission||Project||This is required in order for CDP to be able to list service account names that you
created in your GCP project.
You need to create a custom role in order to assign this permission.
|Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) IAM role||Project||This is required for provisioning of Compute Engine instances, disks, and images in your VPC.|
|Storage Admin (roles/storage.admin) IAM role||Project||This is required for the creation of a storage bucket to store the Cloudbreak image objects. Delete permissions are not required.|
|Compute Network Viewer (roles/compute.networkViewer IAM role||Project||This is required for read-only access to all networking resources.|
|Cloud SQL Admin (roles/cloudsql.admin) IAM role||Project||This is required in order for CDP to have the permission for creating and deleting a Data Lake and and heavy duty flow management Data Hub clusters cleanly.|
|Compute Network User (roles/compute.networkUser) IAM role||Project||(Required for shared VPC only) If you would like to use a shared VPC, you need this additional role in the scope of the host project of the VPC.|
|Compute Public IP Admin (roles/compute.publicIpAdmin) IAM role||Project||(Only required when not using CCM) This additional role is only required if you are planning to disable CCM for your environment.|
Option 2: Granular permissions
|Granular IAM permissions||Scope||Description|
|iam.serviceAccounts.list||Project||This is required in order for CDP to be able to access service accounts that you created.|
|Project||Required for creating, stopping, starting, and deleting an external database for the Data Lake and Data Hub clusters.|
|Project||Required for creating VMs from images in your VPC.|
|Project||(Optional) Only required if public IPs are used.
You do not need these permissions if you would like to use private IPs only.
|Project||(Optional) This is not required if you are planning to pre-create the GCS bucket for storing OS images for VMs. By default, CDP creates this bucket, but you can optionally pre-create it. See Storage bucket for OS images.|