Permissions for the provisioning credential's service account

To allow CDP to access and provision resources in your Google Cloud project, create a service account in that project and assign it the following roles or granular permissions. Next, generate a JSON access key for the service account; you later provide this key to CDP when creating the credential. CDP uses the key to act as this service account when provisioning resources for your environment.

The service account must fulfill one of the following requirements (choose one of the options):

  • Option 1: Assign the following IAM roles at the project level. This is a simpler option.
  • Option 2: Alternatively, you can create custom IAM roles with the following granular IAM permissions assigned and then assign the role to the service account at the project level. This allows you to minimize the number of permissions granted to CDP.

Option 1: IAM roles

| IAM role | Scope | Description |
| --- | --- | --- |
| iam.serviceAccounts.list (IAM permission) | Project | This is required in order for CDP to be able to list service account names that you created in your GCP project. You need to create a custom role in order to assign this permission. |
| Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1) | Project | This is required for provisioning of Compute Engine instances, disks, and images in your VPC. |
| Storage Admin (roles/storage.admin) | Project | This is required for the creation of a storage bucket to store the Cloudbreak image objects. Delete permissions are not required. |
| Compute Network Viewer (roles/compute.networkViewer) | Project | This is required for read-only access to all networking resources. |
| Cloud SQL Admin (roles/cloudsql.admin) | Project | This is required in order for CDP to have the permission for creating and deleting a Data Lake and heavy duty flow management Data Hub clusters cleanly. |
| Compute Network User (roles/compute.networkUser) | Project (Required for shared VPC only) | If you would like to use a shared VPC, you need this additional role in the scope of the host project of the VPC. |
| Compute Public IP Admin (roles/compute.publicIpAdmin) | Project (Only required when not using CCM) | This additional role is only required if you are planning to disable CCM for your environment. |

Option 2: Granular permissions

You should create a custom IAM role to assign these permissions.
| Granular IAM permissions | Scope | Description |
| --- | --- | --- |
| iam.serviceAccounts.list | Project | This is required in order for CDP to be able to access service accounts that you created. |
| iam.serviceAccounts.list, cloudsql.instances.create, cloudsql.instances.delete, cloudsql.instances.get, cloudsql.instances.list, cloudsql.databases.update, cloudsql.instances.startReplica, cloudsql.instances.stopReplica, cloudsql.instances.update, cloudsql.instances.restart, cloudsql.users.create | Project | Required for creating, stopping, starting, and deleting an external database for the Data Lake and Data Hub clusters. |
| compute.addresses.get, compute.addresses.use, compute.disks.create, compute.disks.delete, compute.disks.setLabels, compute.disks.use, compute.firewalls.list, compute.globalOperations.get, compute.images.create, compute.images.get, compute.images.list, compute.images.useReadOnly, compute.instances.create, compute.instances.delete, compute.instances.get, compute.instances.list, compute.instances.setLabels, compute.instances.setMetadata, compute.instances.setServiceAccount, compute.instances.setTags, compute.instances.start, compute.instances.stop, compute.machineTypes.list, compute.networks.get, compute.networks.list, compute.regionOperations.get, compute.regions.get, compute.regions.list, compute.subnetworks.get, compute.subnetworks.list, compute.subnetworks.use, compute.subnetworks.useExternalIp, compute.zoneOperations.get | Project | Required for creating VMs from images in your VPC. |
| compute.addresses.create, compute.addresses.delete, compute.addresses.get, compute.addresses.use | Project | (Optional) Only required if public IPs are used. You do not need these permissions if you would like to use private IPs only. |
| storage.buckets.create, storage.buckets.get, storage.buckets.getIamPolicy, storage.objects.create, storage.objects.delete, storage.objects.get, storage.objects.getIamPolicy | Project | (Optional) This is not required if you are planning to pre-create the GCS bucket for storing OS images for VMs. By default, CDP creates this bucket, but you can optionally pre-create it. See Storage bucket for OS images. |
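As an added example (not Cloudera's code) of checking the Option 2 custom role before its key is handed to CDP: this Python audit compares a role definition and a project IAM policy, in the JSON shapes that `gcloud iam roles describe --format=json` and `gcloud projects get-iam-policy --format=json` emit, against the permission lists above, reporting missing and unexpected permissions and any basic role bound to the account. The project id, account name and role id are constructed placeholders.

```python
"""Added example (not Cloudera's code): audit a custom IAM role and a project
IAM policy against the granular permission list given on this page."""

def _expand(prefix, *names):
    return {f"{prefix}.{n}" for n in names}

# Required permissions from Option 2 (the iam, cloudsql and compute groups).
REQUIRED = (
    {"iam.serviceAccounts.list"}
    | _expand("cloudsql.instances", "create", "delete", "get", "list",
              "startReplica", "stopReplica", "update", "restart")
    | _expand("cloudsql", "databases.update", "users.create")
    | _expand("compute.instances", "create", "delete", "get", "list", "setLabels",
              "setMetadata", "setServiceAccount", "setTags", "start", "stop")
    | _expand("compute.disks", "create", "delete", "setLabels", "use")
    | _expand("compute.images", "create", "get", "list", "useReadOnly")
    | _expand("compute.subnetworks", "get", "list", "use", "useExternalIp")
    | _expand("compute", "addresses.get", "addresses.use", "firewalls.list",
              "globalOperations.get", "machineTypes.list", "networks.get",
              "networks.list", "regionOperations.get", "regions.get",
              "regions.list", "zoneOperations.get")
)
# Optional groups: public-IP address lifecycle and the CDP-created image bucket.
OPTIONAL = (_expand("compute.addresses", "create", "delete")
            | _expand("storage.buckets", "create", "get", "getIamPolicy")
            | _expand("storage.objects", "create", "delete", "get", "getIamPolicy"))
# Basic roles that grant far more than this page asks for.
BROAD_ROLES = {"roles/owner", "roles/editor"}

def audit_role(role):
    """`role` mirrors `gcloud iam roles describe --format=json`; returns (missing, unexpected)."""
    granted = set(role.get("includedPermissions", []))
    return sorted(REQUIRED - granted), sorted(granted - REQUIRED - OPTIONAL)

def audit_policy(policy, member):
    """`policy` mirrors `gcloud projects get-iam-policy --format=json`; returns broad roles bound to member."""
    roles = {b["role"] for b in policy.get("bindings", [])
             if member in b.get("members", [])}
    return sorted(roles & BROAD_ROLES)

# Constructed sample input: a role short by two permissions with one extra,
# and a project policy that also binds the same account to roles/editor.
SA_MEMBER = "serviceAccount:cdp-prov@example-project.iam.gserviceaccount.com"
SAMPLE_ROLE = {"includedPermissions": sorted(
    (REQUIRED - {"compute.instances.stop", "cloudsql.users.create"})
    | {"compute.firewalls.create"})}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [SA_MEMBER]},
    {"role": "projects/example-project/roles/cdpProvisioner", "members": [SA_MEMBER]}]}
```

Run `audit_role` on the real role output and `audit_policy` on the real project policy; an empty missing list, an empty unexpected list and no broad roles is the least-privilege state this page describes.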
For instructions on how to create the service account, refer to the following documentation: