Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
This article explains how to set up a service account in Google Cloud Platform
Info
Info

The article explains how to grant Cloudaware additional permissions, such as to Google Organizations or Google Billing accounts, and create a custom role for backups and tagging. Ensure you have the necessary permissions in Google Cloud.

Table of Contents
stylenone

Configure Google Billing Account permissions

...

Google Organizations

For Cloudaware to collectGoogle Organizations and related data, assign the role Viewer to the service account added to Cloudaware. The following permissions are required:

  • Organization Role Viewer

  • Folder Viewer

  • Organization Viewer

  • Organization Policy Viewer

  • Project Viewer

Click SAVE.

Assign the Project Viewer role at the organization level for Cloudaware to add and collect Google Projects within a Google Organization automatically.

Google billing accounts

For Cloudaware to collect Google billing accounts, assign the role Billing Account Viewer to the service account* that has access to billing accounts in question.

1. Go to Billing.

...

  1. Log in to the Google console. Go to 'Billing' → 'MY BILLING ACCOUNTS'.

  2. Select the billing account by checking the check box. Click ADD PRINCIPAL on the right to manage permissions.

...

  1. Select the

...

  1. role Billing Account Viewer

...

  1. SAVE.

...

*Note that the Google service account should be added to Cloudaware.

...

See the guide

Custom role for backups or tagging
Anchor
#CreatingCustomRole(optional)
#CreatingCustomRole(optional)

A custom role is necessary if you are going to use backups and labels.

  1. Go to IAM & admin, select "Roles" and click +Create Role.

...

Add the name and the description of the custom roleTo use backups and tagging, create a custom role and assign it to the Cloudaware service account:

  1. Log in to the Google console. Go to 'IAM & admin' → 'Roles' → +CREATE ROLE.

  2. Set a meaningful name and description for the custom role, e.g. Cloudaware Custom Role. Set 'Role launch stage' as General Availability

...

  1. .

  2. Click +ADD PERMISSIONS. Select the following permissions:

For backups

For labels

  • compute.disks.get

  • compute.disks.createSnapshot

  • compute.disks.list

  • compute.disks.setLabels

  • compute.snapshots.create

  • compute.snapshots.delete

  • compute.snapshots.get

  • compute.snapshots.list

  • compute.snapshots.setLabels

  • compute.zones.get

  • compute.zones.list

For labels (tags)

  • bigquery.datasets.update

  • bigquery.tables.update

  • cloudsql.instances.update

  • compute.addresses.setLabels

  • compute.disks.setLabels

  • compute.forwardingRules.setLabels

  • compute.globalAddresses.setLabels

  • compute.globalForwardingRules.setLabels

  • compute.images.setLabels

  • compute.instances.setLabels

  • compute.snapshots.setLabels

  • compute.targetVpnGateways.setLabels

  • compute.vpnTunnels.setLabels

  • dataproc.clusters.update

  • dataproc.jobs.update

  • cloudkms.cryptoKeys.update

  • storage.buckets.update

Click CREATE.

  1. Assign the custom role to the service account

...

  1. : 'IAM & admin

...

  1. ' → IAM select the service account

...

  1. → click the pencil icon to edit principal → ADD ANOTHER ROLE → Custom → Cloudaware Custom Role → SAVE.