| Info |
|---|
This article explains how to set up a service account in Google Cloud Platform. Ensure you have the necessary permissions in Google Cloud. |
| Table of Contents | ||
|---|---|---|
|
Summary
To integrate Google Cloud Platform with Cloudaware:
Create a new service account
...
for Cloudaware
Assign the Project Viewer role. Create and assign a custom role for tagging & backups (optional).
Download a service account key (
json).Enable Google APIs:
Compute Engine API
Identity and Access Management (IAM) API
Cloud Resource Manager API
Kubernetes Engine API
Cloud Billing API
For detailed setup instructions, refer to the in-depth guidelines below.
Create service account
Log in to the Google console. Select the Google project. Go to 'IAM & admin'→Service accounts → +CREATE SERVICE ACCOUNT.
Use a meaningful name, e.g.
...
cloudaware-service-account
...
. Click
...
CREATE AND CONTINUE.
...
Assign the role Project
...
...
Viewer* to the service account
...
.
...
Organization Role Viewer
Folder Viewer
Organization Viewer
Organization Policy Viewer
Project Viewer
Click Save.
Assign the 'Project Viewer' role on the organization level for Cloudaware to automatically add and collect Google Projects within a Google Organization:
Create a key
...
Click DONE.
*This is the minimum access role required. For more detailed access information, refer to the guide Additional permissions in Google.
Create service account key
Select the service account
...
that will be added to Cloudaware. Go to the tab 'Keys' → +Create key.
Select 'JSON' →
...
CREATE.
...
A
.jsonfile will be automatically downloaded
...
.
Save the key in a secure location as it is is required for further setup in Cloudaware.
Enable Google APIs
...
for Google Project
Go back to
...
Google Organization → 'APIs & Services'.
...
Select the Google Project where the service account for Cloudaware was created. Click +ENABLE APIS AND SERVICES.
...
...
Using the search bar,
...
find and enable the following APIs:
Compute Engine API
Identity and Access Management (IAM) API
Cloud Resource Manager API
Kubernetes Engine API (learn more)
Cloud Billing API (learn more)
...
...
For Cloudaware to be able to collect the list of Google Billing Accounts, assign the role 'Billing Account Viewer' to the service account* that has access to billing accounts in question.
1. Go to Billing.
...
2. Go to the tab 'My Billing Accounts'. Check the box near the billing account. Click Add Principal on the right to manage permissions.
...
3. Select the service account* and assign the role Billing Account Viewer → Save.
...
*Note that the service account should be added to Cloudaware.
...
A custom role is necessary if you are going to use backups and labels.
Go to IAM & admin, select "Roles" and click +Create Role.
...
Add the name and the description of the custom role. Set 'Role launch stage' as General Availability and click + Add Permissions.
...
Select the following permissions:
...
For backups
...
For labels
...
compute.disks.get
compute.disks.createSnapshot
compute.disks.list
compute.disks.setLabels
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.list
compute.snapshots.setLabels
compute.zones.get
compute.zones.list
...
bigquery.datasets.update
bigquery.tables.update
cloudsql.instances.update
compute.addresses.setLabels
compute.disks.setLabels
compute.forwardingRules.setLabels
compute.globalAddresses.setLabels
compute.globalForwardingRules.setLabels
compute.images.setLabels
compute.instances.setLabels
compute.snapshots.setLabels
compute.targetVpnGateways.setLabels
compute.vpnTunnels.setLabels
dataproc.clusters.update
dataproc.jobs.update
cloudkms.cryptoKeys.update
storage.buckets.update
...
! Next step - Google setup in Cloudaware