This task explains how to use a service account to authenticate and authorize the Avi Load Balancer.
To create a service account:
Prerequisites
Avi Load Balancer needs a GCP service account to authenticate and authorize access to GCP APIs. The service account can be created in any GCP Project.
Procedure
- From the Google Cloud Console, select the required project.
- Navigate to and click CREATE SERVICE ACCOUNT.
- The service account details can be provided to the Controller in either of the following ways:
  - Providing just the service account email ID.
    Note: In this case, the service account has to be attached to the Controller virtual machine in GCP. This is done while creating the Controller. This option works only when the Controller virtual machine is running inside GCP.
  - Adding the service account JSON key to the Avi Load Balancer cloud.
    Note: This option can be used irrespective of where the Controller is running (inside GCP or outside). The service account JSON key has to be specified in Avi Load Balancer while creating the GCP Cloud in the Controller. When the key is created, the private key is downloaded to your computer.
- The same service account has to be added to every GCP project listed in GCP Project Selection.
Add this service account as a member with the required GCP role in the required project. For instance, add this service account as a member in the network project and grant it the Avi Load Balancer role.
Refer to Roles and Permissions (GCP Full Access) to know how to create roles with the required permissions in projects as per the deployment topology.
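Two checks a practitioner typically wants before handing the credential to the Controller are covered by the added example below (it is not part of this documentation or of the Avi Load Balancer product): first, that the downloaded file really is a service account JSON key (correct `type`, a PEM private key, a `client_email` in the `.iam.gserviceaccount.com` domain) rather than a user credential; second, that the service account is bound to the required role in each project it must reach, using the IAM policy as `gcloud projects get-iam-policy PROJECT --format=json` returns it. The project IDs, the custom role name `projects/example-network-project/roles/avi_lb_role`, the key contents and the policies are all constructed sample values, not real ones.

```python
"""Pre-flight checks for a GCP service account used by an Avi Load Balancer Controller.

Added example; uses only the standard library and constructed sample data.
"""
import json
import re
from typing import Dict, List

# Fields every downloaded service account JSON key carries.
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)
SA_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")
PEM_HEAD = "-----BEGIN PRIVATE KEY-----"
PEM_TAIL = "-----END PRIVATE KEY-----"


def validate_key_file(text: str) -> List[str]:
    """Return the problems found in a service account JSON key; an empty list means it looks usable."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems: List[str] = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if f not in key]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (a user credential file was downloaded instead?)")
    pem = key.get("private_key", "")
    if not (pem.startswith(PEM_HEAD) and pem.rstrip().endswith(PEM_TAIL)):
        problems.append("private_key is not a PEM-encoded private key")
    email = key.get("client_email", "")
    if not SA_EMAIL_RE.match(email):
        problems.append(f"client_email does not look like a service account: {email!r}")
    return problems


def has_role_binding(policy: dict, sa_email: str, role: str) -> bool:
    """True if the service account is a member of a binding for `role` in this project IAM policy."""
    member = f"serviceAccount:{sa_email}"
    return any(
        b.get("role") == role and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )


def projects_missing_binding(policies: Dict[str, dict], sa_email: str, role: str) -> List[str]:
    """Sorted project IDs whose IAM policy lacks the service account in the required role."""
    return sorted(p for p, pol in policies.items() if not has_role_binding(pol, sa_email, role))


# ---- constructed sample data (hypothetical names; the private key is a placeholder, not a key) ----
SA_EMAIL = "avi-controller@example-network-project.iam.gserviceaccount.com"
AVI_ROLE = "projects/example-network-project/roles/avi_lb_role"  # hypothetical custom role

SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-network-project",
    "private_key_id": "0123456789abcdef",
    "private_key": PEM_HEAD + "\nCONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY\n" + PEM_TAIL + "\n",
    "client_email": SA_EMAIL,
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# One policy per project, in the shape `gcloud projects get-iam-policy` emits.
# The network project grants the role; the service-engine project only grants viewer.
SAMPLE_POLICIES = {
    "example-network-project": {
        "bindings": [
            {"role": AVI_ROLE, "members": [f"serviceAccount:{SA_EMAIL}"]},
            {"role": "roles/viewer", "members": ["user:admin@example.com"]},
        ],
        "etag": "BwX-constructed", "version": 1,
    },
    "example-se-project": {
        "bindings": [
            {"role": "roles/viewer", "members": [f"serviceAccount:{SA_EMAIL}"]},
        ],
        "etag": "BwY-constructed", "version": 1,
    },
}

if __name__ == "__main__":
    print("key file problems:", validate_key_file(SAMPLE_KEY_JSON))
    print("projects still missing the role binding:",
          projects_missing_binding(SAMPLE_POLICIES, SA_EMAIL, AVI_ROLE))
```

Run against real data by reading the downloaded key file into `validate_key_file` and feeding each project's `get-iam-policy` JSON into `projects_missing_binding`; any project it returns is one where the service account still has to be added as a member with the Avi Load Balancer role before the cloud is configured in the Controller.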