This section discusses creating roles and permissions with different deployment examples.
A role is a group of permissions that can be assigned to members. You can create roles and assign permissions to the roles from the Google Cloud Platform (GCP) console.
The following GCP-specific terms are used in this topic:

| Term | Description |
|---|---|
| Virtual Private Cloud | GCP Virtual Private Cloud (VPC) provides networking functionality to the GCP resources. |
| Project | A project organizes all GCP resources. A project consists of a set of users, a set of APIs, and billing, authentication, and monitoring settings for those APIs. |
| Shared VPC (XPN) | Shared VPC allows an organization to connect resources from multiple projects to a common VPC network. When using a shared VPC, one project is designated as the host project and one or more other service projects can be attached to the host project. Shared VPC is also referred to as XPN. |
| Service Account | A service account is a special Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that users are not directly involved. |
Roles and Permissions in GCP
When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management (IAM) must verify that the identity has the permissions required to use the resource. You grant permissions by granting roles to a user, a group, or a service account.
Role Types
The following are the types of roles in Cloud IAM:

- Primitive roles: the Owner, Editor, and Viewer roles that existed before Cloud IAM was introduced.
- Predefined roles: provide granular access to a specific service and are managed by GCP.
- Custom roles: provide granular access according to a user-specified list of permissions. For more information, see cloud.google.com.

In this topic, all references to roles mean custom roles.
To learn more about creating custom roles, see Creating and Managing Custom Roles.
The following are the cross-project deployment scenarios:

- The Controller, Service Engines, and XPN are in the same project.
- The Controller and Service Engines are in projects other than the XPN.
Option 1 - Controller, Service Engines, and XPN in the same Project
In this deployment scenario, the shared VPC (XPN), the Controller, and the Service Engines are in project A.
For more information on the deployment scenario, see Roles and Permissions for the Virtual Machine section below.
Roles and Permissions for the Virtual Machine
The Controller
When using the default Compute Engine service account (the project has the Compute Engine service account enabled), select it as the service account and grant Read Write permissions for the Compute Engine API, as shown in the following image:
Service Engine
When using the default Compute Engine service account (the project has the Compute Engine service account enabled), select it as the service account and grant Read Only permissions for the Compute Engine API, as shown in the following image:
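The two service accounts above are deliberately given different levels of access: the Controller must create and modify Compute Engine resources, while the Service Engines only need to read them. The following script is an added example (not part of this page or the product) that builds both custom-role definitions in the file format accepted by `gcloud iam roles create --file`, checks that the Service Engine role contains no state-changing permissions, and emits the `gcloud` commands that create each role and bind it to a service account. The permission lists, project ID, role IDs, and service-account addresses are assumptions chosen for illustration; they are not the product's documented permission set.

```python
"""Build and least-privilege-check two custom GCP IAM roles: a read/write
role for the Controller and a read-only role for the Service Engines.
Added example; all permission lists and identifiers below are assumptions."""
import json
import re

# GCP permissions have the form <service>.<resource>.<verb>, e.g. compute.instances.get
PERMISSION_RE = re.compile(r"^[a-z]+\.[a-zA-Z]+\.[a-zA-Z]+$")
# Custom role IDs: letters, digits, underscores and periods, 3 to 64 characters
ROLE_ID_RE = re.compile(r"^[a-zA-Z0-9_.]{3,64}$")
# Verbs that only read state; anything else is treated as mutating
READ_ONLY_VERBS = ("get", "list")

# Assumed permission set for the Controller (read/write on Compute Engine)
CONTROLLER_PERMISSIONS = [
    "compute.disks.create", "compute.images.get",
    "compute.instances.create", "compute.instances.delete",
    "compute.instances.get", "compute.instances.list",
    "compute.instances.setMetadata", "compute.instances.setTags",
    "compute.networks.get", "compute.routes.create", "compute.routes.delete",
    "compute.routes.list", "compute.subnetworks.get",
    "compute.subnetworks.use", "compute.zones.list",
]
# Assumed permission set for the Service Engines (read-only on Compute Engine)
SE_PERMISSIONS = [
    "compute.instances.get", "compute.instances.list", "compute.networks.get",
    "compute.subnetworks.get", "compute.zones.list", "compute.routes.list",
]


def parse_permission(permission):
    """Split a permission into (service, resource, verb); reject malformed input."""
    if not PERMISSION_RE.match(permission):
        raise ValueError(f"malformed permission: {permission!r}")
    service, resource, verb = permission.split(".")
    return service, resource, verb


def is_read_only(permission):
    """True when the permission's verb only reads state (get*, list*)."""
    _, _, verb = parse_permission(permission)
    return verb.startswith(READ_ONLY_VERBS)


def mutating_permissions(permissions):
    """Return the sorted subset of permissions that can change state.
    For a role meant to be read-only this list must be empty."""
    return sorted(p for p in permissions if not is_read_only(p))


def role_definition(title, description, permissions, stage="GA"):
    """Build the role body accepted by `gcloud iam roles create --file`
    (JSON is valid YAML, so json.dumps output can be written to that file)."""
    for p in permissions:
        parse_permission(p)  # fail early on typos rather than at gcloud time
    return {
        "title": title,
        "description": description,
        "stage": stage,
        "includedPermissions": sorted(set(permissions)),
    }


def gcloud_commands(project_id, role_id, role_file, service_account):
    """Commands to create the custom role and bind it to a service account."""
    if not ROLE_ID_RE.match(role_id):
        raise ValueError(f"invalid custom role id: {role_id!r}")
    return [
        f"gcloud iam roles create {role_id} --project={project_id} --file={role_file}",
        f"gcloud projects add-iam-policy-binding {project_id} "
        f"--member=serviceAccount:{service_account} "
        f"--role=projects/{project_id}/roles/{role_id}",
    ]


if __name__ == "__main__":
    # Assumed project and service-account names (placeholders, not real values)
    project = "project-a"
    roles = {
        "aviController": ("Avi Controller (RW)", CONTROLLER_PERMISSIONS,
                          f"avi-controller@{project}.iam.gserviceaccount.com"),
        "aviServiceEngine": ("Avi Service Engine (RO)", SE_PERMISSIONS,
                             f"avi-se@{project}.iam.gserviceaccount.com"),
    }
    # The SE role must not carry any mutating permission; refuse to proceed if it does
    leaked = mutating_permissions(SE_PERMISSIONS)
    if leaked:
        raise SystemExit(f"Service Engine role is not read-only: {leaked}")
    for role_id, (title, perms, sa) in roles.items():
        body = role_definition(title, f"Custom role for {title}", perms)
        print(json.dumps(body, indent=2))
        for cmd in gcloud_commands(project, role_id, f"{role_id}.json", sa):
            print(cmd)
```

The read-only check keys on the verb segment of each permission, so a permission such as `compute.subnetworks.use` or `compute.instances.setMetadata` is flagged even though it does not start with `create` or `delete`; run it against any role you intend to bind to a Service Engine before creating it.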
Configuring IPAM
Use the inputs below to configure IPAM.
| Field | Value |
|---|---|
| usable_network_uuids | Network ID for VIP allocation |
| network_host_project_id | |
| se_project_id | Project A (Project Name of the SEs) |
| region_name | Region A (Region Name of the SEs) |
| vpc_network_name | |
Option 2 - The Controller and Service Engines are in Projects other than the XPN
In this deployment example, the Shared VPC is in Project A, and the Controller and Service Engines are in Project B.
Configuring IPAM
| Field | Value |
|---|---|
| usable_network_uuids | AVI Network ID for VIP allocation |
| network_host_project_id | Project A (Shared VPC Project ID) |
| se_project_id | Project B (Project ID of the SEs) |
| region_name | Region A (Region Name of the SEs) |