
Google Cloud Platform Roles and Permissions
Avi Networks — Technical Reference (18.1)

This article discusses creating roles and permissions in different deployment examples.

Overview

A role is a group of permissions that can be assigned to members. Roles can be created, and permissions assigned to them, from the Google Cloud Platform (GCP) console.

The following GCP-specific terminology is used in this article.

| Terminology | Definition |
| --- | --- |
| Virtual Private Cloud | GCP Virtual Private Cloud (VPC) provides networking functionality to GCP resources. |
| Project | A project organizes all GCP resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs. |
| Shared VPC (XPN) | Shared VPC allows an organization to connect resources from multiple projects to a common VPC network. When using a Shared VPC, one project is designated as the host project and one or more other service projects can be attached to the host project. Shared VPC is also referred to as XPN. |
| Service Account | A service account is a special Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that users are not directly involved. |

Roles and Permissions in GCP

When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management (IAM) requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

Role Types

There are three types of roles in Cloud IAM:

* Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
* Predefined roles, which provide granular access for a specific service and are managed by GCP
* Custom roles, which provide granular access according to a user-specified list of permissions

Excerpt from: cloud.google.com

Note: In this KB, all instances of 'Role(s)' refer to Custom Roles. To know more about creating custom roles, refer to Creating and Managing Custom Roles.

Copyright © 2020 Avi Networks, Inc.

Let us understand roles and permissions in the following cross-project deployment scenarios:

* The Controller, Service Engines, and XPN are in the same project
* The Controller and Service Engines are in projects other than the XPN

Option 1: Controller, Service Engines, and XPN are in the Same Project

In this deployment scenario, the Shared VPC (XPN), the Controller, and the Service Engines are all in Project A. The roles and permissions required for the virtual machines in this scenario are described below.

Roles and Permissions for the VM

The Controller

1. When using the default Compute Engine service account (the project has the Compute Engine default service account enabled), select it as the service account and grant Read Write access for the Compute Engine API (shown as a screenshot in the original).
2. When using a non-default service account, refer to Controller Service Account Configuration.

Service Engine

1. When using the default Compute Engine service account (the project has the Compute Engine default service account enabled), select it as the service account and grant Read Only access for the Compute Engine API (shown as a screenshot in the original).
2. When using a non-default service account, refer to Creating Service Account, Role for Service Engine.

Note that the access scope chosen here (Read Write or Read Only for the Compute Engine API) limits what the VM's own token can do regardless of the roles granted to the service account; the effective access is the intersection of the scope and the IAM roles. A non-default service account with a custom role gives finer control over both.

Configuring IPAM

To configure GCP IPAM,

1. Navigate to Templates > Profiles > IPAM/DNS Profiles and click on Create.
2. Choose the Type as Google Cloud Platform IPAM from the drop-down list.
3. Click on Manual Configuration and enter the details for:
   * Network Host Project ID
   * Service Engine Project ID
   * Region Name
   * VPC Network Name
4. Click on Add Usable Network to specify the network details.

Use the configuration specified in the following table to enter the respective fields in the New IPAM/DNS Profile screen (shown as a screenshot in the original).

| Field | Value |
| --- | --- |
| usable_network_uuids | Avi Network ID for VIP allocation |
| network_host_project_id | Project A (Shared VPC project ID; in this option the same project as the SEs) |
| se_project_id | Project A (project ID of the SEs) |
| region_name | Region A (region name of the SEs) |

Option 2: The Controller and Service Engines are in Projects other than the XPN

In this deployment example, the Shared VPC is in Project A, and the Controller and Service Engines are in Project B.

Roles and Permissions for the Virtual Machines (VM)

The Controller

When using a non-default service account, refer to Controller Service Account Configuration. In this option the Controller's service account needs roles granted in both the XPN project and the Service Engine project, as described there.

Service Engine

1. When using the default Compute Engine service account (the project has the Compute Engine default service account enabled), select it as the service account and grant Read Only access for the Compute Engine API (shown as a screenshot in the original).
2. When using a non-default service account, refer to Creating Service Account, Role for Service Engine.

Configuring IPAM

Configure GCP IPAM with the same steps as in Option 1 (Templates > Profiles > IPAM/DNS Profiles > Create, Type Google Cloud Platform IPAM, Manual Configuration, then Add Usable Network), using the values in the following table for the respective fields of the New IPAM/DNS Profile screen.

| Field | Value |
| --- | --- |
| usable_network_uuids | Avi Network ID for VIP allocation |
| network_host_project_id | Project A (Shared VPC project ID) |
| se_project_id | Project B (project ID of the SEs) |
| region_name | Region A (region name of the SEs) |

Configuring Controller Service Account

Follow the steps given below to configure the service account.

1. Create a service account for the Controller in the Controller project.
2. Create a role for the Controller in the network (XPN) project and assign the role to a member.
3. Create a role for the Controller in the Service Engine project and add the service account as a member.

Creating a service account for the Controller in the Controller project

To create a service account,

1. Open the Service Accounts page in the GCP Console and select the required project.
2. Click on Create Service Account, enter a service account name, and select a role with the desired permissions for the service account.

Creating a role for the Controller in the network (XPN) project and assigning the role to a member

Create a role in the XPN project for the service account created above and assign networking permissions to the role. To create a role,

1. Navigate to the Roles page in the GCP Console for the XPN project.
2. Click on Create Role and enter the Title and Role ID (screenshot in the original: create-role.png).
3. Click on Add Permissions and select the required permissions. The permission list appears only as a screenshot in the original.
4. Click on Add.

Add the Service Account as a Member to the Project

Add the service account that was created as a member of the XPN project, with the AviNetworkAdminRole.

1. Open the IAM page in the GCP console for the XPN project.
2. Click on Add.
3. Select the service account as the New Member.
4. Select the role with the desired permissions.
5. Click on Save.

Create a Role for the Controller in the Service Engine Project and Add as a Member

1. Create a role for the service account and assign the permissions required to create load balancers.
2. Add the required permissions. The permission list appears only as a screenshot in the original.
3. Add the service account created above ([email protected]) as a member of the Service Engine project, with the AviControllerSERole that was created.

Creating Service Account, Role for Service Engine

These operations are performed in the Service Engine project and are required only if the Compute Engine default service account is not present in the project.
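The Controller service account procedure for Option 2 (service account in the Controller project, one custom role in the XPN project, one custom role in the Service Engine project, and a binding for each), scripted with gcloud as an added example. This is not tooling from Avi Networks or from the original article. The project IDs, the service account name and the permission lists are assumptions: the article shows the required permissions only in screenshots, so the placeholder lists below must be replaced with the product's list before use. The final check reads back the roles actually bound to the service account in each project and fails if a primitive role (Owner, Editor, Viewer) is among them, since the procedure is meant to grant custom roles only.

```shell
#!/bin/sh
# Added example, not Avi Networks' own tooling: scripted version of the
# "Configuring Controller Service Account" procedure (Option 2).
# Assumptions, not taken from the article: project IDs, service account name,
# and the permission lists. The article shows the required permissions only in
# screenshots, so replace CONTROLLER_XPN_PERMS / CONTROLLER_SE_PERMS with the
# product's exact list before running.
GCLOUD="${GCLOUD:-gcloud}"                   # set GCLOUD=echo for a dry run

XPN_PROJECT="${XPN_PROJECT:-project-a}"      # Shared VPC host project (assumed ID)
CTRL_PROJECT="${CTRL_PROJECT:-project-b}"    # Controller project (assumed ID)
SE_PROJECT="${SE_PROJECT:-project-b}"        # Service Engine project (assumed ID)
SA_NAME="${SA_NAME:-avi-controller}"         # assumed service account name

# Placeholder permission lists (assumption): networking permissions for the
# XPN project, instance/address permissions for the Service Engine project.
CONTROLLER_XPN_PERMS="compute.networks.get,compute.subnetworks.get,compute.subnetworks.use,compute.routes.create,compute.routes.delete,compute.routes.get,compute.routes.list"
CONTROLLER_SE_PERMS="compute.instances.get,compute.instances.list,compute.instances.create,compute.instances.delete,compute.addresses.create,compute.addresses.delete"

# A user-created service account's address is NAME@PROJECT.iam.gserviceaccount.com.
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Fully qualified name of a project-level custom role; the role lives in the
# project where it is granted, so the project ID here is the granting project.
role_name() { printf 'projects/%s/roles/%s' "$1" "$2"; }

# Step 1: service account for the Controller, created in the Controller project.
create_controller_sa() {
    $GCLOUD iam service-accounts create "$SA_NAME" \
        --project="$CTRL_PROJECT" --display-name="Avi Controller"
}

# Steps 2 and 3: a custom role scoped to one project, then a binding that
# grants only that role to the Controller's service account in that project.
create_role_and_bind() {   # args: project role_id title permissions
    project="$1"; role_id="$2"; title="$3"; perms="$4"
    $GCLOUD iam roles create "$role_id" --project="$project" \
        --title="$title" --permissions="$perms" --stage=GA
    $GCLOUD projects add-iam-policy-binding "$project" \
        --member="serviceAccount:$(sa_email "$SA_NAME" "$CTRL_PROJECT")" \
        --role="$(role_name "$project" "$role_id")"
}

# Least-privilege check on a whitespace-separated list of roles: return 1 if a
# primitive role is among them, since this procedure grants custom roles only.
check_no_primitive_roles() {
    for r in $1; do
        case "$r" in
            roles/owner|roles/editor|roles/viewer) return 1 ;;
        esac
    done
    return 0
}

# Roles currently bound to the Controller's service account in a project.
list_sa_roles() {   # arg: project
    $GCLOUD projects get-iam-policy "$1" \
        --flatten="bindings[].members" \
        --filter="bindings.members:serviceAccount:$(sa_email "$SA_NAME" "$CTRL_PROJECT")" \
        --format="value(bindings.role)"
}

main() {
    create_controller_sa
    create_role_and_bind "$XPN_PROJECT" AviNetworkAdminRole "Avi Network Admin" "$CONTROLLER_XPN_PERMS"
    create_role_and_bind "$SE_PROJECT" AviControllerSERole "Avi Controller SE" "$CONTROLLER_SE_PERMS"
    for p in "$XPN_PROJECT" "$SE_PROJECT"; do
        check_no_primitive_roles "$(list_sa_roles "$p")" \
            || { echo "primitive role bound to $SA_NAME in $p" >&2; exit 1; }
    done
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh avi-controller-sa.sh run` after exporting the real project IDs; with `GCLOUD=echo` it prints the commands instead of executing them. The point worth checking in the console as well: the role granted in the XPN project is `projects/<XPN project>/roles/AviNetworkAdminRole`, while the one granted in the Service Engine project is `projects/<SE project>/roles/AviControllerSERole`; the member in both bindings is the one service account from the Controller project.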