Google Cloud Platform Roles and Permissions

This article discusses creating roles and permissions in different deployment examples.

Note: Linux Server Cloud and GCP IPAM on GCP are not supported.

Overview

A role is a group of permissions that can be assigned to members. Roles can be created, and permissions assigned to them, from the Google Cloud Platform (GCP) console.

The following is a list of GCP-specific terms used in this article:

Term                     Description
Virtual Private Cloud    GCP Virtual Private Cloud (VPC) provides networking functionality to the GCP resources.
Project                  A project organizes all GCP resources. A project consists of a set of users; a set of APIs; and billing, authentication, and monitoring settings for those APIs.
Shared VPC (XPN)         Shared VPC allows an organization to connect resources from multiple projects to a common VPC network. When using a Shared VPC, one project is designated as the host project and one or more other service projects can be attached to the host project. Shared VPC is also referred to as XPN.
Service Account          A service account is a special Google account that belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users are not directly involved.

Roles and Permissions in GCP

When an identity calls a Google Cloud Platform API, Cloud Identity and Access Management (IAM) requires that the identity has the appropriate permissions to use the resource. You can grant permissions by granting roles to a user, a group, or a service account.

Role Types

There are three types of roles in Cloud IAM:

  • Primitive roles, which include the Owner, Editor, and Viewer roles that existed prior to the introduction of Cloud IAM
  • Predefined roles, which provide granular access for a specific service and are managed by GCP
  • Custom roles, which provide granular access according to a user-specified list of permissions
    Excerpt from: cloud.google.com

    Note: In this KB, all instances of ‘Role(s)’ refer to Custom Roles.

To know more about creating custom roles, refer to Creating and Managing Custom Roles.

Let us understand roles and permissions in the following cross-project deployment scenarios:

Option 1: Controller, Service Engines, and XPN are in the Same Project

In this deployment scenario, the Shared VPC (XPN), the Controller, and the Service Engines are all in Project A.

same project

This deployment scenario is discussed under Roles and Permissions for the Virtual Machines (VM).

Roles and Permissions for the VM

The Controller

  1. When using the default Compute Engine service account (the project has the Compute Engine default service account enabled), select it as the service account and grant Read Write permissions for the Compute Engine API, as shown in the image: permissions for compute engine api

  2. When using a non-default service account, refer to Controller Service Account Configuration.

Service Engine

  1. When using the default Compute Engine service account (the project has the Compute Engine default service account enabled), select it as the service account and grant Read Only permissions for the Compute Engine API, as shown in the image: permissions for compute engine api

  2. When using a non-default service account, refer to Creating Service Account, Role for Service Engine.

Configuring IPAM

To configure GCP IPAM,

  1. Navigate to Templates > Profiles > IPAM/DNS Profiles and click on Create.

  2. Choose the Type as Google Cloud Platform IPAM from the drop-down list.

  3. Click on Manual Configuration and enter the details for:
    • Network Host Project ID
    • Service Engine Project ID
    • Region Name
    • VPC Network Name
  4. Click on Add Usable Network to specify the network details.

The New IPAM/DNS Profile: screen is as shown below:

same project

Use the configuration specified in the following table to enter the respective fields in the New IPAM/DNS Profile: screen.

Field                     Value
usable_network_uuids      AVI Network ID for VIP allocation
network_host_project_id
se_project_id             Project A (Project Name of the SEs)
region_name               Region A (Region Name of the SEs)
vpc_network_name

Starting with NSX Advanced Load Balancer 22.1.3, the following UI is available:

Note: As a prerequisite to creating a GCP IPAM, create a cloud named GCP Cloud, with the following inputs:

  • Service Engine Project ID - Project A (Project Name of the SEs)
  • Service Engine Region - Region A (Region Name of the SEs)
  • Zones
  • VPC Project ID
  • VPC Network Name
  • VPC Subnet Name
  • Cloud Storage Project ID
  • Cloud Storage Bucket Name

  1. In the NEW IPAM/DNS PROFILE screen, specify the profile name.

  2. Select Avi Vantage IPAM option in the Type field and select the previously created cloud – GCP Cloud – for the Cloud field.

  3. Add Usable Networks and click SAVE.

same project

Option 2: The Controller and Service Engines are in Projects other than the XPN

In this deployment example, the Shared VPC is in Project A, and the Controller and Service Engines are in Project B.

different-projects

Roles and Permissions for the Virtual Machines (VM)

The Controller

When using a non-default service account, refer to Controller Service Account Configuration.

Configuring IPAM

To configure GCP IPAM,

  1. Navigate to Templates > Profiles > IPAM/DNS Profiles and click on Create.

  2. Choose the Type as Google Cloud Platform IPAM from the drop-down list.

  3. Click on Manual Configuration and enter the details for:
    • Network Host Project ID
    • Service Engine Project ID
    • Region Name
    • VPC Network Name
  4. Click on Add Usable Network to specify the network details.

The New IPAM/DNS Profile: screen is as shown below:

same project

Use the configuration specified in the following table to enter the respective fields in the New IPAM/DNS Profile: screen.

Field                     Value
usable_network_uuids      AVI Network ID for VIP allocation
network_host_project_id   Project A (Shared VPC Project ID)
se_project_id             Project B (Project ID of the SEs)
region_name               Region A (Region Name of the SEs)

Starting with NSX Advanced Load Balancer 22.1.3, the following UI is available:

same project

Note: As a prerequisite to creating a GCP IPAM, create a cloud named GCP Cloud, with the following inputs:

  • Service Engine Project ID - Project B (Project Name of the SEs)
  • Service Engine Region - Region A (Region Name of the SEs)
  • Zones
  • VPC Project ID - Project A (Shared VPC Project ID)
  • VPC Network Name
  • VPC Subnet Name
  • Cloud Storage Project ID
  • Cloud Storage Bucket Name

  1. In the NEW IPAM/DNS PROFILE screen, specify the profile name.

  2. Select Avi Vantage IPAM option in the Type field and select the previously created cloud – GCP Cloud – for the Cloud field.

  3. Add Usable Networks and click SAVE.

Configuring Controller Service Account

Follow the steps given below to configure the Service Account:

  1. Create a service account for the Controller in the Controller project
  2. Create a Role for the Controller in the Network (XPN) Project and Assign the Role to a Member
  3. Create a Role for The Controller in the Service Engine Project and Add as a Member

Creating a service account for the Controller in the Controller project.

To create a service account,

  1. Open the Service Accounts page in the GCP Console and select the required Project.
  2. Click on Create Service Account and enter a service account name and select a role with desired permissions for the service account.

create service account

Creating a Role for the Controller in the network (XPN) Project and assigning the role to a member.

Create a role in the XPN project for the service account created above, and assign networking permissions to the role. To create a role,

  1. Navigate to the Roles page in the GCP Console for the XPN project.
  2. Click on Create Role and enter the Title and Role ID.

    create role

  3. Click on Add Permissions and select the following permissions:

    permissions

  4. Click Add.

Add the Service Account as a Member to the Project

Add the service account created above as a member of the XPN project, with the AviNetworkAdminRole role.

  1. Open the IAM page in the GCP console for the XPN project.
  2. Click on Add.
  3. Select the Service Account as the New Member.
  4. Select the Role with the desired permissions.
  5. Click on Save.

    add-members

Create a Role for The Controller in the Service Engine Project and Add as a Member

  1. Create a role for the service account and assign permissions required to create load balancers.

    add members se

  2. Add the following permissions:

    permissions se

  3. Add the avi-controller@majestic-option-159722.iam.gserviceaccount.com service account created above as a member of the Service Engine project, with the AviControllerSERole role that was created.

    add members se

Creating Service Account, Role for Service Engine

These operations are performed in the Service Engine project and are required only if the Compute Engine default service account is not present in the project.

Create a role for service engines

  1. Navigate to the Roles page in the GCP Console for the XPN project.
  2. Click on Create Role and enter the Title and Role ID.

    create role se

  3. Click on Add Permissions and select the compute.instances.get permission.

    service account se

Create a Service Account for the service engines and assign it the role created above.

To create a service account,

  1. Open the Service Accounts page in the GCP Console and select the required Project.
  2. Click on Create Service Account and enter a service account name and select a role with desired permissions for the service account.

    create service account

    Note: Make a note of the email ID of the service account.

  3. Click Save.
    To add this service account as a member,
  4. Open the IAM page in the GCP console for the required project.
  5. Click on Add.
  6. Select the service account as the New Member and select the Role created.

    add members se

  7. Attach this service account to the Service Engine virtual machine, as shown in the following image.

    add service account
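The two console procedures above (the Controller service account with its XPN and Service Engine roles, and the Service Engine service account and role) as an added gcloud script; this is example code, not from the KB or from Avi. Project IDs, account names, the SE role ID and the permission lists are placeholders, since the KB shows the permission lists only as screenshots.

```shell
#!/bin/sh
# Added example (not from the KB): gcloud equivalents of the console steps above.
# Project IDs, account names, the SE role ID and the permission lists are
# placeholders; DRY_RUN=1 (the default) prints each command instead of running it.
set -eu
CONTROLLER_PROJECT="${CONTROLLER_PROJECT:-controller-project-id}"
XPN_PROJECT="${XPN_PROJECT:-xpn-host-project-id}"
SE_PROJECT="${SE_PROJECT:-se-project-id}"
XPN_PERMISSIONS="${XPN_PERMISSIONS:-PERMISSIONS_FROM_KB_SCREENSHOT}"
SE_PERMISSIONS="${SE_PERMISSIONS:-PERMISSIONS_FROM_KB_SCREENSHOT}"

# Print the command under DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }   # name project

create_sa() {   # name project
  run gcloud iam service-accounts create "$1" --project="$2" --display-name="$1"
}
create_role() { # role_id project comma-separated-permissions
  run gcloud iam roles create "$1" --project="$2" --title="$1" --permissions="$3"
}
# Bind the account to the custom role only, never to Owner/Editor/Viewer.
bind_role() {   # sa_email project role_id
  run gcloud projects add-iam-policy-binding "$2" \
    --member="serviceAccount:$1" --role="projects/$2/roles/$3"
}

# Controller: SA in the Controller project, custom role + binding in the XPN
# project, custom role + binding in the Service Engine project.
provision_controller() {
  sa=$(sa_email avi-controller "$CONTROLLER_PROJECT")
  create_sa avi-controller "$CONTROLLER_PROJECT"
  create_role AviNetworkAdminRole "$XPN_PROJECT" "$XPN_PERMISSIONS"
  bind_role "$sa" "$XPN_PROJECT" AviNetworkAdminRole
  create_role AviControllerSERole "$SE_PROJECT" "$SE_PERMISSIONS"
  bind_role "$sa" "$SE_PROJECT" AviControllerSERole
}

# Service Engine: SA and a role holding only compute.instances.get, then attach
# the SA to the SE instance (which must be stopped) with read-only Compute scope.
provision_se() {  # instance zone
  sa=$(sa_email avi-se "$SE_PROJECT")
  create_sa avi-se "$SE_PROJECT"
  create_role AviSERole "$SE_PROJECT" compute.instances.get   # AviSERole: placeholder
  bind_role "$sa" "$SE_PROJECT" AviSERole
  run gcloud compute instances set-service-account "$1" --project="$SE_PROJECT" \
    --zone="$2" --service-account="$sa" --scopes=compute-ro
}
```

Run with DRY_RUN=1 first and compare the printed bindings against the IAM page of each project; each binding should reference only the custom role.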

Autoscaling Permissions for Instance Templates

In GCP, instead of controlling each instance in your project individually, you can create and manage groups of VM instances. An instance template is used to create a group of identical instances; such a group is called a managed instance group.

You can automatically add or delete instances from a managed instance group based on the increase or decrease in load.

To create an instance template,

  1. From the GCP console, click on Go to Compute Engine.
  2. Click on Create Instance templates as shown below.

    gcp-autoscale
  3. Enter the Name of the instance.
  4. Select Small (1 shared vCPU) as the Machine Type.
  5. Select a boot disk with a CentOS 7 image and 20 GB capacity.
  6. Under Identity and API access, click on Set access for each API.

    • When using the default Compute Engine service account (the project has the Compute Engine default service account enabled), select it as the Service account and select Read Only permissions for Compute Engine, as shown below.

      gcp-autoscale

    • When using a non-default service account, refer to Controller Service Account Configuration.

  7. Select Read Only under Compute Engine.
  8. Click on Allow HTTP traffic under Firewall to permit outside connections.
  9. Click on Networking > Network Interfaces.
  10. Enter the network and subnetwork details.
  11. Set IP forwarding to On.
  12. Copy the public key from the machine that will be used to initiate SSH.
  13. Click on the Security tab and click on Add Item under SSH Keys.
  14. Paste the key in the text box.
  15. Click on Create.
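The instance-template steps above as an added gcloud command; this is example code, not part of the KB. Project, region, network, subnet, service account and SSH key file are placeholders passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the KB): gcloud equivalent of the console steps above.
# Arguments are placeholders; DRY_RUN=1 (the default) prints the command instead
# of running it.
set -eu
run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# name project region network subnet service_account_email ssh_keys_file
# The ssh_keys_file holds lines of the form "username:ssh-rsa AAAA... comment".
# --tags=http-server is what the Allow HTTP traffic checkbox sets; the matching
# tcp:80 firewall rule must exist on the network and should be limited to the
# source ranges that actually need access rather than 0.0.0.0/0.
create_se_template() {
  run gcloud compute instance-templates create "$1" --project="$2" \
    --machine-type=g1-small \
    --image-family=centos-7 --image-project=centos-cloud --boot-disk-size=20GB \
    --service-account="$6" --scopes=compute-ro \
    --tags=http-server \
    --region="$3" --network="$4" --subnet="$5" \
    --can-ip-forward \
    --metadata-from-file=ssh-keys="$7"
}
```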