GCP VPC

Objective

This document explains the various types of required policies that grant permissions for users to create or modify resources as part of deploying F5® Distributed Cloud Sites on GCP. This document also provides instructions to create a service account using the GCP cloud formation templates.

Note: Refer to the GCP IAM Documentation for information on the various GCP roles.

GCP VPC Policies

The required policies are managed in the IAM section of GCP portal. The following is the list of permissions required for deploying a GCP VPC site:

GCP Permissions
compute.addresses.create
compute.addresses.delete
compute.addresses.get
compute.addresses.use
compute.backendServices.create
compute.backendServices.delete
compute.backendServices.get
compute.backendServices.list
compute.disks.create
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.resize
compute.disks.setLabels
compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.forwardingRules.create
compute.forwardingRules.delete
compute.forwardingRules.get
compute.forwardingRules.list
compute.forwardingRules.setLabels
compute.globalOperations.get
compute.healthChecks.create
compute.healthChecks.delete
compute.healthChecks.get
compute.healthChecks.list
compute.healthChecks.useReadOnly
compute.images.create
compute.images.get
compute.images.list
compute.images.useReadOnly
compute.instanceGroupManagers.create
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get
compute.instanceGroupManagers.list
compute.instanceGroupManagers.update
compute.instanceGroups.create
compute.instanceGroups.delete
compute.instanceGroups.get
compute.instanceGroups.list
compute.instanceGroups.use
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.list
compute.instanceTemplates.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.detachDisk
compute.instances.get
compute.instances.list
compute.instances.reset
compute.instances.resume
compute.instances.setLabels
compute.instances.setMachineResources
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateNetworkInterface
compute.instances.use
compute.interconnectAttachments.get
compute.machineTypes.list
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networks.access
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.list
compute.networks.update
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionBackendServices.create
compute.regionBackendServices.delete
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.regionBackendServices.use
compute.regions.get
compute.regionOperations.get
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list
compute.routers.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.setPrivateIpGoogleAccess
compute.subnetworks.update
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get

Note: The resourcemanager.projects.list permission is supported for organization-level custom roles. See Known Limitations of GCP IAM documentation for more information.


Create Role and Apply to Service Account

Perform the steps listed in this chapter to create a role with the required permissions and apply it to a service account.

Prerequisite: Install gcloud command-line tool. See gcloud command-line tool for more information.

The following video tutorial shows how to create a GCP role and apply it to a service account:

Perform the following steps from CLI:

Step 1: Create the GCP role and permissions required to create F5 Distributed Cloud’s GCP VPC site.
    gcloud iam roles create <ROLE_ID> --project=<GCP_PROJECT_ID> --file=f5xc_gcp_vpc_role.yaml
  • ROLE_ID - The ID of the custom role to create. For example: f5xc_gcp_vpc_role.
  • GCP_PROJECT_ID - The project of the role you want to create.
  • f5xc_gcp_vpc_role.yaml - Download the cloud formation template file here.
Step 2: Create the GCP service account.
    gcloud iam service-accounts create <SERVICE_ACCOUNT_NAME> --display-name=<SERVICE_ACCOUNT_NAME>

SERVICE_ACCOUNT_NAME - The internal name of the new service account. For example: f5xc-gcp-vpc-service-account.

Step 3: Get the IAM internal email address for the above-created service account.
    gcloud iam service-accounts list | grep <SERVICE_ACCOUNT_NAME> | awk '{print $2}'

SERVICE_ACCOUNT_NAME - the service account name used in the previous step.

Step 4: Attach the role created on Step 1 to the IAM service account email address received from Step 3.
    gcloud projects add-iam-policy-binding <PROJECT_ID> --member='serviceAccount:<SERVICE_ACCOUNT_IAM_EMAIL_ADDRESS>' --role=projects/<PROJECT_ID>/roles/<ROLE_ID>
  • SERVICE_ACCOUNT_IAM_EMAIL_ADDRESS - the output of Step 3.
  • PROJECT_ID - the project ID.
  • ROLE_ID - the Role ID used in Step 1.
Step 5: Create the service account key.
    gcloud iam service-accounts keys create --iam-account <SERVICE_ACCOUNT_IAM_EMAIL_ADDRESS> key.json
  • SERVICE_ACCOUNT_IAM_EMAIL_ADDRESS - the output of Step 3.
  • key.json - the output of the above command; its contents are used to create GCP Cloud Credentials on F5® Distributed Cloud Console.

Note: Enter the contents of the key.json file in the GCP cloud credential's Secret Info section.
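The following added example (not F5's tooling, and not part of the original page) builds the role file that Step 1 passes with --file from the permission list above, and audits the role GCP reports back against that same list, so a missing permission (site deployment fails) or a stray extra one (more privilege than the service account needs) is caught before key.json is handed to the Console. Assumed: the --file format (title/stage/includedPermissions) accepted by gcloud iam roles create, the YAML layout printed by gcloud iam roles describe, and constructed sample inputs in place of the full table.

```python
"""Build the Step 1 role file from the page's permission list and audit the
created role against it. Assumed formats (not from the F5 page): the --file
payload of `gcloud iam roles create` and the YAML that
`gcloud iam roles describe <ROLE_ID> --project=<GCP_PROJECT_ID>` prints."""
import re

PERMISSION_RE = re.compile(r"^[a-z]+\.[A-Za-z]+\.[A-Za-z]+$")


def parse_permission_list(text):
    """One permission per line (the page's table pasted into a file):
    skip blanks, reject malformed names, keep first occurrence only."""
    perms = []
    for line in (s.strip() for s in text.splitlines()):
        if line and not PERMISSION_RE.match(line):
            raise ValueError(f"not a GCP permission: {line!r}")
        if line and line not in perms:
            perms.append(line)
    return perms


def render_role_yaml(permissions, title="F5 XC GCP VPC site"):
    """Emit the YAML passed to `gcloud iam roles create --file`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(set(permissions))]
    return "\n".join(lines) + "\n"


def audit_role(describe_output, required):
    """Diff a described role against the required list. Returns (missing,
    excess): missing breaks site deployment, excess is privilege to remove."""
    granted, in_block = set(), False
    for raw in describe_output.splitlines():
        if raw.startswith("includedPermissions:"):
            in_block = True
        elif in_block and raw.startswith("- "):
            granted.add(raw[2:].strip())
        elif in_block and raw and not raw[0].isspace():
            in_block = False  # next top-level key ends the list
    return sorted(set(required) - granted), sorted(granted - set(required))


# Constructed sample: four permissions from the page's table, and a describe
# output that lacks one of them and grants an extra, unrequired one.
SAMPLE_REQUIRED = ("compute.networks.create\ncompute.networks.delete\n"
                   "compute.subnetworks.create\niam.serviceAccounts.actAs\n")
SAMPLE_DESCRIBE = ("includedPermissions:\n- compute.networks.create\n"
                   "- compute.networks.delete\n- compute.subnetworks.create\n"
                   "- iam.serviceAccountKeys.create\n"
                   "name: projects/example-project/roles/f5xc_gcp_vpc_role\n")
```

For real use, save the page's table as a text file, write render_role_yaml(parse_permission_list(open(path).read())) to f5xc_gcp_vpc_role.yaml, and feed the describe output of the created role to audit_role.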