mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
OSDOCS-4157: GCP Role Administrator role
This commit is contained in:
Jeana Routh
committed by
openshift-cherrypick-robot
openshift-cherrypick-robot
parent
f5a80bcc3e
commit
a24ff53f79
@@ -51,10 +51,15 @@ The credential you provide for mint mode in Google Cloud Platform (GCP) must hav
|
||||
* `serviceusage.services.list`
|
||||
* `iam.serviceAccountKeys.create`
|
||||
* `iam.serviceAccountKeys.delete`
|
||||
* `iam.serviceAccountKeys.list`
|
||||
* `iam.serviceAccounts.create`
|
||||
* `iam.serviceAccounts.delete`
|
||||
* `iam.serviceAccounts.get`
|
||||
* `iam.roles.create`
|
||||
* `iam.roles.get`
|
||||
* `iam.roles.list`
|
||||
* `iam.roles.undelete`
|
||||
* `iam.roles.update`
|
||||
* `resourcemanager.projects.getIamPolicy`
|
||||
* `resourcemanager.projects.setIamPolicy`
|
||||
====
|
||||
|
||||
@@ -275,6 +275,50 @@ ifdef::azure-workload-id[]
|
||||
====
|
||||
endif::azure-workload-id[]
|
||||
|
||||
//GCP permissions needed when running ccoctl during install.
|
||||
ifdef::google-cloud-platform[]
|
||||
* You have added one of the following authentication options to the GCP account that the installation program uses:
|
||||
|
||||
** The **IAM Workload Identity Pool Admin** role.
|
||||
|
||||
** The following granular permissions:
|
||||
+
|
||||
.Required GCP permissions
|
||||
[%collapsible]
|
||||
====
|
||||
* compute.projects.get
|
||||
* iam.googleapis.com/workloadIdentityPoolProviders.create
|
||||
* iam.googleapis.com/workloadIdentityPoolProviders.get
|
||||
* iam.googleapis.com/workloadIdentityPools.create
|
||||
* iam.googleapis.com/workloadIdentityPools.delete
|
||||
* iam.googleapis.com/workloadIdentityPools.get
|
||||
* iam.googleapis.com/workloadIdentityPools.undelete
|
||||
* iam.roles.create
|
||||
* iam.roles.delete
|
||||
* iam.roles.list
|
||||
* iam.roles.undelete
|
||||
* iam.roles.update
|
||||
* iam.serviceAccounts.create
|
||||
* iam.serviceAccounts.delete
|
||||
* iam.serviceAccounts.getIamPolicy
|
||||
* iam.serviceAccounts.list
|
||||
* iam.serviceAccounts.setIamPolicy
|
||||
* iam.workloadIdentityPoolProviders.get
|
||||
* iam.workloadIdentityPools.delete
|
||||
* resourcemanager.projects.get
|
||||
* resourcemanager.projects.getIamPolicy
|
||||
* resourcemanager.projects.setIamPolicy
|
||||
* storage.buckets.create
|
||||
* storage.buckets.delete
|
||||
* storage.buckets.get
|
||||
* storage.buckets.getIamPolicy
|
||||
* storage.buckets.setIamPolicy
|
||||
* storage.objects.create
|
||||
* storage.objects.delete
|
||||
* storage.objects.list
|
||||
====
|
||||
endif::google-cloud-platform[]
|
||||
|
||||
.Procedure
|
||||
|
||||
ifndef::update[]
|
||||
|
||||
@@ -70,7 +70,8 @@ $ ccoctl {cp-name} delete \
|
||||
ifdef::aws-sts[ --region=<{cp-name}_region> <2>]
|
||||
ifdef::gcp-workload-id[]
|
||||
--project=<{cp-name}_project_id> \// <2>
|
||||
--credentials-requests-dir=<path_to_credentials_requests_directory>
|
||||
--credentials-requests-dir=<path_to_credentials_requests_directory> \
|
||||
--force-delete-custom-roles <3>
|
||||
endif::gcp-workload-id[]
|
||||
ifdef::azure-workload-id[]
|
||||
--region=<{cp-name}_region> \// <2>
|
||||
@@ -81,7 +82,10 @@ endif::azure-workload-id[]
|
||||
+
|
||||
<1> `<name>` matches the name that was originally used to create and tag the cloud resources.
|
||||
ifdef::aws-sts,azure-workload-id[<2> `<{cp-name}_region>` is the {cp} region in which to delete cloud resources.]
|
||||
ifdef::gcp-workload-id[<2> `<{cp-name}_project_id>` is the {cp} project ID in which to delete cloud resources.]
|
||||
ifdef::gcp-workload-id[]
|
||||
<2> `<{cp-name}_project_id>` is the {cp} project ID in which to delete cloud resources.
|
||||
<3> Optional: This parameter deletes the custom roles that the `ccoctl` utility creates during installation. GCP does not permanently delete custom roles immediately. For more information, see GCP documentation about link:https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role[deleting a custom role].
|
||||
endif::gcp-workload-id[]
|
||||
ifdef::azure-workload-id[<3> `<{cp-name}_subscription_id>` is the {cp} subscription ID for which to delete cloud resources.]
|
||||
ifdef::aws-sts[]
|
||||
+
|
||||
|
||||
@@ -48,6 +48,26 @@ ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisio
|
||||
:azure-workload-id:
|
||||
endif::[]
|
||||
|
||||
//GCP install assemblies
|
||||
ifeval::["{context}" == "installing-gcp-customizations"]
|
||||
:google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-network-customizations"]
|
||||
:google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
|
||||
:google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-vpc"]
|
||||
:google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-shared-vpc"]
|
||||
:google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-private"]
|
||||
:google-cloud-platform:
|
||||
endif::[]
|
||||
|
||||
:_mod-docs-content-type: PROCEDURE
|
||||
[id="cco-ccoctl-install-creating-manifests_{context}"]
|
||||
= Incorporating the Cloud Credential Operator utility manifests
|
||||
@@ -62,6 +82,28 @@ To implement short-term security credentials managed outside the cluster for ind
|
||||
|
||||
.Procedure
|
||||
|
||||
ifdef::google-cloud-platform[]
|
||||
. Add the following granular permissions to the GCP account that the installation program uses:
|
||||
+
|
||||
.Required GCP permissions
|
||||
[%collapsible]
|
||||
====
|
||||
* compute.machineTypes.list
|
||||
* compute.regions.list
|
||||
* compute.zones.list
|
||||
* dns.changes.create
|
||||
* dns.changes.get
|
||||
* dns.managedZones.create
|
||||
* dns.managedZones.delete
|
||||
* dns.managedZones.get
|
||||
* dns.managedZones.list
|
||||
* dns.networks.bindPrivateDNSZone
|
||||
* dns.resourceRecordSets.create
|
||||
* dns.resourceRecordSets.delete
|
||||
* dns.resourceRecordSets.list
|
||||
====
|
||||
endif::google-cloud-platform[]
|
||||
|
||||
. If you did not set the `credentialsMode` parameter in the `install-config.yaml` configuration file to `Manual`, modify the value as shown:
|
||||
+
|
||||
.Sample configuration file snippet
|
||||
@@ -131,4 +173,24 @@ ifeval::["{context}" == "installing-azure-vnet"]
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"]
|
||||
:!azure-workload-id:
|
||||
endif::[]
|
||||
|
||||
//GCP install assemblies
|
||||
ifeval::["{context}" == "installing-gcp-customizations"]
|
||||
:!google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-network-customizations"]
|
||||
:!google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
|
||||
:!google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-vpc"]
|
||||
:!google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-shared-vpc"]
|
||||
:!google-cloud-platform:
|
||||
endif::[]
|
||||
ifeval::["{context}" == "installing-gcp-private"]
|
||||
:!google-cloud-platform:
|
||||
endif::[]
|
||||
@@ -21,6 +21,7 @@ When you attach the `Owner` role to the service account that you create, you gra
|
||||
|
||||
.Required roles for the installation program
|
||||
* Compute Admin
|
||||
* IAM Role Administrator
|
||||
* IAM Security Admin
|
||||
* Service Account Admin
|
||||
* Service Account Key Admin
|
||||
@@ -30,18 +31,17 @@ When you attach the `Owner` role to the service account that you create, you gra
|
||||
.Required roles for creating network resources during installation
|
||||
* DNS Administrator
|
||||
|
||||
.Required roles for using passthrough credentials mode
|
||||
.Required roles for using the Cloud Credential Operator in passthrough mode
|
||||
* Compute Load Balancer Admin
|
||||
* IAM Role Viewer
|
||||
|
||||
ifdef::template[]
|
||||
.Required roles for user-provisioned GCP infrastructure
|
||||
* Deployment Manager Editor
|
||||
endif::template[]
|
||||
|
||||
The roles are applied to the service accounts that the control plane and compute machines use:
|
||||
The following roles are applied to the service accounts that the control plane and compute machines use:
|
||||
|
||||
.GCP service account permissions
|
||||
.GCP service account roles
|
||||
[cols="2a,2a",options="header"]
|
||||
|===
|
||||
|Account
|
||||
|
||||
@@ -160,6 +160,28 @@ endif::cco-manual-mode[]
|
||||
|
||||
.Procedure
|
||||
|
||||
ifdef::google-cloud-platform[]
|
||||
. Add the following granular permissions to the GCP account that the installation program uses:
|
||||
+
|
||||
.Required GCP permissions
|
||||
[%collapsible]
|
||||
====
|
||||
* compute.machineTypes.list
|
||||
* compute.regions.list
|
||||
* compute.zones.list
|
||||
* dns.changes.create
|
||||
* dns.changes.get
|
||||
* dns.managedZones.create
|
||||
* dns.managedZones.delete
|
||||
* dns.managedZones.get
|
||||
* dns.managedZones.list
|
||||
* dns.networks.bindPrivateDNSZone
|
||||
* dns.resourceRecordSets.create
|
||||
* dns.resourceRecordSets.delete
|
||||
* dns.resourceRecordSets.list
|
||||
====
|
||||
endif::google-cloud-platform[]
|
||||
|
||||
ifdef::cco-multi-mode[]
|
||||
. If you did not set the `credentialsMode` parameter in the `install-config.yaml` configuration file to `Manual`, modify the value as shown:
|
||||
+
|
||||
|
||||
Reference in New Issue
Block a user