diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc index 2547de96b2..8b8486703a 100644 --- a/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc +++ b/authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc @@ -51,10 +51,15 @@ The credential you provide for mint mode in Google Cloud Platform (GCP) must hav * `serviceusage.services.list` * `iam.serviceAccountKeys.create` * `iam.serviceAccountKeys.delete` +* `iam.serviceAccountKeys.list` * `iam.serviceAccounts.create` * `iam.serviceAccounts.delete` * `iam.serviceAccounts.get` +* `iam.roles.create` * `iam.roles.get` +* `iam.roles.list` +* `iam.roles.undelete` +* `iam.roles.update` * `resourcemanager.projects.getIamPolicy` * `resourcemanager.projects.setIamPolicy` ==== diff --git a/modules/cco-ccoctl-configuring.adoc b/modules/cco-ccoctl-configuring.adoc index ac59739423..d495b19103 100644 --- a/modules/cco-ccoctl-configuring.adoc +++ b/modules/cco-ccoctl-configuring.adoc 
@@ -275,6 +275,50 @@ ifdef::azure-workload-id[] ==== endif::azure-workload-id[] +//GCP permissions needed when running ccoctl during install. +ifdef::google-cloud-platform[] +* You have added one of the following authentication options to the GCP account that the installation program uses: + +** The **IAM Workload Identity Pool Admin** role. + +** The following granular permissions: ++ +.Required GCP permissions +[%collapsible] +==== +* compute.projects.get +* iam.googleapis.com/workloadIdentityPoolProviders.create +* iam.googleapis.com/workloadIdentityPoolProviders.get +* iam.googleapis.com/workloadIdentityPools.create +* iam.googleapis.com/workloadIdentityPools.delete +* iam.googleapis.com/workloadIdentityPools.get +* iam.googleapis.com/workloadIdentityPools.undelete +* iam.roles.create +* iam.roles.delete +* iam.roles.list +* iam.roles.undelete +* iam.roles.update +* iam.serviceAccounts.create +* iam.serviceAccounts.delete +* iam.serviceAccounts.getIamPolicy +* iam.serviceAccounts.list +* iam.serviceAccounts.setIamPolicy +* iam.workloadIdentityPoolProviders.get +* iam.workloadIdentityPools.delete +* resourcemanager.projects.get +* resourcemanager.projects.getIamPolicy +* resourcemanager.projects.setIamPolicy +* storage.buckets.create +* storage.buckets.delete +* storage.buckets.get +* storage.buckets.getIamPolicy +* storage.buckets.setIamPolicy +* storage.objects.create +* storage.objects.delete +* storage.objects.list +==== +endif::google-cloud-platform[] + .Procedure ifndef::update[] diff --git a/modules/cco-ccoctl-deleting-sts-resources.adoc b/modules/cco-ccoctl-deleting-sts-resources.adoc index f328c4664f..c74bf14f92 100644 --- a/modules/cco-ccoctl-deleting-sts-resources.adoc +++ b/modules/cco-ccoctl-deleting-sts-resources.adoc 
@@ -70,7 +70,8 @@ $ ccoctl {cp-name} delete \ ifdef::aws-sts[ --region=<{cp-name}_region> <2>] ifdef::gcp-workload-id[] --project=<{cp-name}_project_id> \// <2> - --credentials-requests-dir= + --credentials-requests-dir= \ + --force-delete-custom-roles <3> endif::gcp-workload-id[] ifdef::azure-workload-id[] --region=<{cp-name}_region> \// <2> @@ -81,7 +82,10 @@ endif::azure-workload-id[] + <1> `` matches the name that was originally used to create and tag the cloud resources. ifdef::aws-sts,azure-workload-id[<2> `<{cp-name}_region>` is the {cp} region in which to delete cloud resources.] -ifdef::gcp-workload-id[<2> `<{cp-name}_project_id>` is the {cp} project ID in which to delete cloud resources.] +ifdef::gcp-workload-id[] +<2> `<{cp-name}_project_id>` is the {cp} project ID in which to delete cloud resources. +<3> Optional: This parameter deletes the custom roles that the `ccoctl` utility creates during installation. GCP does not permanently delete custom roles immediately. For more information, see GCP documentation about link:https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role[deleting a custom role]. +endif::gcp-workload-id[] ifdef::azure-workload-id[<3> `<{cp-name}_subscription_id>` is the {cp} subscription ID for which to delete cloud resources.] ifdef::aws-sts[] + diff --git a/modules/cco-ccoctl-install-creating-manifests.adoc b/modules/cco-ccoctl-install-creating-manifests.adoc index e91c14b52f..19a2b9f15e 100644 --- a/modules/cco-ccoctl-install-creating-manifests.adoc +++ b/modules/cco-ccoctl-install-creating-manifests.adoc 
@@ -48,6 +48,26 @@ ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisio :azure-workload-id: endif::[] +//GCP install assemblies +ifeval::["{context}" == "installing-gcp-customizations"] +:google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-network-customizations"] +:google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"] +:google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-vpc"] +:google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-shared-vpc"] +:google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-private"] +:google-cloud-platform: +endif::[] + :_mod-docs-content-type: PROCEDURE [id="cco-ccoctl-install-creating-manifests_{context}"] = Incorporating the Cloud Credential Operator utility manifests @@ -62,6 +82,28 @@ To implement short-term security credentials managed outside the cluster for ind .Procedure +ifdef::google-cloud-platform[] +. Add the following granular permissions to the GCP account that the installation program uses: ++ +.Required GCP permissions +[%collapsible] +==== +* compute.machineTypes.list +* compute.regions.list +* compute.zones.list +* dns.changes.create +* dns.changes.get +* dns.managedZones.create +* dns.managedZones.delete +* dns.managedZones.get +* dns.managedZones.list +* dns.networks.bindPrivateDNSZone +* dns.resourceRecordSets.create +* dns.resourceRecordSets.delete +* dns.resourceRecordSets.list +==== +endif::google-cloud-platform[] + . If you did not set the `credentialsMode` parameter in the `install-config.yaml` configuration file to `Manual`, modify the value as shown: + .Sample configuration file snippet 
@@ -131,4 +173,24 @@ ifeval::["{context}" == "installing-azure-vnet"] endif::[] ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"] :!azure-workload-id: +endif::[] + +//GCP install assemblies +ifeval::["{context}" == "installing-gcp-customizations"] +:!google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-network-customizations"] +:!google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"] +:!google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-vpc"] +:!google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-shared-vpc"] +:!google-cloud-platform: +endif::[] +ifeval::["{context}" == "installing-gcp-private"] +:!google-cloud-platform: endif::[] \ No newline at end of file diff --git a/modules/installation-gcp-permissions.adoc b/modules/installation-gcp-permissions.adoc index c17d0a43e5..c69c7f0fba 100644 --- a/modules/installation-gcp-permissions.adoc +++ b/modules/installation-gcp-permissions.adoc @@ -21,6 +21,7 @@ When you attach the `Owner` role to the service account that you create, you gra .Required roles for the installation program * Compute Admin +* IAM Role Administrator * IAM Security Admin * Service Account Admin * Service Account Key Admin 
@@ -30,18 +31,17 @@ When you attach the `Owner` role to the service account that you create, you gra .Required roles for creating network resources during installation * DNS Administrator -.Required roles for using passthrough credentials mode +.Required roles for using the Cloud Credential Operator in passthrough mode * Compute Load Balancer Admin -* IAM Role Viewer ifdef::template[] .Required roles for user-provisioned GCP infrastructure * Deployment Manager Editor endif::template[] -The roles are applied to the service accounts that the control plane and compute machines use: +The following roles are applied to the service accounts that the control plane and compute machines use: -.GCP service account permissions +.GCP service account roles [cols="2a,2a",options="header"] |=== |Account diff --git a/modules/manually-create-identity-access-management.adoc b/modules/manually-create-identity-access-management.adoc index 617eb94db8..1979f99b82 100644 --- a/modules/manually-create-identity-access-management.adoc +++ b/modules/manually-create-identity-access-management.adoc @@ -160,6 +160,28 @@ endif::cco-manual-mode[] .Procedure +ifdef::google-cloud-platform[] +. Add the following granular permissions to the GCP account that the installation program uses: ++ +.Required GCP permissions +[%collapsible] +==== +* compute.machineTypes.list +* compute.regions.list +* compute.zones.list +* dns.changes.create +* dns.changes.get +* dns.managedZones.create +* dns.managedZones.delete +* dns.managedZones.get +* dns.managedZones.list +* dns.networks.bindPrivateDNSZone +* dns.resourceRecordSets.create +* dns.resourceRecordSets.delete +* dns.resourceRecordSets.list +==== +endif::google-cloud-platform[] + ifdef::cco-multi-mode[] . If you did not set the `credentialsMode` parameter in the `install-config.yaml` configuration file to `Manual`, modify the value as shown: +
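Review bot: the new mint-mode list in authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc (@@ -51,10 +51,15) grants `iam.roles.create`, `iam.roles.update` and `iam.roles.undelete` but not `iam.roles.delete`, while the ccoctl list in modules/cco-ccoctl-configuring.adoc in this same patch includes `iam.roles.delete`. If the Cloud Credential Operator removes the custom roles it creates when credentials are cleaned up, the delete permission is missing here; if it never deletes them, a sentence saying so would stop readers from adding it by hand. Because `iam.roles.create` and `iam.roles.update` let the credential define and widen roles in the project, the surrounding text should also say why mint mode now needs them, so that readers scoping a least-privilege credential can see the requirement is real rather than copied from the ccoctl list.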
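Review bot: the granular list in modules/cco-ccoctl-configuring.adoc (@@ -275,6 +275,50) mixes two naming forms for the same permissions, `iam.googleapis.com/workloadIdentityPoolProviders.get` next to `iam.workloadIdentityPoolProviders.get` and `iam.googleapis.com/workloadIdentityPools.delete` next to `iam.workloadIdentityPools.delete`, so two permissions appear twice. Pick the `iam.workloadIdentityPools.*` form that the rest of the `iam.*` entries in this patch use and drop the duplicates. The lead-in also offers the IAM Workload Identity Pool Admin role as an alternative to the whole list, yet the list contains `storage.buckets.*`, `storage.objects.*`, `iam.serviceAccounts.*` and `iam.roles.*` permissions that a workload identity pool role would not be expected to carry; confirm which of the listed permissions that role actually grants and either state that the role replaces only the pool and provider permissions or name the additional roles needed alongside it.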
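Review bot: in modules/cco-ccoctl-deleting-sts-resources.adoc (@@ -70,7 +70,8) the added `--force-delete-custom-roles <3>` line uses a bare callout while the line above uses the `\// <2>` form, so one callout renders as part of the command and the other as a trailing comment; use the same form for both. `--credentials-requests-dir= \` is also left with an empty value while every other option on the command carries a `<{cp-name}_...>` placeholder; give it a placeholder so readers do not copy an empty argument.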
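Review bot: the `<3>` callout in modules/cco-ccoctl-deleting-sts-resources.adoc (@@ -81,7 +82,10) says what the flag does and that GCP does not permanently delete custom roles immediately, but not what happens when the flag is omitted (the custom roles the utility created stay in the project) or why a user would choose it, so "Optional" is hard to act on. One sentence such as "Omit this parameter if you want to keep the custom roles; use it when you want them removed together with the other cloud resources" would make the choice explicit, with the existing link to the GCP page on deleting a custom role kept as the pointer for the delayed-deletion behavior.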
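Review bot: the new first step in modules/cco-ccoctl-install-creating-manifests.adoc (@@ -62,6 +82,28), "Add the following granular permissions to the GCP account that the installation program uses", is a prerequisite rather than a procedure step: it changes IAM on the account before anything in the manifests procedure runs, and modules/cco-ccoctl-configuring.adoc in this same patch puts the equivalent requirement under the prerequisite bullets ahead of `.Procedure`. Moving it above `.Procedure` inside the same `ifdef::google-cloud-platform[]` block keeps the two modules consistent and avoids renumbering the existing steps. The list is also entirely `dns.*` and `compute.*.list` permissions, which relate to DNS zone and record management and to machine type lookups rather than to incorporating ccoctl manifests; a line explaining why they are required at this point would help the reader judge the scope.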
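Review bot: the closing hunk in modules/cco-ccoctl-install-creating-manifests.adoc (@@ -131,4 +173,24) still ends with `\ No newline at end of file`; add the trailing newline while this region is being edited. The six `:!google-cloud-platform:` unsets do mirror the six `:google-cloud-platform:` sets added at the top of the file, which is the right pairing.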
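Review bot: modules/installation-gcp-permissions.adoc (@@ -21,6 +21,7) adds `IAM Role Administrator` to the unconditional "Required roles for the installation program" list, while the `iam.roles.create`, `iam.roles.update` and `iam.roles.undelete` permissions elsewhere in this patch are scoped to mint mode and to ccoctl. If an installation that uses neither creates no custom roles, the role belongs under a mode-specific heading, or a note should say which modes need it, so that readers following least privilege do not hand every installer service account the ability to create and modify IAM roles.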
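Review bot: the same file (@@ -30,18 +31,17) drops `IAM Role Viewer` from the passthrough list without saying why. If the intent is that the `IAM Role Administrator` role added above already includes the `iam.roles.get` and `iam.roles.list` permissions the viewer role provided, say so in the commit message or a short note; otherwise a reader comparing versions will read the removal as a reduction in what passthrough mode needs. The renamed heading "Required roles for using the Cloud Credential Operator in passthrough mode" and the caption "GCP service account roles" are clearer than the old wording.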
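Review bot: the block in modules/manually-create-identity-access-management.adoc (@@ -160,6 +160,28) is guarded by `ifdef::google-cloud-platform[]`, but this patch defines `:google-cloud-platform:` only in modules/cco-ccoctl-install-creating-manifests.adoc and unsets it at the end of that file, so unless the assemblies that include this module set the attribute themselves, the step will never render here; either add matching `ifeval` set and unset blocks to this module or confirm where the attribute comes from. The thirteen-entry permission list is also a verbatim copy of the one added to cco-ccoctl-install-creating-manifests.adoc; keeping it in one snippet file and pulling it into both modules with `include::` would stop the two lists from drifting, and the same prerequisite-versus-step placement point raised for that module applies here.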