mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/ccs-gcp-iam.adoc

// Module included in the following assemblies:
//
// * osd_planning/gcp-ccs.adoc
:_mod-docs-content-type: REFERENCE
[id="ccs-gcp-iam_{context}"]
= Red Hat managed {gcp-full} resources
[role="_abstract"]
Red Hat is responsible for creating and managing the following {gcp-first} IAM resources.
[IMPORTANT]
====
The _IAM service account and roles_ and _IAM group and roles_ topics apply only to clusters created using the service account authentication type.
====
[id="ccs-gcp-iam-service-account-roles_{context}"]
== IAM service account and roles
The `osd-managed-admin` IAM service account is created immediately after Red Hat takes control of the customer-provided {gcp-short} account. This is the identity that performs the {product-title} cluster installation.
The following roles are attached to the service account:
.IAM roles for osd-managed-admin
[cols="2a,3a,2a",options="header"]
|===
|Role title |Role name |Description
|Compute Admin
|`roles/compute.admin`
|Provides full control of all Compute Engine resources.
|DNS Administrator
|`roles/dns.admin`
|Provides read-write access to all Cloud DNS resources.
|Security Admin
|`roles/iam.securityAdmin`
|Security admin role, with permissions to get and set any IAM policy.
|Storage Admin
|`roles/storage.admin`
|Grants full control of objects and buckets.
Applied at the project level, it covers every bucket in the project; applied to an individual *bucket*, it covers only that bucket and the objects within it.
|Service Account Admin
|`roles/iam.serviceAccountAdmin`
|Create and manage service accounts.
|Service Account Key Admin
|`roles/iam.serviceAccountKeyAdmin`
|Create and manage (and rotate) service account keys.
|Service Account User
|`roles/iam.serviceAccountUser`
|Run operations as the service account.
|Role Administrator
|`roles/iam.roleAdmin`
|Provides access to all custom roles in the project.
|===
[id="ccs-gcp-iam-group-roles_{context}"]
== IAM group and roles
The `sd-sre-platform-gcp-access` Google group is granted access to the {gcp-short} project so that Red Hat Site Reliability Engineering (SRE) can access the console for emergency troubleshooting.
[NOTE]
====
* For information regarding the roles within the `sd-sre-platform-gcp-access` group that are specific to clusters created when using the Workload Identity Federation (WIF) authentication type, see link:https://github.com/openshift/managed-cluster-config/blob/master/resources/wif/4.19/vanilla.yaml[managed-cluster-config].
* For information about creating a cluster using the Workload Identity Federation authentication type, see _Additional resources_.
====
The following roles are attached to the group:
.IAM roles for sd-sre-platform-gcp-access
[cols="2a,3a,2a",options="header"]
|===
|Role title |Role name |Description
|Compute Admin
|`roles/compute.admin`
|Provides full control of all Compute Engine resources.
|Editor
|`roles/editor`
|Provides all viewer permissions, plus permissions for actions that modify state.
|Organization Policy Viewer
|`roles/orgpolicy.policyViewer`
|Provides access to view Organization Policies on resources.
|Project IAM Admin
|`roles/resourcemanager.projectIamAdmin`
|Provides permissions to administer IAM policies on projects.
|Quota Administrator
|`roles/servicemanagement.quotaAdmin`
|Provides access to administer service quotas.
|Role Administrator
|`roles/iam.roleAdmin`
|Provides access to all custom roles in the project.
|Service Account Admin
|`roles/iam.serviceAccountAdmin`
|Create and manage service accounts.
|Service Usage Admin
|`roles/serviceusage.serviceUsageAdmin`
|Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
|Tech Support Editor
|`roles/cloudsupport.techSupportEditor`
|Provides full read-write access to technical support cases.
|===
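
Both tables above describe what Red Hat holds in the customer project, and a customer running a CCS cluster will want to confirm that the real project matches them and notice drift in either direction: a missing role breaks installation or SRE access, an extra role is privilege beyond what is documented. The following script is an added example, not code from the openshift-docs module or from any Red Hat tooling. It consumes the policy structure that `gcloud projects get-iam-policy PROJECT --format=json` prints (the `bindings`/`role`/`members` layout is GCP's real format) and compares the bindings of the `osd-managed-admin` service account and the `sd-sre-platform-gcp-access` group against the two role lists. The project ID `my-ccs-project`, the group's e-mail domain, and the sample policy itself (including its deliberately missing `roles/iam.roleAdmin` and stray `roles/owner` binding) are constructed assumptions.

```python
import json
import sys

# Roles the module lists for the osd-managed-admin service account.
EXPECTED_SA_ROLES = {
    "roles/compute.admin",
    "roles/dns.admin",
    "roles/iam.securityAdmin",
    "roles/storage.admin",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/iam.serviceAccountUser",
    "roles/iam.roleAdmin",
}

# Roles the module lists for the sd-sre-platform-gcp-access group.
EXPECTED_GROUP_ROLES = {
    "roles/compute.admin",
    "roles/editor",
    "roles/orgpolicy.policyViewer",
    "roles/resourcemanager.projectIamAdmin",
    "roles/servicemanagement.quotaAdmin",
    "roles/iam.roleAdmin",
    "roles/iam.serviceAccountAdmin",
    "roles/serviceusage.serviceUsageAdmin",
    "roles/cloudsupport.techSupportEditor",
}

# Member strings as they appear in a GCP IAM policy. The project ID
# "my-ccs-project" and the group's e-mail domain are assumptions.
SA_MEMBER = "serviceAccount:osd-managed-admin@my-ccs-project.iam.gserviceaccount.com"
GROUP_MEMBER = "group:sd-sre-platform-gcp-access@example.com"


def roles_for_member(policy, member):
    """Return every role bound to `member` in a policy dict.

    Bindings that carry a `condition` are included as well: the role is
    granted whether or not the condition currently evaluates true, so an
    audit should still report it.
    """
    return {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }


def audit_member(policy, member, expected):
    """Return (missing, unexpected) roles for one principal, both sorted."""
    actual = roles_for_member(policy, member)
    return sorted(expected - actual), sorted(actual - expected)


def audit_project(policy):
    """Audit both documented principals; returns {member: (missing, unexpected)}."""
    return {
        SA_MEMBER: audit_member(policy, SA_MEMBER, EXPECTED_SA_ROLES),
        GROUP_MEMBER: audit_member(policy, GROUP_MEMBER, EXPECTED_GROUP_ROLES),
    }


def _bind(role, *members):
    return {"role": role, "members": list(members)}


# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# The service account lacks roles/iam.roleAdmin and holds roles/owner, which the
# documented role list does not include; the group matches its list exactly.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwExampleEtag=",
    "bindings": [
        _bind("roles/compute.admin", SA_MEMBER, GROUP_MEMBER),
        _bind("roles/dns.admin", SA_MEMBER),
        _bind("roles/iam.securityAdmin", SA_MEMBER),
        _bind("roles/storage.admin", SA_MEMBER),
        _bind("roles/iam.serviceAccountAdmin", SA_MEMBER, GROUP_MEMBER),
        _bind("roles/iam.serviceAccountKeyAdmin", SA_MEMBER),
        _bind("roles/iam.serviceAccountUser", SA_MEMBER),
        _bind("roles/owner", SA_MEMBER),
        _bind("roles/iam.roleAdmin", GROUP_MEMBER),
        _bind("roles/editor", GROUP_MEMBER),
        _bind("roles/orgpolicy.policyViewer", GROUP_MEMBER),
        _bind("roles/resourcemanager.projectIamAdmin", GROUP_MEMBER),
        _bind("roles/servicemanagement.quotaAdmin", GROUP_MEMBER),
        _bind("roles/serviceusage.serviceUsageAdmin", GROUP_MEMBER),
        _bind("roles/cloudsupport.techSupportEditor", GROUP_MEMBER),
    ],
}


if __name__ == "__main__":
    # Real use: gcloud projects get-iam-policy PROJECT --format=json | python3 audit.py
    # With no piped input the constructed sample is audited instead.
    policy = SAMPLE_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for member, (missing, unexpected) in audit_project(policy).items():
        print(f"{member}\n  missing:    {missing}\n  unexpected: {unexpected}")
```

Run against the sample, the service account is reported as missing `roles/iam.roleAdmin` and holding the unexpected `roles/owner`, while the group reports nothing in either list. The check is deliberately set-based on the project policy only; bindings inherited from the folder or organization, and roles granted directly on individual buckets or service accounts, are not in this output and need a separate query.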