mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
71 lines
2.3 KiB
Plaintext
// Module included in the following assemblies:
//
// * installing/installing_gcp/installing-gcp-account.adoc
// * installing/installing_gcp/installing-gcp-user-infra.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp.adoc

ifeval::["{context}" == "installing-gcp-user-infra"]
:template:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:template:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:template:
endif::[]

:_mod-docs-content-type: CONCEPT
[id="installation-gcp-permissions_{context}"]
= Required {gcp-short} roles

When you attach the `Owner` role to the service account that you create, you grant that service account all permissions, including those that are required to install {product-title}. If your organization's security policies require a more restrictive set of permissions, you can create a service account with the following permissions. If you deploy your cluster into an existing virtual private cloud (VPC), the service account does not require certain networking permissions, which are noted in the following lists:

.Required roles for the installation program
* Compute Admin
* Role Administrator
* Security Admin
* Service Account Admin
* Service Account Key Admin
* Service Account User
* Storage Admin

.Required roles for creating network resources during installation
* DNS Administrator

.Required roles for using the Cloud Credential Operator in passthrough mode
* Compute Load Balancer Admin
* Tag User

ifdef::template[]
.Required roles for user-provisioned {gcp-short} infrastructure
* Deployment Manager Editor
endif::template[]

The following roles are applied to the service accounts that the control plane and compute machines use:

.{gcp-short} service account roles
[cols="2a,2a",options="header"]
|===
|Account
|Roles

.5+|Control Plane
|`roles/compute.instanceAdmin`
|`roles/compute.networkAdmin`
|`roles/compute.securityAdmin`
|`roles/storage.admin`
|`roles/iam.serviceAccountUser`

.3+|Compute
|`roles/compute.viewer`
|`roles/storage.admin`
|`roles/artifactregistry.reader`
|===
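
As an added example (not part of this openshift-docs module, and not OpenShift or Google code), the following Python script turns the role lists and the service account table above into something you can check before and after installation. It builds the restricted role set for a given installation shape (existing VPC or not, user-provisioned infrastructure, Cloud Credential Operator passthrough), emits the `gcloud projects add-iam-policy-binding` commands that grant exactly that set, and audits a project IAM policy, in the JSON form that `gcloud projects get-iam-policy PROJECT --format=json` prints, to report roles that are missing, roles that are surplus, and any `Owner` or `Editor` binding that makes the restriction pointless. The mapping from the display names in the lists to GCP predefined role IDs is this example's own assumption (it presumes you use the predefined roles, not custom roles with the same names); the project ID, service account e-mail addresses and the policy document are constructed sample input.

```python
"""Audit the IAM roles bound to an OpenShift installer service account on GCP.

Added example; not code from openshift-docs, OpenShift or Google. The role
IDs for the display names in the lists above are this example's own mapping.
"""
import json
import sys

# Display names from the lists above -> GCP predefined role IDs (assumption:
# predefined roles are used, not custom roles that reuse the display names).
INSTALLER_ROLES = {
    "Compute Admin": "roles/compute.admin",
    "Role Administrator": "roles/iam.roleAdmin",
    "Security Admin": "roles/iam.securityAdmin",
    "Service Account Admin": "roles/iam.serviceAccountAdmin",
    "Service Account Key Admin": "roles/iam.serviceAccountKeyAdmin",
    "Service Account User": "roles/iam.serviceAccountUser",
    "Storage Admin": "roles/storage.admin",
}
NETWORK_ROLES = {"DNS Administrator": "roles/dns.admin"}
CCO_PASSTHROUGH_ROLES = {
    "Compute Load Balancer Admin": "roles/compute.loadBalancerAdmin",
    "Tag User": "roles/resourcemanager.tagUser",
}
UPI_ROLES = {"Deployment Manager Editor": "roles/deploymentmanager.editor"}

# Machine service accounts, from the table above (these are already role IDs).
CONTROL_PLANE_ROLES = {
    "roles/compute.instanceAdmin", "roles/compute.networkAdmin",
    "roles/compute.securityAdmin", "roles/storage.admin",
    "roles/iam.serviceAccountUser",
}
COMPUTE_ROLES = {
    "roles/compute.viewer", "roles/storage.admin", "roles/artifactregistry.reader",
}

# Bindings that defeat a restricted service account; reported separately.
BROAD_ROLES = {"roles/owner", "roles/editor"}


def required_installer_roles(existing_vpc=False, upi=False, cco_passthrough=False):
    """Role IDs the installer service account needs for one install shape."""
    roles = set(INSTALLER_ROLES.values())
    if not existing_vpc:            # installer creates network resources itself
        roles |= set(NETWORK_ROLES.values())
    if cco_passthrough:
        roles |= set(CCO_PASSTHROUGH_ROLES.values())
    if upi:
        roles |= set(UPI_ROLES.values())
    return roles


def roles_bound_to(policy, member):
    """Roles that `member` holds in a project policy dict, i.e. the parsed
    output of `gcloud projects get-iam-policy PROJECT --format=json`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy, sa_email, required):
    """Report roles missing from, surplus on, and too broad for a service account."""
    held = roles_bound_to(policy, f"serviceAccount:{sa_email}")
    return {
        "missing": sorted(required - held),
        "extra": sorted(held - required - BROAD_ROLES),
        "broad": sorted(held & BROAD_ROLES),
    }


def binding_commands(project, sa_email, roles):
    """gcloud commands that grant exactly `roles` to the service account."""
    return [f"gcloud projects add-iam-policy-binding {project} "
            f"--member=serviceAccount:{sa_email} --role={role}"
            for role in sorted(roles)]


# Constructed sample policy (no real project): one installer account that was
# simply handed Owner, and one restricted account that lacks Storage Admin.
OWNER_SA = "installer-owner@my-project.iam.gserviceaccount.com"
RESTRICTED_SA = "installer@my-project.iam.gserviceaccount.com"
RESTRICTED_SA_ROLES = [
    "roles/compute.admin", "roles/dns.admin", "roles/iam.roleAdmin",
    "roles/iam.securityAdmin", "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin", "roles/iam.serviceAccountUser",
]  # roles/storage.admin deliberately left out
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner",
     "members": ["user:admin@example.com", f"serviceAccount:{OWNER_SA}"]},
    *({"role": r, "members": [f"serviceAccount:{RESTRICTED_SA}"]}
      for r in RESTRICTED_SA_ROLES),
]}


if __name__ == "__main__":
    # Pass a policy JSON file as the first argument to audit a real project.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for sa in (OWNER_SA, RESTRICTED_SA):
        result = audit(policy, sa, required_installer_roles())
        print(sa, json.dumps(result, indent=2))
        for cmd in binding_commands("my-project", sa, result["missing"]):
            print("  ", cmd)
```

The same `audit` call works for the machine accounts, for example `audit(policy, master_sa, CONTROL_PLANE_ROLES)`, and a non-empty `broad` list is the finding to act on first: an `Owner` binding on the installer account hides every missing role, because the audit shows it holds none of the required roles explicitly while still being able to do everything.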

ifeval::["{context}" == "installing-gcp-user-infra"]
:!template:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:!template:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:!template:
endif::[]