openshift-docs/modules/minimum-required-permissions-ipi-gcp.adoc
2026-01-20 15:40:21 +00:00
// Module included in the following assemblies:
//
// * installing/installing_gcp/installing-gcp-account.adoc
:_mod-docs-content-type: REFERENCE
[id="minimum-required-permissions-ipi-gcp_{context}"]
= Required {gcp-short} permissions for installer-provisioned infrastructure
[role="_abstract"]
When you attach the `Owner` role to the service account that you create, you grant that service account all permissions, including those that are required to install {product-title}. If your organization's security policies require a more restrictive set of permissions, you can create link:https://cloud.google.com/iam/docs/creating-custom-roles[custom roles] with the necessary permissions.
The installation program requires the following permissions to create and delete the {product-title} cluster on installer-provisioned infrastructure.
.Required permissions for creating network resources
[%collapsible]
====
* `compute.addresses.create`
* `compute.addresses.createInternal`
* `compute.addresses.delete`
* `compute.addresses.get`
* `compute.addresses.list`
* `compute.addresses.use`
* `compute.addresses.useInternal`
* `compute.firewalls.create`
** This permission is not required if you install into an existing VPC and manage your own firewall rules. See the _Managing your own firewall rules_ section.
* `compute.firewalls.delete`
** This permission is not required if you install into an existing VPC and manage your own firewall rules. See the _Managing your own firewall rules_ section.
* `compute.firewalls.get`
* `compute.firewalls.list`
* `compute.forwardingRules.create`
* `compute.forwardingRules.get`
* `compute.forwardingRules.list`
* `compute.forwardingRules.setLabels`
* `compute.globalAddresses.create`
* `compute.globalAddresses.get`
* `compute.globalAddresses.use`
* `compute.globalForwardingRules.create`
* `compute.globalForwardingRules.get`
* `compute.globalForwardingRules.setLabels`
* `compute.networks.create`
* `compute.networks.get`
* `compute.networks.list`
* `compute.networks.updatePolicy`
* `compute.networks.use`
* `compute.routers.create`
* `compute.routers.get`
* `compute.routers.list`
* `compute.routers.update`
* `compute.routes.list`
* `compute.subnetworks.create`
* `compute.subnetworks.get`
* `compute.subnetworks.list`
* `compute.subnetworks.use`
* `compute.subnetworks.useExternalIp`
====
.Required permissions for creating load balancer resources
[%collapsible]
====
* `compute.backendServices.create`
* `compute.backendServices.get`
* `compute.backendServices.list`
* `compute.backendServices.update`
* `compute.backendServices.use`
* `compute.regionBackendServices.create`
* `compute.regionBackendServices.get`
* `compute.regionBackendServices.list`
* `compute.regionBackendServices.update`
* `compute.regionBackendServices.use`
* `compute.targetPools.addInstance`
* `compute.targetPools.create`
* `compute.targetPools.get`
* `compute.targetPools.list`
* `compute.targetPools.removeInstance`
* `compute.targetPools.use`
* `compute.targetTcpProxies.create`
* `compute.targetTcpProxies.get`
* `compute.targetTcpProxies.use`
====
.Required permissions for creating DNS resources
[%collapsible]
====
* `dns.changes.create`
* `dns.changes.get`
* `dns.managedZones.create`
* `dns.managedZones.get`
* `dns.managedZones.list`
* `dns.networks.bindPrivateDNSZone`
* `dns.resourceRecordSets.create`
* `dns.resourceRecordSets.list`
====
.Required permissions for creating Service Account resources
[%collapsible]
====
* `iam.serviceAccountKeys.create`
* `iam.serviceAccountKeys.delete`
* `iam.serviceAccountKeys.get`
* `iam.serviceAccountKeys.list`
* `iam.serviceAccounts.actAs`
** This permission can be limited to act as the control plane and compute service accounts. Alternatively, you may grant the service account that the installation program uses the `iam.serviceAccountUser` role on the control plane and compute service accounts.
* `iam.serviceAccounts.create`
* `iam.serviceAccounts.delete`
* `iam.serviceAccounts.get`
* `iam.serviceAccounts.list`
* `resourcemanager.projects.get`
* `resourcemanager.projects.getIamPolicy`
* `resourcemanager.projects.setIamPolicy`
** This permission is not required if you use `credentialsMode: Manual` and supply your own service accounts for compute and control plane nodes.
====
.Required permissions for creating compute resources
[%collapsible]
====
* `compute.disks.create`
* `compute.disks.get`
* `compute.disks.list`
* `compute.disks.setLabels`
* `compute.instanceGroups.create`
* `compute.instanceGroups.delete`
* `compute.instanceGroups.get`
* `compute.instanceGroups.list`
* `compute.instanceGroups.update`
* `compute.instanceGroups.use`
* `compute.instances.create`
* `compute.instances.delete`
* `compute.instances.get`
* `compute.instances.list`
* `compute.instances.setLabels`
* `compute.instances.setMetadata`
* `compute.instances.setServiceAccount`
* `compute.instances.setTags`
* `compute.instances.use`
* `compute.machineTypes.get`
* `compute.machineTypes.list`
====
.Required permissions for creating storage resources
[%collapsible]
====
* `storage.buckets.create`
* `storage.buckets.delete`
* `storage.buckets.get`
* `storage.buckets.list`
* `storage.objects.create`
* `storage.objects.delete`
* `storage.objects.get`
* `storage.objects.list`
====
.Required permissions for creating health check resources
[%collapsible]
====
* `compute.healthChecks.create`
* `compute.healthChecks.get`
* `compute.healthChecks.list`
* `compute.healthChecks.useReadOnly`
* `compute.httpHealthChecks.create`
* `compute.httpHealthChecks.get`
* `compute.httpHealthChecks.list`
* `compute.httpHealthChecks.useReadOnly`
* `compute.regionHealthChecks.create`
* `compute.regionHealthChecks.get`
* `compute.regionHealthChecks.useReadOnly`
====
.Required permissions to get {gcp-short} zone and region related information
[%collapsible]
====
* `compute.globalOperations.get`
* `compute.regionOperations.get`
* `compute.regions.get`
* `compute.regions.list`
* `compute.zoneOperations.get`
* `compute.zones.get`
* `compute.zones.list`
====
.Required permissions for checking services and quotas
[%collapsible]
====
* `monitoring.timeSeries.list`
* `serviceusage.quotas.get`
* `serviceusage.services.list`
====
.Required IAM permissions for installation
[%collapsible]
====
* `iam.roles.create`
* `iam.roles.get`
* `iam.roles.update`
====
.Required permissions when authenticating without a service account key
[%collapsible]
====
* `iam.serviceAccounts.signBlob`
====
.Required permissions when providing Key Management Service (KMS) key rings
[%collapsible]
====
* `cloudkms.keyRings.list`
====
.Optional Images permissions for installation
[%collapsible]
====
* `compute.images.list`
====
.Optional permission for running gather bootstrap
[%collapsible]
====
* `compute.instances.getSerialPortOutput`
====
.Required permissions for deleting network resources
[%collapsible]
====
* `compute.addresses.delete`
* `compute.addresses.deleteInternal`
* `compute.addresses.list`
* `compute.addresses.setLabels`
* `compute.firewalls.delete`
* `compute.firewalls.list`
* `compute.forwardingRules.delete`
* `compute.forwardingRules.list`
* `compute.globalAddresses.delete`
* `compute.globalAddresses.list`
* `compute.globalForwardingRules.delete`
* `compute.globalForwardingRules.list`
* `compute.networks.delete`
* `compute.networks.list`
* `compute.networks.updatePolicy`
* `compute.routers.delete`
* `compute.routers.list`
* `compute.routes.list`
* `compute.subnetworks.delete`
* `compute.subnetworks.list`
====
.Required permissions for deleting load balancer resources
[%collapsible]
====
* `compute.backendServices.delete`
* `compute.backendServices.list`
* `compute.regionBackendServices.delete`
* `compute.regionBackendServices.list`
* `compute.targetPools.delete`
* `compute.targetPools.list`
* `compute.targetTcpProxies.delete`
* `compute.targetTcpProxies.list`
====
.Required permissions for deleting DNS resources
[%collapsible]
====
* `dns.changes.create`
* `dns.managedZones.delete`
* `dns.managedZones.get`
* `dns.managedZones.list`
* `dns.resourceRecordSets.delete`
* `dns.resourceRecordSets.list`
====
.Required permissions for deleting Service Account resources
[%collapsible]
====
* `iam.serviceAccounts.delete`
* `iam.serviceAccounts.get`
* `iam.serviceAccounts.list`
* `resourcemanager.projects.getIamPolicy`
====
.Required permissions for deleting compute resources
[%collapsible]
====
* `compute.disks.delete`
* `compute.disks.list`
* `compute.instanceGroups.delete`
* `compute.instanceGroups.list`
* `compute.instances.delete`
* `compute.instances.list`
* `compute.instances.stop`
* `compute.machineTypes.list`
====
.Required permissions for deleting storage resources
[%collapsible]
====
* `storage.buckets.delete`
* `storage.buckets.getIamPolicy`
* `storage.buckets.list`
* `storage.objects.delete`
* `storage.objects.list`
====
.Required permissions for deleting health check resources
[%collapsible]
====
* `compute.healthChecks.delete`
* `compute.healthChecks.list`
* `compute.httpHealthChecks.delete`
* `compute.httpHealthChecks.list`
* `compute.regionHealthChecks.delete`
* `compute.regionHealthChecks.list`
====
.Required Images permissions for deletion
[%collapsible]
====
* `compute.images.list`
====
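The following Python script is an added example, not part of the {product-title} documentation or the installation program: it builds a least-privilege custom-role definition in the YAML format accepted by `gcloud iam roles create --file`, drops the permissions this page marks as conditional (firewall rules you manage yourself, `credentialsMode: Manual`), and reports which required permissions an existing role is missing. The permission lists inside it are a constructed subset of the lists above, and the granted-permission sample is constructed.

```python
"""Build a least-privilege custom role for the installer and audit an existing one."""

# Constructed subset of the page's permission lists (extend with the full lists).
NETWORK_CREATE = [
    "compute.addresses.create", "compute.addresses.createInternal",
    "compute.firewalls.create", "compute.firewalls.delete",
    "compute.networks.create", "compute.subnetworks.create",
]
SERVICE_ACCOUNT_CREATE = [
    "iam.serviceAccounts.actAs", "iam.serviceAccounts.create",
    "resourcemanager.projects.getIamPolicy", "resourcemanager.projects.setIamPolicy",
]

# Permissions the page marks as not required under a given condition.
CONDITIONAL = {
    "own_firewall_rules": {"compute.firewalls.create", "compute.firewalls.delete"},
    "manual_credentials": {"resourcemanager.projects.setIamPolicy"},
}


def required_permissions(groups, own_firewall_rules=False, manual_credentials=False):
    """Union of the permission groups minus the ones the stated conditions waive."""
    perms = set()
    for group in groups:
        perms.update(group)
    if own_firewall_rules:
        perms -= CONDITIONAL["own_firewall_rules"]
    if manual_credentials:
        perms -= CONDITIONAL["manual_credentials"]
    return sorted(perms)


def role_yaml(title, perms):
    """Render a custom role file for: gcloud iam roles create ROLE_ID --project=P --file=FILE."""
    lines = [f'title: "{title}"', 'stage: "GA"', "includedPermissions:"]
    lines += [f"- {p}" for p in perms]
    return "\n".join(lines) + "\n"


def missing_permissions(granted, required):
    """Required permissions absent from a role's includedPermissions (e.g. from gcloud iam roles describe)."""
    return sorted(set(required) - set(granted))


if __name__ == "__main__":
    required = required_permissions([NETWORK_CREATE, SERVICE_ACCOUNT_CREATE], own_firewall_rules=True)
    print(role_yaml("OpenShift installer (least privilege)", required))
    # Constructed sample of what an existing custom role currently grants.
    granted = ["compute.addresses.create", "compute.networks.create", "iam.serviceAccounts.create"]
    print("missing:", missing_permissions(granted, required))
```

Compare the output of `missing_permissions` against a role dumped with `gcloud iam roles describe` before attaching it to the installer's service account.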