-
Notifications
You must be signed in to change notification settings - Fork 26
gcloud setup account iam
The scope of this section is to prepare a Google Cloud account to be ready for setting up a Cloud Dev & Run environment later on. By the end of this guide, a Principal (existing end user account or new/existing service account) will be enrolled to an existing project with the required roles attached.
-
Have a Google Cloud project already setup and Google Cloud CLI installed and configured. If it is not the case, please go back to corresponding guide.
-
A Google Cloud account with owner privileges on the project.
In case you do not have an account or it does not have owner privileges on the project, request a service account to your Google Cloud administrator asking for the following roles being attached. Then go to Check roles and permissions of a principal.
The script located at /scripts/accounts/gcloud/setup-principal-account.sh
will automatically attach the required roles to the principal, in the context of the provided project.
setup-principal-account.sh \
-g <google account> \
-s <service account name> \
-p <project id> \
[-r <roles...>] \
[-f <roles file path>] \
[-c <custom role file path>] \
[-i <custom role id>]
[-k <service account key file path>]
-g [Required] Google Account of an end user. Mutually exclusive with -s.
-s [Required] Service Account name. Mutually exclusive with -g.
-p [Required] Short project name (ID) to which the principal will be enrolled.
-r Roles (basic or predefined) to be attached to the principal in the project, splitted by comma.
-f Path to a file containing the roles (basic or predefined) to be attached to the principal in the project.
-c Path to a YAML file containing the custom role to be attached to the principal in the project. Requires -i.
-i ID to be set to the custom role provided in -c.
-k Path to the file where the service account key will be stored. Default: ./key.json.
./setup-principal-account.sh -s ExampleServiceAccount -p ExampleProject -f ./predefined-roles.txt
Note
|
Required roles are located at /scripts/accounts/gcloud/predefined-roles.txt .
|
Tip
|
You can find an example of a custom role at /scripts/accounts/gcloud/custom-role-example.yaml .
|
On success and in case of creating a new service account (as in the example), a key.json
file containing credentials will be generated. It will be used on further steps for authenticating with Google Cloud without human intervention.
Important
|
It is mandatory to store the key.json file securely at this point, as it will not be retrievable again.
|
The script located at /scripts/accounts/gcloud/verify-principal-roles-and-permissions.sh
will automatically check that the necessary roles and permissions are bound to the principal, in the context of the provided project.
verify-principal-roles-and-permissions.sh \
-g <google account> \
-s <service account name> \
-p <project id> \
[-r <roles...>] \
[-f <roles file path>] \
[-e <permissions...>] \
[-i <permissions file path>]
-g [Required] Google Account of an end user. Mutually exclusive with -s.
-s [Required] Service Account name. Mutually exclusive with -g.
-p [Required] Short project name (ID) where the roles and permissions will be checked.
-r Roles to be checked, splitted by comma.
-f Path to a file containing the roles to be checked.
-e Permissions to be checked, splitted by comma.
-i Path to a file containing the permissions to be checked.
./verify-principal-roles-and-permissions.sh -s ExampleServiceAccount -p ExampleProject -f ./predefined-roles.txt
After execution, provided policies will be shown preceded by an OK
or FAILED
depending on the attachment status.
Note
|
Required roles are located at /scripts/accounts/gcloud/predefined-roles.txt
|
Tip
|
You can find a non-comprehensive example of required permisions at /scripts/accounts/gcloud/required-permissions-example.txt .
|
This documentation is licensed under the Creative Commons License (Attribution-NoDerivatives 4.0 International).