
GCP Roles

Service accounts are a special type of Google account that represent an application or workload (such as a virtual machine) rather than an end user. They are the primary way to give such workloads managed, authenticated access to Google Cloud APIs and services.

These roles are needed when creating an image using Konvoy Image Builder.

GCP Prerequisite Roles

If you are creating your image on either a non-GCP instance or a GCP instance that does not have the required roles (the Editor role) attached, you must either create a new GCP service account (option 1 below) or create credentials for an existing service account (option 2 below), and then export those static credentials for use when creating the cluster.

Static credentials (service account key files) do not expire by default and grant whoever holds them every permission bound to the service account. Make sure to rotate them regularly, delete keys that are no longer in use, and keep the key file out of version control.

  • (option 1) Create a GCP Service Account using the following gcloud commands:

    CODE
    export GCP_PROJECT=<your GCP project ID>
    export GCP_SERVICE_ACCOUNT_USER=<some new service account user>
    export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json"
    
    # Create the service account in the project.
    gcloud iam service-accounts create "$GCP_SERVICE_ACCOUNT_USER" --project="$GCP_PROJECT"
    # Grant it the Editor role on the whole project. This is a broad grant; the
    # service account can then modify most resources in the project.
    gcloud projects add-iam-policy-binding "$GCP_PROJECT" --member="serviceAccount:$GCP_SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com" --role=roles/editor
    # Create a user-managed key and write it to the credentials file. The private
    # key is only returned once; keep the file private.
    mkdir -p "$(dirname "$GOOGLE_APPLICATION_CREDENTIALS")"
    gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" --iam-account="$GCP_SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
  • (option 2) Retrieve the credentials for an existing service account using the following gcloud commands:

    CODE
    export GCP_PROJECT=<your GCP project ID>
    export GCP_SERVICE_ACCOUNT_USER=<existing service account user>
    export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.gcloud/credentials.json"
    
    # The private part of an existing key cannot be downloaded again, so this
    # creates a new user-managed key for the account and writes it to the
    # credentials file. Every run adds a key; delete the ones you no longer need.
    mkdir -p "$(dirname "$GOOGLE_APPLICATION_CREDENTIALS")"
    gcloud iam service-accounts keys create "$GOOGLE_APPLICATION_CREDENTIALS" --iam-account="$GCP_SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com"
  • Export the static credentials that will be used to create the cluster:

    BASH
    export GCP_B64ENCODED_CREDENTIALS=$(base64 < "${GOOGLE_APPLICATION_CREDENTIALS}" | tr -d '\n')
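The steps above leave a long-lived key on disk and in an environment variable, and every `keys create` run adds another key to the account. The following script is an added example and is not part of DKP or Konvoy Image Builder: it checks that the file named by GOOGLE_APPLICATION_CREDENTIALS really is a service-account key before encoding it, restricts the file's mode, and prunes user-managed keys on the account that are older than a threshold. The function names, the 90-day threshold and the date-command fallback are assumptions; GCP_PROJECT and GCP_SERVICE_ACCOUNT_USER are the variables from the steps above, and gcloud is only needed for the pruning step.

```bash
#!/bin/sh
# Added example (not D2iQ's own tooling): package a service-account key for
# GCP_B64ENCODED_CREDENTIALS and prune old user-managed keys on the account.
# Assumes POSIX sh, gcloud on PATH for prune_old_keys, and the GCP_PROJECT /
# GCP_SERVICE_ACCOUNT_USER / GOOGLE_APPLICATION_CREDENTIALS variables above.
set -eu

# Return 0 only if FILE looks like a Google service-account key: a JSON object
# whose "type" is "service_account" and that names a client_email.
is_service_account_key() {
  file="$1"
  [ -r "$file" ] || return 1
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$file" || return 1
  grep -q '"client_email"' "$file" || return 1
  return 0
}

# Print the single-line base64 value the cluster creation step expects.
# Refuses anything that is not a service-account key, so a stray path in
# GOOGLE_APPLICATION_CREDENTIALS cannot silently be shipped.
encode_credentials() {
  file="$1"
  is_service_account_key "$file" || { echo "not a service account key: $file" >&2; return 1; }
  chmod 600 "$file"   # the key grants the account's roles to anyone who can read it
  base64 < "$file" | tr -d '\n'
}

# True if RFC 3339 UTC timestamp $1 is strictly earlier than $2. Timestamps in
# this form sort lexically, so a string sort is a date comparison.
older_than() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort | head -n 1)" = "$1" ]
}

# Delete user-managed keys older than MAX_AGE_DAYS (assumed default: 90) on
# ACCOUNT, keeping the key whose private_key_id matches the local key file.
# Google-managed keys are not listed; Google rotates those itself.
prune_old_keys() {
  file="$1"; account="$2"; max_age_days="${3:-90}"
  keep_id=$(sed -n 's/.*"private_key_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
  # GNU date first, BSD/macOS date as the fallback.
  cutoff=$(date -u -d "-${max_age_days} days" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
           || date -u -v-"${max_age_days}"d +%Y-%m-%dT%H:%M:%SZ)
  gcloud iam service-accounts keys list --iam-account="$account" --managed-by=user \
      --format="value(name.basename(),validAfterTime)" |
  while read -r key_id created; do
    [ "$key_id" = "$keep_id" ] && continue
    if older_than "$created" "$cutoff"; then
      echo "deleting key $key_id created $created" >&2
      gcloud iam service-accounts keys delete "$key_id" --iam-account="$account" --quiet
    fi
  done
}

# Entry point: runs only when the variables from the steps above are set.
if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] && [ -n "${GCP_SERVICE_ACCOUNT_USER:-}" ] && [ -n "${GCP_PROJECT:-}" ]; then
  GCP_B64ENCODED_CREDENTIALS=$(encode_credentials "$GOOGLE_APPLICATION_CREDENTIALS")
  export GCP_B64ENCODED_CREDENTIALS
  prune_old_keys "$GOOGLE_APPLICATION_CREDENTIALS" \
    "$GCP_SERVICE_ACCOUNT_USER@$GCP_PROJECT.iam.gserviceaccount.com" 90
fi
```

Source the script (`. ./sa-key.sh`) rather than executing it if you want GCP_B64ENCODED_CREDENTIALS to land in the current shell. The pruning step only touches user-managed keys and never the one you are about to use, so it is safe to run on every image build.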

Refer to the DKP documentation regarding roles and minimum permissions for use with Konvoy Image Builder: GCP Roles

To create a GCP Service Account with the Editor role, the user creating the GCP Service Account needs the Editor (roles/editor), Role Administrator (roles/iam.roleAdmin), and Security Admin (roles/iam.securityAdmin) roles. However, those pre-defined roles grant far more permissions than the minimum set needed to create a DKP cluster; Security Admin alone can set the IAM policy on any resource in the project.

For DKP cluster creation, the minimal set of roles and permissions needed for the user creating the GCP Service Account is the Editor role plus the following additional permissions:

  • compute.disks.setIamPolicy

  • compute.instances.setIamPolicy

  • iam.roles.create

  • iam.roles.delete

  • iam.roles.update

  • iam.serviceAccounts.setIamPolicy

  • resourcemanager.projects.setIamPolicy
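Binding Role Administrator and Security Admin to a person in order to cover seven permissions is more than least privilege requires. The following script is an added example and is not part of the DKP documentation or tooling: it packages exactly the permissions listed above into a project-level custom role and binds that role, together with Editor, to the user who will create the service account. The role ID dkpServiceAccountCreator, the DKP_ADMIN_USER variable and the function names are assumptions; GCP_PROJECT is the variable from the steps above.

```bash
#!/bin/sh
# Added example, not part of the DKP documentation or tooling: grant the user who
# will create the Konvoy Image Builder service account the Editor role plus only
# the extra permissions listed on this page, via a project-level custom role,
# instead of the broader roles/iam.roleAdmin and roles/iam.securityAdmin.
# Assumed: gcloud on PATH, GCP_PROJECT set as above; the role ID
# dkpServiceAccountCreator and the DKP_ADMIN_USER variable are placeholders.
set -eu

# The seven extra permissions named on this page, as a custom-role definition
# in the YAML layout accepted by `gcloud iam roles create --file`.
dkp_sa_creator_role_yaml() {
  cat <<'EOF'
title: "DKP service account creator"
description: "Editor supplement for creating the Konvoy Image Builder service account"
stage: "GA"
includedPermissions:
- compute.disks.setIamPolicy
- compute.instances.setIamPolicy
- iam.roles.create
- iam.roles.delete
- iam.roles.update
- iam.serviceAccounts.setIamPolicy
- resourcemanager.projects.setIamPolicy
EOF
}

# Number of permissions in the definition; a self-check before applying it.
dkp_sa_creator_permission_count() {
  dkp_sa_creator_role_yaml | grep -c '^- '
}

# Create the custom role (or update it if it already exists) and bind it,
# together with Editor, to the user. PROJECT is the project ID, USER an
# e-mail address, ROLE_ID the custom role name within the project.
grant_dkp_sa_creator() {
  project="$1"; user="$2"; role_id="${3:-dkpServiceAccountCreator}"
  tmp=$(mktemp)
  dkp_sa_creator_role_yaml > "$tmp"
  if gcloud iam roles describe "$role_id" --project="$project" >/dev/null 2>&1; then
    gcloud iam roles update "$role_id" --project="$project" --file="$tmp"
  else
    gcloud iam roles create "$role_id" --project="$project" --file="$tmp"
  fi
  rm -f "$tmp"
  gcloud projects add-iam-policy-binding "$project" --member="user:$user" --role=roles/editor
  # Project-level custom roles are referenced as projects/PROJECT/roles/ROLE_ID.
  gcloud projects add-iam-policy-binding "$project" --member="user:$user" \
      --role="projects/$project/roles/$role_id"
}

# Entry point: runs only when the project and the target user are set.
if [ -n "${GCP_PROJECT:-}" ] && [ -n "${DKP_ADMIN_USER:-}" ]; then
  [ "$(dkp_sa_creator_permission_count)" -eq 7 ] || exit 1
  grant_dkp_sa_creator "$GCP_PROJECT" "$DKP_ADMIN_USER"
fi
```

Whoever runs this must already hold iam.roles.create and resourcemanager.projects.setIamPolicy on the project (a project Owner does), and the target user still needs the Editor binding, as the page states. If gcloud rejects one of the permissions as not supported in custom roles, that permission has to come from a predefined role instead.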

For more information on GCP service accounts, see the Google Cloud IAM documentation on service accounts.
