Permissions

In order to operate, Berlioz needs access to your GCP project. There are three ways to grant it; choose one of the following options based on your needs:

  1. Option 1. Permissive. Recommended for development or test environments.
  2. Option 2. Strict. Recommended for production environment.
  3. Option 3. Strict using automated script. Recommended for production environment and when every second is critical.

Option 1. Permissive

The simplest option. Allow full access to the project:

  • Project -> Owner

Option 2. Strict

The most restrictive option. If you go this route, make sure you track changes to Berlioz's permission requirements and update the roles accordingly. Apply the following roles to the berlioz-robot service account.

Download the role definitions below.

Before using the downloaded YAML files, set your project name in the name field of each file.

Create the custom roles using the CLI:

$ gcloud iam roles create berlioz.serviceusage --project <gcp-project-name> --file berlioz-service-usage-role.yaml
$ gcloud iam roles create berlioz.cloudsql --project <gcp-project-name> --file berlioz-cloudsql-role.yaml
$ gcloud iam roles create berlioz.functions --project <gcp-project-name> --file berlioz-functions-role.yaml
$ gcloud iam roles create berlioz.iam --project <gcp-project-name> --file berlioz-iam-role.yaml
$ gcloud iam roles create berlioz.pubsub --project <gcp-project-name> --file berlioz-pubsub-role.yaml
$ gcloud iam roles create berlioz.storage --project <gcp-project-name> --file berlioz-storage-role.yaml
$ gcloud iam roles create berlioz.staticaddress --project <gcp-project-name> --file berlioz-static-address.yaml

Default Roles

Grant the following default roles to the berlioz-robot service account:

  • Kubernetes Engine Admin (roles/container.admin)
  • Service Account Admin (roles/iam.serviceAccountUser)

Custom Roles

Grant the following custom roles to the berlioz-robot service account:

Berlioz Service Usage

  • serviceusage.services.get
  • serviceusage.services.enable

Berlioz CloudSQL

  • cloudsql.instances.create
  • cloudsql.instances.delete
  • cloudsql.instances.get
  • cloudsql.instances.import
  • cloudsql.instances.list
  • cloudsql.instances.update

Berlioz Functions

  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudfunctions.functions.update
  • cloudfunctions.locations.list
  • cloudfunctions.operations.get
  • cloudfunctions.operations.list

Berlioz IAM

  • iam.serviceAccountKeys.create
  • iam.serviceAccountKeys.delete
  • iam.serviceAccountKeys.get
  • iam.serviceAccountKeys.list
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.getIamPolicy
  • iam.serviceAccounts.setIamPolicy
  • iam.serviceAccounts.update
  • resourcemanager.projects.getIamPolicy
  • resourcemanager.projects.setIamPolicy

Berlioz Kubernetes

  • container.apiServices.create
  • container.apiServices.delete
  • container.apiServices.get
  • container.apiServices.list
  • container.apiServices.update
  • container.apiServices.updateStatus
  • container.backendConfigs.create
  • container.backendConfigs.delete
  • container.backendConfigs.get
  • container.backendConfigs.list
  • container.backendConfigs.update
  • container.bindings.create
  • container.bindings.delete
  • container.bindings.get
  • container.bindings.list
  • container.bindings.update
  • container.clusterRoleBindings.create
  • container.clusterRoleBindings.delete
  • container.clusterRoleBindings.get
  • container.clusterRoleBindings.list
  • container.clusterRoleBindings.update
  • container.clusterRoles.bind
  • container.clusterRoles.create
  • container.clusterRoles.delete
  • container.clusterRoles.get
  • container.clusterRoles.list
  • container.clusterRoles.update
  • container.clusters.get
  • container.clusters.getCredentials
  • container.clusters.list
  • container.componentStatuses.get
  • container.componentStatuses.list
  • container.configMaps.create
  • container.configMaps.delete
  • container.configMaps.get
  • container.configMaps.list
  • container.configMaps.update
  • container.controllerRevisions.create
  • container.controllerRevisions.delete
  • container.controllerRevisions.get
  • container.controllerRevisions.list
  • container.controllerRevisions.update
  • container.customResourceDefinitions.create
  • container.customResourceDefinitions.delete
  • container.customResourceDefinitions.get
  • container.customResourceDefinitions.list
  • container.customResourceDefinitions.update
  • container.customResourceDefinitions.updateStatus
  • container.daemonSets.create
  • container.daemonSets.delete
  • container.daemonSets.get
  • container.daemonSets.getStatus
  • container.daemonSets.list
  • container.daemonSets.update
  • container.daemonSets.updateStatus
  • container.deployments.create
  • container.deployments.delete
  • container.deployments.get
  • container.deployments.getScale
  • container.deployments.getStatus
  • container.deployments.list
  • container.deployments.rollback
  • container.deployments.update
  • container.deployments.updateScale
  • container.deployments.updateStatus
  • container.endpoints.create
  • container.endpoints.delete
  • container.endpoints.get
  • container.endpoints.list
  • container.endpoints.update
  • container.horizontalPodAutoscalers.create
  • container.horizontalPodAutoscalers.delete
  • container.horizontalPodAutoscalers.get
  • container.horizontalPodAutoscalers.getStatus
  • container.horizontalPodAutoscalers.list
  • container.horizontalPodAutoscalers.update
  • container.horizontalPodAutoscalers.updateStatus
  • container.ingresses.create
  • container.ingresses.delete
  • container.ingresses.get
  • container.ingresses.getStatus
  • container.ingresses.list
  • container.ingresses.update
  • container.ingresses.updateStatus
  • container.namespaces.create
  • container.namespaces.delete
  • container.namespaces.get
  • container.namespaces.getStatus
  • container.namespaces.list
  • container.namespaces.update
  • container.namespaces.updateStatus
  • container.persistentVolumeClaims.create
  • container.persistentVolumeClaims.delete
  • container.persistentVolumeClaims.get
  • container.persistentVolumeClaims.getStatus
  • container.persistentVolumeClaims.list
  • container.persistentVolumeClaims.update
  • container.persistentVolumeClaims.updateStatus
  • container.persistentVolumes.create
  • container.persistentVolumes.delete
  • container.persistentVolumes.get
  • container.persistentVolumes.getStatus
  • container.persistentVolumes.list
  • container.persistentVolumes.update
  • container.persistentVolumes.updateStatus
  • container.pods.get
  • container.pods.getStatus
  • container.pods.list
  • container.replicaSets.create
  • container.replicaSets.delete
  • container.replicaSets.get
  • container.replicaSets.getScale
  • container.replicaSets.getStatus
  • container.replicaSets.list
  • container.replicaSets.update
  • container.replicaSets.updateScale
  • container.replicaSets.updateStatus
  • container.replicationControllers.create
  • container.replicationControllers.delete
  • container.replicationControllers.get
  • container.replicationControllers.getScale
  • container.replicationControllers.getStatus
  • container.replicationControllers.list
  • container.replicationControllers.update
  • container.replicationControllers.updateScale
  • container.replicationControllers.updateStatus
  • container.roleBindings.create
  • container.roleBindings.delete
  • container.roleBindings.get
  • container.roleBindings.list
  • container.roleBindings.update
  • container.roles.bind
  • container.roles.create
  • container.roles.delete
  • container.roles.get
  • container.roles.list
  • container.roles.update
  • container.secrets.create
  • container.secrets.delete
  • container.secrets.get
  • container.secrets.list
  • container.secrets.update
  • container.serviceAccounts.create
  • container.serviceAccounts.delete
  • container.serviceAccounts.get
  • container.serviceAccounts.list
  • container.serviceAccounts.update
  • container.services.create
  • container.services.delete
  • container.services.get
  • container.services.getStatus
  • container.services.list
  • container.services.proxy
  • container.services.update
  • container.services.updateStatus
  • container.statefulSets.create
  • container.statefulSets.delete
  • container.statefulSets.get
  • container.statefulSets.getScale
  • container.statefulSets.getStatus
  • container.statefulSets.list
  • container.statefulSets.update
  • container.statefulSets.updateScale
  • container.statefulSets.updateStatus
  • container.thirdPartyObjects.create
  • container.thirdPartyObjects.delete
  • container.thirdPartyObjects.get
  • container.thirdPartyObjects.list
  • container.thirdPartyObjects.update

Berlioz PubSub

  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.list
  • pubsub.subscriptions.setIamPolicy
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.getIamPolicy
  • pubsub.topics.list
  • pubsub.topics.setIamPolicy
  • pubsub.topics.update

Berlioz Storage

  • storage.buckets.create
  • storage.buckets.delete
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.buckets.setIamPolicy
  • storage.buckets.update
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • storage.objects.list
  • storage.objects.update

Berlioz Static Address

  • compute.globalAddresses.get
  • compute.globalAddresses.create

Option 3. Strict using automated script

Initial setup using Option 2. Strict takes significant initial effort. You can use the script below to automate creation of the service account, roles and permissions. Run it using:

bash -c "$(curl -sL https://raw.githubusercontent.com/berlioz-the/automation/master/gcp/project/init.sh)"

or

bash -c "$(wget -qO- https://raw.githubusercontent.com/berlioz-the/automation/master/gcp/project/init.sh)"

The script performs the following steps:

  1. Logs in to the GCP account
  2. Creates the service account berlioz-robot
  3. Creates the IAM roles described in Option 2. Strict
  4. Assigns the roles to the service account berlioz-robot
  5. Creates and downloads a key for the service account berlioz-robot to the credentials.json file. Any other existing keys for the service account berlioz-robot will be deleted.

Prerequisites: