Advanced Clusters > Setting up Google Cloud > Step 7. Create roles and service accounts
  

Step 7. Create roles and service accounts

Create a Secure Agent role and service account to grant the agent permissions to create and manage an advanced cluster on Google Cloud. You can include the master node and worker node permissions in the Secure Agent role, or you can create separate roles and service accounts for the cluster nodes.
Create the following roles and Google service accounts:
  • A Secure Agent role and service account
  • Optionally, a master role and service account
  • Optionally, a worker role and service account
A Google Cloud service account is always linked to a Google Cloud project. Make sure that you use only one set of credentials for both the source and target when you run an advanced job.

Create a Secure Agent role and service account

Create a Secure Agent role and service account to grant permissions to the Secure Agent.

Create a Secure Agent role

Create a Secure Agent role to define the set of permissions for the Secure Agent.
  1. In the Google Cloud web console, navigate to IAM & Admin > Roles.
  2. Create a role.
  3. Enter a role title, description, and ID.
     You can use <username-agent-role> as a format for the ID.
  4. Add permissions for the role.
     For more information about permissions, see Permissions for the Secure Agent role.

Create a Secure Agent service account

Create a Secure Agent service account that uses the Secure Agent role.
  1. In the Google Cloud web console, navigate to IAM & Admin > Service Accounts.
  2. Create a service account.
  3. Enter service account details such as name, ID, and description.
  4. Enter details for the service account access to the project.
  5. Select the Secure Agent role <username-agent-role>.
  6. Set the Secure Agent service account as the default service account on the Secure Agent machine.

Permissions for the Secure Agent role

The following table lists the minimum required permissions for the Secure Agent role:
Operations:
  • Create an external static IP address
  • Delete or release an IP address
Permissions:
  compute.addresses.create
  compute.addresses.delete
  compute.addresses.get
  compute.addresses.list
  compute.addresses.use

Operations:
  • Create a target pool
  • Get details for a target pool
  • Delete a target pool
Permissions:
  compute.targetPools.addInstance
  compute.targetPools.create
  compute.targetPools.delete
  compute.targetPools.get
  compute.targetPools.list
  compute.targetPools.removeInstance
  compute.targetPools.update
  compute.targetPools.use

Operations:
  • Create a forwarding rule
  • Get details for a rule creation
  • Delete a forwarding rule
Permissions:
  compute.forwardingRules.create
  compute.forwardingRules.delete
  compute.forwardingRules.get
  compute.forwardingRules.list
  compute.forwardingRules.setTarget
  compute.forwardingRules.update

Operations:
  • Create an instance template
  • Get details for an instance template
  • Delete an instance template
  • Add a disk to an instance
Permissions:
  compute.instanceTemplates.create
  compute.instanceTemplates.delete
  compute.instanceTemplates.get
  compute.instanceTemplates.list
  compute.instanceTemplates.useReadOnly
  compute.disks.create
  compute.disks.delete
  compute.disks.get
  compute.disks.list
  compute.disks.resize
  compute.disks.setLabels
  compute.disks.update
  compute.disks.use

Operations:
  • Create a regional and zonal group
  • Get details or description of regional instance groups
  • Delete a regional instance group
Permissions:
  compute.addresses.create
  compute.addresses.delete
  compute.addresses.get
  compute.addresses.list
  compute.addresses.use
  compute.instanceGroupManagers.create
  compute.instanceGroupManagers.delete
  compute.instanceGroupManagers.get
  compute.instanceGroupManagers.list
  compute.instanceGroupManagers.update
  compute.instanceGroupManagers.use
  compute.instanceGroups.create
  compute.instanceGroups.delete
  compute.instanceGroups.get
  compute.instanceGroups.list
  compute.instanceGroups.update
  compute.instanceGroups.use
  compute.instances.addAccessConfig
  compute.instances.attachDisk
  compute.instances.create
  compute.instances.delete
  compute.instances.deleteAccessConfig
  compute.instances.detachDisk
  compute.instances.get
  compute.instances.getEffectiveFirewalls
  compute.instances.list
  compute.instances.osAdminLogin
  compute.instances.osLogin
  compute.instances.reset
  compute.instances.resume
  compute.instances.setDiskAutoDelete
  compute.instances.setLabels
  compute.instances.setMachineResources
  compute.instances.setMachineType
  compute.instances.setMetadata
  compute.instances.setMinCpuPlatform
  compute.instances.setServiceAccount
  compute.instances.setTags
  compute.instances.start
  compute.instances.startWithEncryptionKey
  compute.instances.stop
  compute.instances.suspend
  compute.instances.update
  compute.instances.updateAccessConfig
  compute.instances.updateNetworkInterface
  compute.instances.updateSecurity
  compute.instances.use
  compute.subnetworks.use
  compute.subnetworks.useExternalIp
  compute.subnetworks.get

Operations:
  • Delete, upload, and list Google Cloud Storage metadata and logs
Permissions:
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.list
  storage.objects.update
  storage.buckets.get

Operations:
  • Create, use, and delete a resource within a VPC and subnet
Permissions:
  compute.subnetworks.get
  compute.subnetworks.use
  compute.subnetworks.useExternalIp

Operations:
  • Work with a project
Permissions:
  resourcemanager.projects.get

Operations:
  • Use a service account
Permissions:
  iam.serviceAccounts.actAs

Operations:
  • Create, use, and delete an internal IP address
Permissions:
  compute.addresses.createInternal
  compute.addresses.deleteInternal
  compute.addresses.useInternal

Operations:
  • Create, use, and delete a regional backend service
Permissions:
  compute.regionBackendServices.create
  compute.regionBackendServices.delete
  compute.regionBackendServices.get
  compute.regionBackendServices.list
  compute.regionBackendServices.update
  compute.regionBackendServices.use

Operations:
  • Create, use, and delete a regional health check
Permissions:
  compute.regionHealthChecks.create
  compute.regionHealthChecks.delete
  compute.regionHealthChecks.get
  compute.regionHealthChecks.list
  compute.regionHealthChecks.update
  compute.regionHealthChecks.use
  compute.regionHealthChecks.useReadOnly

To allow the Secure Agent to create a VPC network and subnets, add the following permissions to the Secure Agent role:
Operations:
  • Create, use, and delete a VPC network
Permissions:
  compute.networks.access
  compute.networks.create
  compute.networks.delete
  compute.networks.get
  compute.networks.list
  compute.networks.use

Operations:
  • Create, use, and delete a subnetwork
Permissions:
  compute.subnetworks.create
  compute.subnetworks.delete
  compute.subnetworks.get
  compute.subnetworks.list
  compute.subnetworks.update
  compute.subnetworks.use
  compute.subnetworks.useExternalIp

Operations:
  • Create, use, and delete a Cloud Router
Permissions:
  compute.routers.create
  compute.routers.delete
  compute.routers.get
  compute.routers.list
  compute.routers.use

Operations:
  • Create, use, and delete a firewall rule
  • Add a firewall rule to a VPC network
Permissions:
  compute.firewalls.create
  compute.firewalls.delete
  compute.firewalls.get
  compute.firewalls.list
  compute.firewalls.update
  compute.networks.updatePolicy

If you do not create separate roles and service accounts for the cluster nodes, add the following permissions to the Secure Agent role:
Node type: Master
Operations:
  • Scale up or down an instance group for worker nodes
Permissions:
  compute.regions.get
  compute.instanceGroups.list
  compute.instanceGroups.update
  compute.instanceGroups.use
  compute.instanceGroups.get

Node type: Worker
Operations:
  • Upload initialization script notification to the staging location
  • Upload initialization script logs to the log location
Permissions:
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.list
  storage.objects.update
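The tables above give a minimum permission set, which is only useful if the role actually stays at that minimum. As an added example (not Informatica's documentation or code), the following script compares an existing custom role's permission list with a required list and reports what is missing (the cluster operation will fail) and what is extra (privilege the cluster never needs). The required list is a constructed subset of the Secure Agent table, and the "current role" listing is constructed too; `iam.serviceAccountKeys.create` appears in it only as an example of an undocumented extra permission worth reviewing.

```shell
#!/usr/bin/env bash
# Added example, not Informatica's own code: audit an existing custom role
# against the minimum permission set documented above. Both inputs are plain
# newline-separated permission lists.
set -eu
export LC_ALL=C

# Normalise a list for comm(1): drop whitespace and blank lines, sort, dedupe
# (the documented tables repeat some entries, e.g. compute.addresses.*).
norm_perms() { tr -d ' \t\r' | grep -v '^$' | sort -u; }

# Lines present in list $1 but absent from list $2.
only_in_first() {
  a=$(mktemp); b=$(mktemp)
  printf '%s\n' "$1" | norm_perms > "$a"
  printf '%s\n' "$2" | norm_perms > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Required permissions the role lacks ($1 = required, $2 = actual).
missing_perms() { only_in_first "$1" "$2"; }
# Permissions the role carries beyond the documented minimum.
extra_perms()   { only_in_first "$2" "$1"; }

# Print a report; return 0 only when the role matches the minimum exactly.
audit_role() {
  missing=$(missing_perms "$1" "$2"); extra=$(extra_perms "$1" "$2")
  [ -z "$missing" ] || printf 'MISSING (add to the role):\n%s\n' "$missing"
  [ -z "$extra" ]   || printf 'EXTRA (not in the tables, review before keeping):\n%s\n' "$extra"
  [ -z "$missing" ] && [ -z "$extra" ]
}

# Required set: constructed subset of the Secure Agent table (the regional
# health check row, the project row and the service account row). For a real
# audit, paste every row of the tables that apply to the role being checked.
REQUIRED_PERMS='compute.regionHealthChecks.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
iam.serviceAccounts.actAs
resourcemanager.projects.get'

# Constructed "current role" listing, in the shape produced by
#   gcloud iam roles describe ROLE_ID --project=PROJECT_ID \
#     --format='value(includedPermissions)' | tr ';' '\n'
# (list fields in the value format are joined with ';'). One required
# permission is missing and one unrelated, sensitive permission (service
# account key creation) was added at some point.
ACTUAL_PERMS='resourcemanager.projects.get
compute.regionHealthChecks.use
compute.regionHealthChecks.create
iam.serviceAccountKeys.create
compute.regionHealthChecks.delete
compute.regionHealthChecks.get
compute.regionHealthChecks.list
compute.regionHealthChecks.update
iam.serviceAccounts.actAs '

if audit_role "$REQUIRED_PERMS" "$ACTUAL_PERMS"; then
  echo "role matches the documented minimum"
else
  echo "role drifted from the documented minimum"
fi
```

When you keep separate master and worker roles, audit the Secure Agent role against the first two tables only and the node roles against the last one; when you fold the node permissions into the Secure Agent role, concatenate the tables into the required list before running the check.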

Create a master role and service account

Optionally, you can create a separate master role and service account to reduce the number of permissions that are assigned to the Secure Agent role. The master role will grant the permissions only to the master node.

Create a master role

Create a master role to define the set of permissions for the master node.
  1. In the Google Cloud web console, navigate to IAM & Admin > Roles.
  2. Create a role.
  3. Enter a role title, description, and ID.
     You can use <username-master-role> as a format for the ID.
  4. Add permissions to the role.
     The following table describes the permissions that the role needs:
     Operations:
       • Scale up or down an instance group for worker nodes
     Permissions:
       compute.regions.get
       compute.instanceGroups.list
       compute.instanceGroups.update
       compute.instanceGroups.use
       compute.instanceGroups.get

Create a master service account

Create a master service account that uses the master role.
  1. In the Google Cloud web console, navigate to IAM & Admin > Service Accounts.
  2. Create a service account.
  3. Enter service account details such as name, ID, and description.
  4. Enter details for the service account access to the project.
  5. Select the master role <username-master-role>.

Create a worker node role and service account

Optionally, you can create a separate worker node role and service account to reduce the number of permissions that are assigned to the Secure Agent role. The worker role will grant the permissions only to the worker nodes.

Create a worker role

Create a worker role to define the set of permissions for the worker nodes.
  1. In the Google Cloud web console, navigate to IAM & Admin > Roles.
  2. Create a role.
  3. Enter a role title, description, and ID.
     You can use <username-worker-role> as a format for the ID.
  4. Add permissions to the role.
     The following table describes the permissions that the role needs:
     Operations:
       • Upload initialization script notification to the staging location
       • Upload initialization script logs to the log location
     Permissions:
       storage.objects.create
       storage.objects.delete
       storage.objects.get
       storage.objects.list
       storage.objects.update

Create a worker service account

Create a worker service account that uses the worker role.
  1. In the Google Cloud web console, navigate to IAM & Admin > Service Accounts.
  2. Create a service account.
  3. Enter service account details such as name, ID, and description.
  4. Enter details for the service account access to the project.
  5. Select the worker role <username-worker-role>.
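The three procedures on this page (Secure Agent, master and worker) are the same sequence with different permission lists: create a custom role, create a service account, grant it the role, and, for the Secure Agent, make the account the default identity of the agent machine. As an added example (not Informatica's documentation or code), the following script performs that sequence with gcloud. `PROJECT_ID`, `AGENT_VM`, `ZONE` and `ROLE_PREFIX` are placeholders; the agent permission list shows only the first rows of the Secure Agent table and must be completed from the tables above; with `DRY_RUN=1` (the default) the gcloud commands are printed instead of executed.

```shell
#!/usr/bin/env bash
# Added example, not Informatica's own code: the console procedures above
# (custom role, service account, role binding, agent VM identity) via gcloud.
# With DRY_RUN=1 (default) the gcloud commands are only printed.
set -eu
export LC_ALL=C

PROJECT_ID="${PROJECT_ID:-my-project}"      # placeholder project
AGENT_VM="${AGENT_VM:-secure-agent-vm}"     # placeholder agent instance
ZONE="${ZONE:-us-central1-a}"               # placeholder zone
ROLE_PREFIX="${ROLE_PREFIX:-username}"      # mirrors the <username-...-role> format
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Render the role definition that `gcloud iam roles create --file` accepts.
# $1 = title, $2 = description, $3 = newline-separated permission list.
# Blank lines and stray whitespace are dropped and duplicates removed.
render_role_yaml() {
  printf 'title: %s\ndescription: %s\nstage: GA\nincludedPermissions:\n' "$1" "$2"
  printf '%s\n' "$3" | tr -d ' \t\r' | grep -v '^$' | sort -u | sed 's/^/- /'
}

# $1 = role ID (custom role IDs allow letters, digits, underscores and
# periods, unlike service account IDs, which allow hyphens), $2 = title,
# $3 = permission list, $4 = service account ID.
create_role_and_sa() {
  role_id=$1; title=$2; perms=$3; sa_id=$4
  yaml=$(mktemp)
  render_role_yaml "$title" "Informatica advanced cluster: $title" "$perms" > "$yaml"
  run gcloud iam roles create "$role_id" --project="$PROJECT_ID" --file="$yaml"
  run gcloud iam service-accounts create "$sa_id" --project="$PROJECT_ID" \
      --display-name="$title"
  # Grant the custom role to the new account at project scope.
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${sa_id}@${PROJECT_ID}.iam.gserviceaccount.com" \
      --role="projects/${PROJECT_ID}/roles/${role_id}"
  rm -f "$yaml"
}

# Step 6 of the Secure Agent procedure: attach the account to the agent VM so
# the agent uses the instance's attached identity rather than a key file.
# Compute Engine only lets you change the attached account while the
# instance is stopped.
attach_sa_to_agent_vm() {
  sa_email="${1}@${PROJECT_ID}.iam.gserviceaccount.com"
  run gcloud compute instances stop "$AGENT_VM" --zone="$ZONE" --project="$PROJECT_ID"
  run gcloud compute instances set-service-account "$AGENT_VM" --zone="$ZONE" \
      --project="$PROJECT_ID" --service-account="$sa_email" --scopes=cloud-platform
  run gcloud compute instances start "$AGENT_VM" --zone="$ZONE" --project="$PROJECT_ID"
}

# Permission lists from the tables above. The master and worker lists are
# complete; the agent list shows the first rows only: paste the remaining
# rows of the Secure Agent table in the same way.
AGENT_PERMS='compute.addresses.create
compute.addresses.delete
compute.addresses.get
compute.addresses.list
compute.addresses.use
resourcemanager.projects.get
iam.serviceAccounts.actAs'
MASTER_PERMS='compute.regions.get
compute.instanceGroups.list
compute.instanceGroups.update
compute.instanceGroups.use
compute.instanceGroups.get'
WORKER_PERMS='storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update'

create_role_and_sa "${ROLE_PREFIX}_agent_role"  "Secure Agent role" "$AGENT_PERMS"  "${ROLE_PREFIX}-agent-sa"
create_role_and_sa "${ROLE_PREFIX}_master_role" "Master role"       "$MASTER_PERMS" "${ROLE_PREFIX}-master-sa"
create_role_and_sa "${ROLE_PREFIX}_worker_role" "Worker role"       "$WORKER_PERMS" "${ROLE_PREFIX}-worker-sa"
attach_sa_to_agent_vm "${ROLE_PREFIX}-agent-sa"
```

Run it once with the default dry run to review the exact commands, then with `DRY_RUN=0` in a shell already authenticated to the project. Attaching the account to the agent VM, as step 6 requires, means no service account key file has to be created or stored on the machine; the master and worker accounts are not attached here because the cluster nodes receive them through the cluster configuration rather than through this step.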