Creating and Assigning IAM Roles

There are two custom Identity and Access Management (IAM) roles that need to be created in Google Cloud to grant the necessary permissions to the following two types of GKE users:

  1. The first type of user is the user who sets up the K8s infrastructure, i.e., the user who configures, creates, and maintains the GKE cluster and node pools. This user role is called the GKE Cluster Admin.
  2. The second type of user is the user who connects to the GKE cluster and deploys the dynamic Anzo applications. Typically this user is Anzo. Since Anzo communicates to the K8s services that provision the applications, the Anzo service account needs to be granted certain privileges. This user role is called the GKE Cluster Developer.

    The enterprise-level Anzo service account is a requirement for the Anzo installation and is typically in place before Anzo is installed. For more information, see Anzo Service Account Requirements.

This topic provides instructions for creating the two roles and gives guidance on assigning the roles to the appropriate members or service accounts.

Create and Assign the GKE Cluster Admin Role

To ensure that the GKE cluster creator has all of the permissions needed for creating and managing K8s resources, the GKE Cluster Admin custom role and four predefined Google roles must be applied to the member or service account that will be used when creating the K8s infrastructure. Follow the instructions below to create the custom role and assign all necessary roles to the appropriate member or service account.

Google Cloud IAM administrator privileges are required to create and assign IAM roles. The steps below give instructions for creating the custom GKE Cluster Admin role from the workstation. For more information about creating roles, including instructions on creating roles from the Cloud Console, see Creating and Managing Custom Roles in the Google Cloud documentation.

  1. Create a JSON file on your workstation and copy the following contents to the file. For example, vi /tmp/gke-cluster-admin.json. The contents apply the minimum permissions needed for the GKE Cluster Admin.
    {
      "name": "customClusterAdminRole",
      "title": "Custom Role for GKE Cluster Admin",
      "includedPermissions": [
        "compute.addresses.create",
        "compute.addresses.delete",
        "compute.addresses.get",
        "compute.addresses.use",
        "compute.firewallPolicies.get",
        "compute.firewalls.get",
        "compute.instanceGroups.get",
        "compute.instanceGroups.list",
        "compute.instances.get",
        "compute.instances.list",
        "compute.networks.create",
        "compute.networks.delete",
        "compute.networks.get",
        "compute.networks.listPeeringRoutes",
        "compute.networks.updatePolicy",
        "compute.networks.use",
        "compute.nodeGroups.get",
        "compute.regionOperations.get",
        "compute.regionOperations.list",
        "compute.regions.get",
        "compute.routers.create",
        "compute.routers.delete",
        "compute.routers.get",
        "compute.routers.update",
        "compute.routers.use",
        "compute.subnetworks.create",
        "compute.subnetworks.delete",
        "compute.subnetworks.get",
        "compute.subnetworks.use",
        "compute.vpnTunnels.get",
        "container.clusters.create",
        "container.clusters.delete",
        "container.clusters.update",
        "container.daemonSets.create",
        "container.daemonSets.delete",
        "container.daemonSets.get",
        "container.daemonSets.getStatus",
        "container.daemonSets.list",
        "container.nodes.list",
        "container.operations.get",
        "container.operations.list",
        "container.podSecurityPolicies.create",
        "container.podSecurityPolicies.delete",
        "container.podSecurityPolicies.get",
        "container.podSecurityPolicies.list",
        "container.podSecurityPolicies.update",
        "container.roleBindings.create",
        "container.roleBindings.delete",
        "container.roleBindings.get",
        "container.roles.bind",
        "container.roles.create",
        "container.roles.delete",
        "container.roles.get",
        "container.serviceAccounts.create",
        "container.serviceAccounts.delete",
        "container.serviceAccounts.get"
      ],
      "stage": "GA"
    }
  2. Once the file is created, run the following command to create the GKE Cluster Admin role, named customClusterAdminRole:
    gcloud iam roles create <role_name> --project <project_name> --file=/<path>/<file_name>.json

    Where <project_name> is the project ID that the GKE cluster will be deployed in. For example:

    gcloud iam roles create customClusterAdminRole --project cloud-project-1592 --file=/tmp/gke-cluster-admin.json
  3. Next, grant the new customClusterAdminRole and the following four predefined Compute Engine, Kubernetes Engine, Service Account, and Logging roles to the member or service account that will be used to create the GKE cluster:
    • roles/compute.networkViewer
    • roles/container.clusterViewer
    • roles/iam.serviceAccountUser
    • roles/logging.viewer

    For information about granting roles to a member, see Granting, changing, and revoking access to resources. For information about applying a role to a service account, see Creating and managing service accounts. And for details about the predefined roles, see Predefined Roles in the Google Cloud documentation.

Create and Assign the GKE Cluster Developer Role

The following IAM role applies the minimum permissions needed for the GKE Cluster Developer role. Follow the instructions below to create the role and assign it to the Anzo service account.

Google Cloud IAM administrator privileges are required to create and assign IAM roles. The steps below give instructions for creating the custom GKE Cluster Developer role from the workstation. For more information about creating roles, including instructions on creating roles from the Cloud Console, see Creating and Managing Custom Roles in the Google Cloud documentation.

  1. Create a JSON file on your workstation and copy the following contents to the file. For example, vi /tmp/gke-cluster-developer.json.
    {
      "name": "customClusterDevAnzoRole",
      "title": "Custom Role with Additional permissions required to deploy resources through Anzo",
      "includedPermissions": [
        "compute.machineTypes.list",
        "storage.buckets.get",
        "storage.buckets.list"
      ],
      "stage": "GA"
    }
  2. Once the file is created, run the following command to create the GKE Cluster Developer role, named customClusterDevAnzoRole:
    gcloud iam roles create <role_name> --project <project_name> --file=/<path>/<file_name>.json

    Where <role_name> is the unique ID to use for the role and <project_name> is the project ID that the GKE cluster will be deployed in. For example:

    gcloud iam roles create customClusterDevAnzoRole --project cloud-project-1592 --file=/tmp/gke-cluster-developer.json
  3. Next, grant the new customClusterDevAnzoRole and the following three predefined Kubernetes Engine Developer, Kubernetes Engine Service Agent, and Storage Object Viewer roles to the Anzo service account:
    • roles/container.developer
    • roles/container.serviceAgent
    • roles/storage.objectViewer

    For information about applying a role to a service account, see Creating and managing service accounts in the Google Cloud documentation. For details about the predefined roles, see Predefined Roles in the Google Cloud documentation.
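The two procedures above (the GKE Cluster Admin role with its four predefined roles, and the GKE Cluster Developer role with its three) follow the same shape: write the role definition file, create the custom role, then bind the custom role and the predefined roles to one principal. The script below is an added example, not part of the Anzo documentation or the gcloud tooling, that automates both. PROJECT_ID, ADMIN_MEMBER and ANZO_SA are constructed placeholders; the admin role file lists only a representative subset of the permissions from step 1, so substitute the full list in practice. With DRY_RUN=1 (the default) it prints each gcloud command instead of executing it, which lets you review the exact bindings before they are applied.

```shell
#!/usr/bin/env bash
# Added example, not from the Anzo documentation: script the role creation and
# role grants described in the GKE Cluster Admin and GKE Cluster Developer steps.
# PROJECT_ID, ADMIN_MEMBER and ANZO_SA are constructed placeholders; replace them.
# DRY_RUN=1 (the default) prints each gcloud command instead of executing it.
set -eu

PROJECT_ID="${PROJECT_ID:-cloud-project-1592}"
ADMIN_MEMBER="${ADMIN_MEMBER:-user:gke-admin@example.com}"
ANZO_SA="${ANZO_SA:-serviceAccount:anzo-sa@cloud-project-1592.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"

# Print the gcloud command line (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}

# Write a custom-role definition file in the same shape as the JSON files above.
# Usage: write_role_file <path> <role_name> <title> <permission>...
write_role_file() {
  local path="$1" name="$2" title="$3" first=1 perm
  shift 3
  {
    printf '{\n  "name": "%s",\n  "title": "%s",\n  "includedPermissions": [\n' "$name" "$title"
    for perm in "$@"; do
      [ "$first" = 1 ] || printf ',\n'
      printf '    "%s"' "$perm"
      first=0
    done
    printf '\n  ],\n  "stage": "GA"\n}\n'
  } > "$path"
}

# Number of permissions written to a role file; compare it with your intended
# list before creating the role.
count_permissions() {
  grep -c '^    "' "$1"
}

# Create the custom role, then bind it and each predefined role to one principal.
# Usage: provision_role <project> <role_name> <role_file> <member> <predefined_role>...
provision_role() {
  local project="$1" role="$2" file="$3" member="$4" r
  shift 4
  run iam roles create "$role" --project "$project" --file="$file"
  run projects add-iam-policy-binding "$project" --member="$member" \
    --role="projects/$project/roles/$role"
  for r in "$@"; do
    run projects add-iam-policy-binding "$project" --member="$member" --role="$r"
  done
}

main() {
  local workdir
  workdir="$(mktemp -d)"

  # GKE Cluster Admin: a representative subset of the permissions from step 1
  # (use the full list from the page in practice), granted to the cluster creator.
  write_role_file "$workdir/gke-cluster-admin.json" customClusterAdminRole \
    "Custom Role for GKE Cluster Admin" \
    compute.networks.create compute.subnetworks.create container.clusters.create \
    container.clusters.delete container.clusters.update
  provision_role "$PROJECT_ID" customClusterAdminRole "$workdir/gke-cluster-admin.json" \
    "$ADMIN_MEMBER" roles/compute.networkViewer roles/container.clusterViewer \
    roles/iam.serviceAccountUser roles/logging.viewer

  # GKE Cluster Developer: the three permissions from the developer role file,
  # granted to the Anzo service account together with the three predefined roles.
  write_role_file "$workdir/gke-cluster-developer.json" customClusterDevAnzoRole \
    "Custom Role with Additional permissions required to deploy resources through Anzo" \
    compute.machineTypes.list storage.buckets.get storage.buckets.list
  provision_role "$PROJECT_ID" customClusterDevAnzoRole "$workdir/gke-cluster-developer.json" \
    "$ANZO_SA" roles/container.developer roles/container.serviceAgent roles/storage.objectViewer

  rm -rf "$workdir"
}

main "$@"
```

The custom role is referenced in the binding by its full resource name, projects/<project_name>/roles/<role_name>, which is how gcloud projects add-iam-policy-binding expects a project-level custom role; the predefined roles are passed by their roles/ names exactly as listed in the steps above.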

Once the IAM roles are in place and users are granted access, proceed to Creating the GKE Cluster for instructions on configuring and creating the cluster.
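Before proceeding, it is worth confirming that each principal holds exactly the roles this topic assigns and nothing more, since an accidental extra binding (an owner or editor grant left over from testing, for instance) undoes the least-privilege intent of the custom roles. The check below is an added example, not part of the Anzo documentation. Against a live project the role list for a member comes from gcloud projects get-iam-policy with a --flatten/--filter/--format combination that prints one role per line; here SAMPLE_POLICY_OUTPUT is a constructed stand-in for that output, so the comparison runs offline. It is written for the Anzo service account (GKE Cluster Developer) but the same function works for the GKE Cluster Admin principal with its own expected list.

```shell
#!/usr/bin/env bash
# Added example, not from the Anzo documentation: confirm that a principal holds
# exactly the roles this topic assigns before moving on to cluster creation.
# Against a live project the role list comes from:
#   gcloud projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
#       --filter="bindings.members:$MEMBER" --format="value(bindings.role)"
# which prints one role per line. SAMPLE_POLICY_OUTPUT is a constructed stand-in
# for that output so the check runs offline.
set -eu

PROJECT_ID="${PROJECT_ID:-cloud-project-1592}"

# Roles the Anzo service account (GKE Cluster Developer) should hold, per the steps above.
expected_developer_roles() {
  printf '%s\n' \
    "projects/$PROJECT_ID/roles/customClusterDevAnzoRole" \
    roles/container.developer \
    roles/container.serviceAgent \
    roles/storage.objectViewer
}

# Constructed sample of get-iam-policy output: the documented set plus one role
# (roles/owner) that should not be there.
SAMPLE_POLICY_OUTPUT="projects/$PROJECT_ID/roles/customClusterDevAnzoRole
roles/container.developer
roles/container.serviceAgent
roles/owner
roles/storage.objectViewer"

# Compare the roles a principal actually holds with the expected set.
# Prints one "MISSING <role>" or "EXTRA <role>" line per difference and returns
# non-zero when the sets differ. Role names contain no whitespace, so plain
# word splitting over the newline-separated lists is safe here.
audit_roles() {
  local actual="$1" expected="$2" rc=0 role
  for role in $expected; do
    printf '%s\n' "$actual" | grep -qxF -- "$role" || { echo "MISSING $role"; rc=1; }
  done
  for role in $actual; do
    printf '%s\n' "$expected" | grep -qxF -- "$role" || { echo "EXTRA $role"; rc=1; }
  done
  return "$rc"
}

main() {
  if audit_roles "$SAMPLE_POLICY_OUTPUT" "$(expected_developer_roles)"; then
    echo "OK: bindings match the documented set"
  else
    echo "Bindings differ from the documented set; review them before creating the cluster"
  fi
}

main "$@"
```

Run against the constructed sample the script reports EXTRA roles/owner and exits the check with a non-zero status; on a live project, replace SAMPLE_POLICY_OUTPUT with the output of the gcloud query shown in the comments.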
