The cloud-init package must be installed on the VMs. After the virtual machine is started, the following services associated with this package must be started:

  • cloud-config.service;
  • cloud-final.service;
  • cloud-init.service.

You need to create a service account so that Deckhouse can manage resources in Google Cloud. Below is a brief sequence of steps to create a service account. If you need detailed instructions, you can find them in the provider’s documentation.

Note! A service account key cannot be restored once it has been created; you can only delete it and create a new one.

The provider supports working with only one disk in the virtual machine template. Make sure the template contains only one disk.

Setup using Google Cloud Console

Follow this link, select your project and create a new service account or select an existing one.

The account must be assigned several necessary roles:

  • Compute Admin
  • Service Account User
  • Network Management Admin

You can add roles when creating a service account or edit them here.

To create a service account key in JSON format, click the three vertical dots in the Actions column and select Manage keys. Next, click Add key -> Create new key -> Key type -> JSON.

Setup using gcloud CLI

To configure via the command line interface, follow these steps:

  1. Export environment variables:

    export PROJECT_ID=sandbox
    export SERVICE_ACCOUNT_NAME=deckhouse
    
  2. Select a project:

    gcloud config set project $PROJECT_ID
    
  3. Create a service account:

    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME
    
  4. Assign roles to the service account:

    for role in roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin; do
      gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
        --member="serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
        --role="${role}"
    done
    

    List of roles required:

    roles/compute.admin
    roles/iam.serviceAccountUser
    roles/networkmanagement.admin
    
  5. Verify service account roles:

    gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --format='table(bindings.role)' \
          --filter="bindings.members:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
    
  6. Create a service account key:

    gcloud iam service-accounts keys create --iam-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
          ~/service-account-key-${PROJECT_ID}-${SERVICE_ACCOUNT_NAME}.json
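
The check in step 5 can be automated so that both missing roles and roles beyond the three required ones are reported. The following is an added example, not part of the Deckhouse documentation; the function name `check_roles` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Deckhouse documentation.
# The three roles this page lists as required.
REQUIRED_ROLES="roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin"

# check_roles reads the step 5 output on stdin: a "ROLE" header, then one role per line.
# Prints "MISSING <role>" for each required role that is not bound and
# "EXTRA <role>" for each bound role outside the required set.
# Returns 0 only when the bound roles are exactly the required ones.
check_roles() {
  rc=0
  # Trim whitespace, drop the header and blank lines, de-duplicate, join with spaces.
  granted=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                -e '/^ROLE$/d' -e '/^$/d' | sort -u | tr '\n' ' ')
  for role in $REQUIRED_ROLES; do
    case " $granted " in
      *" $role "*) ;;
      *) echo "MISSING $role"; rc=1 ;;
    esac
  done
  for role in $granted; do
    case " $REQUIRED_ROLES " in
      *" $role "*) ;;
      *) echo "EXTRA $role"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample of step 5 output (not from a real project):
# one required role is missing and one broad role is bound in addition.
SAMPLE_OUTPUT="ROLE
roles/compute.admin
roles/iam.serviceAccountUser
roles/owner"

# Run against the constructed sample; for a live project, pipe the
# step 5 command into check_roles instead.
printf '%s\n' "$SAMPLE_OUTPUT" | check_roles || true
```

A non-zero return status makes the function usable as a gate in a provisioning script before the key is created in step 6.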