The cloud-init package must be installed on the VMs. After the virtual machine is started, the following services associated with this package must be started:

  • cloud-config.service;
  • cloud-final.service;
  • cloud-init.service.

You need to create a service account so that Deckhouse can manage resources in the Google Cloud. Below is a brief sequence of steps to create a service account. If you need detailed instructions, you can find them in the provider’s documentation.

Note! The created service account key cannot be restored, you can only delete and create a new one.

Setup using Google Cloud Console

Follow this link, select your project and create a new service account or select an existing one.

The account must be assigned several necessary roles:

Compute Admin
Service Account User
Network Management Admin

You can add roles when creating a service account or edit them here.

To create a service account key in JSON format, click on three vertical dots in the Actions column and select Manage keys. Next, click on Add key -> Create new key -> Key type -> JSON.

Setup using gcloud CLI

To configure via the command line interface, follow these steps:

  1. Export environment variables:

    export PROJECT_ID=sandbox
export SERVICE_ACCOUNT_NAME=deckhouse

  2. Select a project:

    gcloud config set project $PROJECT_ID

  3. Create a service account:

    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME

  4. Connect roles to the service account:

    for role in roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin;
do gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
   --role=${role}; done

    List of roles required:

    roles/compute.admin
roles/iam.serviceAccountUser
roles/networkmanagement.admin

  5. Verify service account roles:

    gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --format='table(bindings.role)' \
      --filter="bindings.members:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

  6. Create a service account key:

    gcloud iam service-accounts keys create --iam-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
      ~/service-account-key-${PROJECT_ID}-${SERVICE_ACCOUNT_NAME}.json