The cloud-init package must be installed on the VMs.
After the virtual machine is started, the following services associated with this package must be started:
- cloud-config.service
- cloud-final.service
- cloud-init.service
You need to create a service account so that Deckhouse can manage resources in Google Cloud. Below is a brief sequence of steps to create a service account. If you need detailed instructions, you can find them in the provider’s documentation.
Note! A created service account key cannot be restored; you can only delete it and create a new one.
Setup using Google Cloud Console
Follow this link, select your project and create a new service account or select an existing one.
The account must be assigned several necessary roles:
- Compute Admin
- Service Account User
- Network Management Admin
You can add roles when creating a service account or edit them here.
To create a service account key in JSON format, click on the three vertical dots in the Actions column and select Manage keys. Next, click Add key -> Create new key -> Key type -> JSON.
Setup using gcloud CLI
To configure via the command line interface, follow these steps:
- Export environment variables:

      export PROJECT_ID=sandbox
      export SERVICE_ACCOUNT_NAME=deckhouse

- Select a project:

      gcloud config set project "$PROJECT_ID"

- Create a service account:

      gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME"

- Connect roles to the service account:

      for role in roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin; do
        gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
          --member="serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
          --role="${role}"
      done

  List of roles required:

      roles/compute.admin
      roles/iam.serviceAccountUser
      roles/networkmanagement.admin

- Verify service account roles:

      gcloud projects get-iam-policy "${PROJECT_ID}" \
        --flatten="bindings[].members" \
        --format='table(bindings.role)' \
        --filter="bindings.members:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

- Create a service account key:

      gcloud iam service-accounts keys create \
        --iam-account "${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
        ~/service-account-key-${PROJECT_ID}-${SERVICE_ACCOUNT_NAME}.json
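The "Verify service account roles" step can be turned into a pass/fail check that flags both missing roles and roles granted beyond the required list. This is an added example, not part of the Deckhouse documentation; the `check_roles` function name, the `ROLE` header assumption and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Deckhouse docs): check that the service
# account holds exactly the three roles the page lists as required.
REQUIRED_ROLES="roles/compute.admin
roles/iam.serviceAccountUser
roles/networkmanagement.admin"

# Reads the table output of the page's "gcloud projects get-iam-policy"
# verification command on stdin. Assumption: the table prints a "ROLE"
# header line followed by one role per line.
# Prints MISSING/EXTRA lines; returns 0 only if granted == required.
check_roles() {
    granted=$(sed -e 's/[[:space:]]*$//' -e '/^ROLE$/d' -e '/^$/d' | sort -u)
    required=$(printf '%s\n' "$REQUIRED_ROLES" | sort -u)
    rc=0
    # Every required role must appear in the granted set.
    for r in $required; do
        if ! printf '%s\n' "$granted" | grep -qxF -- "$r"; then
            echo "MISSING $r"
            rc=1
        fi
    done
    # Anything granted beyond the required set is reported for review.
    for g in $granted; do
        if ! printf '%s\n' "$required" | grep -qxF -- "$g"; then
            echo "EXTRA $g"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample output: one required role absent, one broad role added.
SAMPLE_OUTPUT="ROLE
roles/compute.admin
roles/iam.serviceAccountUser
roles/owner"

printf '%s\n' "$SAMPLE_OUTPUT" | check_roles || echo "role set differs from the required list"
```

In real use, pipe the output of the verification command from the step above into `check_roles` before creating the key.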