The cloud-init package must be installed on the VMs. After the virtual machine is started, the following services associated with this package must be started:

  • cloud-config.service;
  • cloud-final.service;
  • cloud-init.service.

You need to create a service account so that Deckhouse can manage resources in the Google Cloud. Below is a brief sequence of steps to create a service account. If you need detailed instructions, you can find them in the provider’s documentation.

Note! The created service account key cannot be restored, you can only delete and create a new one.

Setup using Google Cloud Console

Follow this link, select your project and create a new service account or select an existing one.

The account must be assigned several necessary roles:

Compute Admin
Service Account User
Network Management Admin

You can add roles when creating a service account or edit them here.

To create a service account key in JSON format, click on three vertical dots in the Actions column and select Manage keys. Next, click on Add key -> Create new key -> Key type -> JSON.

Setup using gcloud CLI

To configure via the command line interface, follow these steps:

  1. Export environment variables:

    export PROJECT_ID=sandbox
    export SERVICE_ACCOUNT_NAME=deckhouse
    
  2. Select a project:

    gcloud config set project $PROJECT_ID
    
  3. Create a service account:

    gcloud iam service-accounts create $SERVICE_ACCOUNT_NAME
    
  4. Connect roles to the service account:

    for role in roles/compute.admin roles/iam.serviceAccountUser roles/networkmanagement.admin;
    do gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=serviceAccount:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
       --role=${role}; done
    

    List of roles required:

    roles/compute.admin
    roles/iam.serviceAccountUser
    roles/networkmanagement.admin
    
  5. Verify service account roles:

    gcloud projects get-iam-policy ${PROJECT_ID} --flatten="bindings[].members" --format='table(bindings.role)' \
          --filter="bindings.members:${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
    
  6. Create a service account key:

    gcloud iam service-accounts keys create --iam-account ${SERVICE_ACCOUNT_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
          ~/service-account-key-${PROJECT_ID}-${SERVICE_ACCOUNT_NAME}.json