Google Cloud Platform

The tutorial provides instructions on how to set up a service account key that clients have the option to integrate EMCP into their GCP environment.

Prerequisites

In Google Cloud Platform (GCP), a service account key is a type of credential used to authenticate and authorize applications and virtual machines (VMs) to access GCP services programmatically. Service account keys are associated with service accounts, which are identities used by applications running on GCP to interact with other services and resources securely.

Service Account Keys: To authenticate as a service account, applications typically use a service account key, which is a JSON file that contains authentication credentials. This key file is downloaded from GCP and is used by the application to authenticate itself when making API requests.

Create Service Account Keys

In this section, we will create a Service Account and a Service Account Keys that we will use in EMCP.

Sign in to the GCP console.
Next, you need to navigate to the "Service Accounts" tab.

After that, you need to create a Service Account for EMCP. To do this, click on the "+ CREATE SERVICE ACCOUNT" button.

After successfully creating the Service Account, you will be able to see the account listed in the table displaying all accounts.

Next, you need to navigate to the page with detailed information about the Service Account you created earlier. To do this, click on the email address associated with the Service Account in the table.

After you navigate to the detailed information page of the Service Account, you should select the 'KEYS' tab.

The next step is to select the "ADD KEY" button and then choose "Create new key" from the dropdown list. In the modal window that appears, select the key format (JSON) and click the "CREATE" button.

After doing this, the key will be automatically generated and downloaded to your device.

Manual Configuration of Permissions

To use this key in EMCP, ensure that your service account is assigned a role that grants the following permissions:

billing.resourceCosts.get
compute.disks.create
compute.firewallPolicies.create
compute.firewallPolicies.delete
compute.firewallPolicies.get
compute.firewallPolicies.update
compute.firewallPolicies.use
compute.globalOperations.get
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.setMetadata
compute.instances.start
compute.instances.stop
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.setFirewallPolicy
compute.networks.updatePolicy
compute.projects.get
compute.subnetworks.create
compute.subnetworks.delete
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zones.get
resourcemanager.projects.get

You can use predefined roles provided by GCP or create your own custom role and assign it the necessary access permissions.

Enable Compute Engine API

At this step, you need to select the "Compute Engine" tab and click the "Enable" button to enable the creation of VMs.

Add credentials

The final step is to add the key that you previously created and downloaded to your device into EMCP.

in the EMCP, go to vHSM -> Vault -> Cloud Keys to add the API key. Once you finish everything, fill in the details of all the IDs and secrets you saw above.

Last updated 5 months ago