Google Cloud Platform (GCP) Configuration

Overview

To integrate your Google Cloud Platform (GCP) organization and projects, several policies need to be set in Turbot to provide Turbot the proper access. Turbot uses a service account to manage your organization, projects, and resources.

Service Account Configuration

Turbot recommends creating a service account in IAM for each project managed by Turbot. A single service account can be created in one project and then assigned roles across other projects; however, all API calls made by that service account in the other projects contribute toward a single set of quotas for the service account.

Service accounts are created in IAM, and a private key can be generated during or after creation. The private key type must be JSON in order to be compatible with the Turbot policy.

After the service account has been created, it should be assigned Project Owner rights.

GCP Cloud Resource Manager API Configuration

Before a project is added in Turbot, the following API must be enabled manually so that Turbot can perform checks and changes in GCP:

  • cloudresourcemanager.googleapis.com

To do this, visit the following URL (replacing $projectID with your project ID) and click Enable:

  • https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=$projectID

Policies

The following policies should be set at the cluster level or higher:

  • GCP > Organization ID: Organization ID, e.g., 212969404392.

The following policies should be set at the account level:

  • GCP > Project ID: Project ID that belongs to the organization.
  • GCP > Client Email: Service account ID, e.g., my-service-account@my-project-id.iam.gserviceaccount.com.
  • GCP > Private Key: The full private key generated for the service account. When pasting in the key’s contents, include any newline characters, e.g., \n, as well.
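The three account-level values above all come from the JSON key file downloaded when the service account key is created. As an added example (not Turbot's own code), the following script validates such a key file, pulls out the Project ID, Client Email and Private Key values, and keeps the key's newline characters as the literal `\n` sequences found in the file; the key file contents are constructed and the `managed_project_id` parameter is an assumption used to flag the shared-quota case described under Service Account Configuration.

```python
import json
import re

# Constructed sample of a downloaded service-account key file (not a real
# key; the PEM body is placeholder base64).
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "my-project-id",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7\n"
                   "QUJDREVGRw==\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "my-service-account@my-project-id.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

# A PEM block as the console emits it: header, base64 lines and footer, each
# terminated by a newline.
PEM_RE = re.compile(
    r"\A-----BEGIN PRIVATE KEY-----\n(?:[A-Za-z0-9+/=]+\n)+"
    r"-----END PRIVATE KEY-----\n?\Z")
# <service-account-id>@<home-project-id>.iam.gserviceaccount.com
SA_EMAIL_RE = re.compile(
    r"\A[a-z][-a-z0-9]{4,28}[a-z0-9]@([a-z][-a-z0-9]{4,28}[a-z0-9])"
    r"\.iam\.gserviceaccount\.com\Z")


def turbot_gcp_policies(key_file_text, managed_project_id=None):
    """Validate a service-account key file and return the values for the
    GCP > Project ID, GCP > Client Email and GCP > Private Key policies."""
    key = json.loads(key_file_text)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key (type=%r)" % key.get("type"))
    for field in ("project_id", "client_email", "private_key"):
        if not key.get(field):
            raise ValueError("key file is missing %r" % field)
    match = SA_EMAIL_RE.match(key["client_email"])
    if not match:
        raise ValueError("client_email is not a service-account ID")
    if not PEM_RE.match(key["private_key"]):
        raise ValueError("private_key is not a newline-separated PEM block")
    home_project = match.group(1)
    project_id = managed_project_id or home_project
    return {
        "GCP > Project ID": project_id,
        "GCP > Client Email": key["client_email"],
        # Keep the newlines: write each as the two-character sequence \n,
        # exactly as it appears in the JSON file, so the value survives
        # being pasted into a single-line policy field.
        "GCP > Private Key": key["private_key"].replace("\n", "\\n"),
        # True when the service account lives in another project, so its API
        # calls against this project count toward that account's single quota.
        "shared_quota": project_id != home_project,
    }
```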

User Rights Management

The following policies should be set at the GCP project level:

  • GCP > IAM > Enabled to “Enabled”.
  • GCP > IAM > Directory User Rights Management to “Enforce: GCP/* Rights”.

When GCP > IAM > Directory User Rights Management is set to Enforce, custom IAM roles are created in the project and users are associated with these custom roles according to their Rights in Turbot.
