Overview
Enterprise OS is a managed services deployment. We provision all infra, network, and storage for the Enterprise OS deployment. To effectively maintain the deployed application, the following roles and permissions need to be granted:
Access Required:
Compute Admin: launch, terminate and troubleshoot GCP Compute services as needed.
DNS Administrator: used to provision internal DNS for internal service resolution.
Pub/Sub Editor: used to provision compute instance status notifications (started, running, stopped, deleted, etc.).
Logging Admin: used in provisioning step 3; Logging is a dependency for retrieving instance status.
Storage Admin: used in provisioning the Bebop Flex Storage Setup (optional if Flex is not used).
Storage HMAC Key Admin: used in provisioning the Bebop Flex Storage Setup (optional if Flex is not used).
Quota Administrator: used to create instance quota raise requests under IAM.
Activate Identity-Aware Proxy for [email protected]
For better security, Identity-Aware Proxy is enabled so that instances are accessed with Google authentication instead of traditional SSH keys.
The Service Account User permission is required for the bbpsrvcuser service account, because that service account is attached to the instances that are launched.
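Because IAP replaces direct SSH key access, the accompanying check a cloud admin wants is that TCP 22 and 3389 are reachable only from IAP's TCP-forwarding source range and not from the internet. The script below is an added example for this page (not part of the deployment's tooling): it reads the JSON that `gcloud compute firewall-rules list --format=json` prints and flags ingress rules that open those ports from any other source range. The source range 35.235.240.0/20 is the one Google publishes for IAP TCP forwarding; the sample rules are constructed.

```python
"""Verify that SSH/RDP ingress is reachable only through IAP TCP forwarding.

Added example for this page, not part of the deployment's tooling. It reads
the JSON from `gcloud compute firewall-rules list --format=json` and flags
INGRESS rules that allow TCP 22 or 3389 from any source range other than
35.235.240.0/20, the source range Google publishes for IAP TCP forwarding.
The sample rules below are constructed.
"""
import json

IAP_RANGE = "35.235.240.0/20"
ADMIN_PORTS = (22, 3389)


def _spec_covers(spec: str, port: int) -> bool:
    """True if a port spec such as '22' or '3000-3100' includes `port`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def opens_admin_port(rule: dict) -> bool:
    """True if an enabled INGRESS rule allows TCP 22 or 3389 (or all traffic)."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    for allow in rule.get("allowed", []):
        if allow.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        specs = allow.get("ports")
        if specs is None:  # no 'ports' key means every port of that protocol
            return True
        if any(_spec_covers(s, p) for s in specs for p in ADMIN_PORTS):
            return True
    return False


def non_iap_admin_rules(rules: list) -> list:
    """Names of rules that expose 22/3389 from a source other than the IAP range.

    Rules scoped only by source tags or service accounts carry no sourceRanges
    and are not flagged here; review those separately.
    """
    flagged = []
    for rule in rules:
        if opens_admin_port(rule) and set(rule.get("sourceRanges", [])) - {IAP_RANGE}:
            flagged.append(rule["name"])
    return sorted(flagged)


# Constructed sample: one correct IAP rule, two rules that expose admin ports
# to non-IAP sources, one unrelated HTTPS rule and one disabled legacy rule.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-iap-ssh-rdp", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
  {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-rdp-range", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3000-3500"]}]},
  {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "old-allow-ssh", "direction": "INGRESS", "disabled": true, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")

if __name__ == "__main__":
    print(non_iap_admin_rules(SAMPLE_RULES))
```

Run it against the real `gcloud` output by loading that JSON in place of SAMPLE_RULES; an empty result means every path to 22/3389 goes through IAP, which is the state the paragraph above describes.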
Service Accounts Needed:
Username: bbpsrvcuser
Roles: Compute Admin
Used for: reading network / subnet info, launching VMs, terminating VMs
*** Please also grant the Service Account User permission to this service account.

Username: bbpflexsrvcuser (optional; not needed if Flex is not used)
Roles: Storage Admin (used for the Flex Storage Setup; optional when Flex is not needed)
Used for: read/write access to GCP Storage Buckets (single bucket access) in Flex based projects
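Once the roles from the Access Required section and the two service accounts above have been granted, it is worth confirming the project's IAM policy matches that request exactly, both for missing bindings that would break provisioning and for extra bindings that widen privilege. The script below is an added example for this page, not Bebop's own tooling. It reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and compares it against the predefined role ids for the role names listed on this page; the project id, the operator e-mail and the sample policy are constructed placeholders.

```python
"""Audit a GCP project IAM policy against the bindings requested on this page.

Added example for this page, not Bebop's own tooling. Input is the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The project
id, the operator e-mail and the sample policy are constructed placeholders.
"""
import json

PROJECT_ID = "example-project"            # placeholder project id
SA_DOMAIN = f"{PROJECT_ID}.iam.gserviceaccount.com"
OPERATOR = "user:ops-admin@example.com"   # placeholder for the console user

# Predefined role ids for the role names in the Access Required section.
CONSOLE_USER_ROLES = {
    "roles/compute.admin",                 # Compute Admin
    "roles/dns.admin",                     # DNS Administrator
    "roles/pubsub.editor",                 # Pub/Sub Editor
    "roles/logging.admin",                 # Logging Admin
    "roles/storage.admin",                 # Storage Admin (Flex only)
    "roles/storage.hmacKeyAdmin",          # Storage HMAC Key Admin (Flex only)
    "roles/servicemanagement.quotaAdmin",  # Quota Administrator
    "roles/iap.tunnelResourceAccessor",    # IAP-secured Tunnel User (IAP SSH/RDP)
}

# Expected bindings keyed by IAM member string.
EXPECTED = {
    OPERATOR: CONSOLE_USER_ROLES,
    f"serviceAccount:bbpsrvcuser@{SA_DOMAIN}": {
        "roles/compute.admin",            # Compute Admin
        "roles/iam.serviceAccountUser",   # Service Account User (requested above)
    },
    f"serviceAccount:bbpflexsrvcuser@{SA_DOMAIN}": {
        "roles/storage.admin",            # Storage Admin, only when Flex is used
    },
}


def roles_bound_to(policy: dict, member: str) -> set:
    """Collect every role the policy binds to `member`."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy: dict, expected: dict = EXPECTED) -> dict:
    """Return {member: {"missing": [...], "unexpected": [...]}}.

    "missing" roles block the provisioning steps above; "unexpected" roles are
    bindings outside the requested set and deserve a least-privilege review.
    """
    report = {}
    for member, wanted in expected.items():
        bound = roles_bound_to(policy, member)
        report[member] = {
            "missing": sorted(wanted - bound),
            "unexpected": sorted(bound - wanted),
        }
    return report


# Constructed sample policy: the operator lacks the quota and HMAC roles,
# bbpsrvcuser lacks Service Account User but carries Project Editor, and
# bbpflexsrvcuser matches the request exactly.
SAMPLE_POLICY = json.loads("""{
  "version": 1, "etag": "BwXexample=",
  "bindings": [
    {"role": "roles/compute.admin", "members": [
      "user:ops-admin@example.com",
      "serviceAccount:bbpsrvcuser@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/dns.admin", "members": ["user:ops-admin@example.com"]},
    {"role": "roles/pubsub.editor", "members": ["user:ops-admin@example.com"]},
    {"role": "roles/logging.admin", "members": ["user:ops-admin@example.com"]},
    {"role": "roles/storage.admin", "members": [
      "user:ops-admin@example.com",
      "serviceAccount:bbpflexsrvcuser@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iap.tunnelResourceAccessor", "members": ["user:ops-admin@example.com"]},
    {"role": "roles/editor", "members": [
      "serviceAccount:bbpsrvcuser@example-project.iam.gserviceaccount.com"]}
  ]
}""")

if __name__ == "__main__":
    for member, result in audit(SAMPLE_POLICY).items():
        print(member, json.dumps(result))
```

Replace SAMPLE_POLICY with the real policy JSON and adjust OPERATOR and PROJECT_ID; anything reported as unexpected (Project Editor on a VM-launching service account in the sample) should be removed rather than left in place, since the service account is attached to every instance the deployment launches.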
Reason for Console Access:
Troubleshooting, and creating certain initial alert settings in Stackdriver for Enterprise regarding instance statuses.
Google IAP for SSH/RDP access.
Managing Bebop Block Storage: provision, scale, monitor and backup/restore.