GCP Private Region Access Roles

What are the GCP Private Region Access Roles?

Written by Owen Badger
Updated over 2 months ago

Overview

Enterprise OS is a managed services deployment. We provision all infrastructure, network, and storage for the Enterprise OS deployment. To effectively maintain the deployed application, the following roles and permissions need to be granted:

Access Required:

  1. Compute Admin

    • Launch, terminate and troubleshoot GCP Compute Services as needed

  2. DNS Administrator

    • Used to provision Internal DNS for Internal Services resolution.

  3. Pub/Sub Editor

    • Used to publish compute instance status events (started, running, stopped, deleted, etc.)

  4. Logging Admin

    • Used together with step 3; Logging is a dependency for retrieving instance status.

  5. Storage Admin

    • Used in provisioning Bebop Flex Storage Setup (Optional if Flex is not used)

  6. Storage HMAC Key Admin

    • Used in provisioning Bebop Flex Storage Setup (Optional if Flex is not used)

  7. Quota Administrator

    • Used to create instance quota raise requests under IAM.

  8. Activate Identity-Aware Proxy for [email protected]

    • For better security, instances are accessed through Identity-Aware Proxy with Google authentication instead of traditional SSH keys.

  9. Service Account User permission on the bbpsrvcuser service account.

    • The service account is attached to instances that are launched.

Service Accounts Needed:

  1. Username: bbpsrvcuser

    • Roles: Compute Admin

      • Used for: Read Network / Subnet Info, Launch VMs, Terminate VMs

    • ***Please provide Service Account User permission for this service account.

  2. Username: bbpflexsrvcuser

    • Optional if Flex is not used.

    • Roles: Storage Admin (Used for Flex Storage Setup – Optional when Flex is not needed)

      • Read/Write access to GCP Storage Buckets

      • Single Bucket Access

      • Flex Based Projects
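
The two lists above describe an exact set of project-level roles per principal. The following script is an added example (not Bebop's own tooling) that audits a project's IAM policy, as exported by `gcloud projects get-iam-policy PROJECT_ID --format=json`, against those lists: it reports roles that are missing (provisioning will fail), roles held beyond the list (a least-privilege finding), and conditional bindings, which are listed separately because a conditional grant does not reliably satisfy a requirement. The role IDs are the standard GCP identifiers for the display names used above; the project ID, operator group and policy document are constructed sample data, and the Service Account User grant (item 9) is out of scope because it lives on the service account resource, not on the project.

```python
"""Least-privilege audit for the Enterprise OS principals in a GCP project.

Added example, not Bebop's own tooling. Input is the JSON produced by
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

# Roles from the "Access Required" list, by GCP role ID. The storage roles
# are only needed when Bebop Flex storage is in use.
OPERATOR_ROLES = {
    "roles/compute.admin",                 # 1. Compute Admin
    "roles/dns.admin",                     # 2. DNS Administrator
    "roles/pubsub.editor",                 # 3. Pub/Sub Editor
    "roles/logging.admin",                 # 4. Logging Admin
    "roles/servicemanagement.quotaAdmin",  # 7. Quota Administrator
}
FLEX_OPERATOR_ROLES = {
    "roles/storage.admin",                 # 5. Storage Admin
    "roles/storage.hmacKeyAdmin",          # 6. Storage HMAC Key Admin
}
# Roles from the "Service Accounts Needed" list. Service Account User (item 9)
# is granted on the bbpsrvcuser account itself, so a project-policy audit
# does not see it.
SA_ROLES = {
    "bbpsrvcuser": {"roles/compute.admin"},
    "bbpflexsrvcuser": {"roles/storage.admin"},  # optional if Flex is not used
}


def sa_member(name, project_id):
    """IAM member string for a project-owned service account."""
    return f"serviceAccount:{name}@{project_id}.iam.gserviceaccount.com"


def expected_roles(operator_member, project_id, flex_enabled):
    """Map each audited principal to the exact role set it should hold."""
    expected = {operator_member: set(OPERATOR_ROLES)}
    if flex_enabled:
        expected[operator_member] |= FLEX_OPERATOR_ROLES
    for name, roles in SA_ROLES.items():
        if name == "bbpflexsrvcuser" and not flex_enabled:
            roles = set()  # the Flex account should hold nothing when Flex is unused
        expected[sa_member(name, project_id)] = set(roles)
    return expected


def roles_by_member(policy):
    """Invert bindings into {member: (unconditional roles, conditional roles)}."""
    held = {}
    for binding in policy.get("bindings", []):
        bucket = 1 if binding.get("condition") else 0
        for member in binding.get("members", []):
            held.setdefault(member, (set(), set()))[bucket].add(binding["role"])
    return held


def audit(policy, project_id, operator_member, flex_enabled=True):
    """Return {member: {"missing": [...], "extra": [...], "conditional": [...]}}.

    Only unconditional bindings satisfy a requirement; conditional ones are
    reported on their own so a reviewer can decide whether they are wanted.
    """
    held = roles_by_member(policy)
    report = {}
    expected = expected_roles(operator_member, project_id, flex_enabled)
    for member, required in expected.items():
        unconditional, conditional = held.get(member, (set(), set()))
        report[member] = {
            "missing": sorted(required - unconditional),
            "extra": sorted(unconditional - required),
            "conditional": sorted(conditional),
        }
    return report


# Constructed sample policy (not from a real project): the operator group holds
# every required role plus roles/owner, bbpsrvcuser is correct, and
# bbpflexsrvcuser has not been granted its role yet.
SAMPLE_PROJECT = "example-project"
SAMPLE_OPERATOR = "group:enterprise-os-ops@example.com"
SAMPLE_POLICY = {
    "version": 3,
    "etag": "constructed-etag",
    "bindings": [
        {"role": r, "members": [SAMPLE_OPERATOR]}
        for r in sorted(OPERATOR_ROLES | FLEX_OPERATOR_ROLES | {"roles/owner"})
    ] + [
        {"role": "roles/compute.admin",
         "members": [sa_member("bbpsrvcuser", SAMPLE_PROJECT)]},
        {"role": "roles/storage.objectViewer",
         "members": [SAMPLE_OPERATOR],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    ],
}

if __name__ == "__main__":
    # With a real export: policy = json.load(open("policy.json"))
    for member, findings in audit(SAMPLE_POLICY, SAMPLE_PROJECT, SAMPLE_OPERATOR).items():
        print(member, json.dumps(findings))
```

Run the audit twice when Flex is not part of the deployment: with `flex_enabled=False` the two storage roles on the operator move from required to excess, which is the check that keeps optional grants from lingering after a Flex-less install.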

Reason for Console Access:

  1. For troubleshooting and for creating certain initial instance-status alert settings from Stackdriver to Enterprise OS.

  2. Google IAP for SSH/RDP access.

  3. Manage Bebop Block Storage – Provision, Scale, Monitor and Backup/Restore.
