Configure Google Cloud Platform
Required GCP permissions
The GCP account performing this integration had the following permissions. These were granted by the project admin. Not all these permissions are required to perform this integration.
-
Cloud Build Editor
-
Cloud KMS Admin
-
Compute Admin
-
Deployment Manager Editor
-
Private Logs Viewer
-
Service Account Admin
-
Service Account Key Admin
-
Service Account User
-
Service Management Administrator
-
Service Usage Admin
-
Storage Admin
-
Viewer
Create a service account in GCP
A service account needs to be created in a GCP IAM. This service account will be used by KeyControl Vault to access the GCP key rings. Once created, this service account needs permissions that have to be granted by the project admin.
-
Open a browser and sign in to the GCP portal https://console.cloud.google.com.
-
Select IAM & Admin on Google Cloud Menu.
-
Select Service Accounts in the left-hand pane.
-
Select CREATE SERVICE ACCOUNT.
-
Enter the Service account details.
For example:
-
Select CREATE AND CONTINUE
-
In the Grant this service account access to project section, select Continue.
-
In the Grant users access to this service account section, select DONE.
-
Service Account Permissions
-
Open a browser and sign in to the GCP portal https://console.cloud.google.com.
-
Select IAM & Admin on Google Cloud Menu.
-
Select Service Accounts in the left-hand pane.
-
Select the service account that you have just created.
-
In the DETAILS tab.
-
Take note of the Account Name.
-
Take note of the Unique ID.
-
-
The following roles were given to this service account by the system admin after it was created:
-
Browser
-
Cloud KMS Admin
-
Service Account Key Admin
-
Create a key for the service account
A key needs to be created for the service account created in Create a service account in GCP. This key will be used by KeyControl Vault to access the GCP service account.
-
Open a browser and sign in to the GCP portal: https://console.cloud.google.com.
-
Select IAM & Admin on Google Cloud Menu.
-
Select Service Accounts in the left-hand pane.
-
Select the service account created in Create a service account in GCP from the list.
-
Select the KEYS tab.
-
Select ADD KEY and then select Create new key.
-
Select JSON from the available Key type options.
-
Select CREATE. A pop-up message appears indicating that the key created was downloaded to your computer.
-
Verify by checking your
Downloadsfolder that a .json file was created in the Downloads folder. -
Take note of the new key in the GCP console.
For example:
Create a GCP key ring
This key ring will be used to store keys managed by KeyControl Vault. A new GCP key ring was created for this integration to show the entire process. You can use an existing key ring instead.
If you are using an existing GCP key ring, proceed to section configure-kc-as-gcp-csp.adoc#create-keycontrol-csp-account directly, skipping this section entirely.
-
Open a browser and sign in to the GCP portal: https://console.cloud.google.com.
-
In the navigation menu select Security > Key Management.
-
Select + CREATE KEY RING.
-
Enter the Key ring name and select the Location type.
For example:
-
Select CREATE to create the key ring
-
Select CANCEL in the Create key pane.