Using a role template for Google Cloud

Prerequisite

Your account must have the iam.roles.create permission. If you are a Google Cloud project or organization owner, you have this permission by default. If you are not an owner, you must have either the Organization Role Administrator or the IAM Role Administrator role assigned.

Procedure

  1. Download the R‑Cloud service role template that contains the role definitions. The template is available at the following location:

    https://storage.googleapis.com/hycu-public/custom-role/hycu_service_role.yaml

  2. Create a role and grant it the permissions required by R‑Cloud. To do so, run the following command:

    gcloud iam roles create <RoleID> --project=<ProjectID> --file=<RoleDefinitionFilePath>

    In this command, <RoleID> is the ID of the role to create (for example hycuRole), <ProjectID> is the ID of your Google Cloud project, and <RoleDefinitionFilePath> is the path to the downloaded template that contains the custom role definition.

For details on creating and managing custom roles, see Google Cloud documentation.

Google Cloud permissions required by R‑Cloud

The following is a list of Google Cloud permissions required by R‑Cloud:

Mandatory for all services

iam.serviceAccounts.actAs
iam.serviceAccounts.get
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.list

Google Compute Engine

compute.acceleratorTypes.get
compute.addresses.create
compute.addresses.createInternal
compute.addresses.get
compute.addresses.list
compute.disks.create
compute.disks.createSnapshot
compute.disks.delete
compute.disks.get
compute.disks.list
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.globalOperations.get
compute.images.getFromFamily
compute.images.getIamPolicy
compute.images.setIamPolicy
compute.images.useReadOnly
compute.instances.attachDisk
compute.instances.create
compute.instances.delete
compute.instances.deleteAccessConfig
compute.instances.detachDisk
compute.instances.get
compute.instances.getSerialPortOutput
compute.instances.list
compute.instances.setLabels
compute.instances.setMachineType
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.update
compute.instances.use
compute.licenses.get
compute.machineImages.useReadOnly
compute.machineTypes.get
compute.machineTypes.list
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.projects.get
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.list
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.subnetworks.get
compute.subnetworks.list
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
compute.zones.list

Google Kubernetes Engine

container.clusterRoleBindings.list
container.clusterRoles.list
container.configMaps.list
container.controllerRevisions.list
container.cronJobs.list
container.customResourceDefinitions.list
container.daemonSets.list
container.deployments.list
container.endpoints.list
container.jobs.list
container.limitRanges.list
container.networkPolicies.list
container.podTemplates.list
container.replicationControllers.list
container.resourceQuotas.list
container.roleBindings.list
container.roles.list
container.secrets.list
container.statefulSets.list
container.thirdPartyObjects.list

Google Cloud Storage

storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.setIamPolicy
storage.objects.update
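Before running the gcloud command from the procedure above, it is worth checking that the role definition file grants exactly the permissions listed for the services you use: a missing permission makes R‑Cloud fail at run time, and an extra one widens the role beyond least privilege. The following script is an added example and is not HYCU's code or part of the template; it parses the restricted YAML layout that gcloud accepts for role files (title, description, stage, includedPermissions) without requiring PyYAML, and diffs the granted permissions against the required list. The embedded role text, the service keys ("all", "gcs") and the function names are constructed for this example; only the mandatory and Cloud Storage permissions are embedded, the Compute Engine and Kubernetes Engine lists from the page can be added to REQUIRED in the same way.

```python
import re

# Required permissions per service, copied from the list above. Only the
# mandatory set and Cloud Storage are embedded here; add the other services
# from the page under their own keys (constructed key names).
REQUIRED = {
    "all": [
        "iam.serviceAccounts.actAs",
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
        "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    ],
    "gcs": [
        "storage.buckets.create", "storage.buckets.createTagBinding",
        "storage.buckets.delete", "storage.buckets.get",
        "storage.buckets.getIamPolicy", "storage.buckets.list",
        "storage.buckets.listTagBindings", "storage.buckets.setIamPolicy",
        "storage.buckets.update", "storage.objects.create",
        "storage.objects.delete", "storage.objects.get",
        "storage.objects.getIamPolicy", "storage.objects.list",
        "storage.objects.setIamPolicy", "storage.objects.update",
    ],
}

# IAM permission strings look like service.resource.verb.
PERMISSION_RE = re.compile(r"[a-z][A-Za-z0-9]*(\.[A-Za-z0-9]+){2,}")

# Constructed role definition for the example (not the HYCU template).
# It lacks storage.objects.update and grants one Compute permission.
SAMPLE_ROLE_YAML = """\
title: "R-Cloud backup role"
description: "Custom role scoped to Cloud Storage backups"
stage: "GA"
includedPermissions:
- iam.serviceAccounts.actAs
- iam.serviceAccounts.get
- iam.serviceAccounts.list
- resourcemanager.projects.get
- resourcemanager.projects.list
- storage.buckets.create
- storage.buckets.createTagBinding
- storage.buckets.delete
- storage.buckets.get
- storage.buckets.getIamPolicy
- storage.buckets.list
- storage.buckets.listTagBindings
- storage.buckets.setIamPolicy
- storage.buckets.update
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.getIamPolicy
- storage.objects.list
- storage.objects.setIamPolicy
- compute.instances.delete
"""


def parse_role_definition(text: str) -> dict:
    """Parse the minimal YAML subset used by gcloud role files.

    Handles `key: value` scalars and block sequences (`- item` lines under
    a key with no value). Comment and blank lines are skipped. This is not a
    general YAML parser; it is enough for role templates.
    """
    role = {"includedPermissions": []}
    current_list = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip().startswith("#"):
            continue
        if line.lstrip().startswith("- "):
            if current_list is None:
                raise ValueError(f"list item outside a sequence: {raw!r}")
            role[current_list].append(line.lstrip()[2:].strip().strip("\"'"))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = key.strip(), value.strip().strip("\"'")
        if value == "":          # start of a block sequence
            role[key] = []
            current_list = key
        else:
            role[key] = value
            current_list = None
    return role


def check_role(role: dict, services: set) -> dict:
    """Diff granted permissions against what the selected services need.

    Returns sorted lists: `missing` (role is insufficient), `extra` (role is
    wider than least privilege for these services) and `malformed` (strings
    that are not shaped like IAM permissions, usually typos in the file).
    """
    wanted = set(REQUIRED["all"])
    for svc in services:
        wanted.update(REQUIRED[svc])
    granted = set(role.get("includedPermissions", []))
    return {
        "missing": sorted(wanted - granted),
        "extra": sorted(granted - wanted),
        "malformed": sorted(p for p in granted if not PERMISSION_RE.fullmatch(p)),
    }


if __name__ == "__main__":
    report = check_role(parse_role_definition(SAMPLE_ROLE_YAML), {"gcs"})
    for kind, perms in report.items():
        print(f"{kind}: {perms or 'none'}")
```

Run it against the real downloaded template by reading the file into parse_role_definition and passing the set of services R‑Cloud protects in your project; an empty `missing` list means the role is sufficient, and anything in `extra` is a candidate for removal before the role is created.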