github.com/openshift/installer@v1.4.17/docs/user/gcp/iam.md

github.com/openshift/installer@v1.4.17/docs/user/gcp/iam.md (about)

     1  # GCP Service Account
     2  To install OpenShift to your GCP project, the installer requires a service account, which provides authentication and authorization to access data in the Google APIs. You can use an existing IAM service account that contains the required roles or create one by following these steps:
     3  
     4  
     5  ## Step 1: Create a Service Account
     6  
     7  Create a GCP service account using the console or the CLI
     8  
     9  [GCP: Creating a service account][sa-create]
    10  
    11  ## Step 2: Assign Project Roles to your Service Account
    12  
    13  A service account needs to be granted permission for specific APIs in order to access the services used to created a cluster. You can assign the proper roles during or after the creation of a service account. The simplest approach to assigning roles would be to make the service account an Owner of the project, but that service account would then have complete control over the project, which would be a decided risk. Note that service accounts with these roles are only required for installation (and destruction); the [post-install docs](postinstall.md) outline optional steps for removing the roles granted here.
    14  
    15  The minimum set of [roles][gcp-roles] you can assign the service account are the following:
    16  - Compute Admin
    17  - DNS Administrator
    18  - Security Admin
    19  - Service Account Admin
    20  - Service Account User
    21  - Storage Admin
    22  
    23  If you want the OpenShift cluster to create new limited credentials for its own operators, you also need the following
    24  role:
    25  - Service Account Key Admin
    26  
    27  To assign roles to your service account you may use the console or the CLI:
    28  
    29  [GCP: Assign service account roles][sa-assign]
    30  
    31  ![Add roles to a GCP service account](images/gcp-roles.png)
    32  
    33  ## Step 3: Create and save a Service Account Key
    34  
    35  You will need to create and save a service account key for your service account so you can use it with the OpenShift Installer. You should create the key in JSON format.
    36  
    37  [GCP: Creating a service account key][sa-key]
    38  
    39  [sa-create]: https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account
    40  [gcp-roles]: https://cloud.google.com/iam/docs/understanding-roles#predefined_roles
    41  [sa-assign]: https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource
    42  [sa-key]: https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys