...
...
You need a valid Google Cloud Platform account. This account will be used to authenticate Terraform to interact with GCP resources.
The following roles must be granted to the logged-in user account:
Editor Role
Secret Manager Admin
Storage Object Admin
Cloud Functions Admin
Create a custom role and assign the following permissions to it:
storage.buckets.get
storage.buckets.update
storage.objects.update
Google Cloud console users must have the privilege to launch Google resources such as instances, Dataproc clusters, Cloud Storage, and disks in the project.
Logged-in users must have the privilege to run gcloud commands in GCP.
To use an existing service account for deployments, add the Cloud Functions Admin (roles/cloudfunctions.admin) role to it. For additional permissions, refer to the Prerequisites for deploying Kyvos in a GCP environment using Deployment Manager section.
To use an existing VPC for deployments, it must satisfy the requirements outlined in the Prerequisites for deploying Kyvos in a GCP environment section.
To use an existing bucket for deployments, the permissions outlined in the Prerequisites for deploying Kyvos in a GCP environment section must be granted on it.
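The checks below are an added example, not part of the Kyvos documentation: they compare the roles actually bound to the logged-in account, and the permissions actually in the custom role, against the lists above, so a missing prerequisite surfaces before Terraform fails halfway through. PROJECT_ID and the custom role ID are assumptions; the role IDs are the GCP identifiers for the display names in the list. The comparison functions read their input from stdin, so they can be exercised on constructed data without a GCP session.

```shell
#!/bin/sh
# Added example (not from the Kyvos documentation): verify the logged-in
# account holds the roles listed above and that the custom role carries
# the three storage permissions. PROJECT_ID is an assumed placeholder.
PROJECT_ID="${PROJECT_ID:-my-kyvos-project}"

# GCP role IDs for Editor, Secret Manager Admin, Storage Object Admin,
# Cloud Functions Admin (the display names used on the page).
REQUIRED_ROLES="roles/editor
roles/secretmanager.admin
roles/storage.objectAdmin
roles/cloudfunctions.admin"

# Permissions the page lists for the custom role.
ROLE_PERMISSIONS="storage.buckets.get
storage.buckets.update
storage.objects.update"

# bound_roles_for MEMBER: roles bound directly to MEMBER on the project.
# Group and folder/org-level grants are not expanded, so a reported miss
# may still be satisfied indirectly; check those by hand.
bound_roles_for() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$1" \
    --format="value(bindings.role)"
}

# missing_roles: reads bound roles (one per line) on stdin and prints every
# required role that is absent. -F -x forces exact, literal matching.
missing_roles() {
  bound="$(cat)"
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    printf '%s\n' "$bound" | grep -qxF "$role" || printf '%s\n' "$role"
  done
}

# missing_permissions: reads the custom role's permissions (one per line)
# on stdin and prints every required permission that is absent.
missing_permissions() {
  have="$(cat)"
  printf '%s\n' "$ROLE_PERMISSIONS" | while IFS= read -r perm; do
    printf '%s\n' "$have" | grep -qxF "$perm" || printf '%s\n' "$perm"
  done
}

# check_user ROLE_ID: live check against GCP (needs an active gcloud login).
# 'value(includedPermissions)' joins the list with ';', hence the tr.
check_user() {
  account="$(gcloud config get-value account)"
  echo "Roles missing for user:$account (if any):"
  bound_roles_for "user:$account" | missing_roles
  echo "Permissions missing from custom role $1 (if any):"
  gcloud iam roles describe "$1" --project="$PROJECT_ID" \
    --format="value(includedPermissions)" | tr ';' '\n' | missing_permissions
}
```

Run `check_user kyvosStorageRole` (assumed role ID) after `gcloud auth login`; empty output under both headings means the account-level prerequisites are in place.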
...
from Step 2 to Step 27.
Prerequisites to run Terraform from a local machine
...
Encryption Key (CMK) support in GCP Terraform
...
...
...
To use an existing service account for deployments, the following predefined roles are needed on the Kyvos service account:
roles/cloudkms.cryptoKeyEncrypter (Cloud KMS CryptoKey Encrypter)
roles/cloudkms.cryptoKeyDecrypter (Cloud KMS CryptoKey Decrypter)
roles/cloudkms.cryptoKeyEncrypterDecrypter (Cloud KMS CryptoKey Encrypter/Decrypter)
Bind these roles on the key (or key ring) itself rather than at project level, so the service account can use only the Kyvos key.
Note
To use the BYOK (Bring Your Own Key) feature, the Cloud Storage and Secret Manager service agents must exist in the project you deploy to, because those service agents are the identities that use the key on behalf of the two services. For more details, refer to the Google documentation.
To use an existing key, specify the cmkKeyRingName and cmkKeyName parameters.
To use an existing service account for deployments, the following roles are needed:
roles/cloudkms.cryptoKeyEncrypter
roles/cloudkms.cryptoKeyDecrypter
roles/cloudkms.cryptoKeyEncrypterDecrypter
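The following script is an added example, not Kyvos's own code, covering both the role list above and the BYOK note: it provisions the Cloud Storage and Secret Manager service agents, then binds the three Cloud KMS roles to the Kyvos service account and the Encrypter/Decrypter role to the two service agents, all scoped to the key named by cmkKeyRingName and cmkKeyName rather than to the whole project. The project ID, project number, location, key names and service account address are assumptions; with the default DRY_RUN=1 the script only prints the gcloud commands so they can be reviewed before execution.

```shell
#!/bin/sh
# Added example (not from the Kyvos documentation): key-scoped Cloud KMS
# bindings for CMK/BYOK. All values below are assumed placeholders.
PROJECT_ID="${PROJECT_ID:-my-kyvos-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # gcloud projects describe PROJECT_ID
KMS_LOCATION="${KMS_LOCATION:-us-central1}"
KYVOS_SA="${KYVOS_SA:-kyvos-sa@my-kyvos-project.iam.gserviceaccount.com}"
cmkKeyRingName="${cmkKeyRingName:-kyvos-keyring}"  # parameter names from the page
cmkKeyName="${cmkKeyName:-kyvos-key}"
DRY_RUN="${DRY_RUN:-1}"                            # 0 = actually run the commands

# run: print the command; execute it only when DRY_RUN=0.
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = "0" ] && "$@"; return 0; }

# Service agent addresses follow Google's documented naming, derived from
# the project number, so they can be computed without an API call.
gcs_service_agent() {
  printf 'service-%s@gs-project-accounts.iam.gserviceaccount.com\n' "$PROJECT_NUMBER"
}
secretmanager_service_agent() {
  printf 'service-%s@gcp-sa-secretmanager.iam.gserviceaccount.com\n' "$PROJECT_NUMBER"
}

# ensure_service_agents: the agents exist only once the service has been used
# or explicitly provisioned; these commands create them if they are missing.
ensure_service_agents() {
  run gcloud storage service-agent --project="$PROJECT_ID"
  run gcloud beta services identity create \
    --service=secretmanager.googleapis.com --project="$PROJECT_ID"
}

# bind_key_role MEMBER ROLE: binding on the key itself (not the project).
bind_key_role() {
  run gcloud kms keys add-iam-policy-binding "$cmkKeyName" \
    --keyring="$cmkKeyRingName" --location="$KMS_LOCATION" \
    --project="$PROJECT_ID" --member="$1" --role="$2"
}

grant_kms_roles() {
  # The three roles the page lists, on the Kyvos service account.
  for role in roles/cloudkms.cryptoKeyEncrypter \
              roles/cloudkms.cryptoKeyDecrypter \
              roles/cloudkms.cryptoKeyEncrypterDecrypter; do
    bind_key_role "serviceAccount:$KYVOS_SA" "$role"
  done
  # The service agents encrypt and decrypt on behalf of Cloud Storage and
  # Secret Manager, so each needs both directions on the key.
  bind_key_role "serviceAccount:$(gcs_service_agent)" \
    roles/cloudkms.cryptoKeyEncrypterDecrypter
  bind_key_role "serviceAccount:$(secretmanager_service_agent)" \
    roles/cloudkms.cryptoKeyEncrypterDecrypter
}

ensure_service_agents
grant_kms_roles
```

Review the printed commands, then rerun with `DRY_RUN=0` and the real project values exported.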
...
Click Roles > Create new role. Provide a name like Kyvos-role for the storage service, and assign the following permissions.
Click Edit on the service account and add the following roles.
Kyvos-role (created in step 1)
BigQuery data viewer
BigQuery user
Dataproc Worker
Cloud Functions Invoker
Cloud Scheduler Admin
Cloud Scheduler Service Agent
Service Account User
Logs Writer
Permissions for cross-project dataset access with BigQuery:
Use the same service account that is used by the Kyvos VMs.
Grant that service account the following roles on the BigQuery project:
BigQuery Data Viewer
BigQuery User
For accessing BigQuery Views, add the following permissions to the Kyvos custom role (created above).
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.update
bigquery.tables.updateData
Permissions to generate temporary views in a separate dataset when performing the validation/preview operation from Kyvos on Google BigQuery:
bigquery.tables.create: create a new table
bigquery.tables.updateData: write data to a new table, overwrite a table, or append data to a table
Additional permissions required to run autoscaling for GCP Enterprise
Apart from the existing permissions mentioned in the Creating a service account from Google Cloud Console section, you also need the following permissions for GCP Enterprise:
Permissions required in GCP
compute.instanceGroups.get
compute.instances.create
compute.disks.create
compute.disks.use
compute.subnetworks.use
compute.instances.setServiceAccount
compute.instances.delete
compute.instanceGroups.update
compute.instances.use
compute.instances.detachDisk
compute.disks.delete
Conditional permission if the network is in a project other than the one holding the Kyvos resources:
compute.subnetworks.use (granted to the Kyvos service account in the project where your network resides)
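The script below is an added example, not Kyvos's own code, and covers the service account section above (custom role, predefined roles, cross-project BigQuery access) together with the autoscaling permissions just listed. It creates the Kyvos custom role with the BigQuery view permissions, binds the predefined roles to the service account, grants the two BigQuery roles on a separate BigQuery project, extends the custom role with the autoscaling permissions, and, only when a network project is set, creates a one-permission role there carrying compute.subnetworks.use. Project IDs, the service account address and the role IDs are assumptions; the storage permissions for Kyvos-role from the page's table are not reproduced here and can be supplied through EXTRA_PERMISSIONS. With the default DRY_RUN=1 the commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the Kyvos documentation). Placeholders are assumed.
PROJECT_ID="${PROJECT_ID:-my-kyvos-project}"
BQ_PROJECT_ID="${BQ_PROJECT_ID:-my-bigquery-project}"  # project holding the datasets
NETWORK_PROJECT_ID="${NETWORK_PROJECT_ID:-}"           # set only if the network lives elsewhere
KYVOS_SA="${KYVOS_SA:-kyvos-sa@my-kyvos-project.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-kyvosRole}"                        # custom role "Kyvos-role"
EXTRA_PERMISSIONS="${EXTRA_PERMISSIONS:-}"             # storage permissions from the page's table
DRY_RUN="${DRY_RUN:-1}"

run() { printf '%s\n' "$*"; [ "$DRY_RUN" = "0" ] && "$@"; return 0; }

# GCP role IDs for the display names listed on the page.
SA_ROLES="roles/bigquery.dataViewer roles/bigquery.user roles/dataproc.worker
roles/cloudfunctions.invoker roles/cloudscheduler.admin roles/cloudscheduler.serviceAgent
roles/iam.serviceAccountUser roles/logging.logWriter"

# Permissions for BigQuery views (the four listed on the page).
BQ_VIEW_PERMISSIONS="bigquery.tables.create,bigquery.tables.delete,bigquery.tables.update,bigquery.tables.updateData"

# Autoscaling permissions for GCP Enterprise (the eleven listed on the page).
AUTOSCALING_PERMISSIONS="compute.instanceGroups.get,compute.instances.create,compute.disks.create,compute.disks.use,compute.subnetworks.use,compute.instances.setServiceAccount,compute.instances.delete,compute.instanceGroups.update,compute.instances.use,compute.instances.detachDisk,compute.disks.delete"

create_kyvos_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="Kyvos-role" --stage=GA \
    --permissions="$BQ_VIEW_PERMISSIONS${EXTRA_PERMISSIONS:+,$EXTRA_PERMISSIONS}"
}

grant_sa_roles() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$KYVOS_SA" \
    --role="projects/$PROJECT_ID/roles/$ROLE_ID" --condition=None
  for role in $SA_ROLES; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$KYVOS_SA" --role="$role" --condition=None
  done
}

# Cross-project datasets: the same VM service account, bound on the BigQuery project.
grant_cross_project_bigquery() {
  for role in roles/bigquery.dataViewer roles/bigquery.user; do
    run gcloud projects add-iam-policy-binding "$BQ_PROJECT_ID" \
      --member="serviceAccount:$KYVOS_SA" --role="$role" --condition=None
  done
}

# Autoscaling: extend the existing custom role instead of creating a second one.
# For a network in another project, a one-permission custom role there keeps
# the grant to exactly compute.subnetworks.use.
add_autoscaling_permissions() {
  run gcloud iam roles update "$ROLE_ID" --project="$PROJECT_ID" \
    --add-permissions="$AUTOSCALING_PERMISSIONS"
  if [ -n "$NETWORK_PROJECT_ID" ]; then
    run gcloud iam roles create "${ROLE_ID}SubnetUse" --project="$NETWORK_PROJECT_ID" \
      --title="Kyvos subnet use" --stage=GA --permissions=compute.subnetworks.use
    run gcloud projects add-iam-policy-binding "$NETWORK_PROJECT_ID" \
      --member="serviceAccount:$KYVOS_SA" \
      --role="projects/$NETWORK_PROJECT_ID/roles/${ROLE_ID}SubnetUse" --condition=None
  fi
}

create_kyvos_role
grant_sa_roles
grant_cross_project_bigquery
add_autoscaling_permissions
```

`--condition=None` is passed explicitly so the bindings never stall on gcloud's interactive condition prompt when the script runs unattended.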
Prerequisites to deploy Kyvos using Kubernetes
See the Prerequisites to deploy Kyvos using Dataproc section for the complete set of permissions required for deploying Kyvos.
Additionally, for creating a GKE cluster, you must complete the following prerequisites.
Create a GKE cluster
Ensure that the GKE service agent’s default service account (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com) has the Kubernetes Engine Service Agent role attached to it.
Existing Virtual Network
Creating a GKE cluster in an existing VPC network requires two secondary IPv4 ranges in the subnet (one for Pods and one for Services). Additionally, if using a Shared VPC network, the GKE service agent (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com) needs the following role on the host project of the Shared VPC:
Compute Network User
kubernetes_role: You must create a custom role. To do this, click Roles > Create new role, provide a name like kubernetes_role, assign the following permissions, and then attach the role to the service account:
Ports 2181, 45460, and 6903 must be allowed in the firewall ingress rules for all internal communication between the Kubernetes cluster and Kyvos.
Existing (IAM) Service account
Add the following predefined roles to the existing IAM service account:
Service Account Token Creator
Kubernetes Engine Developer
Kubernetes Engine Cluster Admin
Add the following permissions to the kubernetes_role custom role that you created above.
compute.instanceGroupManagers.update
compute.instanceGroupManagers.get
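The script below is an added example, not Kyvos's own code, for the GKE prerequisites above: it checks that the GKE service agent holds the Kubernetes Engine Service Agent role, grants Compute Network User on the Shared VPC host project when one is set, adds the three predefined roles to the existing service account, extends kubernetes_role with the two instance group manager permissions, and creates an ingress rule for ports 2181, 45460 and 6903 limited to an internal source range rather than 0.0.0.0/0. Project ID, project number, network name, source range, service account and role ID are assumptions, and kubernetes_role is assumed to exist already as the page describes. With the default DRY_RUN=1 the commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not from the Kyvos documentation). Placeholders are assumed.
PROJECT_ID="${PROJECT_ID:-my-kyvos-project}"
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"
HOST_PROJECT_ID="${HOST_PROJECT_ID:-}"            # Shared VPC host project, if any
NETWORK="${NETWORK:-kyvos-vpc}"
SOURCE_RANGES="${SOURCE_RANGES:-10.0.0.0/8}"      # internal range of the cluster/Kyvos subnet
KYVOS_SA="${KYVOS_SA:-kyvos-sa@my-kyvos-project.iam.gserviceaccount.com}"
K8S_ROLE_ID="${K8S_ROLE_ID:-kubernetes_role}"
KYVOS_PORTS="tcp:2181,tcp:45460,tcp:6903"         # ports named on the page
DRY_RUN="${DRY_RUN:-1}"

run() { printf '%s\n' "$*"; [ "$DRY_RUN" = "0" ] && "$@"; return 0; }

# The GKE service agent address from the page, derived from the project number.
gke_service_agent() {
  printf 'service-%s@container-engine-robot.iam.gserviceaccount.com\n' "$PROJECT_NUMBER"
}

# check_gke_service_agent: live check (needs gcloud access). Succeeds only if
# roles/container.serviceAgent (Kubernetes Engine Service Agent) is bound.
check_gke_service_agent() {
  gcloud projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$(gke_service_agent)" \
    --format="value(bindings.role)" | grep -qxF roles/container.serviceAgent
}

# Shared VPC: the GKE service agent needs Compute Network User on the host project.
grant_shared_vpc_access() {
  [ -n "$HOST_PROJECT_ID" ] || return 0
  run gcloud projects add-iam-policy-binding "$HOST_PROJECT_ID" \
    --member="serviceAccount:$(gke_service_agent)" \
    --role=roles/compute.networkUser --condition=None
}

# Existing IAM service account: the three predefined roles from the page, then
# the two permissions appended to the existing kubernetes_role custom role.
grant_sa_gke_roles() {
  for role in roles/iam.serviceAccountTokenCreator \
              roles/container.developer \
              roles/container.clusterAdmin; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$KYVOS_SA" --role="$role" --condition=None
  done
  run gcloud iam roles update "$K8S_ROLE_ID" --project="$PROJECT_ID" \
    --add-permissions=compute.instanceGroupManagers.update,compute.instanceGroupManagers.get
}

# Ingress rule for the Kubernetes-to-Kyvos ports, restricted to SOURCE_RANGES.
create_kyvos_firewall_rule() {
  run gcloud compute firewall-rules create kyvos-k8s-internal --project="$PROJECT_ID" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW \
    --rules="$KYVOS_PORTS" --source-ranges="$SOURCE_RANGES"
}

grant_shared_vpc_access
grant_sa_gke_roles
create_kyvos_firewall_rule
```

Run `check_gke_service_agent && echo ok` with a live session before creating the cluster; the remaining functions can be re-run with `DRY_RUN=0` once the printed commands look right.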