...
To create Kyvos resources, read the following:
Prerequisites to
...
deploy Kyvos
Anchor | ||||
---|---|---|---|---|
|
You need a valid Google Cloud Platform account. This account will be used to authenticate Terraform to interact with GCP resources.
The following permissions must be given to the logged-in user account:
Editor
Secret Manager Admin
Storage Object Admin
Cloud Functions Admin
Service Account Token Creator
Kubernetes Engine Developer
Kubernetes Engine Cluster AdminWorkload Identity User
Create a custom role and assign the below permission to the role.
storage.buckets.get
storage.buckets.update
storage.objects.update
compute.instanceGroupManagers.update
compute.instanceGroupManagers.getiam.roles.create
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.setIamPolicy
Ensure that custom role must be attached to logged-in user account.
For additional permissions, refer to the Prerequisites for deploying Kyvos in a GCP environment using Deployment Manager section from Step 2 to Step 27.
When using an existing VPC, the subnet must have a minimum mask range of /22
Subnets in which Kubernetes cluster is launched should have connectivity to the subnets in which Kyvos instances are launched.
When using an existing VPC, ensure that the subnet has two secondary IP ranges with valid mask ranges, as these will be used by the Kubernetes cluster.
Click Roles > Create new role. Provide a name like Kyvos-role for storage service, and assign the following permissions. This role should be attached to Kyvos service account.
|
|
|
Prerequisites to run Terraform form local machine
Anchor | ||||
---|---|---|---|---|
|
Download and install Terraform on your local machine.
To install Terraform, refer to the Terraform documentation.
Execute Terraform init command to verify successful installation of Terraform.
Jq should be installed on your local machine.
You need a GCP account to create and manage resources. Ensure that you have the necessary permissions.
Configure GCP on your local machine.
For gcloud initialization, refer to the Google documentation.
...
Prerequisites to use Customer Managed Key (CMK
...
) or Bring Your Own Key (BYOK) deployment
Anchor | ||||
---|---|---|---|---|
|
To use an existing service account for deployments, the following predefined roles are needed on Kyvos Service Account:
Cloud KMS CryptoKey Decrypter
Cloud KMS CryptoKey Encrypter
Cloud KMS CryptoKey Encrypter/Decrypter
Panel | ||||||
---|---|---|---|---|---|---|
| ||||||
Note
|
...
To use the BYOK (Bring Your Own Key) feature:
The service agent must be present in the project where the user is going to deploy for create Google Cloud Storage and Secret Manager. For more details, refer to Google documentation.Click Roles > Create new role. Provide a name like Kyvos- role for storage service, and assign the following permissions.
...
deploymentmanager.deployments.list
deploymentmanager.resources.list
deploymentmanager.manifests.list
cloudfunctions.functions.get
dataproc.clusters.list
dataproc.clusters.get
compute.disks.setLabels
compute.instances.start
compute.instances.stop
compute.instances.list
...
compute.instances.setLabels
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.buckets.update
compute.disks.get
compute.instances.get
dataproc.clusters.update
storage.objects.get
...
storage.objects.list
...
storage.objects.update
.
...
...
compute.subnetworks.get
...
resourcemanager.projects.getIamPolicy
...
compute.firewalls.list
...
iam.roles.get
...
compute.machineTypes.get
...
compute.machineTypes.list
...
compute.instances.setMachineType
...
compute.instances.setMetadata
Click Edit to add roles in the service account and add the following roles.
Kyvos-role (created in step 1)
BigQuery data viewer
BigQuery user
Dataproc Worker
Cloud Functions InvokerAdmin
Cloud Scheduler Admin
Cloud Scheduler Service Agent
Service Account User
Logs Writer
Workload Identity User
Permissions for Cross-Project Datasets Access with BigQuery:
Use the same service account that is being used by Kyvos VMs.
Give the following roles to the above-created service account on the BigQuery Project.
BigQuery Data Viewer
BigQuery User
Prerequisites for Cross-Project BigQuery setup and Kyvos VMs.
Use the same service account that is being used by Kyvos VMs.
To the service account used by Kyvos VMs, give the following roles on the BigQuery Project:
BigQuery Data Viewer
BigQuery User
For accessing BigQuery Views, add the following permissions to the Kyvos custom role (created above).
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.update
bigquery.tables.updateData
Permissions to generate Temporary Views in Separate Dataset when performing the validation/preview operation from Kyvos on Google BigQuery.
bigquery.tables.create = permissions to create a new table
bigquery.tables.updateData = to write data to a new table, overwrite a table, or append data to a table
...
compute.instanceGroups.get
compute.instances.create
compute.disks.create
compute.disks.use
compute.subnetworks.use
compute.instances.setServiceAccount
compute.instances.delete
compute.instanceGroups.update
compute.instances.use
compute.instances.detachDisk
compute.disks.delete
compute.instances.attachDisk
Conditional permission needed if using network in the project other than Kyvos resourcesShared Network
compute.subnetworks.use (on the Kyvos service account in the project where your network resides)
...