...

To create Kyvos resources, read the following:

Prerequisites to deploy Kyvos

  • You need a valid Google Cloud Platform account. This account will be used to authenticate Terraform to interact with GCP resources.

  • The following roles must be granted to the logged-in user account:

    • Editor

    • Secret Manager Admin

    • Storage Object Admin

    • Cloud Functions Admin

    • Service Account Token Creator

    • Kubernetes Engine Developer

    • Kubernetes Engine Cluster Admin

    • Workload Identity User

  • Create a custom role, assign the following permissions to it, and attach the custom role to the logged-in user account:

    • storage.buckets.get

    • storage.buckets.update

    • storage.objects.update

    • compute.instanceGroupManagers.update

    • compute.instanceGroupManagers.get

    • iam.roles.create

    • iam.serviceAccounts.setIamPolicy

    • resourcemanager.projects.setIamPolicy

    Note that resourcemanager.projects.setIamPolicy and iam.serviceAccounts.setIamPolicy let the holder change project-level and service-account IAM bindings, so grant this custom role only to the account that actually runs the deployment.

  • For additional permissions, refer to Steps 2 to 27 of the Prerequisites for deploying Kyvos in a GCP environment using Deployment Manager section.

  • When using an existing VPC, the subnet's primary IP range must be at least a /22.

  • The subnets in which the Kubernetes cluster is launched must have connectivity to the subnets in which the Kyvos instances are launched.

  • When using an existing VPC, ensure that the subnet has two secondary IP ranges with valid masks; the Kubernetes cluster uses them (for pods and services).

  • Click Roles > Create new role. Provide a name such as Kyvos-role for the storage service and assign the following permissions. Attach this role to the Kyvos service account.

  • deploymentmanager.deployments.list

  • deploymentmanager.resources.list

  • deploymentmanager.manifests.list

  • cloudfunctions.functions.get

  • dataproc.clusters.list

  • dataproc.clusters.get

  • compute.disks.setLabels

  • compute.instances.start

  • compute.instances.stop

  • compute.instances.list

  • compute.instances.setLabels

  • storage.buckets.get

  • storage.buckets.list

  • storage.objects.create

  • storage.objects.delete

  • storage.buckets.update

  • compute.disks.get

  • compute.instances.get

  • dataproc.clusters.update

  • storage.objects.get

  • storage.objects.list

  • storage.objects.update

  • cloudfunctions.functions.update

  • compute.subnetworks.get

  • resourcemanager.projects.getIamPolicy

  • compute.firewalls.list

  • iam.roles.get

  • compute.machineTypes.get

  • compute.machineTypes.list

  • compute.instances.setMachineType

  • compute.instances.setMetadata
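The two prerequisites above that are easiest to get subtly wrong are the custom role's permission list and the sizing of an existing-VPC subnet. The following preflight script is an added example, not Kyvos' or Google's code: it diffs the permissions actually present in a custom role (the JSON printed by gcloud iam roles describe ROLE --project PROJECT --format=json) against the list required for the Kyvos service-account role above, and validates that a subnet's primary range is at least a /22 with two well-formed secondary ranges. The overlap checks go beyond the page (GCP rejects overlapping ranges anyway). The project name, role name, JSON document and CIDR ranges in the samples are constructed.

```python
"""Offline preflight for the Kyvos custom role and existing-VPC subnet.

Added example; not Kyvos' or Google's code. The role JSON below is a
constructed stand-in for `gcloud iam roles describe ... --format=json`.
"""
import ipaddress
import json

# Permissions the page requires in the custom role attached to the Kyvos
# service account (the list under "Create new role" above).
KYVOS_ROLE_PERMISSIONS = frozenset("""
deploymentmanager.deployments.list deploymentmanager.resources.list
deploymentmanager.manifests.list cloudfunctions.functions.get
cloudfunctions.functions.update dataproc.clusters.list dataproc.clusters.get
dataproc.clusters.update compute.disks.setLabels compute.disks.get
compute.instances.start compute.instances.stop compute.instances.list
compute.instances.setLabels compute.instances.get
compute.instances.setMachineType compute.instances.setMetadata
compute.subnetworks.get compute.firewalls.list compute.machineTypes.get
compute.machineTypes.list storage.buckets.get storage.buckets.list
storage.buckets.update storage.objects.create storage.objects.delete
storage.objects.get storage.objects.list storage.objects.update
resourcemanager.projects.getIamPolicy iam.roles.get
""".split())


def audit_role(role_json: str, required=KYVOS_ROLE_PERMISSIONS) -> dict:
    """Compare a role's includedPermissions with the required set.

    'missing' will break the deployment; 'extra' is privilege the page does
    not ask for and is worth trimming (least privilege)."""
    role = json.loads(role_json)
    granted = set(role.get("includedPermissions", []))
    return {
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
    }


def _parse_cidr(cidr: str):
    """Return (network, None) or (None, error). strict=True rejects host bits."""
    try:
        return ipaddress.ip_network(cidr, strict=True), None
    except ValueError as exc:
        return None, f"{cidr!r} is not a valid CIDR range: {exc}"


def check_subnet(primary_cidr: str, secondary_cidrs) -> list:
    """Validate an existing-VPC subnet for Kyvos: primary range at least /22
    and two well-formed, non-overlapping secondary ranges for the cluster."""
    problems = []
    primary, err = _parse_cidr(primary_cidr)
    if err:
        return [err]
    if primary.prefixlen > 22:  # /23, /24, ... are smaller than a /22
        problems.append(f"primary range {primary} is smaller than /22")
    if len(secondary_cidrs) < 2:
        problems.append(f"{len(secondary_cidrs)} secondary range(s); two are required")
    seen = []
    for cidr in secondary_cidrs:
        net, err = _parse_cidr(cidr)
        if err:
            problems.append(err)
            continue
        for other in [primary, *seen]:
            if net.overlaps(other):
                problems.append(f"secondary range {net} overlaps {other}")
        seen.append(net)
    return problems


# Constructed sample role: one required permission missing, one unrequested extra.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/demo-proj/roles/KyvosRole",
    "title": "Kyvos-role",
    "stage": "GA",
    "includedPermissions": sorted(
        (KYVOS_ROLE_PERMISSIONS - {"compute.instances.setMetadata"})
        | {"compute.instances.delete"}
    ),
})

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE_JSON))
    print(check_subnet("10.10.0.0/22", ["10.20.0.0/16", "10.30.0.0/20"]))
    print(check_subnet("10.10.0.0/24", ["10.10.0.0/26"]))
```

Run it as-is to see the constructed samples, or replace SAMPLE_ROLE_JSON with the real gcloud output for your role and the CIDRs with those of your subnet. An empty 'missing' list and an empty problems list mean the prerequisites in this section are met.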

Prerequisites to run Terraform from a local machine

  • Download and install Terraform on your local machine. To install Terraform, refer to the Terraform documentation.

  • Run terraform init to verify that Terraform is installed correctly.

  • jq must be installed on your local machine.

  • You need a GCP account to create and manage resources. Ensure that you have the necessary permissions (see the prerequisites above).

  • Configure the gcloud CLI on your local machine. For gcloud initialization, refer to the Google documentation.

...

Prerequisites to use Customer Managed Key (CMK) or Bring Your Own Key (BYOK) deployment

  • To use an existing service account for deployments, the following predefined roles must be granted to the Kyvos service account:

    • Cloud KMS CryptoKey Decrypter

    • Cloud KMS CryptoKey Encrypter

    • Cloud KMS CryptoKey Encrypter/Decrypter

Note

  • Encryption will be enabled for the following components:

    • Disk

    • Cloud storage

    • Secret manager

  • The Cloud Storage and Secret Manager service agents must be present in the project where you deploy, since those services use their service agents to encrypt with the CMK. For more details, refer to Google documentation.

  • Cloud Key Management Service (KMS) API must be enabled in the project before deployment.

  • The existing CMK must be in the same region as the deployment.

  • The existing CMK's location must be regional; global keys are not supported by Cloud Storage buckets. For more details, refer to Google documentation.

...

  • To use the BYOK (Bring Your Own Key) feature, the Cloud Storage and Secret Manager service agents must be present in the project where you deploy. For more details, refer to Google documentation.

  • Click Roles > Create new role. Provide a name such as Kyvos-role for the storage service and assign the following permissions.
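The CMK rules above (regional key, same region as the deployment, Cloud KMS roles on the Kyvos service account) can be checked before running Terraform. The script below is an added example, not Kyvos' or Google's code: it parses a CryptoKey resource name, rejects global or wrong-region keys, and reads the key's IAM policy (the JSON printed by gcloud kms keys get-iam-policy KEY --keyring RING --location LOCATION --format=json) to confirm the service account holds the encrypter/decrypter roles. It treats the combined Cloud KMS CryptoKey Encrypter/Decrypter role as sufficient on its own, since it grants both the encrypt and decrypt permissions the two single roles carry. The project, key ring, key, service-account email and policy documents in the samples are constructed.

```python
"""Offline check of the CMK/BYOK prerequisites for a Kyvos deployment.

Added example; not Kyvos' or Google's code. The policy JSON below is a
constructed stand-in for `gcloud kms keys get-iam-policy ... --format=json`.
"""
import json
import re

KEY_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)$"
)
ENCRYPTER_DECRYPTER = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
ENCRYPTER = "roles/cloudkms.cryptoKeyEncrypter"
DECRYPTER = "roles/cloudkms.cryptoKeyDecrypter"


def roles_held(policy_json: str, service_account: str) -> set:
    """Roles bound directly to serviceAccount:<email> in a key IAM policy.

    Conditional bindings are ignored on purpose: a condition may deny at
    runtime, so they do not count as satisfying the prerequisite."""
    policy = json.loads(policy_json)
    member = f"serviceAccount:{service_account}"
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }


def check_cmk(key_name: str, deployment_region: str,
              policy_json: str, service_account: str) -> list:
    """Return a list of problems; an empty list means the key is usable."""
    m = KEY_NAME_RE.match(key_name)
    if not m:
        return [f"{key_name!r} is not a CryptoKey resource name"]
    problems = []
    location = m["location"]
    if location == "global":
        problems.append("key location is global; Cloud Storage buckets need a regional key")
    elif location != deployment_region:
        problems.append(f"key is in {location} but the deployment region is {deployment_region}")
    held = roles_held(policy_json, service_account)
    # The combined role grants both encrypt and decrypt; otherwise both
    # single roles are required.
    if ENCRYPTER_DECRYPTER not in held and not {ENCRYPTER, DECRYPTER} <= held:
        problems.append(
            f"{service_account} lacks encrypt/decrypt on the key "
            f"(holds {sorted(held) or 'nothing'})"
        )
    return problems


# Constructed samples (hypothetical project, key and service account).
KYVOS_SA = "kyvos-sa@demo-proj.iam.gserviceaccount.com"
GOOD_KEY = "projects/demo-proj/locations/us-central1/keyRings/kyvos-ring/cryptoKeys/kyvos-key"
GLOBAL_KEY = "projects/demo-proj/locations/global/keyRings/kyvos-ring/cryptoKeys/kyvos-key"
POLICY_OK = json.dumps({"version": 1, "bindings": [
    {"role": ENCRYPTER_DECRYPTER, "members": [f"serviceAccount:{KYVOS_SA}"]},
]})
POLICY_PARTIAL = json.dumps({"version": 1, "bindings": [
    {"role": ENCRYPTER, "members": [f"serviceAccount:{KYVOS_SA}"]},
]})

if __name__ == "__main__":
    print(check_cmk(GOOD_KEY, "us-central1", POLICY_OK, KYVOS_SA))
    print(check_cmk(GLOBAL_KEY, "us-central1", POLICY_OK, KYVOS_SA))
    print(check_cmk(GOOD_KEY, "europe-west1", POLICY_PARTIAL, KYVOS_SA))
```

Replace the constants with your key's resource name, the region you deploy into, the real get-iam-policy output and the Kyvos service-account email; any non-empty result corresponds to one of the prerequisites in this section.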

...

  • deploymentmanager.deployments.list

  • deploymentmanager.resources.list

  • deploymentmanager.manifests.list

  • cloudfunctions.functions.get

  • dataproc.clusters.list

  • dataproc.clusters.get

  • compute.disks.setLabels

  • compute.instances.start

  • compute.instances.stop

  • compute.instances.list

  • compute.instances.setLabels

  • storage.buckets.get

  • storage.buckets.list

  • storage.objects.create

  • storage.objects.delete

  • storage.buckets.update

  • compute.disks.get

  • compute.instances.get

  • dataproc.clusters.update

  • storage.objects.get

  • storage.objects.list

  • storage.objects.update

...

  • compute.subnetworks.get

  • resourcemanager.projects.getIamPolicy

  • compute.firewalls.list

  • iam.roles.get

  • compute.machineTypes.get

  • compute.machineTypes.list

  • compute.instances.setMachineType

  • compute.instances.setMetadata

  1. Click Edit on the service account and add the following roles:

    • Kyvos-role (created in step 1)

    • BigQuery Data Viewer

    • BigQuery User

    • Dataproc Worker

    • Cloud Functions Invoker

    • Cloud Functions Admin

    • Cloud Scheduler Admin

    • Cloud Scheduler Service Agent

    • Service Account User

    • Logs Writer

    • Workload Identity User

  2. Permissions for cross-project dataset access with BigQuery:

    1. Use the same service account that is used by the Kyvos VMs.

    2. Grant that service account the following roles on the BigQuery project:

      • BigQuery Data Viewer

      • BigQuery User

  3. For accessing BigQuery views, add the following permissions to the Kyvos custom role (created above):

    • bigquery.tables.create

    • bigquery.tables.delete

    • bigquery.tables.update

    • bigquery.tables.updateData

  4. Permissions to generate temporary views in a separate dataset when performing the validation/preview operation from Kyvos on Google BigQuery:

    • bigquery.tables.create: create a new table

    • bigquery.tables.updateData: write data to a new table, overwrite a table, or append data to a table

...

  • compute.instanceGroups.get

  • compute.instances.create

  • compute.disks.create

  • compute.disks.use

  • compute.subnetworks.use

  • compute.instances.setServiceAccount

  • compute.instances.delete

  • compute.instanceGroups.update

  • compute.instances.use

  • compute.instances.detachDisk

  • compute.disks.delete

  • compute.instances.attachDisk

Conditional permission needed when the network lives in a project other than the one holding the Kyvos resources (shared network):

  • compute.subnetworks.use (granted to the Kyvos service account in the project where the network resides)

...