Kyvos now supports automated resource creation for GCP using Terraform.
To create Kyvos resources, read the following:
You need a valid Google Cloud Platform account. This account will be used to authenticate Terraform to interact with GCP resources.
The following permissions must be given to the logged-in user account:
Editor
Secret Manager Admin
Storage Object Admin
Create a custom role and assign the below permission to the role. Ensure that custom role must be attached to logged-in user account.
iam.roles.create
iam.serviceAccounts.setIamPolicy
resourcemanager.projects.setIamPolicy
For additional permissions, refer to the Prerequisites for deploying Kyvos in a GCP environment using Deployment Manager section from Step 2 to Step 27.
When using an existing VPC, the subnet must have a minimum mask range of /22
Subnets in which Kubernetes cluster is launched should have connectivity to the subnets in which Kyvos instances are launched.
When using an existing VPC, ensure that the subnet has two secondary IP ranges with valid mask ranges, as these will be used by the Kubernetes cluster.
Click Roles > Create new role. Provide a name like Kyvos-role for storage service, and assign the following permissions. This role should be attached to Kyvos service account.
|
|
|
Add the below predefined roles in service account used by Kyvos cluster.
BigQuery data viewer
BigQuery user
Dataproc Worker
Cloud Functions Admin
Cloud Scheduler Admin
Cloud Scheduler Service Agent
Service Account User
Logs Writer
Workload Identity User
Permissions for Cross-Project Datasets Access with BigQuery:
Use the same service account that is being used by Kyvos VMs.
Give the following roles to the above-created service account on the BigQuery Project.
BigQuery Data Viewer
BigQuery User
Prerequisites for Cross-Project BigQuery setup and Kyvos VMs.
Use the same service account that is being used by Kyvos VMs.
To the service account used by Kyvos VMs, give the following roles on the BigQuery Project:
BigQuery Data Viewer
BigQuery User
For accessing BigQuery Views, add the following permissions to the Kyvos custom role (created above).
bigquery.tables.create
bigquery.tables.delete
bigquery.tables.update
bigquery.tables.updateData
Permissions to generate Temporary Views in Separate Dataset when performing the validation/preview operation from Kyvos on Google BigQuery.
bigquery.tables.create = permissions to create a new table
bigquery.tables.updateData = to write data to a new table, overwrite a table, or append data to a table
In the API and identity management section of VM, for Cloud API access scopes, the Allow full access to all Cloud APIs must be set.
Download and install Terraform on your local machine.
To install Terraform, refer to the Terraform documentation.
Execute Terraform init command to verify successful installation of Terraform.
Jq should be installed on your local machine.
You need a GCP account to create and manage resources. Ensure that you have the necessary permissions.
For gcloud initialization, refer to the Google documentation.
To use an existing service account for deployments, the following predefined roles are needed on Kyvos Service Account:
Cloud KMS CryptoKey Decrypter
Cloud KMS CryptoKey Encrypter
Cloud KMS CryptoKey Encrypter/Decrypter
Note
|
To use the BYOK (Bring Your Own Key):
The service agent must be present in the project where the user is going to create Google Cloud Storage and Secret Manager. For more details, refer to Google documentation.
Apart from existing permissions mentioned in the Creating a service account from Google Cloud Console section, you must need the following permissions for GCP Enterprise:
Permissions required in GCP
compute.instanceGroups.get
compute.instances.create
compute.disks.create
compute.disks.use
compute.subnetworks.use
compute.instances.setServiceAccount
compute.instances.delete
compute.instanceGroups.update
compute.instances.use
compute.instances.detachDisk
compute.disks.delete
compute.instances.attachDisk
Conditional permission needed if using Shared Network
compute.subnetworks.use (on the Kyvos service account in the project where your network resides)
Prerequisites to deploy Kyvos using Dataproc section for the complete set of permissions required for deploying Kyvos.
Additionally, for creating a GKE cluster, you must complete the following prerequisites.
Ensure that the GKE service agent’s default service account (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com) has the Kubernetes Engine Service Agent role attached to it.
Existing Virtual Network
If using an existing Virtual Network for creating a GKE Cluster requires two secondary IPV4 addresses in the subnet. Additionally, if using a shared Virtual Network, following roles and permissions are required for by Default service account of Kubernetes (service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com) on the project of Shared Virtual Network.
Compute Network User
kubernetes_role: You must create a custom role. To do this, click Roles > Create new role. Provide a name like kubernetes_role; assign the following permissions, and then attach to the service account:
The 2181,45460,6903 ports must be allowed in the Firewall inbound rules for all internal communication between the Kubernetes cluster and Kyvos.
Existing (IAM) Service account
Add the following predefined roles to the existing IAM service account:
Service Account Token Creator
Kubernetes Engine Developer
Kubernetes Engine Cluster Admin
Add the following permissions to the kubernetes_role custom role that you created above.
compute.instanceGroupManagers.update
Compute.instanceGroupManagers.get