Google Cloud
Compute Engine API
To access the Compute Engine API, it has to be enabled in the Google APIs console.
User Roles
The Google Service Account that has to be created needs three roles:
Compute Admin: roles/compute.admin
Service Account User: roles/iam.serviceAccountUser
Viewer: roles/viewer
If the gcloud CLI is installed, a service account can be created as follows:
Google Service Account
A Google Service Account for the platform has to be created; see Creating and managing service accounts. The result is a JSON file containing the fields:
type
project_id
private_key_id
private_key
client_email
client_id
auth_uri
token_uri
auth_provider_x509_cert_url
client_x509_cert_url
The private key is Base64 and contains the newlines as non-escaped strings "\n". To avoid the resulting trouble, the machine controller expects the whole service account to be encoded in Base64.
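An added example (not from the original page or the project): a Python check that a key file carries the fields listed above and encodes the whole file as one base64 line. The function names and the sample values are assumptions constructed for illustration.

```python
import base64
import json

# Field names as listed on this page for the service account JSON file.
REQUIRED_FIELDS = (
    "type", "project_id", "private_key_id", "private_key", "client_email",
    "client_id", "auth_uri", "token_uri",
    "auth_provider_x509_cert_url", "client_x509_cert_url",
)


def encode_service_account(raw_json: str) -> str:
    """Validate a service account key file and return it as one base64 line."""
    account = json.loads(raw_json)  # raises ValueError on malformed JSON
    missing = [f for f in REQUIRED_FIELDS if not account.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    # After JSON parsing, the "\n" sequences in private_key are real newlines.
    key = account["private_key"]
    if not key.startswith("-----BEGIN") or "\n" not in key:
        raise ValueError("private_key is not a multi-line PEM block")
    # Encode the file text unchanged; b64encode emits no line breaks.
    return base64.b64encode(raw_json.encode("utf-8")).decode("ascii")


def decode_service_account(encoded: str) -> dict:
    """Reverse the encoding, as a consumer of the value would."""
    return json.loads(base64.b64decode(encoded, validate=True))


# Constructed sample: placeholder values only, not a usable key.
SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n"
                   "-----END PRIVATE KEY-----\n",
    "client_email": "machines@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000",
    "auth_uri": "https://example.invalid/auth",
    "token_uri": "https://example.invalid/token",
    "auth_provider_x509_cert_url": "https://example.invalid/certs",
    "client_x509_cert_url": "https://example.invalid/x509",
})

if __name__ == "__main__":
    print(encode_service_account(SAMPLE))
```

The encoded string still contains the private key in recoverable form, so it needs the same protection as the JSON file itself.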
Passing the Google Service Account
The base64-encoded secret of the service account is passed in the field serviceAccount of the cloudProviderSpec of the machine deployment. The encoded secret can be entered in the UI field Service Account.