Grant Google Cloud Resource Permissions to CelerData
This topic describes how to use IAM roles to grant CelerData the permissions it needs for cluster deployment and scaling operations.
To allow CelerData to launch and manage Google Cloud resources for your CelerData clusters, grant IAM roles with specific permissions to CelerData's public service account when you create a deployment credential. You can do this either from the Cloud settings page in the CelerData Cloud BYOC console before you create a deployment, or as part of the workflow of creating a deployment.
Required roles and permissions
CelerData requires the following roles and permissions to launch and manage the cloud resources on your behalf:
- Required system-defined role:
  - Compute Admin
- Required permissions:
  - iam.serviceAccounts.actAs
  - storage.buckets.get
Create an IAM role with necessary permissions
Follow these steps to create the IAM role:
- Sign in to your project in the Google Cloud console.
- Expand the left-side navigation menu, and choose IAM & Admin > Roles.
- Click Create role.
- On the Create role page, follow these steps:
  a. Enter the title (for example, DeploymentRoleTest), ID, and optionally a description for the new role.
  b. Select General Availability from the Role launch stage drop-down list.
  c. Click Add permissions.
  d. In the dialog box that appears, search for a permission listed above in the Filter field, select it, and click Add. Repeat this step until you have added all the permissions listed above.
- Click Create.
Grant IAM roles to CelerData's public service account
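In each Google Cloud region, CelerData maintains a public service account for cluster deployment and scaling operations. Grant the IAM role you created in the previous step, along with the Compute Admin role, to the public service account for the region where you want to deploy your cluster.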
GCP region | Region ID | CelerData's Public Service Account Email |
---|---|---|
US Central (Iowa) | us-central1 | service@celerdata-byoc-1683716900563.iam.gserviceaccount.com |
Follow these steps to grant the IAM role to CelerData's public service account:
- Sign in to your project in the Google Cloud console.
- Expand the left-side navigation menu, and choose IAM & Admin > IAM.
- On the Allow tab of the IAM page, click Grant access.
- In the dialog box that appears, follow these steps:
  a. Paste the email of CelerData's public service account for the Google Cloud region where you want to deploy your cluster into the New principals field.
  b. Search for and select the role you just created (DeploymentRoleTest) in the Role field, and click Add another role.
  c. Search for and select the role Compute Admin in the Role field.
  d. Click Save to save the condition.
- Click Save to grant the access.
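After both procedures are complete, you can check that the grant matches this page exactly and nothing broader. The following is an added example, not CelerData's own tooling: it assumes the inputs are the JSON printed by `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe --format=json`, and the project ID `example-project` and role ID `DeploymentRoleTest` in the sample data are placeholders.

```python
import json

# Values from this page.
CELERDATA_SA = "serviceAccount:service@celerdata-byoc-1683716900563.iam.gserviceaccount.com"
REQUIRED_PERMISSIONS = {"iam.serviceAccounts.actAs", "storage.buckets.get"}
COMPUTE_ADMIN = "roles/compute.admin"  # role ID of the system-defined Compute Admin role


def audit(policy, custom_role):
    """Compare a project IAM policy and custom role against the grants this page lists.

    Returns a list of findings; an empty list means the grant matches exactly.
    """
    findings = []
    included = set(custom_role.get("includedPermissions", []))
    for perm in sorted(REQUIRED_PERMISSIONS - included):
        findings.append(f"custom role lacks required permission {perm}")
    for perm in sorted(included - REQUIRED_PERMISSIONS):
        findings.append(f"custom role carries extra permission {perm}")

    # Every role bound to CelerData's service account anywhere in the policy.
    bound = {b["role"] for b in policy.get("bindings", [])
             if CELERDATA_SA in b.get("members", [])}
    expected = {custom_role["name"], COMPUTE_ADMIN}
    for role in sorted(expected - bound):
        findings.append(f"service account is not bound to {role}")
    for role in sorted(bound - expected):
        findings.append(f"service account holds unexpected role {role}")
    return findings


# Constructed sample data: the service account was also added to roles/editor.
SAMPLE_ROLE = json.loads("""{
  "name": "projects/example-project/roles/DeploymentRoleTest",
  "title": "DeploymentRoleTest", "stage": "GA",
  "includedPermissions": ["iam.serviceAccounts.actAs", "storage.buckets.get"]
}""")
SAMPLE_POLICY = {"bindings": [
    {"role": SAMPLE_ROLE["name"], "members": [CELERDATA_SA]},
    {"role": COMPUTE_ADMIN, "members": [CELERDATA_SA]},
    {"role": "roles/editor", "members": ["user:admin@example.com", CELERDATA_SA]},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_ROLE):
        print(finding)
```
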