GCP connection
When you create a connection to access GCP cloud resources, you must define the scope of the connection. A GCP connection must use a Google Cloud Service account.
The DoiT console provides a step-by-step wizard to help you create a GCP connection.
Required permissions
To create a GCP connection, your DoiT account must have the CloudFlow Manager or CloudFlow Editor permission.
Setup
Once you have launched the wizard, you must set up the connection and specify the Google Service Account for which this connection determines permissions.
- Sign in to the DoiT console, select Operate from the top navigation bar, and then select CloudFlow.
- Select Connections.
- From the left-hand pane, select GCP.
- Select Create connection.
- In Connection name, enter a unique connection name that fits its usage. This connection exists in the DoiT platform and defines your users' permissions to interact with the CloudFlow itself.
- In Service account name, enter the name of the Google Service Account to use with this connection.
- In Custom role ID, enter a name that fits its usage. This is the Google Cloud custom role that the CloudFlow assumes when it executes. Its permissions are what allow the CloudFlow to perform tasks in Google Cloud. The Google Cloud custom role does not have any permissions on the DoiT platform.
- Choose the Google Cloud organizations and projects that your CloudFlows run on when using this connection:
  - Select Organization. In Select Organizations, choose an organization to use with this connection.
  - Select Project. In Select projects, choose the projects to use with this connection.
- When you have added all the organizations and projects for which this connection determines permissions, select Next.
Permissions
Once you have set up the GCP custom role, you must specify the permissions for the custom role that the CloudFlow assumes when it executes.
- In GCP Predefined Roles, select the GCP predefined roles that you want to add to this connection.
- (Optional) If a CloudFlow requires additional GCP permissions, select + Add another permission to add them to the custom role.
  - In Custom permission, enter the additional permission, for example storage.objects.get.
  - Repeat these steps for each additional GCP permission you want to add.
- You must now create the Google service account that has the permissions you specified above. You do this using Google Infrastructure Manager or Terraform.
  - Infrastructure Manager:
    - Copy the provided code block.
    - Select Open Google Cloud Shell.
    - Paste the code and run the command.
  - Terraform:
    - Select Terraform.
    - Copy the provided code block into your Terraform configuration.
- Select Next.
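The following Terraform configuration is an added example of the resources the Permissions step describes; it is not the code block the DoiT wizard generates, and it does not replace it. It creates a service account, a custom role that holds only the permissions the CloudFlow needs, and binds the custom role plus one predefined role to the service account on a single project. The project ID, service account name, custom role ID, the predefined role, and every permission other than storage.objects.get (which the page uses as its example) are assumed placeholder values.

```terraform
# Added example, not the DoiT-generated code block. All IDs and the
# permission list are placeholders you replace with the values you
# entered in the wizard.

terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
  }
}

variable "project_id" {
  description = "Google Cloud project the CloudFlow runs on (assumed value)"
  type        = string
  default     = "example-project-id"
}

provider "google" {
  project = var.project_id
}

# Service account the connection is scoped to. The account_id is the
# "Service account name" from the wizard (assumed value here).
resource "google_service_account" "cloudflow" {
  account_id   = "cloudflow-connection"
  display_name = "DoiT CloudFlow connection"
}

# Custom role carrying only what the CloudFlow needs in Google Cloud.
# role_id is the "Custom role ID" from the wizard (assumed value).
# storage.objects.get is the page's example; storage.objects.list is an
# assumed extra permission added for illustration.
resource "google_project_iam_custom_role" "cloudflow" {
  role_id     = "cloudflowConnectionRole"
  title       = "DoiT CloudFlow connection role"
  description = "Permissions the CloudFlow assumes when it executes"
  permissions = [
    "storage.objects.get",
    "storage.objects.list",
  ]
}

# Grant the custom role to the service account on this project only,
# so the role's reach matches the project scope chosen in the wizard.
resource "google_project_iam_member" "cloudflow_custom_role" {
  project = var.project_id
  role    = google_project_iam_custom_role.cloudflow.id
  member  = "serviceAccount:${google_service_account.cloudflow.email}"
}

# Predefined roles picked under "GCP Predefined Roles" (assumed example).
# Add one entry per predefined role you selected.
resource "google_project_iam_member" "cloudflow_predefined" {
  for_each = toset(["roles/storage.objectViewer"])
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.cloudflow.email}"
}

# The service account e-mail is the identity the CloudFlow runs as.
output "cloudflow_service_account_email" {
  value = google_service_account.cloudflow.email
}
```

Run `terraform plan` before `terraform apply` and read the planned IAM bindings: each `google_project_iam_member` line is exactly one grant to the service account, so the plan is a complete picture of what the CloudFlow will be able to do in Google Cloud. Keep the custom role's permission list limited to what the CloudFlow actually calls; broadening it later is a one-line change, while an over-privileged service account is hard to notice after the fact. If the connection is scoped to an organization rather than a project, the role is created with `google_organization_iam_custom_role` and bound with `google_organization_iam_member` instead, with the same least-privilege reasoning.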
Access
Finally, you must set which DoiT accounts have access to this connection and are authorized to use it in a CloudFlow.
- In Email, select the email address of a DoiT account that can use this connection.
- In Connection access level, select the access level the DoiT account has.
- To add another account, select + Add another user.
- Repeat these steps for each DoiT account that can use this connection.
- Select Done. It may take a few minutes to create your connection. Once the connection is created, you can use it in your CloudFlows.