Roles

This is a list of roles and permissions that may be configured by the Preparation Helper script. It is also possible to manually configure custom roles, as necessary. (Learn more about working with custom roles: https://cloud.google.com/iam/docs/creating-custom-roles.)

    • cloudkms.keyRings.list, cloudkms.cryptoKeys.list, cloudkms.cryptoKeyVersions.useToDecrypt, cloudkms.cryptoKeyVersions.useToEncrypt
    • compute.addresses.use
    • compute.disks.addResourcePolicies, compute.disks.create, compute.disks.delete, compute.disks.get, compute.disks.list, compute.disks.removeResourcePolicies, compute.disks.setLabels, compute.disks.startAsyncReplication, compute.disks.stopAsyncReplication, compute.disks.stopGroupAsyncReplication, compute.disks.update, compute.disks.use, compute.disks.useReadOnly
    • compute.images.useReadOnly
    • compute.instances.addAccessConfig, compute.instances.addMaintenancePolicies, compute.instances.addResourcePolicies, compute.instances.attachDisk, compute.instances.create, compute.instances.delete, compute.instances.detachDisk, compute.instances.get, compute.instances.getGuestAttributes, compute.instances.getIamPolicy, compute.instances.list, compute.instances.setDeletionProtection, compute.instances.setDiskAutoDelete, compute.instances.setIamPolicy, compute.instances.setLabels, compute.instances.setMachineResources, compute.instances.setMachineType, compute.instances.setMetadata, compute.instances.setMinCpuPlatform, compute.instances.setName, compute.instances.setScheduling, compute.instances.setSecurityPolicy, compute.instances.setServiceAccount, compute.instances.setShieldedInstanceIntegrityPolicy, compute.instances.setShieldedVmIntegrityPolicy, compute.instances.setTags, compute.instances.simulateMaintenanceEvent, compute.instances.start, compute.instances.stop, compute.instances.update, compute.instances.updateAccessConfig, compute.instances.updateDisplayDevice, compute.instances.updateNetworkInterface, compute.instances.updateSecurity, compute.instances.updateShieldedInstanceConfig, compute.instances.updateShieldedVmConfig, compute.instances.use
    • compute.instanceTemplates.useReadOnly
    • compute.machineImages.useReadOnly
    • compute.machineTypes.get, compute.machineTypes.list
    • compute.networks.get, compute.networks.list, compute.networks.use, compute.networks.useExternalIp
    • compute.projects.get
    • compute.regionOperations.get
    • compute.regions.get
    • compute.resourcePolicies.create, compute.resourcePolicies.delete, compute.resourcePolicies.get, compute.resourcePolicies.list, compute.resourcePolicies.use, compute.resourcePolicies.useReadOnly
    • compute.serviceAttachments.getIamPolicy
    • compute.snapshots.useReadOnly
    • compute.subnetworks.get, compute.subnetworks.list, compute.subnetworks.use, compute.subnetworks.useExternalIp
    • compute.zoneOperations.get
    • compute.zones.list
    • iam.serviceAccounts.actAs, iam.serviceAccounts.get, iam.serviceAccounts.list, iam.serviceAccounts.setIamPolicy
    • logging.logEntries.create, logging.logMetrics.create
    • monitoring.timeSeries.list
    • osconfig.guestPolicies.create, osconfig.guestPolicies.delete, "osconfig.guestPolicies.get, osconfig.guestPolicies.list, osconfig.guestPolicies.update
    • resourcemanager.projects.get, resourcemanager.projects.getIamPolicy


Service Account

After necessary roles have been configured, a service account will be created by the Preparation Helper assigning the roles to specified projects. The service account must be associated with a project under which AROVA deployments will be conducted. (Learn more about creating service accounts: https://cloud.google.com/iam/docs/service-accounts-create.)

Also see:

View: AROVA Prerequisites