AROVA Prerequisites
AROVA is a privileged appliance with additional prerequisites that must be met before it can operate on a user's infrastructure in Google Cloud.
- A service account is necessary to provide required permissions to AROVA.
- An organization-level role is required to list the necessary permissions.
- The role with the service account must be assigned to projects that contain protected VMs.
- A group account is used to mandate access to the AROVA Web UI.
- The full list of permissions required for AROVA operation is provided in Appendix A.
- The Preparation Helper can be used to create a service account, a role, and grant it access to required projects.
- This is an example of a generated command script:
(Example only, do not use this script directly.)
python3 ./arova-cli.py prepare-permissions \
    --role arova_access \
    --project arova-project \
    --sa-prefix arova-sa \
    project1 project2 project3

Figure 31: Preparation Helper example.
Important: The above command is an illustrative example only and should not be directly used.
Note:
The actual service account pseudo-email is:
<sa-prefix>@<project>.iam.gserviceaccount.com
From the above example it would be written out as: "arova-sa@arova-project.iam.gserviceaccount.com"
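One way to confirm the result of the preparation step before deploying the appliance, shown as an added example (not AROVA's own code): it checks project IAM policies, in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, for the role binding and for any extra roles held by the service account. The organization ID, the sample policies, and the function names are constructed for illustration; the role, project, and prefix names follow the illustrative command above.

```python
def service_account_email(sa_prefix: str, project: str) -> str:
    """Build the pseudo-email in the form <sa-prefix>@<project>.iam.gserviceaccount.com."""
    return f"{sa_prefix}@{project}.iam.gserviceaccount.com"

def audit_binding(policy: dict, member: str, role: str) -> dict:
    """Report whether `member` holds `role` in one policy, and what else it holds."""
    held = {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}
    return {"has_role": role in held, "extra_roles": sorted(held - {role})}

def audit_projects(policies: dict, sa_prefix: str, host_project: str, role: str) -> dict:
    """Audit every protected project's policy for the service account binding."""
    member = "serviceAccount:" + service_account_email(sa_prefix, host_project)
    return {name: audit_binding(pol, member, role) for name, pol in policies.items()}

def missing_projects(report: dict) -> list:
    """Projects where the role is not bound to the service account."""
    return sorted(p for p, r in report.items() if not r["has_role"])

# Constructed sample data. The organization ID is a placeholder (assumption).
ROLE = "organizations/000000000000/roles/arova_access"
SA = "serviceAccount:arova-sa@arova-project.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    # Expected state: only the custom role is bound to the service account.
    "project1": {"bindings": [{"role": ROLE, "members": [SA]}]},
    # Binding missing: the service account has no access to this project.
    "project2": {"bindings": [{"role": "roles/viewer",
                               "members": ["user:admin@example.com"]}]},
    # Over-privileged: a broad role is bound in addition to the custom one.
    "project3": {"bindings": [{"role": ROLE, "members": [SA]},
                              {"role": "roles/editor", "members": [SA]}]},
}

if __name__ == "__main__":
    report = audit_projects(SAMPLE_POLICIES, "arova-sa", "arova-project", ROLE)
    for project, result in sorted(report.items()):
        print(project, result)
    print("missing binding:", missing_projects(report))
```

Roles reported under `extra_roles` are worth reviewing against Appendix A, since the service account should need only the permissions listed there.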
- After the service account has been created and configured, an AROVA appliance can be deployed.
See: