AROVA Prerequisites
AROVA is a privileged appliance and needs additional prerequisites before it can operate on a user's infrastructure in Google Cloud.
- A service account is required to provide AROVA with the permissions it needs.
- An organization-level role is required to list the necessary permissions.
- The role must be assigned, with the service account, to the projects that contain protected VMs.
- A group account is used to mandate access to the AROVA Web UI.
- The full list of permissions required for AROVA operation is provided in Appendix A.
- The Preparation Helper can be used to create the service account and the role, and to grant it access to the required projects.
- This is an example script command:
python3 ./arova-cli.py prepare-permissions \
    --role arova_access \
    --project arova-project \
    --sa-prefix arova-sa \
    project1 project2 project3
Important: The above command is an illustrative example only and should not be directly used.
Note:
The actual service account pseudo-email is:
<sa-prefix>@<project>.iam.gserviceaccount.com
From the above example it would be written out as: "arova-sa@arova-project.iam.gserviceaccount.com"
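Because the role is privileged, it is worth checking after preparation that it is bound on each protected project and held only by the AROVA service account. The following is an added example, not part of the AROVA tooling: the function names, the organization ID placeholder and the sample policies are constructed, and it assumes the role is bound under the organization-level custom role name `organizations/<org-id>/roles/arova_access`.

```python
# Constructed sample policies, shaped like the JSON printed by
# `gcloud projects get-iam-policy <project> --format=json`.
# The organization ID 123456789012 is a placeholder (assumption).
ROLE = "organizations/123456789012/roles/arova_access"
AROVA_SA = "serviceAccount:arova-sa@arova-project.iam.gserviceaccount.com"
SAMPLE_POLICIES = {
    "project1": {"bindings": [
        {"role": ROLE, "members": [AROVA_SA]},
    ]},
    "project2": {"bindings": [
        {"role": ROLE, "members": [AROVA_SA, "user:alice@example.com"]},
    ]},
    "project3": {"bindings": [
        {"role": "roles/viewer", "members": ["group:ops@example.com"]},
    ]},
}


def sa_member(sa_prefix, project):
    """Build the IAM member string from the <sa-prefix>@<project> pattern."""
    return f"serviceAccount:{sa_prefix}@{project}.iam.gserviceaccount.com"


def audit_bindings(policies, role, member):
    """Per project: does `member` hold `role`, and which other members do?"""
    report = {}
    for project, policy in policies.items():
        holders = set()
        for binding in policy.get("bindings", []):
            if binding.get("role") == role:
                holders.update(binding.get("members", []))
        report[project] = {
            "bound": member in holders,                   # role missing -> False
            "unexpected": sorted(holders - {member}),     # least-privilege check
        }
    return report


if __name__ == "__main__":
    member = sa_member("arova-sa", "arova-project")
    for project, result in audit_bindings(SAMPLE_POLICIES, ROLE, member).items():
        print(project, result)
```

With the constructed data, project2 is flagged for an extra member holding the role and project3 for a missing binding.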
Also see: