Preparation Helper Roles and Service Account

This is a list of the roles and permissions that the Preparation Helper script may configure. The same roles and permissions can also be configured manually for a custom application, as necessary. (Learn more about working with custom roles: https://cloud.google.com/iam/docs/creating-custom-roles.)

| Role | Permission |
| --- | --- |
| cloudkms | cloudkms.keyRings.list |
| | cloudkms.cryptoKeys.list |
| | cloudkms.cryptoKeyVersions.useToDecrypt |
| | cloudkms.cryptoKeyVersions.useToEncrypt |
| compute.addresses | compute.addresses.use |
| compute.disks | compute.disks.addResourcePolicies |
| | compute.disks.create |
| | compute.disks.delete |
| | compute.disks.get |
| | compute.disks.list |
| | compute.disks.removeResourcePolicies |
| | compute.disks.setLabels |
| | compute.disks.startAsyncReplication |
| | compute.disks.stopAsyncReplication |
| | compute.disks.stopGroupAsyncReplication |
| | compute.disks.update |
| | compute.disks.use |
| | compute.disks.useReadOnly |
| compute.images | compute.images.useReadOnly |
| compute.instances | compute.instances.addAccessConfig |
| | compute.instances.addMaintenancePolicies |
| | compute.instances.addResourcePolicies |
| | compute.instances.attachDisk |
| | compute.instances.create |
| | compute.instances.delete |
| | compute.instances.detachDisk |
| | compute.instances.get |
| | compute.instances.getGuestAttributes |
| | compute.instances.getIamPolicy |
| | compute.instances.list |
| | compute.instances.setDeletionProtection |
| | compute.instances.setDiskAutoDelete |
| | compute.instances.setIamPolicy |
| | compute.instances.setLabels |
| | compute.instances.setMachineResources |
| | compute.instances.setMachineType |
| | compute.instances.setMetadata |
| | compute.instances.setMinCpuPlatform |
| | compute.instances.setName |
| | compute.instances.setScheduling |
| | compute.instances.setSecurityPolicy |
| | compute.instances.setServiceAccount |
| | compute.instances.setShieldedInstanceIntegrityPolicy |
| | compute.instances.setShieldedVmIntegrityPolicy |
| | compute.instances.setTags |
| | compute.instances.simulateMaintenanceEvent |
| | compute.instances.start |
| | compute.instances.stop |
| | compute.instances.update |
| | compute.instances.updateAccessConfig |
| | compute.instances.updateDisplayDevice |
| | compute.instances.updateNetworkInterface |
| | compute.instances.updateSecurity |
| | compute.instances.updateShieldedInstanceConfig |
| | compute.instances.updateShieldedVmConfig |
| | compute.instances.use |
| compute.instanceTemplates | compute.instanceTemplates.useReadOnly |
| compute.machineImages | compute.machineImages.useReadOnly |
| compute.machineTypes | compute.machineTypes.get |
| | compute.machineTypes.list |
| compute.networks | compute.networks.get |
| | compute.networks.list |
| | compute.networks.use |
| | compute.networks.useExternalIp |
| compute.projects | compute.projects.get |
| compute.regionOperations | compute.regionOperations.get |
| compute.regions | compute.regions.get |
| compute.resourcePolicies | compute.resourcePolicies.create |
| | compute.resourcePolicies.delete |
| | compute.resourcePolicies.get |
| | compute.resourcePolicies.list |
| | compute.resourcePolicies.use |
| | compute.resourcePolicies.useReadOnly |
| compute.serviceAttachments | compute.serviceAttachments.getIamPolicy |
| compute.snapshots | compute.snapshots.useReadOnly |
| compute.subnetworks | compute.subnetworks.get |
| | compute.subnetworks.list |
| | compute.subnetworks.use |
| | compute.subnetworks.useExternalIp |
| compute.zoneOperations | compute.zoneOperations.get |
| compute.zones | compute.zones.list |
| iam.serviceAccounts | iam.serviceAccounts.actAs |
| | iam.serviceAccounts.get |
| | iam.serviceAccounts.list |
| | iam.serviceAccounts.setIamPolicy |
| logging | logging.logEntries.create |
| | logging.logMetrics.create |
| monitoring.timeSeries | monitoring.timeSeries.list |
| osconfig.guestPolicies | osconfig.guestPolicies.create |
| | osconfig.guestPolicies.delete |
| | osconfig.guestPolicies.get |
| | osconfig.guestPolicies.list |
| | osconfig.guestPolicies.update |
| resourcemanager.projects | resourcemanager.projects.get |
| | resourcemanager.projects.getIamPolicy |

Table 2: Preparation Helper Roles and Permissions.

Service Account

After the necessary roles have been configured, the Preparation Helper creates a service account and assigns the roles to it in the specified projects. The service account must be associated with a project under which AROVA deployments will be conducted. (Learn more about creating service accounts: https://cloud.google.com/iam/docs/service-accounts-create.)
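The manual path described above (a custom role built from Table 2, then a dedicated service account bound to it), as an added example that is not the Preparation Helper's own script: the project id, role id, service account name and the permission subset are placeholders chosen here, and the script only calls gcloud when run with `--apply`.

```shell
#!/bin/sh
# Added example: build a least-privilege custom role from Table 2 permissions
# and bind it to a dedicated service account. PROJECT_ID, ROLE_ID and SA_NAME
# are placeholders (assumptions), not values from the documentation.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"      # placeholder project id
ROLE_ID="${ROLE_ID:-preparationHelper}"     # placeholder custom role id
SA_NAME="${SA_NAME:-prep-helper}"           # placeholder service account name

# Representative subset of Table 2; extend with the remaining rows as needed.
PERMISSIONS="
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToEncrypt
compute.disks.create
compute.instances.create
iam.serviceAccounts.actAs
"

# Every IAM permission has the shape service.resource.verb; reject anything else
# before it reaches gcloud so a typo cannot silently drop a permission.
check_permissions() {
  for p in $PERMISSIONS; do
    case "$p" in
      *.*.*) ;;
      *) echo "malformed permission: $p" >&2; return 1 ;;
    esac
  done
}

# Emit the YAML document that `gcloud iam roles create --file` consumes.
role_yaml() {
  printf 'title: %s\nstage: GA\nincludedPermissions:\n' "$ROLE_ID"
  for p in $PERMISSIONS; do
    printf -- '- %s\n' "$p"
  done
}

# Create the role, the service account, and the project-level binding.
apply() {
  check_permissions
  role_yaml > role.yaml
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=role.yaml
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

# Dry run by default: print the role definition so it can be reviewed first.
if [ "${1:-}" = "--apply" ]; then apply; else role_yaml; fi
```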