Deploy Elastifile Cloud file system using custom roles

The Elastifile Cloud File System deployment guide uses Basic IAM roles and Predefined IAM roles.

Those role types grant a wide scope of permissions, and in some cases the customer's security policy forbids them.

To overcome this, a set of 2 custom IAM roles needs to be configured, each carrying only the permissions the deployment actually uses.

Elastifile Cloud file system needs 2 roles because in some cases the deployment uses a Shared VPC network; the ECFS-Network-Admin role must then be configured on the Shared VPC host project,
while the ECFS-General-Admin role is used on the service project (the project in which the compute instances are deployed).
  • ECFS-General-Admin - set of permissions used to manage the Elastifile Cloud file system compute instances.
    compute.addresses.list
    compute.backendBuckets.list
    compute.diskTypes.get
    compute.disks.create
    compute.disks.delete
    compute.disks.get
    compute.disks.use
    compute.globalOperations.get
    compute.instances.create
    compute.instances.delete
    compute.instances.get
    compute.instances.list
    compute.instances.setDeletionProtection
    compute.instances.setLabels
    compute.instances.setMetadata
    compute.instances.setServiceAccount
    compute.instances.setTags
    compute.machineTypes.get
    compute.projects.get
    compute.regions.get
    compute.subnetworks.use
    compute.subnetworks.useExternalIp
    compute.zoneOperations.get
    compute.zones.get
    compute.zones.list
    iam.serviceAccounts.actAs
    iam.serviceAccounts.get
    iam.serviceAccounts.list
    resourcemanager.projects.get
    storage.buckets.create
    storage.buckets.get
    storage.buckets.getIamPolicy
    storage.buckets.list
    storage.buckets.setIamPolicy
    storage.buckets.update
    storage.objects.create
    storage.objects.delete
    storage.objects.get
    storage.objects.getIamPolicy
    storage.objects.list
  • ECFS-Network-Admin - set of permissions used to manage the Elastifile Cloud file system network configuration.
    compute.addresses.list
    compute.addresses.useInternal
    compute.firewalls.create
    compute.firewalls.get
    compute.firewalls.update
    compute.networks.get
    compute.networks.updatePolicy
    compute.routes.create
    compute.routes.delete
    compute.routes.get
    compute.routes.list
    compute.subnetworks.get

This article guides you through setting up the roles and assigning them to the Service Account used by the Elastifile Cloud file system deployment.

 

Setting up the custom roles when the VPC network belongs to the same project as the compute instances (NOT a Shared VPC)

  1. Create the 2 custom roles by following the "To create a custom role using a YAML file" section of the linked custom-roles article, using the Elastifile-provided YAML files (see YAML Download below).
  2. In the GCP console, go to the IAM & Admin section and click IAM.
  3. Edit the Service Account used for the Elastifile Cloud file system, assign it the 2 new custom roles (ECFS-General-Admin and ECFS-Network-Admin), then save.



 

Setting up the custom roles when the deployment uses a Shared VPC network

  1. Create the custom roles by following the "To create a custom role using a YAML file" section of the linked custom-roles article, using the Elastifile-provided YAML files (see YAML Download below):
    ECFS-General-Admin - created on the compute (service) project.
    ECFS-Network-Admin - created on the Shared VPC host project.
  2. In both projects, using the GCP console, go to the IAM & Admin section and click IAM.
  3. In both projects, edit the Service Account used for the Elastifile Cloud file system.
  4. In each project, assign the Service Account the new custom role:
    On the compute (service) project - ECFS-General-Admin, then save.



    On the Shared VPC host project - ECFS-Network-Admin, then save.
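The two procedures above (same-project VPC and Shared VPC) can also be done from the gcloud CLI. The script below is an added example, not Elastifile's or Google's own tooling: it writes the two role definitions in the YAML layout accepted by `gcloud iam roles create --file` from the permission lists in this article, creates each role in the project it belongs to, and binds it to the Elastifile service account there. The project IDs, the service-account e-mail and the output directory are placeholders. Note that custom role IDs may only contain letters, digits, underscores and periods, so the hyphenated names ECFS-General-Admin and ECFS-Network-Admin are used as titles while the role IDs are ECFS_General_Admin and ECFS_Network_Admin. With the default DRY_RUN=1 the gcloud commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not Elastifile's or Google's script): create the two ECFS custom
# roles from YAML and bind them to the Elastifile service account with gcloud.
# All project IDs and the service-account e-mail are placeholders.
set -eu

SERVICE_PROJECT="${SERVICE_PROJECT:-ecfs-service-project}"     # placeholder
HOST_PROJECT="${HOST_PROJECT:-$SERVICE_PROJECT}"                # Shared VPC host; same as service project when not using Shared VPC
ECFS_SA="${ECFS_SA:-ecfs-deploy@ecfs-service-project.iam.gserviceaccount.com}"  # placeholder
OUT_DIR="${OUT_DIR:-./ecfs-roles}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands instead of running them

# Permission lists copied from the article above (whitespace separated).
GENERAL_ADMIN_PERMS='
compute.addresses.list compute.backendBuckets.list compute.diskTypes.get
compute.disks.create compute.disks.delete compute.disks.get compute.disks.use
compute.globalOperations.get compute.instances.create compute.instances.delete
compute.instances.get compute.instances.list compute.instances.setDeletionProtection
compute.instances.setLabels compute.instances.setMetadata
compute.instances.setServiceAccount compute.instances.setTags
compute.machineTypes.get compute.projects.get compute.regions.get
compute.subnetworks.use compute.subnetworks.useExternalIp
compute.zoneOperations.get compute.zones.get compute.zones.list
iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list
resourcemanager.projects.get
storage.buckets.create storage.buckets.get storage.buckets.getIamPolicy
storage.buckets.list storage.buckets.setIamPolicy storage.buckets.update
storage.objects.create storage.objects.delete storage.objects.get
storage.objects.getIamPolicy storage.objects.list
'
NETWORK_ADMIN_PERMS='
compute.addresses.list compute.addresses.useInternal
compute.firewalls.create compute.firewalls.get compute.firewalls.update
compute.networks.get compute.networks.updatePolicy
compute.routes.create compute.routes.delete compute.routes.get compute.routes.list
compute.subnetworks.get
'

# Custom role IDs may only contain letters, digits, underscores and periods
# (3 to 64 characters); the hyphenated display names cannot be used as IDs.
valid_role_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.]{3,64}$'
}

# Write a role definition in the layout accepted by `gcloud iam roles create --file`.
write_role_yaml() {   # args: title description outfile "perm1 perm2 ..."
  {
    printf 'title: "%s"\ndescription: "%s"\nstage: "GA"\nincludedPermissions:\n' "$1" "$2"
    for perm in $4; do printf '  - %s\n' "$perm"; done
  } > "$3"
}

# Number of permissions in a generated file (sanity check before creating the role).
count_permissions() { grep -c '^  - ' "$1"; }

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Create the custom role in PROJECT and grant it to the service account in that project.
create_and_bind() {   # args: project role_id yaml_file
  valid_role_id "$2" || { echo "invalid custom role ID: $2" >&2; return 1; }
  run gcloud iam roles create "$2" --project="$1" --file="$3" --quiet
  run gcloud projects add-iam-policy-binding "$1" \
    --member="serviceAccount:$ECFS_SA" --role="projects/$1/roles/$2"
}

main() {
  mkdir -p "$OUT_DIR"
  write_role_yaml ECFS-General-Admin "Manage Elastifile Cloud file system compute instances" \
    "$OUT_DIR/ecfs-general-admin.yaml" "$GENERAL_ADMIN_PERMS"
  write_role_yaml ECFS-Network-Admin "Manage Elastifile Cloud file system network configuration" \
    "$OUT_DIR/ecfs-network-admin.yaml" "$NETWORK_ADMIN_PERMS"
  # General-Admin always goes on the service project; Network-Admin goes on the
  # Shared VPC host project (which is the same project when Shared VPC is not used).
  create_and_bind "$SERVICE_PROJECT" ECFS_General_Admin "$OUT_DIR/ecfs-general-admin.yaml"
  create_and_bind "$HOST_PROJECT"    ECFS_Network_Admin "$OUT_DIR/ecfs-network-admin.yaml"
}
main
```

Run it once with DRY_RUN=1 to review the generated YAML and the commands, then with DRY_RUN=0 and HOST_PROJECT set to the Shared VPC host project when one is in use. Two permissions in ECFS-General-Admin deserve a reviewer's attention when the role is granted at project scope: iam.serviceAccounts.actAs lets the holder launch instances that run as any service account in that project, and storage.buckets.setIamPolicy lets it change who can read the buckets it creates.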

Using the Service Account configured with the 2 new custom roles

 

After the 2 new roles have been assigned to the Elastifile Service Account, that service account can be used to deploy the Elastifile Cloud file system using Terraform.

  • The changes described in this KB do not alter how the Elastifile Cloud file system is deployed or managed.
  • The custom roles cannot be used by the GCP Marketplace UI, as it always deploys with the project's default service account.

YAML Download

ECFS-General-Admin YAML file

ECFS-Network-Admin YAML file
