The Elastifile Cloud File System deployment guide uses Basic IAM roles and Predefined IAM roles.
Those role types carry a wide scope of permissions, and in some cases the customer's security policy forbids them.
To overcome this, a set of two custom IAM roles needs to be configured.
Elastifile Cloud File System needs two roles because in some cases the deployment uses a Shared VPC network: the ECFS-Network-Admin role must then be configured on the Shared VPC network host project,
while the ECFS-General-Admin role is used on the service project (the project that the compute instances are deployed in).
- ECFS-General-Admin - set of permissions used to manage the Elastifile Cloud File System compute instances:
  compute.addresses.list
  compute.backendBuckets.list
  compute.diskTypes.get
  compute.disks.create
  compute.disks.delete
  compute.disks.get
  compute.disks.use
  compute.globalOperations.get
  compute.instances.create
  compute.instances.delete
  compute.instances.get
  compute.instances.list
  compute.instances.setDeletionProtection
  compute.instances.setLabels
  compute.instances.setMetadata
  compute.instances.setServiceAccount
  compute.instances.setTags
  compute.instances.setMachineType
  compute.instances.start
  compute.machineTypes.get
  compute.projects.get
  compute.regions.get
  compute.subnetworks.use
  compute.subnetworks.useExternalIp
  compute.zoneOperations.get
  compute.zones.get
  compute.zones.list
  iam.serviceAccounts.actAs
  iam.serviceAccounts.get
  iam.serviceAccounts.list
  resourcemanager.projects.get
  storage.buckets.create
  storage.buckets.get
  storage.buckets.getIamPolicy
  storage.buckets.list
  storage.buckets.setIamPolicy
  storage.buckets.update
  storage.buckets.delete
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.getIamPolicy
  storage.objects.list
- ECFS-Network-Admin - set of permissions used to manage the Elastifile Cloud File System network configuration:
  compute.addresses.list
  compute.addresses.useInternal
  compute.firewalls.list
  compute.firewalls.create
  compute.firewalls.get
  compute.firewalls.update
  compute.networks.get
  compute.networks.updatePolicy
  compute.routes.create
  compute.routes.delete
  compute.routes.get
  compute.routes.list
  compute.subnetworks.get
This article guides you through setting up the roles and assigning them to the Service Account used by the Elastifile Cloud File System deployment.
Setting up the custom roles on a setup using a VPC network from the same compute project (NOT a Shared VPC network)
- Create the two new custom roles following the Google Cloud IAM documentation section "To create a custom role using a YAML file", using the Elastifile-provided YAML files.
- In the GCP console, go to the IAM & Admin section and click IAM.
- Edit the Service Account used for Elastifile Cloud File System, assign it the two new custom roles (ECFS-General-Admin and ECFS-Network-Admin), then save.
Setting up the custom roles on a setup using a Shared VPC network
- Create the two new custom roles following the Google Cloud IAM documentation section "To create a custom role using a YAML file", using the Elastifile-provided YAML files:
  ECFS-General-Admin - used on the compute service project.
  ECFS-Network-Admin - used on the Shared VPC network host project.
- On both projects, in the GCP console go to the IAM & Admin section and click IAM.
- On both projects, edit the Service Account used for Elastifile Cloud File System.
- In each project, assign the Service Account the matching custom role:
  On the compute service project - ECFS-General-Admin, and save.
  On the Shared VPC network host project - ECFS-Network-Admin, and save.
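The two procedures above (same-project VPC and Shared VPC) carried out with gcloud instead of the console, as an added example that is not Elastifile's own tooling: the script builds the two role definition files from the permission lists in this KB and prints the gcloud commands that create the roles and bind them to the deployment service account. The project IDs, the service account e-mail and the output file names are assumed placeholders. Custom role IDs accept only letters, digits, underscores and periods, so the hyphenated KB names are kept as role titles and underscore variants are used as the IDs.

```shell
#!/bin/sh
# Added example (not Elastifile's own script): builds the ECFS-General-Admin and
# ECFS-Network-Admin role definitions from the KB permission lists and prints the
# gcloud commands for creating and binding them. SERVICE_PROJECT, HOST_PROJECT,
# the service account e-mail and the YAML file names are placeholders.
set -eu

# Permission lists copied from the KB (one string per role, whitespace separated).
ECFS_GENERAL_PERMS="compute.addresses.list compute.backendBuckets.list
compute.diskTypes.get compute.disks.create compute.disks.delete compute.disks.get
compute.disks.use compute.globalOperations.get compute.instances.create
compute.instances.delete compute.instances.get compute.instances.list
compute.instances.setDeletionProtection compute.instances.setLabels
compute.instances.setMetadata compute.instances.setServiceAccount
compute.instances.setTags compute.instances.setMachineType compute.instances.start
compute.machineTypes.get compute.projects.get compute.regions.get
compute.subnetworks.use compute.subnetworks.useExternalIp
compute.zoneOperations.get compute.zones.get compute.zones.list
iam.serviceAccounts.actAs iam.serviceAccounts.get iam.serviceAccounts.list
resourcemanager.projects.get storage.buckets.create storage.buckets.get
storage.buckets.getIamPolicy storage.buckets.list storage.buckets.setIamPolicy
storage.buckets.update storage.buckets.delete storage.objects.create
storage.objects.delete storage.objects.get storage.objects.getIamPolicy
storage.objects.list"

ECFS_NETWORK_PERMS="compute.addresses.list compute.addresses.useInternal
compute.firewalls.list compute.firewalls.create compute.firewalls.get
compute.firewalls.update compute.networks.get compute.networks.updatePolicy
compute.routes.create compute.routes.delete compute.routes.get
compute.routes.list compute.subnetworks.get"

# role_id TITLE: custom role IDs allow only letters, digits, underscores and
# periods, so the hyphenated KB name becomes the title and this is the ID.
role_id() {
  printf '%s' "$1" | tr '-' '_'
}

# write_role_yaml TITLE DESCRIPTION OUTFILE PERM...: writes a role definition
# in the shape accepted by `gcloud iam roles create --file`.
write_role_yaml() {
  title=$1; desc=$2; out=$3; shift 3
  {
    printf 'title: %s\n' "$title"
    printf 'description: %s\n' "$desc"
    printf 'stage: GA\n'
    printf 'includedPermissions:\n'
    for p in "$@"; do printf '%s\n' "- $p"; done
  } > "$out"
}

# write_ecfs_roles OUTDIR: writes both role files (assumed file names).
write_ecfs_roles() {
  write_role_yaml ECFS-General-Admin \
    "Manage Elastifile Cloud File System compute instances" \
    "$1/ecfs-general-admin.yaml" $ECFS_GENERAL_PERMS
  write_role_yaml ECFS-Network-Admin \
    "Manage Elastifile Cloud File System network configuration" \
    "$1/ecfs-network-admin.yaml" $ECFS_NETWORK_PERMS
}

# count_perms FILE: number of "- permission" entries in a role file, useful for
# checking a definition (or a `gcloud iam roles describe` dump in the same YAML
# shape) against the KB lists: 43 for General-Admin, 13 for Network-Admin.
count_perms() {
  grep -c '^- ' "$1"
}

# role_commands SERVICE_PROJECT HOST_PROJECT SA_EMAIL OUTDIR: prints the gcloud
# commands. Pass the same project twice for a plain VPC; with a Shared VPC the
# network role is created and bound in the host project only. Custom roles are
# project-scoped, so each role is created in the project it is bound in.
role_commands() {
  svc=$1; host=$2; sa=$3; dir=$4
  gen=$(role_id ECFS-General-Admin); net=$(role_id ECFS-Network-Admin)
  cat <<EOF
gcloud iam roles create $gen --project=$svc --file=$dir/ecfs-general-admin.yaml
gcloud iam roles create $net --project=$host --file=$dir/ecfs-network-admin.yaml
gcloud projects add-iam-policy-binding $svc --member=serviceAccount:$sa --role=projects/$svc/roles/$gen
gcloud projects add-iam-policy-binding $host --member=serviceAccount:$sa --role=projects/$host/roles/$net
EOF
}

if [ "$#" -ge 3 ]; then
  outdir=${4:-.}
  write_ecfs_roles "$outdir"
  role_commands "$1" "$2" "$3" "$outdir"
else
  echo "usage: $0 SERVICE_PROJECT HOST_PROJECT SA_EMAIL [OUTDIR]" >&2
fi
```

Run it as `sh ecfs-roles.sh SERVICE_PROJECT HOST_PROJECT SA_EMAIL` (same project twice for a non-shared VPC), review the printed commands, then execute them. After binding, `gcloud iam roles describe` on each created role should list exactly the 43 and 13 permissions above, and `gcloud projects get-iam-policy` on each project should show the service account bound only to the custom role meant for that project.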
Using the Service Account configured with the two new custom roles
After the two new roles are configured on the Elastifile service account, that service account can be used to deploy Elastifile Cloud File System using Terraform.
- There is no change in the deployment or management of Elastifile Cloud File System due to the changes made using this KB.
- The custom roles can't be used by the GCP Marketplace UI, as it always uses the project's default service account for deployments.