Advanced Clusters

Permissions for the Secure Agent role

The following table lists the minimum required permissions for the Secure Agent role:
Operations:
  • Create an external static IP address
  • Delete or release an IP address
Permissions:
  compute.addresses.create compute.addresses.delete compute.addresses.get
  compute.addresses.list compute.addresses.use

Operations:
  • Create a target pool
  • Get details for a target pool
  • Delete a target pool
Permissions:
  compute.targetPools.addInstance compute.targetPools.create compute.targetPools.delete
  compute.targetPools.get compute.targetPools.list compute.targetPools.removeInstance
  compute.targetPools.update compute.targetPools.use

Operations:
  • Create a forwarding rule
  • Get details for a rule creation
  • Delete a forwarding rule
Permissions:
  compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get
  compute.forwardingRules.list compute.forwardingRules.setTarget compute.forwardingRules.update

Operations:
  • Create an instance template
  • Get details for an instance template
  • Delete an instance template
  • Add a disk to an instance
Permissions:
  compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get
  compute.instanceTemplates.list compute.instanceTemplates.useReadOnly
  compute.disks.create compute.disks.delete compute.disks.get compute.disks.list
  compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use

Operations:
  • Create a regional and zonal group
  • Get details or description of regional instance groups
  • Delete a regional instance group
Permissions:
  compute.addresses.create compute.addresses.delete compute.addresses.get
  compute.addresses.list compute.addresses.use
  compute.instanceGroupManagers.create compute.instanceGroupManagers.delete
  compute.instanceGroupManagers.get compute.instanceGroupManagers.list
  compute.instanceGroupManagers.update compute.instanceGroupManagers.use
  compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get
  compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use
  compute.instances.addAccessConfig compute.instances.attachDisk compute.instances.create
  compute.instances.delete compute.instances.deleteAccessConfig compute.instances.detachDisk
  compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.list
  compute.instances.osAdminLogin compute.instances.osLogin compute.instances.reset
  compute.instances.resume compute.instances.setDiskAutoDelete compute.instances.setLabels
  compute.instances.setMachineResources compute.instances.setMachineType
  compute.instances.setMetadata compute.instances.setMinCpuPlatform
  compute.instances.setServiceAccount compute.instances.setTags compute.instances.start
  compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.suspend
  compute.instances.update compute.instances.updateAccessConfig
  compute.instances.updateNetworkInterface compute.instances.updateSecurity
  compute.instances.use
  compute.subnetworks.use compute.subnetworks.useExternalIp compute.subnetworks.get

Operations:
  • Delete, upload, and list Google Cloud Storage metadata and logs
Permissions:
  storage.objects.create storage.objects.delete storage.objects.get
  storage.objects.list storage.objects.update storage.buckets.get

Operations:
  • Create, use, and delete a resource within a VPC and subnet
Permissions:
  compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp

Operations:
  • Work with a project
Permissions:
  resourcemanager.projects.get

Operations:
  • Use a service account
Permissions:
  iam.serviceAccounts.actAs

Operations:
  • Create, use, and delete an internal IP address
Permissions:
  compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.useInternal

Operations:
  • Create, use, and delete a regional backend service
Permissions:
  compute.regionBackendServices.create compute.regionBackendServices.delete
  compute.regionBackendServices.get compute.regionBackendServices.list
  compute.regionBackendServices.update compute.regionBackendServices.use

Operations:
  • Create, use, and delete a regional health check
Permissions:
  compute.regionHealthChecks.create compute.regionHealthChecks.delete
  compute.regionHealthChecks.get compute.regionHealthChecks.list
  compute.regionHealthChecks.update compute.regionHealthChecks.use
  compute.regionHealthChecks.useReadOnly

To allow the Secure Agent to create a VPC network and subnets, add the following permissions to the Secure Agent role:
Operations:
  • Create, use, and delete a VPC network
Permissions:
  compute.networks.access compute.networks.create compute.networks.delete
  compute.networks.get compute.networks.list compute.networks.use

Operations:
  • Create, use, and delete a subnetwork
Permissions:
  compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get
  compute.subnetworks.list compute.subnetworks.update compute.subnetworks.use
  compute.subnetworks.useExternalIp

Operations:
  • Create, use, and delete a Cloud Router
Permissions:
  compute.routers.create compute.routers.delete compute.routers.get
  compute.routers.list compute.routers.use

Operations:
  • Create, use, and delete a firewall rule
  • Add a firewall rule to a VPC network
Permissions:
  compute.firewalls.create compute.firewalls.delete compute.firewalls.get
  compute.firewalls.list compute.firewalls.update
  compute.networks.updatePolicy

If you do not create separate roles and service accounts for the cluster nodes, add the following permissions to the Secure Agent role:
Node type: Master
Operations:
  • Scale up or down an instance group for worker nodes
Permissions:
  compute.regions.get compute.instanceGroups.list compute.instanceGroups.update
  compute.instanceGroups.use compute.instanceGroups.get

Node type: Worker
Operations:
  • Upload initialization script notification to the staging location
  • Upload initialization script logs to the log location
Permissions:
  storage.objects.create storage.objects.delete storage.objects.get
  storage.objects.list storage.objects.update
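The three tables above describe one least-privilege role whose contents depend on two deployment choices (whether the Secure Agent creates the VPC itself, and whether the cluster nodes share its role). The following is an added example, not Informatica's or Google's code, that encodes the documented permission sets, emits a custom-role definition in the file format accepted by `gcloud iam roles create ROLE_ID --file=...` (title, description, stage, includedPermissions), and audits an already-granted permission list for gaps and excess. The role id and the sample "granted" list are constructed placeholders; no project id or real role is referenced.

```python
"""Least-privilege custom role for the Secure Agent on Google Cloud.

Added example for this page (not Informatica's or Google's code). Permission
lists are transcribed from the documentation tables; the role id and the
sample granted list used in __main__ are constructed placeholders.
"""
import json

# First table: minimum permissions every Secure Agent role needs.
BASE_PERMISSIONS = frozenset("""
compute.addresses.create compute.addresses.delete compute.addresses.get
compute.addresses.list compute.addresses.use
compute.targetPools.addInstance compute.targetPools.create compute.targetPools.delete
compute.targetPools.get compute.targetPools.list compute.targetPools.removeInstance
compute.targetPools.update compute.targetPools.use
compute.forwardingRules.create compute.forwardingRules.delete compute.forwardingRules.get
compute.forwardingRules.list compute.forwardingRules.setTarget compute.forwardingRules.update
compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get
compute.instanceTemplates.list compute.instanceTemplates.useReadOnly
compute.disks.create compute.disks.delete compute.disks.get compute.disks.list
compute.disks.resize compute.disks.setLabels compute.disks.update compute.disks.use
compute.instanceGroupManagers.create compute.instanceGroupManagers.delete
compute.instanceGroupManagers.get compute.instanceGroupManagers.list
compute.instanceGroupManagers.update compute.instanceGroupManagers.use
compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get
compute.instanceGroups.list compute.instanceGroups.update compute.instanceGroups.use
compute.instances.addAccessConfig compute.instances.attachDisk compute.instances.create
compute.instances.delete compute.instances.deleteAccessConfig compute.instances.detachDisk
compute.instances.get compute.instances.getEffectiveFirewalls compute.instances.list
compute.instances.osAdminLogin compute.instances.osLogin compute.instances.reset
compute.instances.resume compute.instances.setDiskAutoDelete compute.instances.setLabels
compute.instances.setMachineResources compute.instances.setMachineType
compute.instances.setMetadata compute.instances.setMinCpuPlatform
compute.instances.setServiceAccount compute.instances.setTags compute.instances.start
compute.instances.startWithEncryptionKey compute.instances.stop compute.instances.suspend
compute.instances.update compute.instances.updateAccessConfig
compute.instances.updateNetworkInterface compute.instances.updateSecurity compute.instances.use
compute.subnetworks.get compute.subnetworks.use compute.subnetworks.useExternalIp
storage.objects.create storage.objects.delete storage.objects.get
storage.objects.list storage.objects.update storage.buckets.get
resourcemanager.projects.get iam.serviceAccounts.actAs
compute.addresses.createInternal compute.addresses.deleteInternal compute.addresses.useInternal
compute.regionBackendServices.create compute.regionBackendServices.delete
compute.regionBackendServices.get compute.regionBackendServices.list
compute.regionBackendServices.update compute.regionBackendServices.use
compute.regionHealthChecks.create compute.regionHealthChecks.delete
compute.regionHealthChecks.get compute.regionHealthChecks.list
compute.regionHealthChecks.update compute.regionHealthChecks.use
compute.regionHealthChecks.useReadOnly
""".split())

# Second table: only when the agent itself creates the VPC network and subnets.
VPC_PERMISSIONS = frozenset("""
compute.networks.access compute.networks.create compute.networks.delete
compute.networks.get compute.networks.list compute.networks.use
compute.subnetworks.create compute.subnetworks.delete compute.subnetworks.get
compute.subnetworks.list compute.subnetworks.update compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.routers.create compute.routers.delete compute.routers.get
compute.routers.list compute.routers.use
compute.firewalls.create compute.firewalls.delete compute.firewalls.get
compute.firewalls.list compute.firewalls.update compute.networks.updatePolicy
""".split())

# Third table: only when master/worker nodes reuse the agent's role instead
# of having their own service accounts (master + worker rows combined).
NODE_PERMISSIONS = frozenset("""
compute.regions.get compute.instanceGroups.list compute.instanceGroups.update
compute.instanceGroups.use compute.instanceGroups.get
storage.objects.create storage.objects.delete storage.objects.get
storage.objects.list storage.objects.update
""".split())


def required_permissions(create_vpc=False, shared_node_role=False):
    """Documented minimum set for the chosen deployment options."""
    perms = set(BASE_PERMISSIONS)
    if create_vpc:
        perms |= VPC_PERMISSIONS
    if shared_node_role:
        perms |= NODE_PERMISSIONS
    return frozenset(perms)


def custom_role_definition(role_id, perms, title="Secure Agent role"):
    """Body for `gcloud iam roles create ROLE_ID --file=...` (role_id is a placeholder)."""
    return {
        "title": title,
        "description": f"Least-privilege role {role_id} for the Secure Agent",
        "stage": "GA",
        "includedPermissions": sorted(perms),
    }


def audit_role(granted, required):
    """Return (missing, excess). Missing permissions break cluster operations;
    excess ones widen the impact of a compromised agent service account."""
    granted = set(granted)
    return sorted(required - granted), sorted(granted - required)


if __name__ == "__main__":
    required = required_permissions(create_vpc=True)
    print(json.dumps(custom_role_definition("secureAgentRole", required), indent=2))
    # Constructed sample: a role missing actAs but carrying a VPC-only permission.
    granted = (BASE_PERMISSIONS - {"iam.serviceAccounts.actAs"}) | {"compute.firewalls.create"}
    print(audit_role(granted, required_permissions()))
```

Write the printed definition to a YAML or JSON file and pass it to `gcloud iam roles create` at the project level; rerun `audit_role` against the role's `includedPermissions` after every product upgrade so the role does not silently drift wider than the tables require.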