Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            GCP Onboarding Process

            Modified on Tue, 22 Apr at 1:56 PM

             

            Introduction

            This documentation provides a comprehensive guide to onboarding a GCP account to Wiv using a script that automates the creation of a service account, the generation of a service account key, and the assignment of predefined roles to the service account at either the organization or project level.

            Prerequisites

            • Permissions: You must have the necessary permissions to perform actions in the GCP project and organization. Refer to the following documents for more information:
              • Configuring IAM
              • Cloud Platform Resource Hierarchy
              • Add IAM Policy Binding
              • Granting, Changing, Revoking Access
              • Access Control for Organizations

            Step-by-Step Guide

            Login to GCP with this

            https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/wiv-ai/GCPOnBoarding.git


            2. Run the Script

            Start the script by executing:

            ./GCPWivOnBoarding.sh
            Bash

            3. Login to GCP

            The script will prompt you to log in to Google Cloud using the gcloud auth login command. Follow the instructions in your terminal to authenticate.

            4. Select Configuration Type

            The script will ask if you want to set up for a standalone project or an entire organization:

            Is this for a standalone project or an entire organization? 1) Standalone Project 2) Entire Organization
            • Standalone Project: Permissions will be set at the project level.
            • Entire Organization: If you choose to set permissions at the organization level, the script will fetch a list of organizations available to you. If there are multiple organizations, you will be prompted to select one.

            5. Enter the Project ID for Service Account Creation

            The script will prompt you for a GCP Project ID where the service account will be created:

            Enter the project ID to create the service account wiv-sa (usually project that contains the billing dataset):

            Enter the project ID, for example, my-gcp-project.

            6. API Enablement

            The script will enable the following APIs on the specified project:

            • recommender.googleapis.com
            • cloudresourcemanager.googleapis.com
            • compute.googleapis.com

            These APIs are necessary for the service account's intended permissions. If they are already enabled, the script will inform you.

            7. Service Account Creation

            The script creates a new service account named wiv-sa with the display name "Wiv Service Account."

            8. Generate Service Account Key

            The script will generate a key for the service account and save it as key.json in the current directory. This key file is essential for applications or scripts that need to authenticate as the service account.

            9. Assign IAM Roles

            The script will assign the following IAM roles to the service account at either the organization or project level:

            • roles/recommender.computeViewer
            • roles/recommender.viewer
            • roles/monitoring.viewer
            • roles/compute.viewer
            • roles/bigquery.jobUser
            • roles/recommender.bigQueryCapacityCommitmentsViewer
            • roles/container.viewer
            • roles/storage.objectViewer
            • roles/bigquery.dataViewer
            • roles/cloudsql.viewer
            • roles/run.viewer
            • roles/cloudfunctions.viewer
            • roles/pubsub.viewer
            • roles/spanner.viewer
            • roles/logging.viewer
            • roles/iam.securityReviewer
            • roles/compute.networkViewer
            • roles/cloudbuild.builds.viewer
            • roles/dataflow.viewer
            • roles/redis.viewer
            • roles/securitycenter.viewer
            • roles/cloudkms.viewer
            • roles/artifactregistry.reader
            • roles/gkebackup.viewer
            • roles/cloudasset.viewer
            • roles/bigquery.resourceViewer

            10. Completion

            After the script finishes running, you'll see a completion message confirming that the service account has been created and configured:

            === Onboarding Complete === Service account wiv-sa@PROJECT_ID.iam.gserviceaccount.com has been created and configured. All necessary permissions have been granted at [organization/project] level for TARGET_ID. Key file has been saved as key.json in the current directory. 
            === Configuration Summary === Service Account Project: PROJECT_ID Key File Name: key.json

            Verify Permissions

            After running the script, verify that the service account has been created and the roles have been assigned correctly in the GCP Console IAM & Admin section.

            Additional Notes

            • Error Handling: If any step fails, the script will print an error message indicating the issue and exit. Check the error message to identify what needs to be corrected (e.g., insufficient permissions or an incorrect project ID).
            • Security: Keep key.json secure as it contains sensitive information. You may want to move it to a safe location or restrict its permissions after the script completes.

            Example Output

            Here's a sample output for a user who chose to apply permissions at the organization level:

            Is this for a standalone project or an entire organization? 1) Standalone Project 2) Entire Organization #? 2 
            Multiple organizations found. Please choose one: 1) Org1 2) Org2 #? 1 
            Enter the project ID to create the service account wiv-sa (usually project that contains the billing dataset): my-gcp-project 
            recommender.googleapis.com is already enabled on project my-gcp-project. cloudresourcemanager.googleapis.com is already enabled on project my-gcp-project. compute.googleapis.com is already enabled on project my-gcp-project. 
            Created service account [wiv-sa]. Service account key has been exported to the current directory. IAM policy bindings added successfully at organization level (123456789012). 
            === Onboarding Complete === Service account wiv-sa@my-gcp-project.iam.gserviceaccount.com has been created and configured. All necessary permissions have been granted at organization level for 123456789012. Key file has been saved as key.json in the current directory. 
            === Configuration Summary === Service Account Project: my-gcp-project Key File Name: key.json

            Note: Ensure that you have the necessary permissions and understand the implications of assigning roles at the organization level. Misconfigurations can lead to security risks or unintended access to resources within your organization. Always follow the principle of least privilege when assigning roles.

            By following these steps, you can successfully onboard your GCP account to Wiv, allowing for streamlined management and integration of your cloud resources.




            complete the integration

            Attachments (1)

            sh

            GCPWivOnBoar....sh
            8.18 KB

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0