GCP Onboarding Process

Modified on Tue, 22 Apr at 1:56 PM

 

Introduction

This documentation provides a comprehensive guide to onboarding a GCP account to Wiv using a script that automates the creation of a service account, the generation of a service account key, and the assignment of predefined roles to the service account at either the organization or project level.

Prerequisites

  • Permissions: You must have the necessary permissions to perform actions in the GCP project and organization. Refer to the following documents for more information:
    • Configuring IAM
    • Cloud Platform Resource Hierarchy
    • Add IAM Policy Binding
    • Granting, Changing, Revoking Access
    • Access Control for Organizations

Step-by-Step Guide

1. Open the Onboarding Repository in Cloud Shell

Log in to GCP and open the onboarding script repository in Cloud Shell with this link:

https://shell.cloud.google.com/cloudshell/editor?cloudshell_git_repo=https://github.com/wiv-ai/GCPOnBoarding.git


2. Run the Script

Start the script by executing:

./GCPWivOnBoarding.sh

3. Login to GCP

The script will prompt you to log in to Google Cloud using the gcloud auth login command. Follow the instructions in your terminal to authenticate.

4. Select Configuration Type

The script will ask if you want to set up for a standalone project or an entire organization:

Is this for a standalone project or an entire organization? 1) Standalone Project 2) Entire Organization
  • Standalone Project: Permissions will be set at the project level.
  • Entire Organization: If you choose to set permissions at the organization level, the script will fetch a list of organizations available to you. If there are multiple organizations, you will be prompted to select one.

5. Enter the Project ID for Service Account Creation

The script will prompt you for a GCP Project ID where the service account will be created:

Enter the project ID to create the service account wiv-sa (usually project that contains the billing dataset):

Enter the project ID, for example, my-gcp-project.

6. API Enablement

The script will enable the following APIs on the specified project:

  • recommender.googleapis.com
  • cloudresourcemanager.googleapis.com
  • compute.googleapis.com

These APIs are necessary for the service account's intended permissions. If they are already enabled, the script will inform you.

7. Service Account Creation

The script creates a new service account named wiv-sa with the display name "Wiv Service Account."

8. Generate Service Account Key

The script will generate a key for the service account and save it as key.json in the current directory. This key file is essential for applications or scripts that need to authenticate as the service account.

9. Assign IAM Roles

The script will assign the following IAM roles to the service account at either the organization or project level:

  • roles/recommender.computeViewer
  • roles/recommender.viewer
  • roles/monitoring.viewer
  • roles/compute.viewer
  • roles/bigquery.jobUser
  • roles/recommender.bigQueryCapacityCommitmentsViewer
  • roles/container.viewer
  • roles/storage.objectViewer
  • roles/bigquery.dataViewer
  • roles/cloudsql.viewer
  • roles/run.viewer
  • roles/cloudfunctions.viewer
  • roles/pubsub.viewer
  • roles/spanner.viewer
  • roles/logging.viewer
  • roles/iam.securityReviewer
  • roles/compute.networkViewer
  • roles/cloudbuild.builds.viewer
  • roles/dataflow.viewer
  • roles/redis.viewer
  • roles/securitycenter.viewer
  • roles/cloudkms.viewer
  • roles/artifactregistry.reader
  • roles/gkebackup.viewer
  • roles/cloudasset.viewer
  • roles/bigquery.resourceViewer

10. Completion

After the script finishes running, you'll see a completion message confirming that the service account has been created and configured:

=== Onboarding Complete ===
Service account wiv-sa@PROJECT_ID.iam.gserviceaccount.com has been created and configured.
All necessary permissions have been granted at [organization/project] level for TARGET_ID.
Key file has been saved as key.json in the current directory.

=== Configuration Summary ===
Service Account Project: PROJECT_ID
Key File Name: key.json

Verify Permissions

After running the script, verify that the service account has been created and the roles have been assigned correctly in the GCP Console IAM & Admin section.
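The check below is an added example, not part of the Wiv script or of this page: it lists the roles bound to wiv-sa with gcloud and compares them with the role list from step 9, reporting documented roles that are missing (a broken integration) and any roles beyond that list (over-privilege). The gcloud --flatten/--filter idiom for listing one member's roles is standard; the WIV_CHECK_TARGET and WIV_SA variable names and the constructed sample are this example's own.

```shell
#!/bin/sh
# Added post-onboarding check (not part of the Wiv script): compare the roles actually
# bound to wiv-sa with the list from the "Assign IAM Roles" step of the guide.

# The 26 roles the guide says the script grants, separated by spaces/newlines.
EXPECTED_ROLES="roles/recommender.computeViewer roles/recommender.viewer roles/monitoring.viewer
roles/compute.viewer roles/bigquery.jobUser roles/recommender.bigQueryCapacityCommitmentsViewer
roles/container.viewer roles/storage.objectViewer roles/bigquery.dataViewer roles/cloudsql.viewer
roles/run.viewer roles/cloudfunctions.viewer roles/pubsub.viewer roles/spanner.viewer
roles/logging.viewer roles/iam.securityReviewer roles/compute.networkViewer
roles/cloudbuild.builds.viewer roles/dataflow.viewer roles/redis.viewer roles/securitycenter.viewer
roles/cloudkms.viewer roles/artifactregistry.reader roles/gkebackup.viewer roles/cloudasset.viewer
roles/bigquery.resourceViewer"

expected_roles() { printf '%s\n' "$EXPECTED_ROLES" | tr -s ' ' '\n' | sort -u; }

# Roles bound to one member on a project or organization, one per line.
# $1 = projects|organizations, $2 = PROJECT_ID or ORG_ID, $3 = service account email.
fetch_bound_roles() {
  gcloud "$1" get-iam-policy "$2" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$3" \
    --format="value(bindings.role)"
}

# Documented roles that are absent from the bound roles read on stdin.
missing_roles() {
  have=$(sort -u)
  expected_roles | while IFS= read -r role; do
    printf '%s\n' "$have" | grep -qxF -- "$role" || printf '%s\n' "$role"
  done
}

# Bound roles (stdin) outside the documented list, e.g. roles/owner or roles/editor.
unexpected_roles() {
  sort -u | while IFS= read -r role; do
    [ -n "$role" ] || continue
    expected_roles | grep -qxF -- "$role" || printf '%s\n' "$role"
  done
}

# Live check against GCP; runs only when WIV_CHECK_TARGET is set, e.g.
#   WIV_CHECK_TARGET=organizations/123456789012 \
#   WIV_SA=wiv-sa@my-gcp-project.iam.gserviceaccount.com sh check_wiv_sa.sh
if [ -n "${WIV_CHECK_TARGET:-}" ]; then
  bound=$(fetch_bound_roles "${WIV_CHECK_TARGET%%/*}" "${WIV_CHECK_TARGET#*/}" "$WIV_SA")
  echo "Documented roles missing:"; printf '%s\n' "$bound" | missing_roles
  echo "Roles beyond the documented list:"; printf '%s\n' "$bound" | unexpected_roles
fi
```

Run it once with WIV_CHECK_TARGET=projects/PROJECT_ID for a standalone-project setup and once with the organization for an organization-level setup; an empty "missing" list and an empty "beyond" list mean the bindings match the guide.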

Additional Notes

  • Error Handling: If any step fails, the script will print an error message indicating the issue and exit. Check the error message to identify what needs to be corrected (e.g., insufficient permissions or an incorrect project ID).
  • Security: Keep key.json secure. It is the service account's private key, and anyone who holds it can authenticate as wiv-sa with every role granted above. Move it to a safe location or restrict its file permissions after the script completes.

Example Output

Here's a sample output for a user who chose to apply permissions at the organization level:

Is this for a standalone project or an entire organization?
1) Standalone Project
2) Entire Organization
#? 2
Multiple organizations found. Please choose one:
1) Org1
2) Org2
#? 1
Enter the project ID to create the service account wiv-sa (usually project that contains the billing dataset): my-gcp-project
recommender.googleapis.com is already enabled on project my-gcp-project.
cloudresourcemanager.googleapis.com is already enabled on project my-gcp-project.
compute.googleapis.com is already enabled on project my-gcp-project.
Created service account [wiv-sa].
Service account key has been exported to the current directory.
IAM policy bindings added successfully at organization level (123456789012).

=== Onboarding Complete ===
Service account wiv-sa@my-gcp-project.iam.gserviceaccount.com has been created and configured.
All necessary permissions have been granted at organization level for 123456789012.
Key file has been saved as key.json in the current directory.

=== Configuration Summary ===
Service Account Project: my-gcp-project
Key File Name: key.json

Note: Ensure that you have the necessary permissions and understand the implications of assigning roles at the organization level. Misconfigurations can lead to security risks or unintended access to resources within your organization. Always follow the principle of least privilege when assigning roles.

By following these steps, you can successfully onboard your GCP account to Wiv, allowing for streamlined management and integration of your cloud resources.
