Google Compute Engine
In Google Compute Engine (GCE), an Account maps to a credential able to authenticate against a given Google Cloud Platform (GCP) project.
Prerequisites
You need a Google Cloud Platform (GCP) project to run Spinnaker against. The next steps assume you’ve already created a project and installed gcloud.
You can check that gcloud is installed and authenticated by running:
gcloud info
Downloading credentials
Spinnaker needs a service account to authenticate as against GCE, with the roles enumerated below granted to it. If you don’t already have such a service account, with its JSON key downloaded, you can run the following commands to create one:
SERVICE_ACCOUNT_NAME=spinnaker-gce-account
SERVICE_ACCOUNT_DEST=~/.gcp/gce-account.json
gcloud iam service-accounts create \
$SERVICE_ACCOUNT_NAME \
--display-name $SERVICE_ACCOUNT_NAME
SA_EMAIL=$(gcloud iam service-accounts list \
--filter="displayName:$SERVICE_ACCOUNT_NAME" \
--format='value(email)')
PROJECT=$(gcloud info --format='value(config.project)')
# permission to create/modify instances in your project
gcloud projects add-iam-policy-binding $PROJECT \
--member serviceAccount:$SA_EMAIL \
--role roles/compute.instanceAdmin
# permission to create/modify network settings in your project
gcloud projects add-iam-policy-binding $PROJECT \
--member serviceAccount:$SA_EMAIL \
--role roles/compute.networkAdmin
# permission to create/modify firewall rules in your project
gcloud projects add-iam-policy-binding $PROJECT \
--member serviceAccount:$SA_EMAIL \
--role roles/compute.securityAdmin
# permission to create/modify images & disks in your project
gcloud projects add-iam-policy-binding $PROJECT \
--member serviceAccount:$SA_EMAIL \
--role roles/compute.storageAdmin
# permission to download service account keys in your project
# this is needed by packer to bake GCE images remotely
gcloud projects add-iam-policy-binding $PROJECT \
--member serviceAccount:$SA_EMAIL \
--role roles/iam.serviceAccountActor
mkdir -p $(dirname $SERVICE_ACCOUNT_DEST)
gcloud iam service-accounts keys create $SERVICE_ACCOUNT_DEST \
--iam-account $SA_EMAIL
Once you have run these commands, your GCP JSON key is sitting in a file called $SERVICE_ACCOUNT_DEST.
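Before handing the key to Halyard it is worth confirming that the service account carries exactly the roles granted above and nothing broader, and that the key file itself is sane. The following script is an added example, not part of the Spinnaker documentation or Halyard: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and the downloaded key, with constructed sample data standing in for real project output (the project name, account e-mail and key contents are placeholders).

```python
import json
import stat

# Roles the Prerequisites section binds to the Spinnaker service account.
EXPECTED_ROLES = {
    "roles/compute.instanceAdmin",
    "roles/compute.networkAdmin",
    "roles/compute.securityAdmin",
    "roles/compute.storageAdmin",
    "roles/iam.serviceAccountActor",
}


def audit_roles(policy_json, sa_email, expected=EXPECTED_ROLES):
    """Compare the roles bound to sa_email in a project IAM policy (the JSON
    printed by `gcloud projects get-iam-policy PROJECT --format=json`) with
    the documented set. Returns (missing, extra): a missing role breaks
    Spinnaker; an extra role widens the blast radius of a leaked key."""
    policy = json.loads(policy_json)
    member = "serviceAccount:" + sa_email
    bound = {b["role"] for b in policy.get("bindings", [])
             if member in b.get("members", [])}
    return sorted(expected - bound), sorted(bound - expected)


def key_file_issues(key_json, mode, sa_email):
    """Check a downloaded JSON key: it must be a service_account key for the
    expected account, and the file mode must not be group/world readable."""
    issues = []
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        issues.append("not a service account key")
    if key.get("client_email") != sa_email:
        issues.append("key belongs to " + str(key.get("client_email")))
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append("key file is readable by group or others")
    return issues


# Constructed sample data (placeholder project and e-mail), not real output:
# storageAdmin is missing and roles/owner was granted by mistake.
SA_EMAIL = "spinnaker-gce-account@example-project.iam.gserviceaccount.com"
MEMBER = "serviceAccount:" + SA_EMAIL
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/compute.instanceAdmin", "members": [MEMBER]},
    {"role": "roles/compute.networkAdmin", "members": [MEMBER]},
    {"role": "roles/compute.securityAdmin", "members": [MEMBER]},
    {"role": "roles/iam.serviceAccountActor", "members": [MEMBER]},
    {"role": "roles/owner", "members": ["user:alice@example.com", MEMBER]},
]})
SAMPLE_KEY = json.dumps({"type": "service_account", "client_email": SA_EMAIL,
                         "private_key_id": "PLACEHOLDER"})
```

On a real project, feed `audit_roles` the output of the `get-iam-policy` command and `key_file_issues` the key contents plus `os.stat(path).st_mode`; a non-empty `extra` list or any key issue should be fixed before the account is added to Halyard.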
Adding an Account
First, make sure that the provider is enabled:
hal config provider google enable
All that’s required are the following values (we’ve provided defaults for you):
PROJECT=$(gcloud info --format='value(config.project)')
SERVICE_ACCOUNT_DEST=~/.gcp/gce-account.json # the key path from the Prerequisites section above
Finally, add your new google account:
ACCOUNT=my-gce-account
hal config provider google account add $ACCOUNT --project $PROJECT \
--json-path $SERVICE_ACCOUNT_DEST
TODO(lwander or duftler): Add a note about application default credentials.
Advanced account settings
If you are looking for more configurability, please see the other options listed in the Halyard Reference.
Next steps
Optionally, you can set up another cloud provider, but otherwise you’re ready to choose an environment in which to install Spinnaker.