Set up Google Cloud resources

In addition to meeting the installation, hardware, and operating system prerequisites, you must configure and set up Google Cloud projects, APIs, and service accounts to run Google Distributed Cloud.

Note that the bmctl command can automatically create the service accounts and enable the APIs at cluster creation time, but you can also set up these services manually for finer control over what is created and with which permissions.

Before you begin

Create a Google Cloud project and a billing account.

During installation, you must provide the following credentials:

  • The private SSH keys needed to access cluster node machines.
  • If you are not using root, the cluster node machine login name.

Ensure you have all the necessary credentials before attempting to install Google Distributed Cloud.

Logging into gcloud

  1. Log in to gcloud as a user with gcloud auth application-default login:

     gcloud auth application-default login

     You need the Project Owner or Editor role to use the automatic API enablement and service account creation features described below. You can also grant the following narrower IAM roles to the user instead:
     • Service Account Admin
     • Service Account Key Admin
     • Project IAM Admin
     • Compute Viewer
     • Service Usage Admin
     Alternatively, if you already have a service account with those roles, point gcloud at its key:

     export GOOGLE_APPLICATION_CREDENTIALS=JSON_KEY_FILE

     JSON_KEY_FILE specifies the path to your service account JSON key file.
  2. Get your Google Cloud project ID to use with cluster creation:

     export CLOUD_PROJECT_ID=$(gcloud config get-value project)


Set your default Google Cloud project ID and roles

You can set your default project ID in addition to configuring service accounts.

You must have owner or editor roles on your project for Google Distributed Cloud.

To set the default project, issue the following command, and replace PROJECT_ID with your Google Cloud project ID:

gcloud config set project PROJECT_ID

Enable APIs

Before you install Google Distributed Cloud, you need to enable several APIs in your associated Google Cloud project. To enable APIs in your project, you must have been granted one of the following roles in the Google Cloud project: roles/owner, roles/editor, or roles/serviceusage.serviceUsageAdmin.

For additional information, see Grant a single role.

After you have the required IAM permissions, enable the following APIs:

  • anthos.googleapis.com
  • anthosaudit.googleapis.com
  • anthosgke.googleapis.com
  • cloudresourcemanager.googleapis.com
  • connectgateway.googleapis.com
  • container.googleapis.com
  • gkeconnect.googleapis.com
  • gkehub.googleapis.com
  • iam.googleapis.com
  • logging.googleapis.com
  • monitoring.googleapis.com
  • opsconfigmonitoring.googleapis.com
  • serviceusage.googleapis.com
  • stackdriver.googleapis.com

You can also use the bmctl tool to enable these services.
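As an added check (example script, not from the original page or from bmctl), the following shell function compares the list above against the services actually enabled in a project and prints the ones still missing, together with the gcloud services enable command that would fix it. It assumes gcloud is authenticated and that the caller can list enabled services (roles/serviceusage.serviceUsageViewer or broader); missing_apis itself works on any list of service names read from stdin, so it can be exercised without a project.

```shell
#!/usr/bin/env sh
# Added example: report which APIs required by Google Distributed Cloud are
# not yet enabled in a project. The required list is the one on this page.
set -eu

REQUIRED_APIS="anthos.googleapis.com
anthosaudit.googleapis.com
anthosgke.googleapis.com
cloudresourcemanager.googleapis.com
connectgateway.googleapis.com
container.googleapis.com
gkeconnect.googleapis.com
gkehub.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
opsconfigmonitoring.googleapis.com
serviceusage.googleapis.com
stackdriver.googleapis.com"

# missing_apis: read enabled service names from stdin (one per line) and print
# every required API that is not among them. Prints nothing when all are enabled.
missing_apis() {
  enabled=$(cat)
  for api in $REQUIRED_APIS; do
    printf '%s\n' "$enabled" | grep -Fqx -- "$api" || echo "$api"
  done
}

# check_project PROJECT_ID: run the comparison against the live project.
# Returns 1 (and prints the fix) if anything is still disabled.
check_project() {
  project="$1"
  enabled=$(gcloud services list --enabled --project="$project" \
              --format='value(config.name)') || return 1
  missing=$(printf '%s\n' "$enabled" | missing_apis)
  if [ -n "$missing" ]; then
    echo "APIs still disabled in $project:" >&2
    echo "$missing" >&2
    echo "Enable them with:" >&2
    echo "  gcloud services enable --project=$project $(echo "$missing" | tr '\n' ' ')" >&2
    return 1
  fi
  echo "all required APIs are enabled in $project"
}

# Usage: ./check-apis.sh PROJECT_ID
if [ $# -eq 1 ]; then
  check_project "$1"
fi
```

Run it after `gcloud services enable` (or after a bmctl cluster creation that was supposed to enable the APIs for you) to confirm nothing was skipped; a non-zero exit makes it usable as a pre-flight step in an automation pipeline.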

Configure service accounts manually

The bmctl command of Google Distributed Cloud can automatically set up Google service accounts and APIs when you create clusters.

However, for more control over your system, or to streamline cluster creation with a default set of services, accounts, and projects, you can set up these services manually.

In production environments, you should create separate service accounts for different purposes. Google Distributed Cloud needs the following different types of Google Cloud service accounts depending on their purpose:

  • To access Container Registry (gcr.io), no special role is required.
  • To register a cluster in a fleet, grant the roles/gkehub.admin IAM role to the service account on your Google Cloud project.
  • To connect to fleets, grant the roles/gkehub.connect IAM role to the service account on your Google Cloud project.
  • To send logs and metrics to Google Cloud Observability, grant the following IAM roles to the service account on your Google Cloud project:

    • roles/logging.logWriter
    • roles/monitoring.metricWriter
    • roles/stackdriver.resourceMetadata.writer
    • roles/monitoring.dashboardEditor
    • roles/opsconfigmonitoring.resourceMetadata.writer

Google Distributed Cloud connects your clusters to Google Cloud. This connection enables the following functionality:

  • Connect, which links your bare metal cluster to Google Cloud. This gives you access to cluster and workload management features, including a unified user interface, the Cloud console, for interacting with your cluster.
  • Logging and Monitoring, which let you view logs and metrics from the cluster in the Cloud console.
  • Automatic uploads of cluster snapshots to Cloud Storage buckets.

The process for manually configuring access includes:

  • Enabling the necessary Google services in your Cloud project.
  • Creating the following service accounts with the necessary roles:
    • connect-agent service account: Connect uses this service account to maintain a connection between your cluster and Google Cloud.
    • connect-register service account: Connect uses this service account to register your clusters with Google Cloud.
    • logging-monitoring service account: the cluster's logging and monitoring agents use this service account to export logs and metrics from clusters to Logging and Monitoring.
    • storage-agent service account: bmctl uses this service account to automatically store snapshots of clusters to Cloud Storage.

  • Downloading the JSON key files for each service account.

You then add references to the JSON key files to the appropriate cluster config files. See Creating clusters: overview for more information.
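Because each key file is a long-lived credential that ends up referenced from the cluster config, it is worth validating before use. The following shell function is an added example (not from the original page) that checks a downloaded key file: that it is a service account key, that client_email and project_id match the account you intended, that it actually contains private key material, and that its file mode keeps other users on the admin workstation from reading it. json_field relies on gcloud writing one JSON field per line, which is how `gcloud iam service-accounts keys create` formats key files; the expected email and project are passed in by the caller.

```shell
#!/usr/bin/env sh
# Added example: sanity-check a service account key file before referencing it
# from a Google Distributed Cloud cluster config.
set -eu

# json_field FILE KEY: extract a top-level string value from a key file with sed,
# so no jq is needed. Key files are flat JSON with one field per line.
json_field() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_key_file FILE EXPECTED_EMAIL EXPECTED_PROJECT: return 0 if every check
# passes; otherwise print each failed check to stderr and return 1.
check_key_file() {
  file="$1" want_email="$2" want_project="$3"
  errors=0
  [ -f "$file" ] || { echo "$file: not found" >&2; return 1; }

  if [ "$(json_field "$file" type)" != "service_account" ]; then
    echo "$file: not a service account key (type is not service_account)" >&2
    errors=$((errors+1))
  fi

  email=$(json_field "$file" client_email)
  if [ "$email" != "$want_email" ]; then
    echo "$file: client_email is '$email', expected '$want_email'" >&2
    errors=$((errors+1))
  fi

  project=$(json_field "$file" project_id)
  if [ "$project" != "$want_project" ]; then
    echo "$file: project_id is '$project', expected '$want_project'" >&2
    errors=$((errors+1))
  fi

  if ! grep -q 'BEGIN PRIVATE KEY' "$file"; then
    echo "$file: contains no private key material" >&2
    errors=$((errors+1))
  fi

  # The key grants whatever roles the account holds; keep it owner-readable only.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "$file: mode is $mode, run: chmod 600 $file" >&2
       errors=$((errors+1)) ;;
  esac

  [ "$errors" -eq 0 ]
}

# Usage: ./check-key.sh connect-agent.json \
#          connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com PROJECT_ID
if [ $# -eq 3 ]; then
  check_key_file "$1" "$2" "$3"
fi
```

Run it once per key file (connect-agent.json, connect-register.json, cloud-ops.json, storage-agent.json) with the matching service account email; a mismatch usually means a key was downloaded for the wrong account or from the wrong project, which otherwise only surfaces later as an authentication failure inside the cluster.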

Configure service accounts for use with Connect

To create the service accounts and key files:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:

     gcloud services enable --project=PROJECT_ID \
         gkeconnect.googleapis.com \
         gkehub.googleapis.com \
         connectgateway.googleapis.com \
         cloudresourcemanager.googleapis.com \
         anthos.googleapis.com

  3. Create the connect-agent service account with the necessary role and download the key file. These steps create the connect-agent.json key file in the baremetal directory:
     1. Create the service account:

        gcloud iam service-accounts create connect-agent-svc-account --project=PROJECT_ID

     2. Grant the gkehub.connect role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/gkehub.connect"

     3. Download the service account JSON key file:

        gcloud iam service-accounts keys create connect-agent.json \
            --project=PROJECT_ID \
            --iam-account=connect-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com

  4. Create the connect-register service account with the necessary role and download the key file. These steps create the connect-register.json key file in the baremetal directory:
     1. Create the service account:

        gcloud iam service-accounts create connect-register-svc-account \
            --project=PROJECT_ID

     2. Grant the gkehub.admin role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role=roles/gkehub.admin

     3. Download the service account JSON key file:

        gcloud iam service-accounts keys create connect-register.json \
            --project=PROJECT_ID \
            --iam-account=connect-register-svc-account@PROJECT_ID.iam.gserviceaccount.com


Configure a service account to audit logs and monitor projects

To create the service account and key file for logging and monitoring:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:

     gcloud services enable --project=PROJECT_ID \
         anthos.googleapis.com \
         anthosaudit.googleapis.com \
         anthosgke.googleapis.com \
         cloudresourcemanager.googleapis.com \
         gkeconnect.googleapis.com \
         gkehub.googleapis.com \
         logging.googleapis.com \
         monitoring.googleapis.com \
         opsconfigmonitoring.googleapis.com \
         serviceusage.googleapis.com \
         stackdriver.googleapis.com

  3. Create the logging-monitoring service account with the necessary roles and download the key file. These steps create the cloud-ops.json key file in the baremetal directory:
     1. Create the service account:

        gcloud iam service-accounts create logging-monitoring-svc-account \
            --project=PROJECT_ID

     2. Grant the roles/logging.logWriter role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/logging.logWriter"

     3. Grant the roles/monitoring.metricWriter role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/monitoring.metricWriter"

     4. Grant the roles/stackdriver.resourceMetadata.writer role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/stackdriver.resourceMetadata.writer"

     5. Grant the roles/opsconfigmonitoring.resourceMetadata.writer role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/opsconfigmonitoring.resourceMetadata.writer"

     6. Grant the roles/monitoring.dashboardEditor role:

        gcloud projects add-iam-policy-binding PROJECT_ID \
            --member="serviceAccount:logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
            --role="roles/monitoring.dashboardEditor"

     7. Download the service account JSON key file:

        gcloud iam service-accounts keys create cloud-ops.json \
            --project=PROJECT_ID \
            --iam-account=logging-monitoring-svc-account@PROJECT_ID.iam.gserviceaccount.com


Configure a service account that can access a Cloud Storage bucket

You use a service account and key file to access Cloud Storage. You can use this service account to enable snapshots of clusters to be automatically uploaded to Cloud Storage buckets, or to import virtual machine (VM) images from Cloud Storage buckets for use with VM Runtime on Google Distributed Cloud.

To create the service account and key file, complete the following steps:

  1. Make sure you are in the baremetal directory.
  2. Enable the necessary Google services in your Cloud project:

     gcloud services enable --project=PROJECT_ID \
         storage.googleapis.com

  3. Create a service account that your cluster can use to access Cloud Storage buckets:

     gcloud iam service-accounts create storage-agent-svc-account \
         --project=PROJECT_ID

  4. Grant the storage.admin role to the service account so that it can upload data to a Cloud Storage bucket or import VM images:

     gcloud projects add-iam-policy-binding PROJECT_ID \
         --member="serviceAccount:storage-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com" \
         --role="roles/storage.admin"

  5. Download the service account JSON key file:

     gcloud iam service-accounts keys create storage-agent.json \
         --project=PROJECT_ID \
         --iam-account=storage-agent-svc-account@PROJECT_ID.iam.gserviceaccount.com
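
The three procedures above (Connect, logging and monitoring, Cloud Storage) follow one pattern: create the account, bind its roles, download its key. The script below is an added example, not part of the original page and not a Google tool, that performs all four accounts from a single helper using the account names, roles and key file names given in those procedures. Its plan mode prints the gcloud commands it would run so they can be reviewed, and apply mode executes them; in apply mode it also skips creating an account that already exists, so re-running after a partial failure is safe. It assumes PROJECT_ID is exported and gcloud is authenticated as described under "Logging into gcloud".

```shell
#!/usr/bin/env sh
# Added example: create the Google Distributed Cloud service accounts, bind
# their roles and download their keys with one helper.
# Usage:  PROJECT_ID=my-project ./gdc-service-accounts.sh plan    # print commands
#         PROJECT_ID=my-project ./gdc-service-accounts.sh apply   # run them
set -eu

# gcloud_cmd: print the gcloud command in plan mode, execute it in apply mode.
gcloud_cmd() {
  if [ "${MODE:-plan}" = "apply" ]; then
    gcloud "$@"
  else
    printf 'gcloud %s\n' "$*"
  fi
}

# sa_roles NAME: the roles each account needs, as listed in the procedures above.
sa_roles() {
  case "$1" in
    connect-agent-svc-account)      echo "roles/gkehub.connect" ;;
    connect-register-svc-account)   echo "roles/gkehub.admin" ;;
    logging-monitoring-svc-account) echo "roles/logging.logWriter roles/monitoring.metricWriter roles/stackdriver.resourceMetadata.writer roles/opsconfigmonitoring.resourceMetadata.writer roles/monitoring.dashboardEditor" ;;
    storage-agent-svc-account)      echo "roles/storage.admin" ;;
    *) echo "unknown service account: $1" >&2; return 1 ;;
  esac
}

# sa_keyfile NAME: the key file name the cluster config will reference.
sa_keyfile() {
  case "$1" in
    connect-agent-svc-account)      echo "connect-agent.json" ;;
    connect-register-svc-account)   echo "connect-register.json" ;;
    logging-monitoring-svc-account) echo "cloud-ops.json" ;;
    storage-agent-svc-account)      echo "storage-agent.json" ;;
    *) return 1 ;;
  esac
}

# create_service_account PROJECT NAME: create the account (unless it already
# exists), bind each of its roles, and download its key with a private file mode.
create_service_account() {
  local project="$1" name="$2" role keyfile
  local email="${name}@${project}.iam.gserviceaccount.com"
  if [ "${MODE:-plan}" = "apply" ] && \
     gcloud iam service-accounts describe "$email" --project="$project" >/dev/null 2>&1; then
    echo "$email already exists, skipping create" >&2
  else
    gcloud_cmd iam service-accounts create "$name" --project="$project"
  fi
  for role in $(sa_roles "$name"); do
    gcloud_cmd projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${email}" --role="$role"
  done
  keyfile=$(sa_keyfile "$name")
  gcloud_cmd iam service-accounts keys create "$keyfile" \
    --project="$project" --iam-account="$email"
  if [ "${MODE:-plan}" = "apply" ]; then
    chmod 600 "$keyfile"   # the key is a long-lived credential; keep it private
  fi
}

# setup_all PROJECT: run create_service_account for the four accounts on this page.
setup_all() {
  local project="$1" name
  for name in connect-agent-svc-account connect-register-svc-account \
              logging-monitoring-svc-account storage-agent-svc-account; do
    create_service_account "$project" "$name"
  done
}

if [ "${1:-}" = "plan" ] || [ "${1:-}" = "apply" ]; then
  : "${PROJECT_ID:?set PROJECT_ID to your Google Cloud project ID}"
  MODE="$1"
  setup_all "$PROJECT_ID"
fi
```

Two points worth keeping in mind when you run it. Every key file produced here is a bearer credential for whatever roles the account holds, so treat the baremetal directory accordingly and do not commit the .json files to source control. And roles/storage.admin at project level, which is what this page grants the storage account, is broad: if that account will only upload snapshots, a narrower role such as roles/storage.objectCreator bound on the target bucket alone is worth considering in place of the project-wide binding.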

For more information about how to create cluster snapshots and automatically upload them to a Cloud Storage bucket, see Create snapshots to help diagnose cluster problems.

For more information on how to import VM images from Cloud Storage, see Create and use credentials to import images from Cloud Storage for VM Runtime on Google Distributed Cloud.