Google Cloud project configuration

The steps below walk you through the process of creating and configuring service accounts and keys, to provide the required permissions on your Google Cloud project.

This section can be completed before you receive the appliance.

When you're done, you'll have created and/or configured the following service accounts and keys.

Service account Description
edge-appliance The appliance service account. The service account name must be unique for each appliance in your project, so the name of a specific appliance's service account may differ from the name used in this document.
gke-register-sa The Anthos cluster registration service account.
project-CUSTOMER_IDENTIFIER@storage-transfer-service.iam.gserviceaccount.com The Storage Transfer Service service account.
ta-SESSION_ID@transfer-appliance-zimbru.iam.gserviceaccount.com A session service account that is tied to this particular appliance. The name of this service account is provided to you in an email titled Prepare Permissions and Access for Google Edge Appliance.
Service account key Description
key.json The appliance service account key.
register_key.json The Anthos cluster registration service account key.

Configure your Google Cloud project

We strongly recommend creating a separate Google Cloud project that will be exclusively used for your appliances. Appliances require some project level permissions; a separate project ensures that appliances deployed at edge locations cannot be used to access or disrupt other Google Cloud projects containing sensitive resources.

Enable the required APIs using gcloud or the Google Cloud console.

When using gcloud we recommend using Cloud Shell. If you're not using Cloud Shell, you may need to install and configure the gcloud tool in your environment.

Open Cloud Shell

gcloud

This document uses $PROJECT_ID in sample code to refer to your unique project name. You can use this variable in your examples if you first assign your own project ID to the variable:

export PROJECT_ID=YOUR_PROJECT_ID

Then, execute the following commands.

gcloud auth login
gcloud config set project $PROJECT_ID
gcloud services enable \
    anthos.googleapis.com \
    anthosgke.googleapis.com \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    stackdriver.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    pubsub.googleapis.com \
    storagetransfer.googleapis.com \
    anthosaudit.googleapis.com \
    opsconfigmonitoring.googleapis.com

Google Cloud console

Follow these instructions to enable the following APIs from the Google Cloud console:

Create and configure the appliance service account

Create the service account to be used in the appliance, grant it the necessary permissions, and download the key file. You'll need to provide this key to the person configuring the Edge Appliance.

gcloud 

# Specify the destination bucket name. Do not include the gs:// prefix.
export DESTINATION_BUCKET=YOUR_BUCKET_NAME

# Create service account.
# The service account name needs to be unique for each appliance
export SA_NAME=edge-appliance
gcloud iam service-accounts create $SA_NAME

# Grant project permissions
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/gkehub.connect"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/logging.logWriter"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/monitoring.metricWriter"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/monitoring.dashboardEditor"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/opsconfigmonitoring.resourceMetadata.writer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/stackdriver.resourceMetadata.writer"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storagetransfer.admin"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/storagetransfer.transferAgent"

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.viewer"

# If online transfer will be enabled, grant bucket permissions
gsutil iam ch serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com:admin gs://$DESTINATION_BUCKET

# Download key file
gcloud iam service-accounts keys create key.json \
  --iam-account=$SA_NAME@${PROJECT_ID}.iam.gserviceaccount.com

Google Cloud console

Follow the instructions here to create a service account from the console. The service account name needs to be unique for each appliance. This document uses edge-appliance in its examples.

Grant the following roles:

  • GKE Connect Agent
  • Logs Writer
  • Monitoring Editor
  • Stackdrive Resource Metadata Writer
  • Pub/Sub Editor
  • Storage Transfer Admin
  • Storage Transfer Transfer Agent
  • Compute Viewer

Follow the instructions here to grant Storage Admin permissions to your service account on your destination bucket.

Finally, follow these instructions to create and download the key file for the service account. Rename the key file to key.json.

Create and configure the cluster registration service account

Create the service account for registering your Anthos cluster, grant it the necessary permissions, and download the key file. You'll need to provide this key to the person configuring the Edge Appliance.

This service account can be used across all of your appliances, but a new key should be generated for each appliance.

gcloud 

# Create service account
export SA_NAME=gke-register-sa
gcloud iam service-accounts create $SA_NAME

# Grant project permissions
# If asked to specify a condition select 'None'
gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/gkehub.admin"

# Download key file
gcloud iam service-accounts keys create register_key.json \
  --iam-account=$SA_NAME@$PROJECT_ID.iam.gserviceaccount.com

Google Cloud console

Follow the instructions here to create a service account named gke-register-sa from the console.

Grant the following roles:

  • GKE Hub Admin

Follow these instructions to create and download the key file for the service account. Rename the key file to register_key.json.

Create and configure the Storage Transfer Service service account

Grant the necessary permissions to the Storage Transfer service account. This is a Google-created service account that is created the first time you call googleServiceAccounts/get from the Storage Transfer Service endpoint.

To create the service account and retrieve its email:

  1. Go to the googleServiceAccounts/get reference page.
  2. In the Try this method pane on the right side of the page, enter your project ID and click execute.

Note the value of accountEmail in the API response. It uses the format project-CUSTOMER_IDENTIFIER@storage-transfer-service.iam.gserviceaccount.com.

Then, follow the instructions below to assign the required role and permissions.

gcloud 

export SERVICE_AGENT=SERVICE_ACCOUNT_EMAIL

gcloud projects add-iam-policy-binding $PROJECT_ID \
  --member="serviceAccount:$SERVICE_AGENT" \
  --role="roles/pubsub.editor"

gsutil iam ch serviceAccount:$SERVICE_AGENT:admin gs://$DESTINATION_BUCKET

Google Cloud console

  • Follow the steps here to grant the Pub/Sub Editor role to the service account.
  • Follow the instructions here to grant Storage Admin permissions to the service account on your destination bucket.

Prepare the Cloud KMS key

Transfer Appliance secures your data on the appliance by encrypting the data before you ship the appliance back to us. A Cloud Key Management Service (Cloud KMS) public key is used to encrypt your data on Transfer Appliance, and a private key is used to decrypt your data.

We use the session service account from Prepare the destination Cloud Storage bucket to upload the data from the appliance to your Cloud Storage bucket.

You have the following options for managing encryption keys:

  • Google-managed encryption keys. You can request that we create and manage the Cloud KMS keys for you. If you want to use this method, you are done with configuring your Google Cloud project and you can continue with steps described in Receive your appliance.

  • Create and manage encryption keys yourself. You create and manage the encryption keys used for your transfer, by following the directions below. You prepare a Cloud KMS asymmetric decryption key and add the session service account to the key. The session service account uses the asymmetric decryption key to decrypt and copy your data to Cloud Storage.

To prepare Cloud KMS keys, do the following:

  1. If you don't have a Cloud Key Management Service key ring, do the following to create one:

    Google Cloud Console

    1. Go to the Cryptographic Keys page in the Google Cloud console.

      Go to the Cryptographic Keys page

    2. Click Create key ring.

    3. In the Key ring name field, enter the desired name for your key ring.

    4. From the Key ring location dropdown, select a location like "us-east1".

    5. Click Create.

    Command line

    gcloud kms keyrings create KEY_RING --location=LOCATION --project=PROJECT_ID

    In this example:

    • LOCATION: The Cloud Key Management Service location for the key ring. For example, global.
    • KEY_RING: The key ring's name.
    • PROJECT_ID: The Google Cloud project ID that your storage bucket is under.

  2. Create an asymmetric decryption key by doing the following:

    Google Cloud Console

    1. Go to the Cryptographic Keys page in the Google Cloud console.

      Go to the Cryptographic Keys page

    2. Click the name of the key ring that you want to create a key for.

    3. Click Create key.

    4. In the What type of key do you want to create? section, choose Generated key.

    5. In the Key name field, enter the name for your key.

    6. Click the Protection level dropdown and select Software.

    7. Click the Purpose dropdown and select Asymmetric decrypt.

    8. Click the Algorithm dropdown and select 4096-bit RSA - OAEP Padding - SHA256 Digest

    9. Click Create.

    Command line

    Run the following command to create an asymmetric decryption key:

    gcloud kms keys create KEY --keyring=KEY_RING \
--location=LOCATION --purpose=asymmetric-encryption \
--default-algorithm=rsa-decrypt-oaep-4096-sha256 \
--project=PROJECT_ID

    In this example:

    • KEY: The name of the Cloud Key Management Service key. For example, ta-key.
    • KEY_RING: The key ring's name.
    • LOCATION: The Cloud Key Management Service location for the key ring. For example, global.
    • PROJECT_ID: The Google Cloud project ID that your storage bucket is under.

  3. Add the session service account as a principal to the asymmetric key by doing the following:

    Google Cloud Console

    1. Go to the Cryptographic Keys page in Google Cloud console.

      Go to the Cryptographic Keys page

    2. Click the key ring that contains your asymmetric key.

    3. Select the checkbox for the asymmetric key.

    4. In the Info panel, click Add principal.

      Add principals is displayed.

    5. In the New principals field, enter the session service account provided by the Transfer Appliance Team. It looks like the following example:

      ta-SESSION_ID@transfer-appliance-zimbru.iam.gserviceaccount.com

      In this example, SESSION_ID is the session ID for this particular transfer.

    6. In the Select a role field, add the Cloud KMS CryptoKey Public Key Viewer role.

    7. Click Save.

    Command line

    Run the following command to grant the session service account the roles/cloudkms.publicKeyViewer role:

    gcloud kms keys add-iam-policy-binding KEY \
--keyring=KEY_RING --location=LOCATION \
--member=serviceAccount:ta-SESSION_ID@transfer-appliance-zimbru.iam.gserviceaccount.com \
--role=roles/cloudkms.publicKeyViewer

    In this example:

    • KEY: The name of the Cloud Key Management Service key. For example, ta-key.
    • KEY_RING: The key ring's name.
    • LOCATION: The Cloud Key Management Service location for the key ring. For example, global.
    • SESSION_ID: The session ID for this particular transfer.

  4. Obtain your asymmetric key's path by doing the following:

    Google Cloud Console

    1. Go to the Cryptographic Keys page in the Google Cloud console.

      Go to the Cryptographic Keys page

    2. Click the key ring that contains your asymmetric decryption key.

    3. Click the asymmetric decryption key's name.

    4. Select the key version that you want, and click More .

    5. Click Copy Resource Name.

      An example of the key format is:

      projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY/cryptoKeyVersions/VERSION_NUMBER

      In this example:

      • PROJECT_ID: The Google Cloud project ID that your storage bucket is under.
      • LOCATION: The Cloud Key Management Service location for the key ring.
      • KEY_RING: The key ring's name.
      • KEY: The name of the Cloud Key Management Service key.
      • VERSION_NUMBER: The key's version number.

      The Transfer Appliance Team requires the entire key path, including the version number, so they can apply the correct key to your data.

    Command line

    Run the following command to list your asymmetric key's full path, including its version number:

    gcloud kms keys versions list --keyring=KEY_RING \
--key=KEY --location=LOCATION \
--project=PROJECT_ID

    In this example:

    • KEY_RING: The name of your key ring.
    • KEY: The name of your asymmetric key.
    • LOCATION: The Google Cloud location of the key ring.
    • PROJECT_ID: The Google Cloud project ID that your storage bucket is under.

    The following sample response resembles the output that is returned:

    NAME STATE
projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY/cryptoKeyVersions/VERSION_NUMBER
ENABLED

    In this example:

    • PROJECT_ID: The Google Cloud project ID that your storage bucket is under.
    • LOCATION: The Cloud Key Management Service location for the key ring.
    • KEY_RING: The key ring's name.
    • KEY: The name of the Cloud Key Management Service key.
    • VERSION_NUMBER: The key's version number.

    The Transfer Appliance Team requires the string under NAME that ends in /cryptoKeyVersions/VERSION_NUMBER, where VERSION_NUMBER is your key's version number.