Before you perform tasks on virtual machines (VM) in Google Distributed Cloud (GDC) air-gapped appliance, you must have the proper identity and access (IAM) roles and permissions.
GDC air-gapped appliance offers Identity and Access Management (IAM) for granular access to specific GDC air-gapped appliance resources and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and provides control over who, or identity, has which permissions, or roles, and to which resources. You must have the necessary roles and permissions assigned to you before you can work with virtual machines (VMs).
Before you begin
To use gdcloud CLI commands, complete the required steps from the gdcloud command-line interface (CLI) sections. All commands for Google Distributed Cloud air-gapped appliance use the gdcloud or kubectl CLI, and require an operating system (OS) environment.
Get the kubeconfig file paths
Run gdcloud auth login to the Management API server. Record the path to the generated file. The following is an example of the path to record:
/tmp/admin-kubeconfig-with-user-identity.yaml
Use the path to replace MANAGEMENT_API_SERVER in these instructions.
About IAM
GDC air-gapped appliance offers Identity and Access Management (IAM) for granular access to specific GDC air-gapped appliance resources and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and provides control over who has permission to given resources using IAM roles and permissions.
Read the IAM documentation in Sign in, which provides instructions for signing in to the GDC console or the gdcloud CLI and using kubectl to access your workloads.
Predefined roles for VM resources
To create VMs and VM disks in a project, request the appropriate permissions from your Project IAM Admin for a given project. To manage virtual machines, your Project IAM Admin can assign you the following predefined roles:
- Project VirtualMachine Admin: Manages VMs in the project namespace.
- Project VirtualMachine Image Admin: Manages VM images in the project namespace.
For a list of all predefined roles for Application Operators (AO), see Role descriptions.
The following are predefined common roles for VMs. For details on common roles, see Common roles.
- VM type viewer: has read access to predefined VM types.
- Public image viewer: has read access to images GDC air-gapped appliance provides.
To grant or receive access to VM resources, see Grant access to project resources.
Verify user access to VM resources
1. Log in as the user requesting or verifying permissions.
2. Verify whether you, or the user, can create virtual machines:
   kubectl --kubeconfig MANAGEMENT_API_SERVER auth can-i create virtualmachines.virtualmachine.gdc.goog -n PROJECT
   Replace the variables by using the following definitions.
   - MANAGEMENT_API_SERVER: The Management API server kubeconfig path from gdcloud auth login.
   - PROJECT: The project in which to create VMs.
   If the output is yes, you have permissions to create a VM in the project PROJECT. If the output is no, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Admin (project-vm-admin) role.
3. Optional: Verify whether users have access to project-level VM images and whether they can create and use VirtualMachineImage resources at the project level:
   kubectl --kubeconfig MANAGEMENT_API_SERVER auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n PROJECT
   kubectl --kubeconfig MANAGEMENT_API_SERVER auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n PROJECT
   Replace the variables by using the following definitions.
   - MANAGEMENT_API_SERVER: The Management API server kubeconfig path.
   - PROJECT: The project name where VM images are created.
   - If the output is yes, the user has permissions to access custom VM images in the project PROJECT.
   - If the output is no, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Image Admin (project-vm-image-admin) role.
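As an added example that is not part of the GDC documentation, the following POSIX shell script runs the three auth can-i checks from this section in one pass and maps each missing permission to the predefined role to request from the Project IAM Admin. It assumes MANAGEMENT_API_SERVER and PROJECT are exported by the caller; the KUBECTL variable is a hypothetical override that lets the script be exercised against a stub without a cluster.

```shell
#!/bin/sh
# Added example (not from the GDC documentation): run the page's
# "auth can-i" checks for VM resources and report which predefined
# role grants each missing permission.
# Assumptions: MANAGEMENT_API_SERVER and PROJECT are set by the caller.
# KUBECTL is a hypothetical override (defaults to kubectl) for stubbing.

KUBECTL="${KUBECTL:-kubectl}"

# can_i VERB RESOURCE -> prints "yes" or "no" exactly as kubectl reports it
can_i() {
  "$KUBECTL" --kubeconfig "$MANAGEMENT_API_SERVER" \
    auth can-i "$1" "$2" -n "$PROJECT" 2>/dev/null
}

# role_for RESOURCE -> predefined role named on this page for that resource
role_for() {
  case "$1" in
    virtualmachines.virtualmachine.gdc.goog)
      echo "project-vm-admin" ;;
    virtualmachineimages.virtualmachine.gdc.goog|virtualmachineimageimports.virtualmachine.gdc.goog)
      echo "project-vm-image-admin" ;;
    *)
      echo "unknown" ;;
  esac
}

# check_vm_access -> one line per check; returns 0 only when every answer is yes
check_vm_access() {
  rc=0
  for pair in \
    "create virtualmachines.virtualmachine.gdc.goog" \
    "get virtualmachineimages.virtualmachine.gdc.goog" \
    "create virtualmachineimageimports.virtualmachine.gdc.goog"; do
    verb="${pair%% *}"
    res="${pair#* }"
    answer="$(can_i "$verb" "$res")"
    if [ "$answer" = "yes" ]; then
      echo "OK   $verb $res"
    else
      echo "MISSING $verb $res -> request role $(role_for "$res")"
      rc=1
    fi
  done
  return $rc
}

# Run the checks only when the caller has set PROJECT (keeps sourcing side-effect free).
if [ -n "${PROJECT:-}" ]; then
  check_vm_access
fi
```

Run it as MANAGEMENT_API_SERVER=/path/to/kubeconfig PROJECT=my-project sh check-vm-access.sh; a non-zero exit status means at least one role is missing.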