Before you perform tasks on virtual machines (VMs) in Google Distributed Cloud (GDC) air-gapped, you must have the proper Identity and Access Management (IAM) roles and permissions.
Before you begin
To use gdcloud CLI commands, complete the required steps from the gdcloud command-line interface (CLI) sections. All commands for Google Distributed Cloud air-gapped use the gdcloud or kubectl CLI, and require an operating system (OS) environment.
Get the kubeconfig file path
To run commands against the org admin cluster, ensure you have the following resources:
- Locate the org admin cluster name, or ask your Platform Administrator (PA) what the cluster name is.
- Sign in and generate the kubeconfig file for the org admin cluster if you don't have one.
- Use the path to the kubeconfig file of the org admin cluster to replace ORG_ADMIN_KUBECONFIG in these instructions.
About IAM
Distributed Cloud offers Identity and Access Management (IAM) for granular access to specific Distributed Cloud resources, and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and controls who has which permissions on given resources through IAM roles and permissions.
Read the IAM documentation in Sign in, which provides instructions for signing in to the GDC console or the gdcloud CLI and using kubectl to access your workloads.
Predefined roles for VM resources
To create VMs and VM disks in a project, request the appropriate permissions from your Project IAM Admin for a given project. All VM roles must bind to the namespace of the project where the VM resides. To manage virtual machines, your Project IAM Admin can assign you the following predefined roles:
- Project VirtualMachine Admin (project-vm-admin): Manages VMs in the project namespace.
- Project VirtualMachine Image Admin (project-vm-image-admin): Manages VM images in the project namespace.
For a list of all predefined roles for Application Operators (AO), see Role descriptions.
The following are predefined common roles for VMs. For details on common roles, see Common roles.
- VM type viewer (vm-type-viewer): has read access to predefined VM types.
- Public image viewer (public-image-viewer): has read access to images GDC provides.
To grant or receive access to VM resources, see Grant access to project resources.
Verify user access to VM resources
Log in as the user requesting or verifying permissions.
Verify whether you, or the user, can create virtual machines:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i create virtualmachines.virtualmachine.gdc.goog -n PROJECT
Replace the variables by using the following definitions:
- ORG_ADMIN_KUBECONFIG: the system kubeconfig path from gdcloud auth login.
- PROJECT: the project name in which to create VM images.
Interpret the output as follows:
- If the output is yes, you have permissions to create a VM in the project PROJECT.
- If the output is no, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Admin (project-vm-admin) role in the namespace of the project where the VM resides.
Optional: Verify whether users have access to project-level VM images. For example, run the following commands to verify whether they can create and use VirtualMachineImage resources at the project level:
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n PROJECT
kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n PROJECT
Replace the variables by using the following definitions:
- ORG_ADMIN_KUBECONFIG: the admin cluster kubeconfig path.
- PROJECT: the project name where VM images are created.
Interpret the output as follows:
- If the output is yes, the user has permissions to access custom VM images in the project PROJECT.
- If the output is no, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Image Admin (project-vm-image-admin) role in the namespace of the project where the VM resides.
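As an added example (not from the GDC documentation), the following POSIX shell script runs the three kubectl auth can-i checks from this section against one project namespace and prints the predefined role to request for each check that is denied. It assumes kubectl is on PATH and that the kubeconfig path and project name are passed as arguments; the KUBECTL variable is an assumed override for pointing at a different kubectl binary.

```shell
# Added example, not from the GDC docs. Runs the kubectl auth can-i checks
# from this section and maps each denied check to the predefined role to
# request. Assumes kubectl is on PATH; KUBECTL is an assumed override.
KUBECTL="${KUBECTL:-kubectl}"

# can_i KUBECONFIG VERB RESOURCE NAMESPACE -> prints "yes" or "no"
can_i() {
  # kubectl auth can-i prints "no" and exits 1 when denied, so a
  # non-zero exit is an expected answer here, not a failure
  "$KUBECTL" --kubeconfig "$1" auth can-i "$2" "$3" -n "$4" 2>/dev/null || true
}

# missing_roles KUBECONFIG NAMESPACE -> prints, one per line, each predefined
# role that still has to be bound in NAMESPACE; prints nothing when every
# check returns "yes"; returns 2 if kubectl gave neither "yes" nor "no"
missing_roles() {
  kubeconfig=$1
  ns=$2
  roles=""
  # each line: verb, fully qualified resource, role to request when denied
  while read -r verb resource role; do
    ans=$(can_i "$kubeconfig" "$verb" "$resource" "$ns")
    case "$ans" in
      yes) ;;
      no)
        # record each role once even when several checks map to it
        case " $roles " in
          *" $role "*) ;;
          *) roles="$roles $role" ;;
        esac ;;
      *)
        echo "unexpected output for '$verb $resource': '$ans'" >&2
        return 2 ;;
    esac
  done <<EOF
create virtualmachines.virtualmachine.gdc.goog project-vm-admin
get virtualmachineimages.virtualmachine.gdc.goog project-vm-image-admin
create virtualmachineimageimports.virtualmachine.gdc.goog project-vm-image-admin
EOF
  for r in $roles; do echo "$r"; done
}

# Usage: missing_roles "$ORG_ADMIN_KUBECONFIG" "$PROJECT"
```

The checks are evaluated for the identity in the kubeconfig, so run the script after signing in as the user whose access you are verifying.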