IAM permissions preparation

Before you perform tasks on virtual machines (VMs), you must have the proper Identity and Access Management (IAM) roles and permissions.

Before you begin

To use gdcloud CLI commands, complete the required steps in the gdcloud command-line interface (CLI) sections. All commands for Google Distributed Cloud Hosted use the gdcloud or kubectl CLI and must be run from an operating system (OS) shell environment.

Get the kubeconfig file paths

  1. Run gdcloud auth login to sign in to the admin cluster.

    1. Record the path to the generated kubeconfig file. The following is an example of the path to record:
      /tmp/admin-kubeconfig-with-user-identity.yaml

    2. Use that path to replace ORG_ADMIN_KUBECONFIG in these instructions.

About IAM

Distributed Cloud Hosted offers Identity and Access Management (IAM) for granular access to specific Distributed Cloud Hosted resources and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and provides control over who has permission to given resources using IAM roles and permissions.

Read the IAM documentation in Sign in, which provides instructions for signing in to the GDCH console or the gdcloud CLI and using kubectl to access your workloads.

Predefined roles for VM resources

To create VMs and VM disks in a project, request the appropriate permissions from the Project IAM Admin for that project. To manage virtual machines, your Project IAM Admin can assign you the following predefined roles:

  • Project VirtualMachine Admin: Manages VMs in the project namespace.
  • Project VirtualMachine Image Admin: Manages VM images in the project namespace.
  • VM Admin: Manages VMs and disks in user clusters.

For a list of all predefined roles for Application Operators (AO), see Role descriptions.

The following are predefined common roles for VMs. For details on common roles, see Common roles.

  • VM type viewer: has read access to predefined VM types.
  • Public image viewer: has read access to images Distributed Cloud Hosted provides.

To grant or receive access to VM resources, see Grant access to project resources.

Verify user access to VM resources

  1. Log in as the user whose permissions you are verifying. kubectl auth can-i reports the permissions of the identity in the kubeconfig it is given, so use a kubeconfig generated by that user's gdcloud auth login.

  2. Verify whether you, or the user, can create virtual machines:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i create virtualmachines.virtualmachine.gdc.goog -n PROJECT

    Replace the variables by using the following definitions.

    Variable               Replacement
    ORG_ADMIN_KUBECONFIG   The kubeconfig path recorded from gdcloud auth login.
    PROJECT                The project in which the VMs are created.

    • If the output is yes, you have permission to create a VM in the project PROJECT.
    • If the output is no, you don't have permission. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Admin (project-vm-admin) role.
  3. Optional: Verify whether the user has access to project-level VM images. For example, run the following commands to verify whether they can read VirtualMachineImage resources and create VirtualMachineImageImport resources at the project level:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n PROJECT

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n PROJECT

    Replace the variables by using the following definitions.

    Variable               Replacement
    ORG_ADMIN_KUBECONFIG   The kubeconfig path recorded from gdcloud auth login.
    PROJECT                The project in which the VM images are created.

    • If the output of both commands is yes, the user has permission to access custom VM images in the project PROJECT.
    • If either output is no, the user doesn't have permission. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Image Admin (project-vm-image-admin) role.
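The three kubectl auth can-i checks from steps 2 and 3, batched into one script that maps each failed check to the predefined role named on this page. This is an added example, not code from the Distributed Cloud Hosted documentation. It assumes kubectl is on PATH, that ORG_ADMIN_KUBECONFIG is the path recorded from gdcloud auth login, and, when a third argument is given, that the caller holds the Kubernetes impersonate permission needed for kubectl's --as flag (so another user's access can be checked without their credentials). The script names (vm_access_check.sh, can_i, vm_access_report) are hypothetical; the role names project-vm-admin and project-vm-image-admin are the ones this page gives.

```shell
#!/bin/sh
# Added example (not from the Distributed Cloud Hosted documentation): batch the
# "kubectl auth can-i" checks for VM resources in one project and map each
# failed check to the predefined role this page names for it.
# Assumptions: kubectl is on PATH; ORG_ADMIN_KUBECONFIG is the path recorded from
# "gdcloud auth login". "set -e" is deliberately NOT used: kubectl auth can-i
# exits 1 when the answer is "no", which is a result here, not an error.
set -u

# One check per line: VERB RESOURCE ROLE_THAT_GRANTS_IT (roles from this page).
VM_ACCESS_CHECKS='
create virtualmachines.virtualmachine.gdc.goog project-vm-admin
get virtualmachineimages.virtualmachine.gdc.goog project-vm-image-admin
create virtualmachineimageimports.virtualmachine.gdc.goog project-vm-image-admin
'

# can_i KUBECONFIG PROJECT VERB RESOURCE [USER]
# Prints "yes", "no", or nothing when kubectl itself failed (for example an
# expired login). With USER set, kubectl impersonation (--as) is used so that
# another user's access can be checked without their credentials; the caller
# must hold the "impersonate" verb or the API server refuses the request.
can_i() {
  if [ -n "${5:-}" ]; then
    kubectl --kubeconfig "$1" auth can-i "$3" "$4" -n "$2" --as "$5" 2>/dev/null
  else
    kubectl --kubeconfig "$1" auth can-i "$3" "$4" -n "$2" 2>/dev/null
  fi
}

# vm_access_report KUBECONFIG PROJECT [USER]
# Prints one line per check and returns the number of checks that did not
# answer "yes" (0 means every check passed).
vm_access_report() {
  missing=0
  while read -r verb resource role; do
    [ -z "$verb" ] && continue    # skip blank lines in VM_ACCESS_CHECKS
    # stdin is redirected so kubectl can never consume the check list itself
    answer=$(can_i "$1" "$2" "$verb" "$resource" "${3:-}" </dev/null)
    case "$answer" in
      yes) printf 'yes    %-7s %s\n' "$verb" "$resource" ;;
      no)  printf 'no     %-7s %s  -> ask the Project IAM Admin for role %s\n' \
             "$verb" "$resource" "$role"
           missing=$((missing + 1)) ;;
      *)   printf 'error  %-7s %s  -> kubectl failed; is the gdcloud login still valid?\n' \
             "$verb" "$resource"
           missing=$((missing + 1)) ;;
    esac
  done <<EOF
$VM_ACCESS_CHECKS
EOF
  return "$missing"
}

# Usage: sh vm_access_check.sh ORG_ADMIN_KUBECONFIG PROJECT [USER_TO_IMPERSONATE]
if [ "$#" -ge 2 ]; then
  vm_access_report "$@"
fi
```

The exit status is the number of failed checks, so the script can gate an automation step (`sh vm_access_check.sh "$KC" my-project || exit`). A blank answer is reported separately from "no" because an expired gdcloud session makes every check fail with an error on stderr, which should not be read as a missing role.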