IAM permissions preparation

Before you perform tasks on virtual machines (VM) in Google Distributed Cloud (GDC) air-gapped, you must have the proper identity and access (IAM) roles and permissions.

Before you begin

To use gdcloud CLI commands, complete the required steps from the gdcloud command-line interface (CLI) sections. All commands for Google Distributed Cloud air-gapped use the gdcloud or kubectl CLI, and require an operating system (OS) environment.

Get the kubeconfig file path

To run commands against the org admin cluster, ensure you have the following resources:

  1. Locate the org admin cluster name, or ask your Platform Administrator (PA) what the cluster name is.

  2. Sign in and generate the kubeconfig file for the org admin cluster if you don't have one.

  3. Use the path to the kubeconfig file of the org admin cluster to replace ORG_ADMIN_KUBECONFIG in these instructions.

About IAM

Distributed Cloud offers Identity and Access Management (IAM) for granular access to specific Distributed Cloud resources and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and provides control over who has permission to given resources using IAM roles and permissions.

Read the IAM documentation in Sign in, which provides instructions for signing in to the GDC console or the gdcloud CLI and using kubectl to access your workloads.

Predefined roles to VM resources

To create VMs and VM disks in a project, request the appropriate permissions from your Project IAM Admin for a given project. To manage virtual machines, your Project IAM Admin can assign you the following predefined roles:

  • Project VirtualMachine Admin: Manages VMs in the project namespace.
  • Project VirtualMachine Image Admin: Manages VM images in the project namespace.

For a list of all predefined roles for Application Operators (AO), see Role descriptions.

The following are predefined common roles for VMs. For details on common roles, see Common roles.

  • VM type viewer: has read access to predefined VM types.
  • Public image viewer: has read access to images Distributed Cloud provides.

To grant or receive access to VM resources, see Grant access to project resources.

Verify user access to VM resources

  1. Log in as the user requesting or verifying permissions.

  2. Verify whether you, or the user, can create virtual machines:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i create virtualmachines.virtualmachine.gdc.goog -n PROJECT

    Replace the variables by using the following definitions.

    Variable Replacement
    ORG_ADMIN_KUBECONFIG The system kubeconfig path from gdcloud auth login.
    PROJECT The project name to create VM images.
    • If the output is yes, you have permissions to create a VM in the project PROJECT.
    • If the output is no, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Admin (project-vm-admin) role.

  3. Optional: Verify whether users have access to project-level VM images. For example, run the following commands to verify if they can create and use VirtualMachineImage resources at the project level:

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n PROJECT

    kubectl --kubeconfig ORG_ADMIN_KUBECONFIG auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n PROJECT

    Replace the variables by using the following definitions.

    Variable Replacement
    ORG_ADMIN_KUBECONFIG The admin cluster kubeconfig path.
    PROJECT The project name where VM images are created.
    • If the output is yes, the user has permissions to access custom VM images in the project PROJECT.
    • If the output is no, you don't have permissions. Contact your Project IAM Admin role and request assignment to the Project VirtualMachine Image Admin (project-vm-image-admin) role.