IAM permissions preparation

Before you perform tasks on virtual machines (VM) in Google Distributed Cloud (GDC) air-gapped, you must have the proper identity and access (IAM) roles and permissions.

Before you begin

To use gdcloud CLI commands, complete the required steps from the gdcloud command-line interface (CLI) sections. All commands for Google Distributed Cloud air-gapped use the gdcloud or kubectl CLI, and require an operating system (OS) environment.

Get the kubeconfig file path

To run commands against the Management API server, ensure you have the following resources:

  1. Sign in and generate the kubeconfig file for the Management API server if you don't have one.

  2. Use the path to the kubeconfig file of the Management API server to replace MANAGEMENT_API_SERVER in these instructions.

About IAM

Distributed Cloud offers Identity and Access Management (IAM) for granular access to specific Distributed Cloud resources and prevents unwanted access to other resources. IAM operates on the security principle of least privilege and provides control over who has permission to given resources using IAM roles and permissions.

Read the IAM documentation in Sign in, which provides instructions for signing in to the GDC console or the gdcloud CLI and using kubectl to access your workloads.

Predefined roles to VM resources

To create VMs and VM disks in a project, request the appropriate permissions from your Project IAM Admin for a given project. All VM roles must bind to the namespace of the project where the VM resides. To manage virtual machines, your Project IAM Admin can assign you the following predefined roles:

  • Project VirtualMachine Admin project-vm-admin: Manages VMs in the project namespace.
  • Project VirtualMachine Image Admin project-vm-image-admin: Manages VM images in the project namespace.

For a list of all predefined roles for Application Operators (AO), see Role descriptions.

The following are predefined common roles for VMs. For details on common roles, see Common roles.

  • VM type viewer vm-type-viewer: has read access to predefined VM types.
  • Public image viewer public-image-viewer: has read access to images GDC provides.

To grant or receive access to VM resources, see Grant access to project resources.

Verify user access to VM resources

  1. Log in as the user requesting or verifying permissions.

  2. Verify whether you, or the user, can create virtual machines:

    kubectl --kubeconfig MANAGEMENT_API_SERVER auth can-i create virtualmachines.virtualmachine.gdc.goog -n PROJECT

    Replace the variables by using the following definitions.

    Variable Replacement
    MANAGEMENT_API_SERVER The system kubeconfig file from gdcloud auth login.
    PROJECT The project name to create VM images.
    • If the output is yes, you have permissions to create a VM in the project PROJECT.
    • If the output is no, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Admin (project-vm-admin) role in the namespace of the project where the VM resides.

  3. Optional: Verify whether users have access to project-level VM images. For example, run the following commands to verify if they can create and use VirtualMachineImage resources at the project level:

    kubectl --kubeconfig MANAGEMENT_API_SERVER auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n PROJECT

    kubectl --kubeconfig MANAGEMENT_API_SERVER auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n PROJECT

    Replace the variables by using the following definitions.

    Variable Replacement
    MANAGEMENT_API_SERVER The Management API server kubeconfig file.
    PROJECT The project name where VM images are created.
    • If the output is yes, the user has permissions to access custom VM images in the project PROJECT.
    • If the output is no, you don't have permissions. Contact your Project IAM Admin role and request assignment to the Project VirtualMachine Image Admin (project-vm-image-admin) role in the namespace of the project where the VM resides.