Prerequisites for using the Guided Deployment Automation tool

This document describes the prerequisites for using the Guided Deployment Automation tool in Workload Manager.

In addition, you must meet the following prerequisites that are specific to the application you're deploying:

Google Cloud billing account

You must have a Google Cloud account that is part of your organization with active billing.

For more information, see Create a new billing account.

Google Cloud project

A Google Cloud project in which you want to deploy the application. See Create and manage projects.

Make sure that the project is linked to the billing account.

Enable APIs

Enable the following APIs in your project:

During the deployment process, Workload Manager automatically enables additional required APIs if they're not enabled in your project.

Grant IAM roles to the Workload Manager service account

Workload Manager uses a service agent that needs to be granted the required roles before you can deploy an application. For more information, see Workload Manager service account.

Grant IAM roles to a user-managed service account

Create a service account and grant all the required roles for deploying your application. For more information, see User-managed service account.

IAM roles and permissions

Users who deploy a workload using the Guided Deployment Automation tool must have or be granted the required roles and permissions to configure the deployment. These users also need permissions to create the necessary service accounts during deployment. For more information, see IAM roles and permissions.

Cloud Build private pool

Optional. If your organization enforces VPC Service Controls perimeter settings for protecting Workload Manager resources and data, then set up a Cloud Build private worker pool to use in your deployment environment. For more information, see Use a Cloud Build private worker pool.

Quotas

Make sure that you have sufficient resource quota in your project to deploy the workload. For more information, see Quotas.

Workload Manager service account

The Guided Deployment Automation tool uses a service agent for deploying applications.

When you create a deployment, Workload Manager prompts you to grant the required roles to this service account if they're not already granted. If you don't have the permission to grant these roles, ask an administrator to grant the following roles to the Workload Manager service account before creating a deployment.

Service account Required roles
Service-PROJECT_ID@gcp-sa-workloadmanager.iam.gserviceaccount.com
  • Cloud Infrastructure Manager Admin (roles/config.admin)
  • Logs Viewer (roles/logging.viewer)
  • Service Account User (roles/iam.serviceAccountUser)
  • Workload Manager Service Agent (roles/workloadmanager.serviceAgent)

User-managed service account

Workload Manager uses the service account attached to your deployment to call other APIs and services for creating resources required for the deployment.

You can either attach an existing service account or create a service account when you configure the deployment. Depending on your application and configuration, Workload Manager prompts you to grant any of the missing roles to your service account.

For more information about granting roles to service accounts, see Manage access to service accounts.

IAM roles and permissions

Access to Workload Manager is controlled with Identity and Access Management (IAM). Workload Manager provides a specific set of predefined IAM roles, each of which contains a set of permissions. IAM lets you apply the security principle of least privilege, so you grant only the access that your resources require.

The following permission is required to enable the Workload Manager API in the selected project. This task needs to be performed only once per project: an administrator or another user who holds the permission enables the API, and after that other users can access Workload Manager.

Action: Enable Workload Manager API
Permission required: serviceusage.services.enable
Example roles: roles/editor, roles/serviceusage.serviceUsageAdmin
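The two administrative steps described above, enabling the Workload Manager API and granting the four roles listed under "Workload Manager service account" to the service agent, as an added shell example that is not part of the original documentation. It assumes the API name workloadmanager.googleapis.com, assumes that the numeric project identifier fills the slot the page shows as PROJECT_ID in the service agent address, and uses a DRY_RUN switch so the generated gcloud commands can be reviewed before anything is changed:

```shell
#!/bin/sh
# Added example, not from the Workload Manager documentation.
# Enables the Workload Manager API and grants the page's four roles to the
# Workload Manager service agent. DRY_RUN=1 prints the gcloud commands
# instead of executing them.
#
# Assumptions (not stated on the page): the API name below, and that the
# service agent address uses the project's numeric identifier.

WLM_API="workloadmanager.googleapis.com"

# The four roles the page lists for the service agent.
SERVICE_AGENT_ROLES="roles/config.admin roles/logging.viewer roles/iam.serviceAccountUser roles/workloadmanager.serviceAgent"

# run: execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# service_agent_email PROJECT_NUMBER: build the service agent address.
# The page writes it as Service-PROJECT_ID@...; the numeric identifier is assumed here.
service_agent_email() {
  echo "service-$1@gcp-sa-workloadmanager.iam.gserviceaccount.com"
}

# project_number PROJECT_ID: resolve the numeric identifier (needs gcloud auth).
project_number() {
  gcloud projects describe "$1" --format='value(projectNumber)'
}

# enable_api PROJECT_ID: needs serviceusage.services.enable on the project.
enable_api() {
  run gcloud services enable "$WLM_API" --project="$1"
}

# grant_service_agent_roles PROJECT_ID PROJECT_NUMBER: one binding per role.
# --condition=None keeps gcloud from prompting when the policy has conditions.
grant_service_agent_roles() {
  project_id="$1"
  agent="$(service_agent_email "$2")"
  for role in $SERVICE_AGENT_ROLES; do
    run gcloud projects add-iam-policy-binding "$project_id" \
      --member="serviceAccount:$agent" \
      --role="$role" \
      --condition=None \
      --quiet
  done
}

# Usage: DRY_RUN=1 ./wlm-setup.sh PROJECT_ID   (drop DRY_RUN to apply)
if [ -n "${1:-}" ]; then
  enable_api "$1"
  grant_service_agent_roles "$1" "$(project_number "$1")"
fi
```

Run it once with DRY_RUN=1 and compare the printed bindings against the role table before applying; the service agent gets exactly the four roles on the page and nothing broader, which is the least-privilege point the section makes.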

Workload Manager also has roles to control who can access the deployment features and determine who can deploy, manage, and view deployments. Each role has the necessary permissions to perform the stated tasks.

For more information, see Access control with IAM. When granting IAM roles to principals, Google recommends that you apply the principle of least privilege.

Role: Workload Manager Deployment Admin (Alpha)
Deployment task: Create, modify, deploy, and view deployments.

Role: Workload Manager Deployment Viewer (Alpha)
Deployment task: View deployments.

Use a Cloud Build private worker pool

If your organization enforces VPC Service Controls compliance, then you must use a private worker pool for your deployment.

Private pools are hosted in a Google-owned Virtual Private Cloud network called the service producer network. Before creating a private pool, set up a private connection between the service producer network and the VPC network that contains your resources.

To create and use a Cloud Build private pool, follow the instructions in Create and manage private pools.

Consider the following requirements when you set up a private worker pool to use with Workload Manager:

  • You must use a Cloud Build private worker pool for the deployment. You cannot use the default Cloud Build worker pool. For more information, see Limitations in the Cloud Build documentation.
  • To download the Terraform configuration, the Cloud Build private pool must have public internet calls enabled.
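The private pool setup described in this section (private connection to the service producer network, then a private pool that keeps public egress enabled so the Terraform configuration can be downloaded), as an added shell example that is not part of the original documentation. The network, region, range and pool names are assumptions, as is the egressOption field name used by the verification function; DRY_RUN=1 prints the gcloud commands instead of running them:

```shell
#!/bin/sh
# Added example, not from the Workload Manager or Cloud Build documentation.
# Sets up a Cloud Build private worker pool peered to the VPC network that
# holds the deployment resources. DRY_RUN=1 prints the commands instead of
# executing them. Names, region and the /24 peering range are assumptions.

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# reserve_peering_range PROJECT_ID NETWORK RANGE_NAME
# Reserve an internal range for the Google-owned service producer network.
reserve_peering_range() {
  run gcloud compute addresses create "$3" \
    --project="$1" --global --purpose=VPC_PEERING \
    --prefix-length=24 --network="$2"
}

# connect_service_producer PROJECT_ID NETWORK RANGE_NAME
# Private connection between your VPC and the service producer network.
connect_service_producer() {
  run gcloud services vpc-peerings connect \
    --project="$1" --network="$2" \
    --service=servicenetworking.googleapis.com --ranges="$3"
}

# create_private_pool PROJECT_ID NETWORK REGION POOL_NAME
# --no-public-egress is deliberately NOT passed: the page requires public
# internet calls so the pool can download the Terraform configuration.
create_private_pool() {
  run gcloud builds worker-pools create "$4" \
    --project="$1" --region="$3" \
    --peered-network="projects/$1/global/networks/$2"
}

# pool_egress_option PROJECT_ID REGION POOL_NAME
# Reads the pool's egress setting (assumed field path in the describe output).
pool_egress_option() {
  gcloud builds worker-pools describe "$3" --project="$1" --region="$2" \
    --format='value(privatePoolV1Config.networkConfig.egressOption)'
}

# egress_allows_downloads EGRESS_OPTION: 0 if the pool can reach the internet.
# A pool created with --no-public-egress reports NO_PUBLIC_EGRESS and cannot
# fetch the Terraform configuration, which is the failure mode to catch.
egress_allows_downloads() {
  [ "$1" = "PUBLIC_EGRESS" ]
}

# Usage: DRY_RUN=1 ./private-pool.sh PROJECT_ID NETWORK REGION POOL_NAME
if [ -n "${4:-}" ]; then
  reserve_peering_range "$1" "$2" "wlm-peering-range"
  connect_service_producer "$1" "$2" "wlm-peering-range"
  create_private_pool "$1" "$2" "$3" "$4"
  if ! egress_allows_downloads "$(pool_egress_option "$1" "$3" "$4")"; then
    echo "pool $4 has no public egress; Terraform download will fail" >&2
    exit 1
  fi
fi
```

After the pool exists, the same project, network and pool should sit inside the VPC Service Controls perimeter that protects the Workload Manager resources; the egress check at the end catches the one pool setting that silently breaks the deployment step.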

You must also ensure that the following resources are in the same VPC Service Controls service perimeter:

Quotas

Google Cloud uses quotas to protect and control the number of resources that a particular account or organization can use. The supported applications often consume a large portion of resources. Given the size of the databases and applications, you might experience quota issues during the deployment process.

To avoid quota issues, do the following:

  1. View available resource quota for your project.
  2. If needed, request a higher quota limit or contact your project administrator.
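A way to carry out step 1 before starting a deployment, as an added shell example that is not part of the original documentation: it pulls the regional Compute Engine quotas with gcloud and flags every metric whose usage is already close to its limit, so you know what to request in step 2. The threshold, the region and the metric names and numbers in the embedded sample are constructed for the example:

```shell
#!/bin/sh
# Added example, not from the Workload Manager documentation.
# Lists regional Compute Engine quotas that are close to their limit.
# quota_headroom reads lines of "metric,usage,limit" (the shape produced by
# fetch_region_quotas) and prints each metric at or above THRESHOLD_PERCENT
# of its limit. SAMPLE_QUOTAS is constructed data for offline use.

THRESHOLD_PERCENT="${THRESHOLD_PERCENT:-80}"

# fetch_region_quotas PROJECT_ID REGION: one CSV line per quota metric.
fetch_region_quotas() {
  gcloud compute regions describe "$2" --project="$1" \
    --flatten="quotas[]" \
    --format="csv[no-heading](quotas.metric,quotas.usage,quotas.limit)"
}

# quota_headroom < csv
# Prints "METRIC usage/limit (pct%)" for tight quotas; returns 1 if any quota
# is at or above the threshold, 0 when there is headroom everywhere.
quota_headroom() {
  awk -F, -v t="$THRESHOLD_PERCENT" '
    NF >= 3 && $3 > 0 {
      pct = ($2 / $3) * 100
      if (pct >= t) {
        printf "%s %s/%s (%.0f%%)\n", $1, $2, $3, pct
        tight = 1
      }
    }
    END { exit tight ? 1 : 0 }'
}

# Constructed sample: two of the four metrics leave less than 20% headroom.
SAMPLE_QUOTAS='CPUS,180,200
DISKS_TOTAL_GB,5000,40960
N2_CPUS,24,24
SSD_TOTAL_GB,1000,2048'

# check_sample: run the check over the constructed sample data.
check_sample() {
  printf '%s\n' "$SAMPLE_QUOTAS" | quota_headroom
}

# check_region PROJECT_ID REGION: run the check against live gcloud output.
check_region() {
  fetch_region_quotas "$1" "$2" | quota_headroom
}

# Usage: ./quota-check.sh PROJECT_ID REGION   (no arguments: sample data)
if [ -n "${2:-}" ]; then
  check_region "$1" "$2"
else
  check_sample
fi
```

Because quota_headroom returns a non-zero status when any metric is tight, it can gate a deployment pipeline: run it for the region you deploy into and stop before Workload Manager starts creating resources that would fail partway through on a quota error.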

What's next