Cloud Service Account Requirements
Cloud Access Manager's capabilities are enhanced if you provide service account or role credentials for your specific cloud environment. This section describes which capabilities are enabled by providing service account access, and what level of access each account requires, so that accounts can be restricted to it.
Roles and Permission Policies - AWS
You can use the AWS Management Console to create a role that Cloud Access Manager is able to assume. For more information on creating roles in AWS, see here. You must use the Account ID and External ID generated from the Cloud Access Manager Admin Console; for information on how to generate these credentials, see here.
AWS Permissions Policies
Once you have created the role in the AWS Management Console you can create and assign a permissions policy that contains the following permissions:
- Service: EC2
- Actions:
  - List: DescribeInstances
  - Write: RebootInstances, StartInstances, StopInstances, TerminateInstances
Cloud Access Manager also needs the following permissions to verify that the role has all the required permissions before it is added to a deployment:
- Actions:
  - List: ListAttachedRolePolicies, ListRolePolicies
  - Read: GetPolicy, GetPolicyVersion, GetRolePolicy
If the user tries to add an AWS role that does not have these permissions, Cloud Access Manager still adds the role but cannot validate that it has the required permissions.
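As an added example (not Teradici's code or documentation), the role described above can be expressed and checked in Python: a trust policy that pins the role to the External ID with an sts:ExternalId condition, a permissions policy containing exactly the actions listed, and a small evaluator that reproduces the verification step. The IAM actions the page lists are what Cloud Access Manager uses to fetch the role's attached and inline policy documents; the evaluator shows what those fetched documents have to contain. The account ID, External ID, role ARN and the sample policy documents are constructed placeholders.

```python
"""Trust policy, permissions policy and a pre-flight check for the AWS role
that Cloud Access Manager assumes.

Added example, not Teradici code. The action names are the ones listed on
this page (the verification actions are IAM actions; the power-management
actions are EC2 actions). The account id, external id, role ARN and the
sample policy documents are constructed placeholders.
"""
import fnmatch
import json

# Power management (EC2) and self-verification (IAM) actions from this page.
REQUIRED_ACTIONS = {
    "ec2:DescribeInstances", "ec2:RebootInstances", "ec2:StartInstances",
    "ec2:StopInstances", "ec2:TerminateInstances",
    "iam:ListAttachedRolePolicies", "iam:ListRolePolicies",
    "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRolePolicy",
}


def trust_policy(cam_account_id: str, external_id: str) -> dict:
    """Trust policy for the role. The sts:ExternalId condition binds the role
    to the External ID issued by the CAM Admin Console, so the CAM account can
    only assume it on behalf of the deployment that holds that ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{cam_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(role_arn: str) -> dict:
    """Permissions policy granting exactly the actions the page lists. EC2
    actions need Resource "*"; the IAM read actions are limited to the role
    itself and to policy ARNs, which is all the verification step reads."""
    ec2 = sorted(a for a in REQUIRED_ACTIONS if a.startswith("ec2:"))
    iam = sorted(a for a in REQUIRED_ACTIONS if a.startswith("iam:"))
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PowerManagement", "Effect": "Allow",
             "Action": ec2, "Resource": "*"},
            {"Sid": "SelfVerification", "Effect": "Allow",
             "Action": iam, "Resource": [role_arn, "arn:aws:iam::*:policy/*"]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_docs, required=REQUIRED_ACTIONS):
    """Subset of `required` that the given policy documents allow.

    This is the check the page describes: every managed policy attached to
    the role (ListAttachedRolePolicies + GetPolicy/GetPolicyVersion) and
    every inline policy (ListRolePolicies + GetRolePolicy) is evaluated
    together. Allow statements may use IAM wildcards (ec2:Describe*), and an
    explicit Deny overrides any Allow. Resource and Condition elements are
    deliberately ignored, so this is a necessary, not sufficient, check.
    """
    allowed, denied = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            matched = {a for a in required
                       if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
            (denied if stmt["Effect"] == "Deny" else allowed).update(matched)
    return allowed - denied


def missing_actions(policy_docs, required=REQUIRED_ACTIONS):
    """Required actions the role cannot perform, sorted for reporting."""
    return sorted(set(required) - allowed_actions(policy_docs, required))


# Constructed sample: what GetPolicyVersion/GetRolePolicy might return for a
# role somebody built by hand. Reboot and Terminate were left out, and a Deny
# blocks one of the verification reads.
SAMPLE_ROLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"]}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:GetPolicyVersion", "Resource": "*"}]},
]

if __name__ == "__main__":
    role_arn = "arn:aws:iam::111122223333:role/CloudAccessManager"  # placeholder
    print(json.dumps(trust_policy("123456789012", "EXAMPLE-EXTERNAL-ID"), indent=2))
    print(json.dumps(permissions_policy(role_arn), indent=2))
    print("missing:", missing_actions(SAMPLE_ROLE_POLICIES))
```

Running the check against the sample documents reports `ec2:RebootInstances`, `ec2:TerminateInstances` and `iam:GetPolicyVersion` as missing, which is the situation the last sentence above describes: the role would still be added, but Cloud Access Manager could not confirm it is usable. Because the evaluator ignores Resource and Condition elements, a role that passes it can still fail at run time if those elements are restrictive; treat the result as a minimum, not a guarantee.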
Service Account Permission Requirements - Azure
To power manage a remote workstation in Microsoft Azure with Cloud Access Manager, you need a service account with adequate permissions to manage compute instances. The following roles are required:
- Reader
- Virtual Machine Contributor
For information on how to create a new Client Secret from Azure, see here.
Azure Client Secret
Once you generate the client secret, copy it straight away: Microsoft does not make it available again. If a client secret has expired, delete it, create a new secret and assign the new secret to that deployment.
Service Account Permission Requirements - GCP
To provision a remote workstation in Google Cloud Platform (GCP) with Cloud Access Manager, you need a service account with adequate permissions to manage compute instances.
The table below outlines the default roles that are required for the service account on GCP, and which features they are required for.
Default Roles and Feature Requirements - GCP
| Default Roles | Workstation Provisioning | Power Management |
|---|---|---|
| Deployment Manager Editor | Required | — |
| Compute Admin | Required | Required |
| Cloud KMS Admin | Required | — |
| Cloud KMS CryptoKey Encrypter/Decrypter | Required | — |
On GCP the service account also requires access to the following APIs, which must be enabled for the project:
- Service Usage API
- Cloud Resource Manager API
- Cloud Deployment Manager V2 API
- Cloud Key Management Service (KMS)
- Compute Engine API
Key File Storage
Cloud Access Manager does not store the key file you provide; it only extracts the fields that are entered into the dialog.
The following links have more information on GCP service accounts:
- GCP - Getting Started
- GCP - Access Information
- Managing Service Account Keys
- Enabling GCP API for Projects
Creating a Cloud IAM Custom Role
You can create a single custom IAM role for Cloud Access Manager with the following permissions:
- cloudkms.cryptoKeyVersions.useToDecrypt
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeys.create
- cloudkms.cryptoKeys.get
- cloudkms.keyRings.create
- cloudkms.keyRings.get
- compute.acceleratorTypes.list
- compute.addresses.create
- compute.addresses.delete
- compute.diskTypes.list
- compute.disks.list
- compute.images.list
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.getGuestAttributes
- compute.instances.osLogin
- compute.instances.reset
- compute.instances.setMetadata
- compute.instances.setServiceAccount
- compute.instances.setTags
- compute.instances.start
- compute.instances.stop
- compute.instances.suspend
- compute.instances.update
- compute.instances.updateNetworkInterface
- compute.instances.use
- compute.machineTypes.list
- compute.networks.create
- compute.networks.list
- compute.regions.list
- compute.subnetworks.list
- compute.zones.get
- compute.zones.list
- deploymentmanager.deployments.create
- deploymentmanager.deployments.delete
- deploymentmanager.deployments.get
- deploymentmanager.resources.list
- resourcemanager.projects.get
Using these permissions you can create a custom IAM role. If you use this single custom role, you do not need to assign the default roles listed above. For information on how to do this, see Creating and managing custom roles.