Using the Compute Engine default service account is the preferred way to connect a GCP project to Workspot Control. If that is not possible, create a dedicated service account whose permissions let the Workspot control plane create, edit and delete compute resources in the GCP project.
Note: For service account permissions for Shared Virtual Private Clouds, see instead Using GCP Shared Virtual Private Clouds (VPCs).
To create a GCP service account with custom permissions required for Workspot control plane:
- In the GCP console, navigate to 'IAM & Admin' > Roles
- Click 'Create Role': give it a name and click 'Add Permissions'
- Add the following permissions:
compute.acceleratorTypes.list
compute.addresses.create
compute.addresses.createInternal
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.get
compute.addresses.list
compute.addresses.use
compute.disks.create
compute.disks.createSnapshot
compute.disks.setLabels
compute.disks.use
compute.disks.useReadOnly
compute.firewalls.create
compute.firewalls.get
compute.globalOperations.get
compute.globalOperations.getIamPolicy
compute.images.create
compute.images.delete
compute.images.get
compute.images.getFromFamily
compute.images.useReadOnly
compute.instanceTemplates.create
compute.instanceTemplates.delete
compute.instanceTemplates.get
compute.instanceTemplates.list
compute.instanceTemplates.useReadOnly
compute.instances.create
compute.instances.delete
compute.instances.get
compute.instances.list
compute.instances.resume
compute.instances.setLabels
compute.instances.setMetadata
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.start
compute.instances.stop
compute.instances.suspend
compute.instances.update
compute.instances.updateDisplayDevice
compute.machineTypes.get
compute.machineTypes.list
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.networks.use
compute.networks.useExternalIp
compute.nodeGroups.create
compute.nodeGroups.delete
compute.nodeGroups.get
compute.nodeTemplates.create
compute.nodeTemplates.delete
compute.nodeTemplates.get
compute.nodeTypes.list
compute.regionOperations.get
compute.regions.get
compute.regions.list
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.subnetworks.get
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.zoneOperations.get
compute.zones.get
iam.serviceAccounts.actAs
- Click 'Create'
Next, go to 'Service Accounts', click 'Create Service Account', and assign the custom role created in the previous step.
Finally, follow the instructions in Creating Workspot Cloud Configuration for GCP to connect the GCP project to Workspot Control, selecting the service account created in the previous step.