Creating Access for Temperstack in GCP

The following steps create the GCP credentials used to integrate with Temperstack.

  1. Create a new project under your organization (say, temperstack-integration).

  2. Ensure that a billing account is added to this project. Link to Billing Page.

  3. Enable the Cloud Monitoring API on the temperstack-integration project.

    1. Run the command below in Cloud Shell to set the project to temperstack-integration (the newly created project).

      gcloud config set project temperstack-integration
    2. Run the command below in Cloud Shell to enable the Cloud APIs needed by Temperstack.

      gcloud services enable \
        sqladmin.googleapis.com \
        sql-component.googleapis.com \
        compute.googleapis.com \
        run.googleapis.com \
        dataflow.googleapis.com \
        pubsub.googleapis.com \
        redis.googleapis.com \
        memcache.googleapis.com \
        cloudfunctions.googleapis.com \
        container.googleapis.com \
        monitoring.googleapis.com
      

  4. Open Cloud Shell on the GCP Console and create a YAML file.

    1. Note: Ensure the shell is not attached to any project, as the role must be created at the organization level. Use the command below to unset the project.

      gcloud config unset project
    2. Create a YAML file called temperstack.yaml

      vi temperstack.yaml

    3. Paste the contents below into that file

      title: Temperstack_Custom_Role
      description: Custom_Role_for_Temperstack
      stage: GA
      includedPermissions:
      - cloudsql.instances.list
      - cloudsql.instances.get
      - compute.instances.list
      - compute.instances.get
      - compute.instanceGroupManagers.get
      - compute.instanceGroupManagers.list
      - compute.instanceGroups.get
      - compute.instanceGroups.list
      - run.executions.get
      - run.executions.list
      - run.jobs.get
      - run.jobs.list
      - run.services.get
      - run.services.list
      - run.tasks.get
      - run.tasks.list
      - memcache.instances.get
      - memcache.instances.list
      - redis.instances.get
      - redis.instances.list
      - cloudfunctions.functions.get
      - cloudfunctions.functions.list
      - container.apiServices.get
      - container.apiServices.list
      - container.clusters.get
      - container.clusters.list
      - container.deployments.get
      - container.deployments.list
      - container.namespaces.get
      - container.namespaces.list
      - container.nodes.get
      - container.nodes.list
      - container.pods.get
      - container.pods.list
      - bigtable.instances.get
      - bigtable.instances.list
      - bigtable.tables.get
      - bigtable.tables.list
      - bigtable.clusters.get
      - bigtable.clusters.list
      - storage.buckets.get
      - storage.buckets.list
      - storage.objects.get
      - storage.objects.list
      - pubsub.topics.get
      - pubsub.topics.list
      - pubsub.subscriptions.get
      - pubsub.subscriptions.list
      - cloudbuild.builds.get
      - cloudbuild.builds.list
      - dataflow.jobs.get
      - dataflow.jobs.list
      - monitoring.alertPolicies.get
      - monitoring.alertPolicies.list
      - monitoring.alertPolicies.create
      - monitoring.alertPolicies.update
      - monitoring.notificationChannelDescriptors.get
      - monitoring.notificationChannelDescriptors.list
      - monitoring.notificationChannels.create
      - monitoring.notificationChannels.get
      - monitoring.notificationChannels.list
      - monitoring.notificationChannels.update
      - monitoring.notificationChannels.verify
      - monitoring.notificationChannels.sendVerificationCode
      - spanner.instances.get
      - spanner.instances.list
      - spanner.instances.update
      - cloudnotifications.activities.list
      - monitoring.dashboards.get
      - monitoring.dashboards.list
      - monitoring.dashboards.create
      - monitoring.groups.create
      - monitoring.groups.get
      - monitoring.groups.list
      - monitoring.metricDescriptors.get
      - monitoring.metricDescriptors.list
      - monitoring.metricDescriptors.create
      - monitoring.monitoredResourceDescriptors.get
      - monitoring.monitoredResourceDescriptors.list
      - monitoring.services.get
      - monitoring.services.list
      - redis.clusters.get
      - redis.clusters.list
      - redis.clusters.update

    4. Get YOUR_ORG_ID (used in the next step) by running the following command in Cloud Shell.

      gcloud organizations list
    5. To create the role, run the following command. Note: The current shell user must have the Organization Role Administrator role.

      gcloud iam roles create temperstack_custom_role --organization=YOUR_ORG_ID --file=temperstack.yaml

  5. Create and Assign a Service Account

    1. Switch to temperstack-integration on GCP Console.

    2. Search for Service Accounts and go to Service Accounts - IAM & Admin.

    3. Click on Create Service Account.

    4. Enter the Service Account Name (say temperstack-service-account).

    5. Add a description

    6. Click on Continue.

    7. Search for temperstack_custom_role and assign it to the service account.

    8. Click on Done (the Service Account User role is not required).

    9. Create a key for the service account.

    10. Copy the JSON service account information into the Service Account Information field.

  6. For each project being integrated with Temperstack:

    1. Add GCP Project IDs for integration with Temperstack

      1. Identify the projects that need to be integrated with Temperstack.

      2. Add the Project IDs to the GCP Project IDs field (comma separated).

    2. Go to IAM and Admin in the GCP Console.

    3. Click on the Grant Access button.

    4. Enter the Service Account ID as the Principal.

    5. Assign the custom role temperstack_custom_role.

    6. Click on Save.
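
Before creating the role in step 4, the role file can be reviewed for repeated entries and for permissions that go beyond get/list. The script below is an added example, not part of the original instructions or of Temperstack's tooling; the function names and the sample file are assumptions made for illustration.

```sh
# Added example: review a custom-role file before `gcloud iam roles create`.

# Print each entry under includedPermissions, one per line.
role_permissions() {
  awk '/^[ \t]*includedPermissions:/ { in_list = 1; next }
       in_list && /^[ \t]*-[ \t]+/ { sub(/^[ \t]*-[ \t]+/, ""); sub(/[ \t]+$/, ""); print; next }
       in_list && NF { in_list = 0 }' "$1"
}

# Entries that appear more than once.
duplicate_permissions() {
  role_permissions "$1" | sort | uniq -d
}

# Entries whose verb is not get or list, i.e. more than read-only access.
non_read_permissions() {
  role_permissions "$1" | sort -u | grep -Ev '\.(get|list)$' || true
}

# Print a summary; return 1 when the file contains duplicates.
audit_role() {
  echo "unique permissions: $(role_permissions "$1" | sort -u | wc -l | tr -d ' ')"
  if [ -n "$(non_read_permissions "$1")" ]; then
    echo "review (not get/list):"; non_read_permissions "$1"
  fi
  if [ -n "$(duplicate_permissions "$1")" ]; then
    echo "duplicates:"; duplicate_permissions "$1"
    return 1
  fi
}

# Constructed sample modelled on the role file above (one entry repeated on purpose).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
title: Temperstack_Custom_Role
description: Custom_Role_for_Temperstack
stage: GA
includedPermissions:
- compute.instances.list
- container.nodes.get
- container.nodes.list
- container.nodes.get
- monitoring.alertPolicies.create
- spanner.instances.update
- storage.objects.get
EOF
audit_role "$SAMPLE" || true
```

To check the real file, source the functions in Cloud Shell and run `audit_role temperstack.yaml`.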
