Creating Access for Temperstack in GCP
The following steps create the GCP access and credentials needed to integrate with Temperstack.
Create a new project under your organization (say temperstack-integration).



Enable Cloud Monitoring API on the temperstack-integration project
Run the command below in Cloud Shell to set the project to temperstack-integration (the newly created project):
    gcloud config set project temperstack-integration
Run the command below in Cloud Shell to enable the Cloud APIs needed by Temperstack:
    gcloud services enable \
      sqladmin.googleapis.com \
      sql-component.googleapis.com \
      compute.googleapis.com \
      run.googleapis.com \
      dataflow.googleapis.com \
      pubsub.googleapis.com \
      redis.googleapis.com \
      memcache.googleapis.com \
      cloudfunctions.googleapis.com \
      container.googleapis.com \
      monitoring.googleapis.com
Open Cloud Shell on the GCP Console and create a YAML file.
Note: Ensure the shell is not attached to any project, as the role must be created at the organization level. Use the command below to unset the project.
    gcloud config unset project
Create a YAML file called temperstack.yaml:
    vi temperstack.yaml
Paste the contents below into that file:
    title: Temperstack_Custom_Role
    description: Custom_Role_for_Temperstack
    stage: GA
    includedPermissions:
    - cloudsql.instances.list
    - cloudsql.instances.get
    - compute.instances.list
    - compute.instances.get
    - compute.instanceGroupManagers.get
    - compute.instanceGroupManagers.list
    - compute.instanceGroups.get
    - compute.instanceGroups.list
    - run.executions.get
    - run.executions.list
    - run.jobs.get
    - run.jobs.list
    - run.services.get
    - run.services.list
    - run.tasks.get
    - run.tasks.list
    - memcache.instances.get
    - memcache.instances.list
    - redis.instances.get
    - redis.instances.list
    - cloudfunctions.functions.get
    - cloudfunctions.functions.list
    - container.apiServices.get
    - container.apiServices.list
    - container.clusters.get
    - container.clusters.list
    - container.deployments.get
    - container.deployments.list
    - container.namespaces.get
    - container.namespaces.list
    - container.nodes.get
    - container.nodes.list
    - container.pods.get
    - container.pods.list
    - container.nodes.get
    - container.nodes.list
    - bigtable.instances.get
    - bigtable.instances.list
    - bigtable.tables.get
    - bigtable.tables.list
    - bigtable.clusters.get
    - bigtable.clusters.list
    - storage.buckets.get
    - storage.buckets.list
    - storage.objects.get
    - storage.objects.list
    - pubsub.topics.get
    - pubsub.topics.list
    - pubsub.subscriptions.get
    - pubsub.subscriptions.list
    - cloudbuild.builds.get
    - cloudbuild.builds.list
    - dataflow.jobs.get
    - dataflow.jobs.list
    - monitoring.alertPolicies.get
    - monitoring.alertPolicies.list
    - monitoring.alertPolicies.create
    - monitoring.alertPolicies.update
    - monitoring.notificationChannelDescriptors.get
    - monitoring.notificationChannelDescriptors.list
    - monitoring.notificationChannels.create
    - monitoring.notificationChannels.get
    - monitoring.notificationChannels.list
    - monitoring.notificationChannels.update
    - monitoring.notificationChannels.verify
    - monitoring.notificationChannels.sendVerificationCode
    - spanner.instances.get
    - spanner.instances.list
    - spanner.instances.update
    - cloudnotifications.activities.list
    - monitoring.dashboards.get
    - monitoring.dashboards.list
    - monitoring.dashboards.create
    - monitoring.groups.create
    - monitoring.groups.get
    - monitoring.groups.list
    - monitoring.metricDescriptors.get
    - monitoring.metricDescriptors.list
    - monitoring.metricDescriptors.create
    - monitoring.notificationChannelDescriptors.get
    - monitoring.notificationChannelDescriptors.list
    - monitoring.monitoredResourceDescriptors.get
    - monitoring.monitoredResourceDescriptors.list
    - monitoring.notificationChannels.create
    - monitoring.notificationChannels.get
    - monitoring.notificationChannels.list
    - monitoring.notificationChannels.sendVerificationCode
    - monitoring.notificationChannels.update
    - monitoring.notificationChannels.verify
    - monitoring.services.get
    - monitoring.services.list
    - redis.clusters.get
    - redis.clusters.list
    - redis.clusters.update
Get YOUR_ORG_ID (used in the next step) by running the following command in Cloud Shell:
    gcloud organizations list
To create the role, run the following command. Note: The current shell user must have the Organization Role Administrator role.
    gcloud iam roles create temperstack_custom_role --organization=YOUR_ORG_ID --file=temperstack.yaml
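A check worth running on temperstack.yaml before the role is created at the organization level, as an added example that is not part of Temperstack's documentation: it lists the permissions that grant more than get/list access and any entries that appear twice. The function names and the embedded sample file are constructed for illustration; pass the path to the real file as the first argument.

```shell
#!/usr/bin/env bash
# Print every entry under includedPermissions, one per line.
role_permissions() {
  awk '
    /^[ \t]*includedPermissions:/   { in_list = 1; next }
    in_list && /^[ \t]*[A-Za-z_]+:/ { in_list = 0 }   # another key ends the list
    in_list && /^[ \t]*-/ { sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print }
  ' "$1"
}

# Entries whose last component is not get or list (more than read access).
non_read_permissions() {
  role_permissions "$1" | awk -F. '$NF != "get" && $NF != "list"' | sort -u
}

# Entries that appear more than once in the file.
duplicate_permissions() {
  role_permissions "$1" | sort | uniq -d
}

# Constructed sample: a short subset of the role file from this page.
sample_role() {
  cat <<'EOF'
title: Temperstack_Custom_Role
stage: GA
includedPermissions:
- compute.instances.get
- container.nodes.get
- container.nodes.list
- container.nodes.get
- monitoring.alertPolicies.create
- spanner.instances.update
- redis.clusters.update
EOF
}

audit_role() {
  echo "Permissions beyond get/list:"; non_read_permissions "$1" | sed 's/^/  /'
  echo "Duplicate entries:";           duplicate_permissions "$1" | sed 's/^/  /'
}

# Audit the file given as the first argument, or the sample if none is given.
sample_file="$(mktemp)"; trap 'rm -f "$sample_file"' EXIT
sample_role > "$sample_file"
audit_role "${1:-$sample_file}"
```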
Create and Assign a Service Account
Switch to temperstack-integration on GCP Console.
Search for Service Accounts and go to Service Account - IAM & Admin.

Click on Create Service Account.

Enter the Service Account Name (say temperstack-service-account).
Add a description.
Click on Continue.

Search for temperstack_custom_role and assign it to the service account.
Click on Done (Service Account User Role is not required).

Create a key for the service account.





Copy the JSON service account information into the Service Account Information field.

For each project being integrated with Temperstack.
Adding GCP Project IDs for integration with Temperstack
Identify the projects that need to be integrated with Temperstack.
Add the Project IDs to the GCP Project IDs field (comma separated).


Go to IAM and Admin in the GCP Console.

Click on the Grant Access button.

Enter the Service Account ID as the Principal.
Assign the custom role temperstack_custom_role.
Click on Save.



