Permissions for deployment

Before deploying File Storage Security on GCP, complete these tasks:

  1. Sign up for Cloud One. You can create an account here: https://cloudone.trendmicro.com.

    Also connect GCP to Cloud One. For instructions on how to connect your GCP account, see Connect GCP account to Cloud One.

  2. Sign in to the cloud storage service where you want to deploy File Storage Security.

  3. Go to IAM & Admin > IAM and make sure you have the Owner role assigned to your service account.

    The Owner role is a GCP predefined role. It has full access to all resources in the project and can delegate access to others. For more information, see Grant a single role.

Carry out the following before deployment:

  1. Enable specific APIs.

  2. Create a custom role.

  3. Bind the custom role to the service account.

Enable the following APIs

Enable the following APIs:

  • Cloud Build API
  • Cloud Deployment Manager V2 API
  • Cloud Functions API
  • Cloud Pub/Sub API
  • Cloud Resource Manager API
  • Cloud Scheduler API
  • IAM Service Account Credentials API
  • Identity and Access Management API
  • Secret Manager API

To see which APIs are enabled, run the following script:

gcloud services list --enabled

To enable all of the required APIs at once, run the following script:

gcloud services enable cloudbuild.googleapis.com deploymentmanager.googleapis.com cloudfunctions.googleapis.com pubsub.googleapis.com cloudresourcemanager.googleapis.com cloudscheduler.googleapis.com iamcredentials.googleapis.com iam.googleapis.com secretmanager.googleapis.com

Create a custom role

You need to create a custom role containing the permissions below:

  • cloudfunctions.functions.setIamPolicy
  • iam.roles.create
  • iam.serviceAccounts.setIamPolicy
  • pubsub.topics.setIamPolicy
  • resourcemanager.projects.setIamPolicy

When choosing the ROLE_ID and ROLE_TITLE, note these limitations:

  • ROLE_ID length: 3-64 characters. ID can only include letters, numbers, periods and underscores.
  • ROLE_TITLE length: 1-100 characters.

To create a custom role, with the necessary permissions, run the following script:

gcloud iam roles create <ROLE_ID> --project=<PROJECT_ID> \
    --title=<ROLE_TITLE> --description="Custom role for deployment" \
    --permissions="cloudfunctions.functions.setIamPolicy,iam.roles.create,iam.serviceAccounts.setIamPolicy,pubsub.topics.setIamPolicy,resourcemanager.projects.setIamPolicy" \
    --stage=GA

Bind the custom role to the service account

Bind the custom role to the service account, <GCP_PROJECT_NUMBER>@cloudservices.gserviceaccount.com. This service account is created by GCP, and its name is Google APIs Service Agent.

  1. Run the following script to get the project number:

    gcloud projects list --filter=<PROJECT_ID> --format="value(PROJECT_NUMBER)"

  2. With the project ID and the project number, run the following script to bind the service account. Because the role is a project-level custom role, it is referenced by its full path (projects/<PROJECT_ID>/roles/<ROLE_ID>), not by the bare ROLE_ID:

    gcloud projects add-iam-policy-binding <PROJECT_ID> \
        --member=serviceAccount:<PROJECT_NUMBER>@cloudservices.gserviceaccount.com \
        --role=projects/<PROJECT_ID>/roles/<ROLE_ID>
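The following pre-flight script checks all three prerequisites above (required APIs enabled, the custom role carrying the listed permissions, and the binding to the Google APIs Service Agent) before you start a deployment. It is an added example, not part of the original documentation or of Trend Micro's tooling; it assumes gcloud is installed and authenticated, and the helper names missing_items, valid_role_id and check_project are my own.

```shell
#!/bin/sh
# Pre-flight check for the prerequisites above (added example, not part of the
# original documentation). Assumes gcloud is installed and authenticated; the
# text helpers read stdin so they can be exercised without a GCP project.
REQUIRED_APIS="cloudbuild.googleapis.com deploymentmanager.googleapis.com \
cloudfunctions.googleapis.com pubsub.googleapis.com \
cloudresourcemanager.googleapis.com cloudscheduler.googleapis.com \
iamcredentials.googleapis.com iam.googleapis.com secretmanager.googleapis.com"
REQUIRED_PERMS="cloudfunctions.functions.setIamPolicy iam.roles.create \
iam.serviceAccounts.setIamPolicy pubsub.topics.setIamPolicy \
resourcemanager.projects.setIamPolicy"

# missing_items "<required list>" < names-on-stdin
# Prints each required item that is absent from stdin, one per line.
missing_items() {
  have=$(cat)
  for item in $1; do
    printf '%s\n' "$have" | grep -qxF "$item" || printf '%s\n' "$item"
  done
}

# ROLE_ID limits from the page: 3-64 chars; letters, digits, '.' and '_' only.
valid_role_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._]{3,64}$'
}

# Live check of a project: required APIs, the custom role's permissions, and
# the binding to the Google APIs Service Agent. Returns 1 on the first gap.
check_project() {
  project=$1; role_id=$2
  valid_role_id "$role_id" || { echo "invalid ROLE_ID: $role_id"; return 1; }
  gap=$(gcloud services list --enabled --project="$project" \
          --format='value(config.name)' | missing_items "$REQUIRED_APIS")
  [ -z "$gap" ] || { echo "APIs not enabled:"; echo "$gap"; return 1; }
  gap=$(gcloud iam roles describe "$role_id" --project="$project" \
          --format='value(includedPermissions)' | tr ';' '\n' \
        | missing_items "$REQUIRED_PERMS")
  [ -z "$gap" ] || { echo "role is missing:"; echo "$gap"; return 1; }
  number=$(gcloud projects describe "$project" --format='value(projectNumber)')
  member="serviceAccount:${number}@cloudservices.gserviceaccount.com"
  bound=$(gcloud projects get-iam-policy "$project" \
          --flatten='bindings[].members' \
          --filter="bindings.role='projects/$project/roles/$role_id' AND bindings.members='$member'" \
          --format='value(bindings.role)')
  [ -n "$bound" ] || { echo "$member is not bound to $role_id"; return 1; }
  echo "all pre-deployment checks passed for $project"
}

# Only call gcloud when a project id and role id are given on the command line.
if [ "$#" -eq 2 ]; then check_project "$1" "$2"; fi
```

Run it as `sh preflight.sh <PROJECT_ID> <ROLE_ID>`; it stops at the first unmet prerequisite and names what is missing.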

These APIs should already be enabled, since GCP enables them when the project is created:

  • BigQuery API
  • BigQuery Migration API
  • BigQuery Storage API
  • Cloud Datastore API
  • Cloud Debugger API
  • Cloud Logging API
  • Cloud Monitoring API
  • Cloud SQL
  • Cloud Storage
  • Cloud Storage API
  • Cloud Trace API
  • Google Cloud APIs
  • Google Cloud Storage JSON API
  • Service Management API
  • Service Usage API

You have now completed the pre-deployment tasks. Now determine your deployment path.

Continue to the next section to sign in.