Setting Up Service Account in Google


1. In the Google console go to IAM & admin.


2. Go to Service accounts. Click Create Service Account.


3. Enter the name for the service account, e.g. "cloudaware-service-account". Click Create.


4. Specify the Project role as 'Viewer'. Click Continue.


5. Click +Create key. Select 'JSON' → Create.


6. A .json file will be automatically downloaded by the browser.

Creating Custom Role (optional)

A custom role is necessary if you are going to use backups and labels.

1. Go to IAM & admin, select "Roles" and click +Create Role.

Add the name and the description of the custom role. Set 'Role launch stage' to General Availability and click + Add Permissions.


2. Select the following permissions:

For backups

  • compute.disks.get

  • compute.disks.createSnapshot

  • compute.disks.list

  • compute.disks.setLabels

  • compute.snapshots.create

  • compute.snapshots.delete

  • compute.snapshots.get

  • compute.snapshots.list

  • compute.snapshots.setLabels

  • compute.zones.get

  • compute.zones.list

For labels

  • bigquery.datasets.update

  • bigquery.tables.update

  • cloudsql.instances.update

  • compute.addresses.setLabels

  • compute.disks.setLabels

  • compute.forwardingRules.setLabels

  • compute.globalAddresses.setLabels

  • compute.globalForwardingRules.setLabels

  • compute.images.setLabels

  • compute.instances.setLabels

  • compute.snapshots.setLabels

  • compute.targetVpnGateways.setLabels

  • compute.vpnTunnels.setLabels

  • dataproc.clusters.update

  • dataproc.jobs.update

  • cloudkms.cryptoKeys.update

  • storage.buckets.update

3. Assign the custom role to the service account you have just created (IAM & admin → IAM → select the service account).
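The following check is an added example, not part of the original Cloudaware guide: it audits the service account's project-level bindings and the custom role's contents against the permission lists above, so extra grants stand out. It assumes the inputs have the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud iam roles describe ROLE_ID --project=PROJECT_ID --format=json`; the project ID, role ID and sample data are constructed placeholders.

```python
# Permission lists copied from this page; everything else is illustrative.
BACKUP_PERMS = {
    "compute.disks.get", "compute.disks.createSnapshot", "compute.disks.list",
    "compute.disks.setLabels", "compute.snapshots.create",
    "compute.snapshots.delete", "compute.snapshots.get",
    "compute.snapshots.list", "compute.snapshots.setLabels",
    "compute.zones.get", "compute.zones.list",
}
LABEL_PERMS = {
    "bigquery.datasets.update", "bigquery.tables.update",
    "cloudsql.instances.update", "compute.addresses.setLabels",
    "compute.disks.setLabels", "compute.forwardingRules.setLabels",
    "compute.globalAddresses.setLabels",
    "compute.globalForwardingRules.setLabels", "compute.images.setLabels",
    "compute.instances.setLabels", "compute.snapshots.setLabels",
    "compute.targetVpnGateways.setLabels", "compute.vpnTunnels.setLabels",
    "dataproc.clusters.update", "dataproc.jobs.update",
    "cloudkms.cryptoKeys.update", "storage.buckets.update",
}

def audit(policy, role, sa_email, allowed_roles, wanted):
    """Return (kind, value) findings for one service account in one project."""
    member = "serviceAccount:" + sa_email
    findings = []
    for b in policy.get("bindings", []):
        if member in b.get("members", []) and b["role"] not in allowed_roles:
            findings.append(("unexpected_role", b["role"]))
    granted = set(role.get("includedPermissions", []))
    findings += [("extra_permission", p) for p in sorted(granted - wanted)]
    findings += [("missing_permission", p) for p in sorted(wanted - granted)]
    return findings

# Constructed sample input (not real output); all names are placeholders.
SA = "cloudaware-service-account@example-project.iam.gserviceaccount.com"
CUSTOM = "projects/example-project/roles/cloudawareCustom"
POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["serviceAccount:" + SA]},
    {"role": "roles/editor", "members": ["serviceAccount:" + SA, "user:admin@example.com"]},
    {"role": CUSTOM, "members": ["serviceAccount:" + SA]},
]}
ROLE = {"name": CUSTOM, "includedPermissions": sorted(
    (BACKUP_PERMS | LABEL_PERMS) - {"compute.zones.list"}) + ["compute.disks.delete"]}

if __name__ == "__main__":
    for kind, value in audit(POLICY, ROLE, SA, {"roles/viewer", CUSTOM}, BACKUP_PERMS | LABEL_PERMS):
        print(kind, value)
```

Pass only BACKUP_PERMS or only LABEL_PERMS as the last argument when the custom role is meant to cover one feature.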

Enabling Google APIs on Google Project

1. Go to APIs & Services.

2. Click +ENABLE APIS AND SERVICES.

3. Using the search bar, locate and enable:

  • Compute Engine API

  • Identity and Access Management (IAM) API

  • Cloud Resource Manager API

  • Kubernetes Engine API

Google Organizations

If you use Google Organizations, you should assign the role 'Viewer' to the service account for Cloudaware to consume your Organization data. Assign the following roles to the service account created earlier:

  • Organization Role Viewer

  • Folder Viewer

  • Organization Viewer

  • Organization Policy Viewer

Click Save.

Assign the 'Project Viewer' role on the organization level for Cloudaware to automatically add and collect Google Projects within a Google Organization.


Adding Service Account to Cloudaware


1. Log in to your Cloudaware account and select Admin.

2. Select 'Google Service Accounts & Projects' and click +Add.

3. Fill in the Service Account Name and click Load credentials from file to upload the .json key file you downloaded earlier (see step 6 of Setting Up Service Account in Google).


4. Check the tab 'Service Accounts'. The green light in 'Status' means that your Google Service Account has been added successfully. The blue light means that the integration is OK but Cloudaware doesn’t have access to your Google Resource Manager. If there is a red light, please contact support@cloudaware.com.

 

5. Go to the tab 'Projects'. Assign the service account you added to a project or any object higher in the hierarchy to define the level on which your Google Resource Manager objects will be collected by Cloudaware. Check Managing Google Projects & Service Accounts for more details.