Update permissions for GCP shared VPC installs.

Author: patrickdillon

installing/installing_gcp/installing-gcp-account.adoc

@@ -28,6 +28,8 @@ include::modules/installation-gcp-permissions.adoc[leveloffset=+2]
 
 include::modules/minimum-required-permissions-ipi-gcp.adoc[leveloffset=+2]
 
+include::modules/minimum-required-permissions-ipi-gcp-xpn.adoc[leveloffset=+2]
+
 include::modules/installation-gcp-regions.adoc[leveloffset=+1]
 
 == Next steps

installing/installing_gcp/installing-gcp-shared-vpc.adoc

@@ -20,7 +20,7 @@ The installation program provisions the rest of the required infrastructure, whi
 * If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-creating-iam-gcp[manually create and maintain IAM credentials].
 * You have a GCP host project which contains a shared VPC network.
 * You xref:../../installing/installing_gcp/installing-gcp-account.adoc#installing-gcp-account[configured a GCP project] to host the cluster. This project, known as the service project, must be attached to the host project. For more information, see link:https://cloud.google.com/vpc/docs/provisioning-shared-vpc#create-shared[Attaching service projects in the GCP documentation].
-* You have a GCP service account that has the xref:../../installing/installing_gcp/installing-gcp-account.adoc#installation-gcp-permissions_installing-gcp-account[required GCP permissions] in the host project.
+* You have a GCP service account that has the xref:../../installing/installing_gcp/installing-gcp-account.adoc#minimum-required-permissions-ipi-gcp-xpn[required GCP permissions] in both the host and service projects.
 
 include::modules/cluster-entitlements.adoc[leveloffset=+1]
 

modules/minimum-required-permissions-ipi-gcp-xpn.adoc

@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_gcp/installing-gcp-account.adoc
+
+[id="minimum-required-permissions-ipi-gcp-xpn"]
+= Required GCP permissions for shared VPC installations
+
+When you are installing a cluster to a link:https://cloud.google.com/vpc/docs/shared-vpc[shared VPC], you must configure the service account for both the host project and the service project. If you are not installing to a shared VPC, you can skip this section.
+
+You must apply the minimum roles required for a standard installation as listed above, to the service project. Note that custom roles, and therefore fine-grained permissions, cannot be used in shared VPC installations because GCP does not support adding the required permission `compute.organizations.administerXpn` to custom roles.
+
+In addition, the host project must apply one of the following configurations to the service account:
+
+.Required permissions for creating firewalls in the host project
+[%collapsible]
+====
+* `projects/<host-project>/roles/dns.networks.bindPrivateDNSZone`
+* `roles/compute.networkAdmin`
+* `roles/compute.securityAdmin`
+====
+
+.Required minimal permissions
+[%collapsible]
+====
+* `projects/<host-project>/roles/dns.networks.bindPrivateDNSZone`
+* `roles/compute.networkUser`
+====