OSDOCS#5371: Document the explicit list of required credential permissions for GCP

xenolinux · xenolinux · commit becfd9bb5d77 · 2023-03-17T16:11:55.000+05:30
diff --git a/modules/installation-gcp-permissions.adoc b/modules/installation-gcp-permissions.adoc
@@ -13,6 +13,18 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
 :template:
 endif::[]
+ifeval::["{context}" == "installing-gcp-account"]
+:ipi:
+endif::[]
+ifeval::["{context}" == "installing-gcp-user-infra"]
+:upi:
+endif::[]
+ifeval::["{context}" == "installing-gcp-account"]
+:ipiupi:
+endif::[]
+ifeval::["{context}" == "installing-gcp-user-infra"]
+:ipiupi:
+endif::[]
 
 [id="installation-gcp-permissions_{context}"]
 = Required GCP permissions
@@ -29,6 +41,291 @@ account requires the following permissions. If you deploy your cluster into an e
 * Service Account User
 * Storage Admin
 
+ifdef::ipiupi[]
+The following are the required permissions for provisioning GCP infrastructure for creating and deleting the {product-title} cluster.
+
+.Required permissions for creating network resources
+[%collapsible]
+====
+* `compute.addresses.create`
+* `compute.addresses.createInternal`
+* `compute.addresses.delete`
+* `compute.addresses.get`
+* `compute.addresses.list`
+* `compute.addresses.use`
+* `compute.addresses.useInternal`
+* `compute.firewalls.create`
+* `compute.firewalls.delete`
+* `compute.firewalls.get`
+* `compute.firewalls.list`
+* `compute.forwardingRules.create`
+* `compute.forwardingRules.get`
+* `compute.forwardingRules.list`
+* `compute.forwardingRules.setLabels`
+* `compute.networks.create`
+* `compute.networks.get`
+* `compute.networks.list`
+* `compute.networks.updatePolicy`
+* `compute.routers.create`
+* `compute.routers.get`
+* `compute.routers.list`
+* `compute.routers.update`
+* `compute.routes.list`
+* `compute.subnetworks.create`
+* `compute.subnetworks.get`
+* `compute.subnetworks.list`
+* `compute.subnetworks.use`
+* `compute.subnetworks.useExternalIp`
+====
+
+.Required permissions for creating load balancer resources
+[%collapsible]
+====
+* `compute.regionBackendServices.create`
+* `compute.regionBackendServices.get`
+* `compute.regionBackendServices.list`
+* `compute.regionBackendServices.update`
+* `compute.regionBackendServices.use`
+* `compute.targetPools.addInstance`
+* `compute.targetPools.create`
+* `compute.targetPools.get`
+* `compute.targetPools.list`
+* `compute.targetPools.removeInstance`
+* `compute.targetPools.use`
+====
+
+.Required permissions for creating DNS resources
+[%collapsible]
+====
+* `dns.changes.create`
+* `dns.changes.get`
+* `dns.managedZones.create`
+* `dns.managedZones.get`
+* `dns.managedZones.list`
+* `dns.networks.bindPrivateDNSZone`
+* `dns.resourceRecordSets.create`
+* `dns.resourceRecordSets.list`
+* `dns.resourceRecordSets.update`
+endif::ipiupi[]
+ifdef::upi[]
+* `dns.resourceRecordSets.update`
+endif::upi[]
+ifdef::ipiupi[]
+====
+
+.Required permissions for creating Service Account resources
+[%collapsible]
+====
+* `iam.serviceAccountKeys.create`
+* `iam.serviceAccountKeys.delete`
+* `iam.serviceAccountKeys.get`
+* `iam.serviceAccountKeys.list`
+* `iam.serviceAccounts.actAs`
+* `iam.serviceAccounts.create`
+* `iam.serviceAccounts.delete`
+* `iam.serviceAccounts.get`
+* `iam.serviceAccounts.list`
+* `resourcemanager.projects.get`
+* `resourcemanager.projects.getIamPolicy`
+* `resourcemanager.projects.setIamPolicy`
+====
+
+.Required permissions for creating compute resources
+[%collapsible]
+====
+* `compute.disks.create`
+* `compute.disks.get`
+* `compute.disks.list`
+* `compute.instanceGroups.create`
+* `compute.instanceGroups.delete`
+* `compute.instanceGroups.get`
+* `compute.instanceGroups.list`
+* `compute.instanceGroups.update`
+* `compute.instanceGroups.use`
+* `compute.instances.create`
+* `compute.instances.delete`
+* `compute.instances.get`
+* `compute.instances.list`
+* `compute.instances.setLabels`
+* `compute.instances.setMetadata`
+* `compute.instances.setServiceAccount`
+* `compute.instances.setTags`
+* `compute.instances.use`
+* `compute.machineTypes.get`
+* `compute.machineTypes.list`
+====
+
+.Required for creating storage resources
+[%collapsible]
+====
+* `storage.buckets.create`
+* `storage.buckets.delete`
+* `storage.buckets.get`
+* `storage.buckets.list`
+* `storage.objects.create`
+* `storage.objects.delete`
+* `storage.objects.get`
+* `storage.objects.list`
+====
+
+.Required permissions for creating health check resources
+[%collapsible]
+====
+* `compute.healthChecks.create`
+* `compute.healthChecks.get`
+* `compute.healthChecks.list`
+* `compute.healthChecks.useReadOnly`
+* `compute.httpHealthChecks.create`
+* `compute.httpHealthChecks.get`
+* `compute.httpHealthChecks.list`
+* `compute.httpHealthChecks.useReadOnly`
+====
+
+.Required permissions to get GCP zone and region related information
+[%collapsible]
+====
+* `compute.globalOperations.get`
+* `compute.regionOperations.get`
+* `compute.regions.list`
+* `compute.zoneOperations.get`
+* `compute.zones.get`
+* `compute.zones.list`
+====
+
+.Required permissions for checking services and quotas
+[%collapsible]
+====
+* `monitoring.timeSeries.list`
+* `serviceusage.quotas.get`
+* `serviceusage.services.list`
+====
+
+.Required IAM permissions for installation
+[%collapsible]
+====
+* `iam.roles.get`
+====
+endif::ipiupi[]
+
+ifdef::ipi[]
+.Optional Images permissions for installation
+[%collapsible]
+====
+* `compute.images.list`
+====
+endif::ipi[]
+ifdef::upi[]
+.Required Images permissions for installation
+[%collapsible]
+====
+* `compute.images.create`
+* `compute.images.delete`
+* `compute.images.get`
+* `compute.images.list`
+====
+endif::upi[]
+
+ifdef::ipiupi[]
+.Optional permission for running gather bootstrap
+[%collapsible]
+====
+* `compute.instances.getSerialPortOutput`
+====
+
+.Required permissions for deleting network resources
+[%collapsible]
+====
+* `compute.addresses.delete`
+* `compute.addresses.deleteInternal`
+* `compute.addresses.list`
+* `compute.firewalls.delete`
+* `compute.firewalls.list`
+* `compute.forwardingRules.delete`
+* `compute.forwardingRules.list`
+* `compute.networks.delete`
+* `compute.networks.list`
+* `compute.networks.updatePolicy`
+* `compute.routers.delete`
+* `compute.routers.list`
+* `compute.routes.list`
+* `compute.subnetworks.delete`
+* `compute.subnetworks.list`
+====
+
+.Required permissions for deleting load balancer resources
+[%collapsible]
+====
+* `compute.regionBackendServices.delete`
+* `compute.regionBackendServices.list`
+* `compute.targetPools.delete`
+* `compute.targetPools.list`
+====
+
+.Required permissions for deleting DNS resources
+[%collapsible]
+====
+* `dns.changes.create`
+* `dns.managedZones.delete`
+* `dns.managedZones.get`
+* `dns.managedZones.list`
+* `dns.resourceRecordSets.delete`
+* `dns.resourceRecordSets.list`
+====
+
+.Required permissions for deleting Service Account resources
+[%collapsible]
+====
+* `iam.serviceAccounts.delete`
+* `iam.serviceAccounts.get`
+* `iam.serviceAccounts.list`
+* `resourcemanager.projects.getIamPolicy`
+* `resourcemanager.projects.setIamPolicy`
+====
+
+.Required permissions for deleting compute resources
+[%collapsible]
+====
+* `compute.disks.delete`
+* `compute.disks.list`
+* `compute.instanceGroups.delete`
+* `compute.instanceGroups.list`
+* `compute.instances.delete`
+* `compute.instances.list`
+* `compute.instances.stop`
+* `compute.machineTypes.list`
+====
+
+.Required for deleting storage resources
+[%collapsible]
+====
+* `storage.buckets.delete`
+* `storage.buckets.getIamPolicy`
+* `storage.buckets.list`
+* `storage.objects.delete`
+* `storage.objects.list`
+====
+
+.Required permissions for deleting health check resources
+[%collapsible]
+====
+* `compute.healthChecks.delete`
+* `compute.healthChecks.list`
+* `compute.httpHealthChecks.delete`
+* `compute.httpHealthChecks.list`
+====
+
+.Required Images permissions for deletion
+[%collapsible]
+====
+endif::ipiupi[]
+ifdef::upi[]
+* `compute.images.delete`
+endif::upi[]
+ifdef::ipiupi[]
+* `compute.images.list`
+====
+endif::ipiupi[]
+
 .Required roles for creating network resources during installation
 * DNS Administrator
 
@@ -40,6 +337,28 @@ ifdef::template[]
 .Required roles for user-provisioned GCP infrastructure
 * Deployment Manager Editor
 * Service Account Key Admin
+
+ifdef::upi[]
+The following are the additional permissions required for user-provisioned GCP infrastructure for creating and deleting the {product-title} cluster.
+
+.Required permissions to get Region related information
+[%collapsible]
+====
+* `compute.regions.get`
+====
+
+.Required Deployment Manager permissions
+[%collapsible]
+====
+* `deploymentmanager.deployments.create`
+* `deploymentmanager.deployments.delete`
+* `deploymentmanager.deployments.get`
+* `deploymentmanager.deployments.list`
+* `deploymentmanager.manifests.get`
+* `deploymentmanager.operations.get`
+* `deploymentmanager.resources.list`
+====
+endif::upi[]
 endif::template[]
 
 .Optional roles
@@ -79,3 +398,15 @@ endif::[]
 ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
 :!template:
 endif::[]
+ifeval::["{context}" == "installing-gcp-account"]
+:!ipi:
+endif::[]
+ifeval::["{context}" == "installing-gcp-user-infra"]
+:!upi:
+endif::[]
+ifeval::["{context}" == "installing-gcp-account"]
+:!ipiupi:
+endif::[]
+ifeval::["{context}" == "installing-gcp-user-infra"]
+:!ipiupi:
+endif::[]
