Created on 02-22-2018 07:49 AM - edited 08-17-2019 08:44 AM
This is a detailed walk-through of configuring a service account in Google Cloud Platform and a cloud credential in Cloudbreak. Once these are done, Cloudbreak can spin up your clusters in GCP easily and quickly.
High Level Steps
- Enable Compute Engine API in GCP project
- Create service account with required roles in GCP project
- Create credential for GCP service account in Cloudbreak
You will need a GCP account with full rights to administer service accounts, and a Cloudbreak instance. Cloudbreak can be running anywhere, as long as it has network access to GCP. My example is running on an internal OpenStack cluster.
Google Cloud Platform Console
Log into the GCP Console at https://console.cloud.google.com
On the main dashboard page, you will find the Project ID. You will need this to define your credential in Cloudbreak in a later step.
GCP - APIs Dashboard
Go to the APIs & Services Dashboard by (1) clicking the menu in the top left, (2) hovering over APIs and Services, and (3) clicking on Dashboard.
GCP - APIs & Services Dashboard
Verify that the Google Compute Engine API is listed and enabled. If it is not, click on the Enable APIs button to search for and enable it.
GCP - Service Accounts
Go to the Service Accounts screen by (1) clicking the menu in the top left, (2) hovering over IAM & Admin, and (3) clicking on Service Accounts.
GCP - Create Service Account - Step 1
- Click "Create Service Account"
GCP - Create Service Account - Step 2
- Give the service account a name
- Check the "Furnish a new key" box. This will download a key to your computer when you finish creating the account.
- If you are using Cloudbreak 2.7 or later, select JSON format key. Google has deprecated the P12 format and it will eventually be unsupported.
If you are using Cloudbreak before 2.7, I strongly recommend that you move to 2.7 because of the many excellent new features and use JSON. In Cloudbreak 2.4, P12 is the only format that is supported.
- Click the "Select a Role" dropdown
- Select the required Compute Engine roles.
- Select the Storage Admin role under Storage.
- Click outside of the roles selection dropdown to reveal the "create" button.
All five of the roles shown are required for the service account.
GCP - Create Service Account - Step 3
- Click "Create"
GCP - Service Account Created
The new private key will be downloaded and the password for the key will be displayed. You will not use the password for Cloudbreak.
GCP - Service Accounts List
You will need to supply the Service Account ID in the Cloudbreak Credential form in a later step.
Cloudbreak - Creating GCP credential
Log into your Cloudbreak instance.
- Click on Credentials in navigation bar
- Click on "Create Credential"
Cloudbreak - Select cloud platform
- Click "Select your cloud provider" to pull down list
- Click on Google
Cloudbreak - Create Credential
- Give this credential a name. This will be used in Cloudbreak to identify which cloud you will use to provision a new cluster.
- Paste in the Service Account ID from the earlier step.
- Paste in the Project ID from the earlier step.
- Upload the key file that was downloaded in the earlier step.
- Click "Create"
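Before uploading the key, a local check can confirm that the download is a JSON service account key for the intended project and that the file is not readable by other users on the machine. The script below is an added example, not part of the original article or of Cloudbreak; it assumes the Service Account ID is the address stored in the key's `client_email` field, and the function name and sample values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

def check_key_file(path, expected_project_id):
    """Return (form_values, problems) for a downloaded JSON service account key."""
    problems = []
    # The key is a long-lived secret: flag files readable by group or others.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:o} lets other users read the key")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError:
        # A P12 key is binary and will not parse as JSON text.
        return {}, problems + ["not a JSON key (P12 or corrupted download?)"]
    if not isinstance(key, dict):
        return {}, problems + ["JSON document is not a key object"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    if key.get("project_id") != expected_project_id:
        problems.append("key belongs to a different project than the one entered")
    # Values to paste into the credential form (assumed field mapping).
    form = {"service_account_id": key.get("client_email"),
            "project_id": key.get("project_id")}
    return form, problems

def demo():
    sample = {  # constructed sample, not a real key
        "type": "service_account", "project_id": "example-project",
        "private_key_id": "0000", "private_key": "CONSTRUCTED-PLACEHOLDER",
        "client_email": "cloudbreak@example-project.iam.gserviceaccount.com"}
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)   # world-readable: should be flagged
        loose = check_key_file(path, "example-project")
        os.chmod(path, 0o600)   # owner-only, but checked against another project
        tight = check_key_file(path, "other-project")
    return loose, tight

if __name__ == "__main__":
    print(demo())
```

An empty problem list means the file is an owner-only JSON key whose project matches the Project ID you are about to enter.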
Cloudbreak - Verifying Credential - Step 1
To see that the credential is working, start to create a new cluster:
- Click Clusters on the left-side menu
- Click Create Cluster
Cloudbreak - Verifying Credential - Step 2
Once you select your new credential, the Region and Availability Zone fields should get populated. If they don't, they will be blank or say "select region". That would be an indication that your credential does not have the proper roles, or you do not have the Compute Engine API set up.
Finished
Once you've verified that your credential can talk to the GCP API, you can finish the cluster creation wizard to build your first cluster.