GCP project configuration
Note: For a detailed walk-through showing how to set up a fresh GCP project for Opstrace, please try our corresponding admin guide.
Required services (APIs)
Creating an Opstrace instance in a GCP project requires the following APIs to be enabled in that project:
- Cloud DNS API
- Compute Engine API
- Kubernetes Engine API
- Cloud SQL Admin API
- Service Networking API
- Cloud Resource Manager API
We try to keep this list up to date—if in doubt, please reach out in our community!
Required service account permissions
Creating an Opstrace instance in a GCP project requires a service account. That service account must have certain security roles applied in the GCP project:
- roles/compute.networkAdmin
- roles/container.admin
- roles/editor
- roles/iam.securityAdmin
If you would like to know which individual permissions are implied by any of these roles, please search for that role (e.g. roles/container.admin) on the GCP IAM permissions reference page.
Note: we didn't quite arrive at fulfilling the principle of least privilege here—this is an ongoing effort. If you have specific ideas for reducing the set of privileges required, please open an issue!
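The following is an added example, not Opstrace's own tooling: a Python check that compares the roles bound to the installer service account against the four roles listed above, reading the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The service account name, project name and sample policy are constructed for illustration.

```python
import json
import sys

# Roles this page lists as required for the installer service account.
REQUIRED_ROLES = {
    "roles/compute.networkAdmin",
    "roles/container.admin",
    "roles/editor",
    "roles/iam.securityAdmin",
}

def audit_member(policy, member):
    """Compare the project-level roles bound to `member` with REQUIRED_ROLES."""
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding carrying a "condition" only applies while its expression
        # holds, so it may not be in effect when the installer runs.
        target = conditional if binding.get("condition") else unconditional
        target.add(binding["role"])
    held = unconditional | conditional
    return {
        "missing": sorted(REQUIRED_ROLES - held),
        "conditional_only": sorted((REQUIRED_ROLES & conditional) - unconditional),
        "extra": sorted(held - REQUIRED_ROLES),  # beyond what the page requires
    }

# Constructed sample data (hypothetical service account and project).
SA = "serviceAccount:opstrace-installer@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/compute.networkAdmin", "members": [SA, "user:alice@example.com"]},
        {"role": "roles/container.admin", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [SA]},
        {"role": "roles/iam.securityAdmin", "members": [SA],
         "condition": {"title": "temporary", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
        {"role": "roles/owner", "members": [SA]},
    ],
}

if __name__ == "__main__":
    # Usage: script.py [policy.json member]; falls back to the sample data.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            policy, member = json.load(fh), sys.argv[2]
    else:
        policy, member = SAMPLE_POLICY, SA
    print(json.dumps(audit_member(policy, member), indent=2))
```

Roles inherited from a folder or organization do not appear in the project-level policy, so an empty `missing` list here is sufficient but a non-empty one is not conclusive.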