Setting up a Google Cloud service account for workload monitoring

This topic describes the steps to set up a valid service account that Turbonomic will use to connect to your Google Cloud environment. The access that you grant this service account determines the Google Cloud workloads that Turbonomic discovers, monitors, and optimizes.

Task overview

To set up a service account, perform the following tasks in Google Cloud:

  1. Create a service account for workload monitoring.

  2. Create a custom role and then assign the role to the service account.

Creating a service account for workload monitoring

Create a service account and generate a key file for the account. The key file is required when adding a Google Cloud target in the Turbonomic user interface. The key is a long-lived credential that carries every permission you grant the account in the sections that follow, so treat it as a secret: keep it only where Turbonomic needs it, restrict its file permissions, and if it is ever exposed, delete it (gcloud iam service-accounts keys delete) and generate a new one.

API calls made with the key count against the quota of the project that hosts the service account, not the project being monitored. For uninterrupted monitoring, create the service account in a project that does not typically hit the rate limits enforced by Google Cloud, such as a non-production project.

  1. In the project that will host the new service account, open a Cloud Shell session. (The cloudshell download command in step 5 works only in Cloud Shell; with a local gcloud installation the key file is written locally and that step is not needed.) Confirm the active project with gcloud config get-value project, because the next command creates the account in whichever project is active.

  2. Create a service account.

    gcloud iam service-accounts create <SERVICE_ACCOUNT_NAME>

    Where:

    <SERVICE_ACCOUNT_NAME> is the internal name of the new service account. The name must be between 6 and 30 characters in length.

  3. Record the following information for later use.

    • <SERVICE_ACCOUNT_NAME>

    • <PROJECT_ID>

      Note:

      <PROJECT_ID> identifies the project that hosts the service account. This information is needed if you need to review or edit the service account later.

  4. Generate a key file for the service account.

    gcloud iam service-accounts keys create <KEY_FILE_NAME> \
      --iam-account=<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com

    Where:

    • <KEY_FILE_NAME> is your preferred name for the key file.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

  5. Download the key file (JSON file) to your local machine. You will use the key file later when you add a Google Cloud target in the Turbonomic user interface. Skip this step if you ran the previous command from a local gcloud installation rather than Cloud Shell.

    cloudshell download <KEY_FILE_NAME>

    Where:

    <KEY_FILE_NAME> is the key file name that you specified in the previous step.
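The key file is the only credential Turbonomic will hold for this account, so before uploading it, confirm that the file you downloaded is a service-account key for the account you just created and that nobody else on the machine can read it. The script below is an added example, not Turbonomic or Google Cloud code. The file name, account and project in its usage are placeholders, and it parses the standard gcloud key layout (a flat JSON object with type, project_id, private_key_id, private_key and client_email fields) with sed so that it has no jq dependency.

```shell
#!/bin/sh
# Added example (not Turbonomic's or Google's code): sanity-check a downloaded
# service-account key file before it is uploaded to Turbonomic.
# Usage: verify_key_file KEY.json SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
# On success it prints the key ID, which you can match against
#   gcloud iam service-accounts keys list --iam-account=<SERVICE_ACCOUNT_EMAIL>

# Read one top-level string field from the key JSON. The gcloud key file is a
# flat object with one field per line, so a line-oriented extract is safe.
key_field() {  # $1 = key file, $2 = field name
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Returns 0 and prints private_key_id if the file is a service-account key for
# the expected account and contains key material; otherwise explains and returns 1.
verify_key_file() {  # $1 = key file, $2 = expected client_email
  local type email
  [ -s "$1" ] || { echo "missing or empty key file: $1" >&2; return 1; }
  type=$(key_field "$1" type)
  email=$(key_field "$1" client_email)
  [ "$type" = service_account ] || { echo "not a service-account key (type='$type')" >&2; return 1; }
  [ "$email" = "$2" ] || { echo "key belongs to '$email', expected '$2'" >&2; return 1; }
  grep -q 'BEGIN PRIVATE KEY' "$1" || { echo "no private key material in $1" >&2; return 1; }
  chmod 600 "$1"   # the key is a bearer credential: owner read/write only
  key_field "$1" private_key_id
}
```

Run the check on the file from step 5 and compare the printed key ID with the output of gcloud iam service-accounts keys list; a key ID you do not recognise means a key you did not create, which is worth investigating before you go further.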

Overview of custom roles

You can assign the following custom roles to the service account that you created.

  • (Required) Custom role for workload monitoring

    This custom role specifies the permissions that Turbonomic needs to discover and monitor workloads in your entire organization, or in individual folders or projects. Where you create the role depends on what you want to monitor:

    Google Cloud resources to monitor    Task
    Organization                         Create a custom role at the organization level.
    Individual folders                   Create a custom role at the organization level (custom roles cannot be created at the folder level) and grant it on the folder, with gcloud resource-manager folders add-iam-policy-binding, rather than on the organization.
    Individual projects                  Create a custom role at the project level.

  • (Optional) Custom role for action execution

    To execute actions from Turbonomic, create a role that specifies the required permissions for executing actions.

Creating and assigning custom roles (organization level)

Note:

Skip to the next section if you want Turbonomic to monitor individual projects.

  1. Create a custom role for workload monitoring.

    gcloud iam roles create <ROLE_ID> --organization=<ORGANIZATION_ID> \
      --title='Turbonomic Role: Access - Organization' \
      --description='Minimum permissions to manage the Google Cloud organization' \
      --permissions="billing.accounts.list,\
    billing.resourceAssociations.list,\
    compute.commitments.list,\
    compute.disks.get,\
    compute.disks.list,\
    compute.diskTypes.list,\
    compute.instances.get,\
    compute.instances.list,\
    compute.instanceGroupManagers.get,\
    compute.instanceGroupManagers.list,\
    compute.instanceGroups.get,\
    compute.instanceGroups.list,\
    compute.machineTypes.get,\
    compute.machineTypes.list,\
    compute.regions.list,\
    compute.zones.list,\
    container.clusters.get,\
    logging.logEntries.list,\
    logging.views.get,\
    logging.views.list,\
    monitoring.services.get,\
    monitoring.services.list,\
    monitoring.timeSeries.list,\
    resourcemanager.folders.get,\
    resourcemanager.folders.list,\
    resourcemanager.organizations.get,\
    resourcemanager.projects.get,\
    resourcemanager.projects.list,\
    serviceusage.services.get" --stage=ALPHA

    Where:

    • <ROLE_ID> is your preferred ID for the custom role.

    • <ORGANIZATION_ID> is the organization that Turbonomic will monitor.

  2. Assign the custom role to the service account.

    gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=<ROLE_NAME>

    Where:

    • <ORGANIZATION_ID> is the organization that Turbonomic will monitor.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

    • <ROLE_NAME> is the complete path for the role name, expressed as follows:

      organizations/<ORGANIZATION_ID>/roles/<ROLE_ID>

      Note:

      <ROLE_ID> was created in a previous step.

  3. Add the predefined Billing Account Viewer role to the service account.

    gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
      --role=roles/billing.viewer

    Where:

    • <ORGANIZATION_ID> is your Google Cloud organization.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

  4. (Optional) Create a custom role to execute actions from Turbonomic. Grant this role only if you intend to execute actions: it can start, stop, resize and delete disks on every instance in scope, and iam.serviceAccounts.actAs lets the account attach any service account within the scope of the grant to the resources it manages.

    gcloud iam roles create <ROLE_ID_ACTION> --organization=<ORGANIZATION_ID> \
      --title='Turbonomic Role: Org Action Execution' \
      --description='Minimum permissions to execute actions in the Google Cloud organization' \
      --permissions="compute.disks.create,\
    compute.disks.createSnapshot,\
    compute.disks.delete,\
    compute.disks.resize,\
    compute.disks.setLabels,\
    compute.disks.update,\
    compute.disks.use,\
    compute.disks.useReadOnly,\
    compute.globalOperations.get,\
    compute.instanceGroupManagers.update,\
    compute.instanceGroups.get,\
    compute.instanceGroups.list,\
    compute.instanceGroups.use,\
    compute.instances.attachDisk,\
    compute.instances.detachDisk,\
    compute.instances.setLabels,\
    compute.instances.setMachineType,\
    compute.instances.start,\
    compute.instances.stop,\
    compute.instances.useReadOnly,\
    compute.instanceTemplates.list,\
    compute.instantSnapshots.list,\
    compute.regionOperations.get,\
    compute.reservations.list,\
    compute.resourcePolicies.use,\
    compute.snapshots.create,\
    compute.snapshots.delete,\
    compute.snapshots.get,\
    compute.snapshots.list,\
    compute.snapshots.useReadOnly,\
    compute.zoneOperations.get,\
    container.clusters.update,\
    iam.serviceAccounts.actAs" --stage=ALPHA

    Where:

    • <ROLE_ID_ACTION> is your preferred ID for the custom role for action execution.

    • <ORGANIZATION_ID> is the organization that Turbonomic will monitor.

  5. (Optional) Assign the custom role for action execution to the service account.

    gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=<ROLE_NAME_ACTION>

    Where:

    • <ORGANIZATION_ID> is the organization that Turbonomic will monitor.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

    • <ROLE_NAME_ACTION> is the complete path for the role name, expressed as follows:

      organizations/<ORGANIZATION_ID>/roles/<ROLE_ID_ACTION>

      Note:

      <ROLE_ID_ACTION> was created in a previous step.

Creating and assigning custom roles (project level)

Note:

See the previous section if you want Turbonomic to monitor individual folders or your entire organization.

  1. Create a custom role for workload monitoring.

    gcloud iam roles create <ROLE_ID> --project=<PROJECT_ID_MONITOR> \
      --title='Turbonomic Role: Min Access - Project' \
      --description='Minimum permissions to manage the Google Cloud project' \
      --permissions="compute.commitments.list,\
    compute.disks.get,\
    compute.disks.list,\
    compute.diskTypes.list,\
    compute.instances.get,\
    compute.instances.list,\
    compute.instanceGroupManagers.get,\
    compute.instanceGroupManagers.list,\
    compute.instanceGroups.get,\
    compute.instanceGroups.list,\
    compute.machineTypes.get,\
    compute.machineTypes.list,\
    compute.regions.list,\
    compute.zones.list,\
    container.clusters.get,\
    logging.logEntries.list,\
    logging.views.get,\
    logging.views.list,\
    monitoring.services.get,\
    monitoring.services.list,\
    monitoring.timeSeries.list,\
    resourcemanager.projects.get,\
    serviceusage.services.get" --stage=ALPHA

    Where:

    • <ROLE_ID> is your preferred ID for the custom role.

    • <PROJECT_ID_MONITOR> is the project that Turbonomic will monitor.

  2. Assign the custom role to the service account.

    gcloud projects add-iam-policy-binding <PROJECT_ID_MONITOR> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=<ROLE_NAME>

    Where:

    • <PROJECT_ID_MONITOR> is the project that Turbonomic will monitor.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

    • <ROLE_NAME> is the complete path for the role name, expressed as follows:

      projects/<PROJECT_ID_MONITOR>/roles/<ROLE_ID>

      Note:

      <ROLE_ID> was created in a previous step.

  3. Add the predefined Billing Account Viewer role to the service account. This binding is made on the organization even when you monitor a single project, so it requires permission to edit the organization's IAM policy.

    gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com \
      --role=roles/billing.viewer

    Where:

    • <ORGANIZATION_ID> is your Google Cloud organization.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

  4. (Optional) Create a custom role to execute actions from Turbonomic.

    gcloud iam roles create <ROLE_ID_ACTION> --project=<PROJECT_ID_MONITOR> \
      --title='Turbonomic Role: Project Action Execution' \
      --description='Minimum permissions to execute actions in the Google Cloud project' \
      --permissions="compute.disks.create,\
    compute.disks.createSnapshot,\
    compute.disks.delete,\
    compute.disks.resize,\
    compute.disks.setLabels,\
    compute.disks.update,\
    compute.disks.use,\
    compute.disks.useReadOnly,\
    compute.globalOperations.get,\
    compute.instanceGroupManagers.update,\
    compute.instanceGroups.get,\
    compute.instanceGroups.list,\
    compute.instanceGroups.use,\
    compute.instances.attachDisk,\
    compute.instances.detachDisk,\
    compute.instances.setLabels,\
    compute.instances.setMachineType,\
    compute.instances.start,\
    compute.instances.stop,\
    compute.instances.useReadOnly,\
    compute.instanceTemplates.list,\
    compute.instantSnapshots.list,\
    compute.regionOperations.get,\
    compute.reservations.list,\
    compute.resourcePolicies.use,\
    compute.snapshots.create,\
    compute.snapshots.delete,\
    compute.snapshots.get,\
    compute.snapshots.list,\
    compute.snapshots.useReadOnly,\
    compute.zoneOperations.get,\
    container.clusters.update,\
    iam.serviceAccounts.actAs" --stage=ALPHA

    Where:

    • <ROLE_ID_ACTION> is your preferred ID for the custom role for action execution.

    • <PROJECT_ID_MONITOR> is the project that Turbonomic will monitor.

  5. (Optional) Assign the custom role for action execution to the service account.

    gcloud projects add-iam-policy-binding <PROJECT_ID_MONITOR> \
      --member=serviceAccount:<SERVICE_ACCOUNT_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=<ROLE_NAME_ACTION>

    Where:

    • <PROJECT_ID_MONITOR> is the project that Turbonomic will monitor.

    • <SERVICE_ACCOUNT_NAME> is the name of the service account that you created.

    • <PROJECT_ID> is the project that hosts the service account.

    • <ROLE_NAME_ACTION> is the complete path for the role name, expressed as follows:

      projects/<PROJECT_ID_MONITOR>/roles/<ROLE_ID_ACTION>

      Note:

      <ROLE_ID_ACTION> was created in a previous step.
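The organization-level and project-level procedures above are the same steps with a different scope, and neither says how to confirm afterwards that the role you created carries exactly the documented permissions (an over-broad custom role is the usual way a monitoring account ends up with more access than intended). The script below is an added example, not Turbonomic's or Google's code. It creates the workload-monitoring role at either scope, binds the service account to it, and then reads the live role back and diffs it against the permission list from this page. The IDs and e-mail address are placeholders to replace; it assumes an authenticated gcloud with permission to manage roles and IAM policy at the chosen scope; the predefined Billing Account Viewer binding and the optional action-execution role are left to the steps above. Run it with the apply argument to make changes; without it only the functions are defined, and diff_perms can be pointed at any existing role.

```shell
#!/bin/sh
# Added example (not Turbonomic's or Google's code): create the Turbonomic
# workload-monitoring role at organization or project scope, bind the service
# account, and verify that the live role matches the documented permission set.
# Usage: SCOPE=org|project ... sh setup_role.sh apply

SCOPE="${SCOPE:-org}"                                                  # org | project
ORGANIZATION_ID="${ORGANIZATION_ID:-123456789012}"                     # placeholder
PROJECT_ID_MONITOR="${PROJECT_ID_MONITOR:-monitored-project}"          # placeholder
SA_EMAIL="${SA_EMAIL:-turbo-monitor@sa-host-project.iam.gserviceaccount.com}"  # placeholder
ROLE_ID="${ROLE_ID:-turbonomic_monitor}"

# Documented minimum permissions for project-level monitoring ...
MONITOR_PERMS="compute.commitments.list compute.disks.get compute.disks.list
compute.diskTypes.list compute.instances.get compute.instances.list
compute.instanceGroupManagers.get compute.instanceGroupManagers.list
compute.instanceGroups.get compute.instanceGroups.list
compute.machineTypes.get compute.machineTypes.list compute.regions.list
compute.zones.list container.clusters.get logging.logEntries.list
logging.views.get logging.views.list monitoring.services.get
monitoring.services.list monitoring.timeSeries.list
resourcemanager.projects.get serviceusage.services.get"
# ... and the extra ones the organization-level role adds.
ORG_EXTRA_PERMS="billing.accounts.list billing.resourceAssociations.list
resourcemanager.folders.get resourcemanager.folders.list
resourcemanager.organizations.get resourcemanager.projects.list"

scope_flag() {  # $1 = org|project, $2 = organization or project ID
  case "$1" in
    org)     echo "--organization=$2" ;;
    project) echo "--project=$2" ;;
    *)       echo "unknown scope: $1" >&2; return 1 ;;
  esac
}

role_name() {  # $1 = org|project, $2 = organization or project ID, $3 = role ID
  case "$1" in
    org)     echo "organizations/$2/roles/$3" ;;
    project) echo "projects/$2/roles/$3" ;;
    *)       return 1 ;;
  esac
}

# Documented permission list for a scope: one per line, sorted for comm(1).
expected_perms() {  # $1 = org|project
  { printf '%s\n' "$MONITOR_PERMS"
    [ "$1" = org ] && printf '%s\n' "$ORG_EXTRA_PERMS"
  } | tr ' ' '\n' | sed '/^$/d' | sort
}

perms_csv() { expected_perms "$1" | paste -sd, - ; }   # form for --permissions=

# Compare the documented list with a live role's permissions (a file with one
# permission per line). Prints "+perm" for extras and "-perm" for missing ones;
# returns 1 if the role deviates in either direction.
diff_perms() {  # $1 = org|project, $2 = file of live permissions
  local exp act rc
  exp=$(mktemp); act=$(mktemp); rc=0
  expected_perms "$1" > "$exp"
  sed '/^$/d' "$2" | sort > "$act"
  comm -13 "$exp" "$act" | sed 's/^/+/' | grep . && rc=1   # extra: tighten the role
  comm -23 "$exp" "$act" | sed 's/^/-/' | grep . && rc=1   # missing: discovery is incomplete
  rm -f "$exp" "$act"
  return "$rc"
}

main() {
  local target flag role live
  if [ "$SCOPE" = org ]; then target="$ORGANIZATION_ID"; else target="$PROJECT_ID_MONITOR"; fi
  flag=$(scope_flag "$SCOPE" "$target")
  role=$(role_name "$SCOPE" "$target" "$ROLE_ID")
  # 1. Create the role with exactly the documented permissions
  #    ('gcloud iam roles create' fails if the ID already exists; use 'roles update' then).
  gcloud iam roles create "$ROLE_ID" "$flag" \
    --title="Turbonomic Role: Access - $SCOPE" \
    --description="Minimum permissions for Turbonomic workload monitoring" \
    --permissions="$(perms_csv "$SCOPE")" --stage=ALPHA
  # 2. Bind the service account to the role at the same scope.
  if [ "$SCOPE" = org ]; then
    gcloud organizations add-iam-policy-binding "$target" --member="serviceAccount:$SA_EMAIL" --role="$role"
  else
    gcloud projects add-iam-policy-binding "$target" --member="serviceAccount:$SA_EMAIL" --role="$role"
  fi
  # 3. Post-check: read the role back (YAML list items are its permissions) and diff.
  live=$(mktemp)
  gcloud iam roles describe "$ROLE_ID" "$flag" --format=yaml | sed -n 's/^- //p' > "$live"
  if diff_perms "$SCOPE" "$live"; then echo "role $role matches the documented permission set"; fi
  rm -f "$live"
}

if [ "${1:-}" = apply ]; then main; fi
```

Rerun only step 3 of main periodically, or after anyone edits the role in the console: a "+" line means the monitoring account has gained a permission this page never asked for, and a "-" line explains missing entities in Turbonomic before you start widening the grant.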

Next step

In the Turbonomic user interface, add a Google Cloud target. For details, see this topic.