Create Private Key Using Google CLI
A private key is required in the UDP console to create a VSB to GCP plan.
Before you can create a new key, you must install and initialize the gcloud CLI with administrator permission. Follow the Google Cloud documentation for both tasks:
- Installing the Google Cloud CLI.
- Initializing the Google Cloud CLI.
After installing and initializing gcloud in the same environment, either run the Windows PowerShell script gcp_auth_key_create.ps1 or follow these steps to create the key manually:
- After installing and initializing the gcloud tool, do the following:
  - Test and confirm that the gcloud tool is installed by checking the version with the command "gcloud --version".
  - During initialization, authenticate in gcloud with an administrator account that has complete control of the organization, so that it can be attached to a specific project.
  - Set the project in which the VSB instances are to be created with the command "gcloud config set project PROJECT_ID", where PROJECT_ID is a valid project in the organization.
  - Use gcloud to configure the user's access to the project by creating a custom role for the project that permits VSB-related tasks.
- To create a service account, replace the following values and run the command given below:
  - SA_NAME: the desired name of the service account.
  - DISPLAY_NAME: the service account name to display in the Google Cloud console.
  gcloud iam service-accounts create SA_NAME --display-name="DISPLAY_NAME"
- To get the service account email address, replace the following value and run the command given below:
  - DISPLAY_NAME: the display name provided when creating the service account.
  gcloud iam service-accounts list --filter "displayName=DISPLAY_NAME"
  Note down the service account email address from the output of this command. It has the following format and is referred to as SA_EMAIL in the rest of the steps:
  SA_NAME@PROJECT_ID.iam.gserviceaccount.com
- To create and download the JSON key file, replace the following values and run the command given below:
  - KEY_FILE: the path of a new output file for the private key, for example c:\gcp-private-key.json or ~/sa-private-key.json.
  - SA_EMAIL: the service account email address noted down in the previous step, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com, where SA_NAME is the name of the service account to create a key for and PROJECT_ID is your Google Cloud project ID.
  gcloud iam service-accounts keys create KEY_FILE --iam-account=SA_EMAIL
  The JSON key file contains the private key that you need later in the UDP console.
- To create a custom role containing the 69 permissions required for VSB tasks, replace the following values and run the command given below. Pass the permissions as one comma-separated value with no spaces or line breaks.
  - PROJECT_ID: your Google Cloud project ID.
  - ROLE_NAME: the desired role name.
  gcloud iam roles create ROLE_NAME --project PROJECT_ID --permissions=compute.addresses.list,compute.addresses.use,compute.disks.create,compute.disks.createSnapshot,compute.disks.delete,compute.disks.get,compute.disks.use,compute.firewallPolicies.create,compute.firewallPolicies.delete,compute.firewallPolicies.get,compute.firewallPolicies.list,compute.firewallPolicies.update,compute.firewallPolicies.use,compute.firewalls.create,compute.firewalls.delete,compute.firewalls.get,compute.firewalls.list,compute.firewalls.update,compute.globalOperations.get,compute.images.useReadOnly,compute.instances.addAccessConfig,compute.instances.attachDisk,compute.instances.create,compute.instances.delete,compute.instances.deleteAccessConfig,compute.instances.detachDisk,compute.instances.list,compute.instances.setMetadata,compute.instances.setServiceAccount,compute.instances.start,compute.instances.stop,compute.instances.update,compute.instances.updateDisplayDevice,compute.machineTypes.list,compute.networks.access,compute.networks.create,compute.networks.delete,compute.networks.get,compute.networks.getEffectiveFirewalls,compute.networks.list,compute.networks.update,compute.networks.use,compute.networks.useExternalIp,compute.regionOperations.get,compute.snapshots.create,compute.snapshots.delete,compute.snapshots.get,compute.snapshots.useReadOnly,compute.subnetworks.create,compute.subnetworks.delete,compute.subnetworks.get,compute.subnetworks.list,compute.subnetworks.update,compute.subnetworks.use,compute.subnetworks.useExternalIp,compute.zoneOperations.get,compute.zones.list,iam.serviceAccounts.actAs,iam.serviceAccounts.get,iam.serviceAccounts.list,resourcemanager.projects.get,serviceusage.services.use,storage.buckets.create,storage.buckets.enableObjectRetention,storage.buckets.list,storage.objects.create,storage.objects.delete,storage.objects.get,storage.objects.list
  This command creates a custom role named ROLE_NAME in the project, with the permissions needed to create and manage instances. The full name of the role is listed in the output of the command, in the format projects/PROJECT_ID/roles/ROLE_NAME.
  Note: A role is a collection of permissions. You cannot assign a permission to a user directly; instead you grant them a role. When you grant a role to a user, you grant them all the permissions that the role contains.
- To bind the custom role ROLE_NAME to the service account SA_NAME, replace the following values and run the command given below:
  - PROJECT_ID: your Google Cloud project ID.
  - ROLE_FULL_NAME: the full name of the role listed in the previous step, in the format projects/PROJECT_ID/roles/ROLE_NAME, where ROLE_NAME is the name used in the previous step and PROJECT_ID is your Google Cloud project ID.
  - SA_EMAIL: the service account email address noted down earlier, in the format SA_NAME@PROJECT_ID.iam.gserviceaccount.com, where SA_NAME is the name of the service account to create a key for and PROJECT_ID is your Google Cloud project ID.
  gcloud projects add-iam-policy-binding PROJECT_ID --member serviceAccount:SA_EMAIL --role=ROLE_FULL_NAME
- In the UDP console, use the service account's JSON key file created above to create the VSB to GCP plan.
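As an added example (not code from this page or from the gcp_auth_key_create.ps1 script it mentions), the bash script below runs the steps above with the placeholders as shell variables and then checks the result: that the permission list really has 69 entries, that the downloaded file is a service-account key for the expected account, and that the account holds nothing but the custom role in the project. The variable and function names, the constructed sample key file and the --run flag are assumptions; gcloud is assumed to be installed and initialized as the page requires.

```shell
#!/usr/bin/env bash
# Added example, not from the Arcserve page or its PowerShell script. Assumes gcloud is
# installed and initialized, and that PROJECT_ID, SA_NAME, ROLE_NAME and KEY_FILE are
# exported (DISPLAY_NAME optional). Run the GCP steps with: ./vsb_gcp_key.sh --run
set -eu

# The page's 69 permissions, joined into the single comma-separated value that
# --permissions= requires (no spaces or line breaks inside the value).
VSB_PERMISSIONS="compute.addresses.list,compute.addresses.use,compute.disks.create,compute.disks.createSnapshot,compute.disks.delete,compute.disks.get,compute.disks.use,compute.firewallPolicies.create,compute.firewallPolicies.delete,compute.firewallPolicies.get,compute.firewallPolicies.list,compute.firewallPolicies.update,compute.firewallPolicies.use,compute.firewalls.create,compute.firewalls.delete,compute.firewalls.get,compute.firewalls.list,compute.firewalls.update,compute.globalOperations.get,compute.images.useReadOnly,compute.instances.addAccessConfig,compute.instances.attachDisk,compute.instances.create,compute.instances.delete,compute.instances.deleteAccessConfig,compute.instances.detachDisk,compute.instances.list,compute.instances.setMetadata,compute.instances.setServiceAccount,compute.instances.start,compute.instances.stop,compute.instances.update,compute.instances.updateDisplayDevice,compute.machineTypes.list,compute.networks.access,compute.networks.create,compute.networks.delete,compute.networks.get,compute.networks.getEffectiveFirewalls,compute.networks.list,compute.networks.update,compute.networks.use,compute.networks.useExternalIp,compute.regionOperations.get,compute.snapshots.create,compute.snapshots.delete,compute.snapshots.get,compute.snapshots.useReadOnly,compute.subnetworks.create,compute.subnetworks.delete,compute.subnetworks.get,compute.subnetworks.list,compute.subnetworks.update,compute.subnetworks.use,compute.subnetworks.useExternalIp,compute.zoneOperations.get,compute.zones.list,iam.serviceAccounts.actAs,iam.serviceAccounts.get,iam.serviceAccounts.list,resourcemanager.projects.get,serviceusage.services.use,storage.buckets.create,storage.buckets.enableObjectRetention,storage.buckets.list,storage.objects.create,storage.objects.delete,storage.objects.get,storage.objects.list"

# Number of entries in a comma-separated permission list (69 for the list above).
count_permissions() { printf '%s\n' "$1" | tr ',' '\n' | grep -c .; }

# Sanity-check a downloaded key file: it must be a service-account key for the expected
# account ($2) and carry a private key. grep only, so there is no jq dependency.
check_key_file() {
  grep -q '"type": *"service_account"' "$1" || return 1
  grep -q "\"client_email\": *\"$2\"" "$1" || return 1
  grep -q 'BEGIN PRIVATE KEY' "$1" || return 1
}

# Writes a constructed, non-functional key file (fake key material) so check_key_file
# can be exercised offline; $1 = path, $2 = project id, $3 = client email.
write_sample_key_file() {
  cat > "$1" <<EOF
{
  "type": "service_account",
  "project_id": "$2",
  "client_email": "$3",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nFAKEKEYMATERIAL\\n-----END PRIVATE KEY-----\\n"
}
EOF
}

# The page's steps in order, then the checks; exits non-zero if the key file is not what
# we expect, so a bad file is never handed to the UDP console.
create_vsb_credentials() {
  sa_email="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  gcloud config set project "$PROJECT_ID"
  gcloud iam service-accounts create "$SA_NAME" --display-name="${DISPLAY_NAME:-$SA_NAME}"
  gcloud iam roles create "$ROLE_NAME" --project "$PROJECT_ID" --permissions="$VSB_PERMISSIONS"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member "serviceAccount:${sa_email}" --role "projects/${PROJECT_ID}/roles/${ROLE_NAME}"
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$sa_email"
  chmod 600 "$KEY_FILE"   # the file is the credential: keep it owner-readable only
  check_key_file "$KEY_FILE" "$sa_email"
  # Least-privilege check: every role the account holds in the project; expect only the custom role.
  gcloud projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${sa_email}" --format="value(bindings.role)"
}
if [ "${1:-}" = "--run" ]; then create_vsb_credentials; fi
```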