# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
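# Service agents of a service project that need IAM grants in the Shared VPC
# host project, keyed by the API that creates the agent. Each entry lists the
# agent name and the roles the linked product documentation asks for.
#
# Review notes:
# - roles/compute.networkUser is the common grant; where the consumer of this
#   file supports it, bind it on the specific shared subnets rather than on the
#   whole host project (least privilege).
# - roles/compute.securityAdmin (GKE) and roles/compute.networkAdmin
#   (Datastream) are broad host-project roles. They are listed because the
#   linked docs call for them; confirm they are still required for the
#   features in use and consider a narrower custom role if the docs allow one.

# Cloud Composer
# https://cloud.google.com/composer/docs/how-to/managing/configuring-shared-vpc#edit_permissions_for_the_composer_agent_service_account
- service: composer.googleapis.com
  agents:
    composer:
      - roles/compute.networkUser
      - roles/composer.sharedVpcAgent

# Compute Engine
# The Google APIs service agent (cloudservices) needs subnet access for
# managed instance groups created in the service project.
# TODO: identify docs (Shared VPC provisioning guide, service accounts section)
- service: compute.googleapis.com
  agents:
    cloudservices:
      - roles/compute.networkUser

# Google Kubernetes Engine
# https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#enabling_and_granting_roles
- service: container.googleapis.com
  agents:
    container:
      - roles/compute.networkUser
      - roles/container.hostServiceAgentUser
      # Broad role; only needed if GKE must create firewall rules in the host
      # project. Drop it or replace with a firewall-only custom role when
      # firewall rules are managed outside GKE.
      - roles/compute.securityAdmin
    cloudservices:
      - roles/compute.networkUser

# Dataflow
# https://cloud.google.com/dataflow/docs/guides/specifying-networks#shared
- service: dataflow.googleapis.com
  agents:
    dataflow:
      - roles/compute.networkUser

# Cloud Data Fusion
# https://cloud.google.com/data-fusion/docs/how-to/create-private-ip#shared-vpc-network_1
- service: datafusion.googleapis.com
  agents:
    datafusion:
      - roles/compute.networkUser
    dataproc:
      - roles/compute.networkUser

# Dataproc
# https://cloud.google.com/dataproc/docs/concepts/configuring-clusters/network#create_a_cluster_that_uses_a_network_in_another_project
- service: dataproc.googleapis.com
  agents:
    dataproc:
      - roles/compute.networkUser
    cloudservices:
      - roles/compute.networkUser

# Change Data Capture | Datastream
# https://cloud.google.com/datastream/docs/create-a-private-connectivity-configuration
- service: datastream.googleapis.com
  agents:
    datastream:
      # networkAdmin is what the linked doc requires for private connectivity
      # (VPC peering); it is far wider than networkUser, so scope the host
      # project accordingly and re-check the doc when Datastream changes.
      - roles/compute.networkAdmin

# Cloud Functions
# For Serverless VPC Access connectors that live in the host project
# https://cloud.google.com/functions/docs/networking/shared-vpc-host-project
- service: cloudfunctions.googleapis.com
  agents:
    cloudfunctions:
      - roles/vpcaccess.user

# Cloud Run
# For Serverless VPC Access connectors that live in the host project
# https://cloud.google.com/run/docs/configuring/shared-vpc-host-project
- service: run.googleapis.com
  agents:
    cloudrun:
      - roles/vpcaccess.user

# Cloud Run / Cloud Functions
# For Serverless VPC Access connectors that live in the service project
# https://cloud.google.com/functions/docs/networking/shared-vpc-service-projects#grant-permissions
- service: vpcaccess.googleapis.com
  agents:
    vpcaccess:
      - roles/compute.networkUser
    cloudservices:
      - roles/compute.networkUser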