GCP requirements - BlueCat Cloud Resolver - 1.5.0

BlueCat Cloud Resolver Administration Guide

Product name
BlueCat Cloud Resolver

Cloud API access requirements

Note: For more information on GCP API endpoints, refer to https://developers.google.com/apis-explorer.
The platform that has Cloud Resolver installed must be able to access the following cloud API endpoints:
  • https://dns.googleapis.com
  • https://compute.googleapis.com
If you are using Secret Manager to store Cloud Resolver secrets, you must be able to access the following endpoint:
  • https://secretmanager.googleapis.com
  • https://cloudresourcemanager.googleapis.com

Configuring GCP permission requirements

  1. Create a service account that Cloud Resolver will use to authenticate with GCP. For more information on creating service accounts, refer to https://cloud.google.com/iam/docs/creating-managing-service-accounts.
  2. Assign the following roles to the service account:
    • roles/compute.viewer
    • roles/dns.reader
    • (Optional) If you're using Secret Manager, you must also add the following scope to the service account: https://www.googleapis.com/auth/cloud-platform

    For more information on granting roles to the service account, refer to https://cloud.google.com/iam/docs/granting-changing-revoking-access#grant-single-role.

  3. Create a service account key file for the service account. Cloud Resolver uses this information to authenticate with the service account and access the resources within the GCP project. For more information on generating a service account key file, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating.
  4. If you deployed Cloud Resolver in GCP, you must attach the service account to the Compute Engine that Cloud Resolver is running on. For more information, refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#attached-sa.
    • The service account must be able to access the Secret Manager secrets that any remote projects have been configured to use. The service account will also be used to discover the project in which Cloud Resolver is deployed.
    • When you are deploying Cloud Resolver in GCP, you must set the GCP_PROJECT_ID, GCP_NETWORK_ID, and GCP_NETWORK_NAME configuration parameters. For more information, refer to Creating the Cloud Resolver configuration file.