Cloud API access requirements
Note: For more information on GCP API endpoints, refer to https://developers.google.com/apis-explorer.
The platform that has Cloud Resolver installed must be able to access the following cloud API endpoints:
If you are using Secret Manager to store Cloud Resolver secrets, you must be able to access the following endpoint:
Configuring GCP permission requirements
- Create a service account that Cloud Resolver will use to authenticate with GCP. For more information on creating service accounts, refer to https://cloud.google.com/iam/docs/creating-managing-service-accounts.
- Assign the following roles to the service account:
- (Optional) If you're using Secret Manager, you must also add
the following scope to the service account:
For more information on granting roles to the service account, refer to https://cloud.google.com/iam/docs/granting-changing-revoking-access#grant-single-role.
- Create a service account key file for the service account. Cloud Resolver uses this information to authenticate with the service account and access the resources within the GCP project. For more information on generating a service account key file, refer to https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating.
- If you deployed Cloud Resolver in GCP, you must attach the service account
to the Compute Engine that Cloud Resolver is running on. For more
information, refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#attached-sa.Note:
- The service account must be able to access the Secret Manager secrets that any remote projects have been configured to use. The service account will also be used to discover the project in which Cloud Resolver is deployed.
- When you are deploying Cloud Resolver in GCP, you must set the
GCP_NETWORK_NAMEconfiguration parameters. For more information, refer to Creating the Cloud Resolver configuration file.