If you create a Google account with a Viewer role and storage cluster management role assigned, you will be able to operate resources and services on Google Cloud.
To create a Google account for operations of Creating a virtual network and subsequent operations, create a role for storage cluster management and assign the created role and Viewer role to the Google account.
The following table shows permissions required for a role to be assigned to a Google account for setting up and maintaining VSP One SDS Block.
Also, if the Google account is not granted sufficient permissions, see the Google Cloud documentation to add necessary permissions.
Note that if you perform storage cluster setup with a Google account that has administrative privilege, or with an existing Google account that has the Viewer role and the following permissions, you can skip this procedure. In such a case, go to Creating a virtual network.
For Google Cloud disk encryption, additional roles are required to create and use a CMEK. For details, see Data encryption.
-
compute.addresses.list
-
compute.addresses.useInternal
-
compute.disks.create
-
compute.disks.delete
-
compute.disks.get
-
compute.disks.list
-
compute.disks.setLabels
-
compute.disks.update
-
compute.disks.use
-
compute.firewalls.create
-
compute.firewalls.delete
-
compute.firewalls.get
-
compute.firewalls.list
-
compute.firewalls.update
-
compute.forwardingRules.create
-
compute.forwardingRules.delete
-
compute.forwardingRules.get
-
compute.forwardingRules.setLabels
-
compute.forwardingRules.update
-
compute.forwardingRules.use
-
compute.globalAddresses.list
-
compute.globalOperations.get
-
compute.healthChecks.create
-
compute.healthChecks.delete
-
compute.healthChecks.get
-
compute.healthChecks.useReadOnly
-
compute.instanceGroups.create
-
compute.instanceGroups.delete
-
compute.instanceGroups.get
-
compute.instanceGroups.update
-
compute.instanceGroups.use
-
compute.instances.attachDisk
-
compute.instances.create
-
compute.instances.delete
-
compute.instances.detachDisk
-
compute.instances.get
-
compute.instances.setDeletionProtection
-
compute.instances.setLabels
-
compute.instances.setMetadata
-
compute.instances.setServiceAccount
-
compute.instances.start
-
compute.instances.stop
-
compute.instances.use
-
compute.networks.create
-
compute.networks.delete
-
compute.networks.get
-
compute.networks.list
-
compute.networks.use
-
compute.networks.updatePolicy
-
compute.regionBackendServices.create
-
compute.regionBackendServices.delete
-
compute.regionBackendServices.get
-
compute.regionBackendServices.update
-
compute.regionBackendServices.use
-
compute.regionOperations.get
-
compute.resourcePolicies.create
-
compute.resourcePolicies.delete
-
compute.resourcePolicies.get
-
compute.resourcePolicies.update
-
compute.routes.delete
-
compute.routes.list
-
compute.subnetworks.create
-
compute.subnetworks.delete
-
compute.subnetworks.get
-
compute.subnetworks.list
-
compute.subnetworks.update
-
compute.subnetworks.use
-
compute.zoneOperations.get
-
compute.zones.get
-
iam.roles.create
-
iam.roles.delete
-
iam.roles.get
-
iam.roles.list
-
iam.roles.undelete
-
iam.roles.update
-
iam.serviceAccounts.actAs
-
iam.serviceAccounts.create
-
iam.serviceAccounts.delete
-
iam.serviceAccounts.get
-
resourcemanager.projects.get
-
resourcemanager.projects.getIamPolicy
-
resourcemanager.projects.setIamPolicy
-
serviceusage.services.use
-
storage.objects.create
-
storage.objects.delete
-
storage.objects.get
-
storage.objects.list
-
storage.objects.update