Managing Google Cloud Platform

This topic explains how to get started with Google Cloud Platform (GCP) in Commander, as well as key concepts involved in understanding how Commander manages GCP. This topic assumes that you understand the basics of GCP as well as the basics of Commander.

Getting started with GCP

To manage GCP services with Commander, here's how to get started:

  1. Create a service account for Commander to have programmatic access to GCP. See Create a service account for Commander to access GCP.
  2. Ensure that the proper APIs are enabled for the project where the service account was created. See Enable the required APIs.
  3. Give the service account permissions for all of the resources that you want to add as a single GCP managed system in Commander. See Grant permissions to the Commander service account.
  4. Optional: If Internet access is established through a web proxy server, integrate your web proxy server with Commander. See Connecting Public Clouds to Commander through a Web Proxy Server.
  5. Now you're ready to follow the steps in the Getting Started with Commander wizard.

Create a service account for Commander to access GCP

Commander needs programmatic access to GCP. In the GCP Console, create a new service account for Commander as explained in this section.

GCP supports two types of authentication: service accounts and user accounts. Commander requires a service account.

To learn more about GCP service accounts, see Understanding Service Accounts in the GCP documentation.

  1. In the GCP Console, use the navigation menu to navigate to IAM & admin.
  2. In the header, select the project location for the new service account.

    While the project location you choose has no impact on the service account's visibility and permissions, make sure to select a project that won't be deleted.

    In this example, Embotics Project X has been selected as the location for the new service account.

    Setting the Project Context for the Service Account in GCP Console

  3. In the left menu, select Service accounts.
  4. On the Service accounts page, click Create Service Account.
  5. On the Service account details page, enter a distinct name, such as "Commander Service Account", optionally enter a description, and click Create.

    The Service account ID field is automatically populated based on the name you enter.

    Creating a Service Account in the GCP Console

  6. On the Grant this service account access to project (optional) page, click Continue. You will grant permissions in another context.
  7. On the Grant users access to this service account (optional) page, click Create Key.
  8. In the Create key (optional) section, keep the default key type, JSON, and click Create.
  9. If your browser prompts you to save the file, save it to a known location.

    A JSON file that contains your key downloads to your computer. You'll use this JSON file when adding a GCP managed system.

    This is the only time you can download this private key.

  10. Click Done.

Enable the required APIs

In the GCP Console, for the project where you created the service account for Commander, ensure that the following APIs are enabled:

  • Cloud Resource Manager API — so that Commander can group resources by organization and project
  • Cloud Billing API — so that Commander can retrieve billing data

To learn how to enable APIs for a project, see Enabling and Disabling Services in the Google Cloud documentation.

Grant permissions to the Commander service account

You must give the service account permissions for all of the resources that you want to add as a single GCP managed system in Commander. To learn more about GCP service accounts, see Understanding Service Accounts in the GCP documentation.

If you use Shared VPC networks, the Commander service account must have visibility of the host project.

  1. In a text editor, open the downloaded JSON file that contains your key.
  2. Copy the value for "client_email". In our example, the value is vcommander-service-account@embotics-project-x.iam.gserviceaccount.com.
  3. In the GCP Console, navigate to IAM & admin and select IAM.
  4. In the header, select a resource that you want to manage with Commander (such as an organization, folder or project).

    In this example, the organization "embotics.com" is one of the resources we want to manage with Commander.

    Setting the Context for Service Account Permissions in GCP Console

  5. On the IAM page, click Add.
  6. In the Add members pane, paste the "client_email" text you copied into the New members field.

    Adding Service Account to Appropriate Context

  7. Click the Select a role drop-down list and set permissions as required.
    • Assign the Project Editor permission so that Commander can carry out actions on resources within the selected object (such as powering instances on and off).
    • If you selected an organization, assign the Folder: Folder Viewer and Organization: Organization Viewer permissions so that the Commander views display GCP resources in their proper structural hierarchy, rather than in a flat list.
    • To monitor VM performance metrics, the service account must have at least the Monitoring Viewer role.
  8. Click Add Another Role and assign other permissions on this resource as necessary.

    Adding Roles to Commander Service Account in GCP Console

  9. Repeat steps 4 through 8 for each resource that you want to be part of this GCP managed system.
  10. Click Save.
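
The following is an added example, not part of the Commander documentation: a Python check that reads "client_email" from the downloaded key file (refusing a file other local users can read) and compares the roles bound to that account in an exported IAM policy with the roles listed in step 7. The role IDs, the key contents and the sample policy are assumptions constructed for this example; the policy is assumed to have the shape printed by `gcloud organizations get-iam-policy --format=json`.

```python
import json
import os
import stat
import tempfile

# Assumed role IDs for the four roles named in step 7.
EXPECTED_ROLES = {
    "roles/editor",
    "roles/resourcemanager.folderViewer",
    "roles/resourcemanager.organizationViewer",
    "roles/monitoring.viewer",
}

def load_client_email(path):
    """Return client_email from a key file; refuse files other users can read."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}; restrict it to 0600")
    with open(path) as fh:
        key = json.load(fh)
    if key.get("type") != "service_account" or "private_key" not in key:
        raise ValueError("not a service-account key file")
    return key["client_email"]

def audit_roles(policy, client_email, expected=EXPECTED_ROLES):
    """Compare the roles bound to the service account with the expected set."""
    member = f"serviceAccount:{client_email}"
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    return {"missing": sorted(expected - granted),
            "unexpected": sorted(granted - expected)}

def demo():
    """Run both checks on constructed sample data (not real credentials)."""
    email = "vcommander-service-account@embotics-project-x.iam.gserviceaccount.com"
    key = {"type": "service_account", "client_email": email,
           "private_key": "CONSTRUCTED-PLACEHOLDER"}
    sa = f"serviceAccount:{email}"
    policy = {"bindings": [
        {"role": "roles/editor", "members": [sa]},
        {"role": "roles/monitoring.viewer", "members": ["user:admin@example.com"]},
        {"role": "roles/owner", "members": [sa]},  # not in step 7's list
    ]}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w") as fh:
            json.dump(key, fh)
        os.chmod(path, 0o600)
        return audit_roles(policy, load_client_email(path))
```

Run it once per resource you repeated steps 4 through 8 for, passing that resource's exported policy; an empty "missing" list means the roles from step 7 are in place for that resource.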

What's next? Now you're ready to add a GCP managed system.

How Commander works with GCP