0

I'm brand new to Google Cloud Platform, and we are working on a strategy to provision software for non-technical users.

Is it possible to prompt a user with a familiar OAuth-like, one-click request for permissions/privileges that will give our system account a VM-admin role on the customer's Google Cloud Platform account?

Ideally, we could create a project in their GCP account with the necessary admin roles assigned. We'd spin up a compute instance from an image we maintain, and manage the VM as necessary but let the customer fully own the resource. Principle of Least Privilege would be applied wherever possible.

User ease is a major concern. We want to prevent the user from needing to navigate into the GCP backend to manually create projects and assign roles.

Can GCP do this?

g000m

1 Answer

0

I think you have to separate your main goal into several processes. The access can be achieved with OAuth in your application or by using Cloud Functions.

If you're going to deploy on your customer's GCP account, you need a service account or a custom role to do that.

For the custom deployment you can use Deployment Manager or another deployment tool.

DavidC
  • The cloud functions tutorial is broken unfortunately (outdated to GCP probably, but also some errors). I spent time working around the issues and get the basic premise, but don't see how authenticating the user/client could then permit executing code as that client to grant us privileges (service account, custom role) on the client's GCP account. Please clarify? – g000m Sep 03 '19 at 22:12
  • You can check these links [Creating short-lived service account credentials](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials), [How to generate and use temporary credentials on Google Cloud Platform](https://medium.com/wescale/how-to-generate-and-use-temporary-credentials-on-google-cloud-platform-b425ef95a00d), [Terraform “Assume Role” and service Account impersonation on Google Cloud](https://medium.com/google-cloud/terraform-assume-role-and-service-account-impersonation-on-google-cloud-ffc553863e72) – DavidC Sep 04 '19 at 14:07
  • OK, I see where you're pointing me now! Finding the following was also a huge help, as it perfectly demonstrates what I'm after: https://cloud.google.com/compute/docs/reference/rest/v1/instances/insert – g000m Sep 06 '19 at 22:06
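
The custom role and service account grant mentioned in the answer, sketched as an added example that is not part of the original thread: it builds the request bodies for `projects.roles.create` and `projects.setIamPolicy` so the vendor's service account gets only a narrow VM-management role on the customer's project. The project, role and service account names and the permission set are assumptions, and sending the requests with the customer's OAuth token is left out.

```python
import copy

# Assumed permission set for managing one VM; adjust to the real workload.
VM_PERMISSIONS = [
    "compute.instances.create", "compute.instances.get",
    "compute.instances.start", "compute.instances.stop",
    "compute.instances.delete", "compute.disks.create",
    "compute.subnetworks.use",
]
# Predefined roles far wider than this use case needs.
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/compute.admin"}


def custom_role_request(role_id):
    """Body for projects.roles.create: a role holding only VM_PERMISSIONS."""
    return {"roleId": role_id,
            "role": {"title": "Vendor VM manager", "stage": "GA",
                     "includedPermissions": list(VM_PERMISSIONS)}}


def grant(policy, role, sa_email):
    """Return a copy of an IAM policy with sa_email bound to role.

    The etag from getIamPolicy is kept so setIamPolicy rejects the write if
    the customer's policy changed in between (read-modify-write).
    """
    if role in BROAD_ROLES:
        raise ValueError(f"{role} is broader than least privilege allows")
    member = f"serviceAccount:{sa_email}"
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        bindings.append({"role": role, "members": [member]})
    return updated


# Constructed sample: what getIamPolicy might return for the customer project.
SAMPLE_POLICY = {
    "version": 1, "etag": "BwXconstructed=",
    "bindings": [{"role": "roles/owner", "members": ["user:customer@example.com"]}],
}
VENDOR_SA = "provisioner@vendor-project.iam.gserviceaccount.com"  # hypothetical
ROLE = "projects/customer-project/roles/vendorVmManager"          # hypothetical

if __name__ == "__main__":
    print(custom_role_request("vendorVmManager"))
    print(grant(SAMPLE_POLICY, ROLE, VENDOR_SA))
```

Because the binding is an ordinary entry in the customer's IAM policy, the customer can review it and revoke it by removing that one member.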