Creating Cloud Authorization for Google Cloud Platform (GCP)
In order to allow Resource Manager to schedule jobs using your GCP account, MissingLink’s RM service account must be granted permissions in the account using standard GCP authorization.
Be aware that any and all MissingLink activity in your GCP account is tracked and available as part of GCP’s stack driver logging. In addition, the access you grant MissingLink can be revoked from your GCP account at any time.
The procedure itself involves a few short commands. To better understand the actions and configurations that are made behind the scenes, see GCP Authorization Process.
Before you enable authorization, ensure that you have:
- Installed MissingLink's CLI as detailed here.
- Google cloud-sdk installed as detailed here.
- Google cloud-sdk configured for your account, as described here.
- Google cloud default application set by running
gcloud auth application-default login, as described here. This step is optional, but will require explicitly providing your gcloud credentials file path otherwise.
- Granted your user the owner/editor role on the GCP project.
- (Optional) Created a separate SSH key to be used by MissingLink for Git cloning and other encryption related operations. By default, your default SSH key will be used. For more information, see Confidential Data.
The basic authorization command is:
ml resources gcp init --project <gcp-project> --zone <zone>
For more information about the command and the flags, see the CLI reference.
The authorization process takes a few minutes. It makes the following changes in the GCP project:
- Authorizes required APIs: IAM, CloudKMS, Deployment Management.
- Creates a GCP deployment with two custom roles (one for the Resource Manager and one for the instances), one new service account (for VM instances, with the instances role) and one new GCS bucket.
- Invites the MissingLink Resource Manager service account and grants it the resource management role.
- Creates a dedicated KMS keyring and key for MissingLink.
GCP Authorization Process describes what occurs "under the hood" when you issue the
ml resources gcp init command.