The recommended way to set up GCP as a meshPlatform is via the public terraform GCP meshPlatform Module. The steps below are not needed if you decide to use it.
Set up the Service Account for Replication
meshStack needs a well-defined set of permissions for its automation. meshStack is designed so that it does not require access to workloads. We highly recommend that permissions are configured according to the "least privilege" principle.
Operators need to define a Custom IAM Role called meshfed-service at the Organization Level with the following permissions:

- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- resourcemanager.projects.create
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.move
- resourcemanager.projects.setIamPolicy
- resourcemanager.projects.update
- resourcemanager.projects.createBillingAssignment
- resourcemanager.projects.deleteBillingAssignment
- billing.resourceAssociations.create
- serviceusage.services.enable
- serviceusage.services.get
- deploymentmanager.deployments.delete
- deploymentmanager.deployments.create
- deploymentmanager.deployments.update
- deploymentmanager.deployments.get
Configure the Root Project
meshStack requires a project in GCP for some of the resources it uses. It is reserved for use by meshStack and operators. For this guide, we'll call the project meshstack-root.
Enable the following APIs on the meshstack-root project from the API Library
Create meshfed-service Service Account
Create a meshfed-service Service Account in the meshstack-root project:

- Enable the Service Account for "G Suite Domain-wide Delegation" and note the generated
- Generate and download a Service Account Key

The Service Account will be identified by an email address like
Grant Resource Permissions
The Service Account will be used by meshStack to perform project replication. Operators thus need to grant it the permissions of the meshfed-service IAM role on those folders of the GCP resource hierarchy that make up the Landing Zones for client projects.
It is a best practice to segregate "user" and "infrastructure" projects in GCP using the resource hierarchy. By setting granular permissions on those folders (instead of organization-wide permissions), operators limit the access of meshStack's replicator to only the parts of the resource hierarchy that it needs to actively manage (principle of least privilege).
Grant Billing Account Permissions to the Service Account
In order to associate created projects with a Billing Account, the replicator needs to be granted the billing.resourceAssociations.create permission on the Billing Account. This is best achieved by assigning the meshfed-service IAM Role to the meshfed-service Service Account on the Billing Account in the Billing Account's permissions.
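The replication setup described above (custom role, service account, folder and billing account bindings) as an added gcloud script; this is example code, not meshcloud's tooling or the Terraform module. It assumes the organization id, folder ids and billing account id are passed as arguments, that the root project is named meshstack-root as in this guide, and that the custom role id is written meshfed_service because custom role ids cannot contain hyphens.

```shell
# Added example, not meshcloud's own tooling: the replication setup above as gcloud calls.
# Assumed placeholders: the organization id, folder ids and billing account id are passed
# as arguments; ROOT_PROJECT defaults to the meshstack-root project from this guide.
# Set GCLOUD=echo to print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
ROOT_PROJECT="${ROOT_PROJECT:-meshstack-root}"
SA_NAME="meshfed-service"
SA_EMAIL="${SA_NAME}@${ROOT_PROJECT}.iam.gserviceaccount.com"
# Custom role ids allow only letters, digits, underscores and periods; the title keeps the guide's name.
ROLE_ID="meshfed_service"
# The permission set from the custom role definition above, and nothing more.
MESHFED_PERMISSIONS="
resourcemanager.folders.get resourcemanager.folders.list resourcemanager.organizations.get
resourcemanager.projects.create resourcemanager.projects.get resourcemanager.projects.getIamPolicy
resourcemanager.projects.list resourcemanager.projects.move resourcemanager.projects.setIamPolicy
resourcemanager.projects.update resourcemanager.projects.createBillingAssignment
resourcemanager.projects.deleteBillingAssignment billing.resourceAssociations.create
serviceusage.services.enable serviceusage.services.get deploymentmanager.deployments.delete
deploymentmanager.deployments.create deploymentmanager.deployments.update
deploymentmanager.deployments.get
"
# Write the role definition in the YAML layout that `gcloud iam roles create --file` reads.
write_role_yaml() { # $1 = output path
  {
    echo "title: $SA_NAME"
    echo "description: Permissions used by the meshStack replicator"
    echo "stage: GA"
    echo "includedPermissions:"
    for perm in $MESHFED_PERMISSIONS; do echo "- $perm"; done
  } > "$1"
}
create_role() { # $1 = organization id
  write_role_yaml "/tmp/${ROLE_ID}.yaml"
  $GCLOUD iam roles create "$ROLE_ID" --organization="$1" --file="/tmp/${ROLE_ID}.yaml"
}
create_service_account() {
  $GCLOUD iam service-accounts create "$SA_NAME" --project="$ROOT_PROJECT" \
    --display-name="meshStack replicator"
}
# Bind the custom role on one landing-zone folder rather than on the whole organization.
grant_on_folder() { # $1 = organization id, $2 = folder id
  $GCLOUD resource-manager folders add-iam-policy-binding "$2" \
    --member="serviceAccount:${SA_EMAIL}" --role="organizations/$1/roles/${ROLE_ID}"
}
# Same role on the billing account so new projects can be associated with it.
grant_on_billing_account() { # $1 = organization id, $2 = billing account id
  $GCLOUD beta billing accounts add-iam-policy-binding "$2" \
    --member="serviceAccount:${SA_EMAIL}" --role="organizations/$1/roles/${ROLE_ID}"
}
```

Call `create_role`, `create_service_account`, then `grant_on_folder` once per Landing Zone folder and `grant_on_billing_account` once; the service account key and domain-wide delegation are still created as described in the guide.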
Set up Cloud Identity
Authorize the Service Account
In order to perform certain group-related administrative tasks, the previously created service account needs the "Groups Admin" role from the Admin Console (G Suite).
To authorize the Service Account via the Google Admin Console, navigate to Account in the sidebar, then to Admin Roles -> Groups Admin, and click Assign Service Accounts. In the prompt that appears, enter the service account email, which looks like
You can alternatively authorize the Service Account via the Cloud Identity Groups API. Please find the instructions for this in the official Google guide.
Set up the Service Account for Metering
Once billing export has been set up as explained in the GCP documentation linked above, meshStack should be configured with the credentials of a GCP service account that has permission to access the exported billing dataset. This service account must also have the permission to run BigQuery jobs.
Assign the service account the following predefined roles:

- roles/bigquery.jobUser (on the project of the Service Account)
- roles/bigquery.dataViewer (on the project that holds the BigQuery dataset)
To enable meshStack to periodically collect active projects, create an IAM role with the following permissions and assign it to the service account:

- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.projects.get
- resourcemanager.projects.list
Optional: Query multiple billing accounts for the same GCP organization
Create GCP Cloud Billing data BigQuery Exports for all billing accounts. Use the same location for all datasets.
Create a view of the union over two base billing account exports.
An example query for creating such a view (the table names need backticks in BigQuery because the project ids contain hyphens):

```sql
CREATE VIEW mydataset.meshcloud_billing_view AS (
  (SELECT *, _PARTITIONTIME AS PARTITIONTIME
   FROM `project-id-a.billing.gcp_billing_export_v1_01234A_5678C_1A23B`)
  UNION ALL
  (SELECT *, _PARTITIONTIME AS PARTITIONTIME
   FROM `project-id-b.billing.gcp_billing_export_v1_98765Z_4321X_9Z87Y`)
);
```
Grant Service Account Permissions on the dataset as described in Service Account Configuration.
Optional: Billing Account owned by a different organization
In order to use a billing account that is owned by a different organization, the permissions for the meshfed-service user need to be adjusted.
Operators create a custom role meshfed-billing-creator in the organization that owns the target billing account with the following permission: billing.resourceAssociations.create
The meshfed-service user then needs to be granted the meshfed-billing-creator role in the organization that owns the target billing account.
Following the principle of least privilege, operators should remove the billing.resourceAssociations.create permission from the custom role meshfed-service created in the "Set up the Service Account for Replication" section.
Optional: Enable Audit Logs for meshfed-service User
The actions of the meshfed-service User can be monitored via Audit Logs. This gives an in-depth view of meshStack's activities in GCP projects at any time.
Enable Audit Logs
Enabling Audit Logs may incur charges.
meshcloud recommends enabling Audit Logs on the organizational level for monitoring the meshfed-service User. This is achieved by following these steps:
- Navigate to the organizational level in GCP Cloud Console
- Navigate to IAM & Admin --> Audit logs
- Filter the table for Cloud Resource Manager API and select the resulting entry
- Enable all log types
You may want to check the official Google instructions on enabling Audit Logs for further information.
The screenshot below shows how to set up the Audit Logs for the organization.
Query Audit Logs in Google Cloud Console
Please consult the Google docs for options for querying Audit Logs.
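As an added example (not meshcloud's tooling), the two audit-log steps above in gcloud form: the auditConfigs fragment that turns on all Data Access log types for the Cloud Resource Manager API at organization level, and a Logging filter that isolates what the meshfed-service account did. It assumes the organization id is passed as an argument and that the service account lives in the meshstack-root project from this guide.

```shell
# Added example, not meshcloud's own tooling. Assumed placeholders: the organization id is
# passed as an argument; ROOT_PROJECT defaults to the meshstack-root project from this guide.
GCLOUD="${GCLOUD:-gcloud}"
ROOT_PROJECT="${ROOT_PROJECT:-meshstack-root}"
SA_EMAIL="meshfed-service@${ROOT_PROJECT}.iam.gserviceaccount.com"

# Data Access log config for cloudresourcemanager.googleapis.com with all three log types
# (Admin Activity logs are always on). Merge this into the policy returned by
# `gcloud organizations get-iam-policy ORG_ID --format=json` before calling set-iam-policy:
# set-iam-policy replaces the whole policy, so submitting only this fragment would drop
# every existing role binding on the organization.
audit_config_fragment() {
  cat <<'EOF'
"auditConfigs": [
  {
    "service": "cloudresourcemanager.googleapis.com",
    "auditLogConfigs": [
      {"logType": "ADMIN_READ"},
      {"logType": "DATA_READ"},
      {"logType": "DATA_WRITE"}
    ]
  }
]
EOF
}

# Logging filter: Cloud Resource Manager calls made by the replicator's service account.
# Lines in a Logging filter are ANDed, so both conditions must hold.
audit_filter() {
  printf '%s\n' \
    'protoPayload.serviceName="cloudresourcemanager.googleapis.com"' \
    "protoPayload.authenticationInfo.principalEmail=\"${SA_EMAIL}\""
}

# Read the most recent matching entries at organization scope, which covers every folder
# and project the replicator touched, not just the meshstack-root project.
read_audit_logs() { # $1 = organization id, $2 = how far back, e.g. 24h
  $GCLOUD logging read "$(audit_filter)" --organization="$1" --freshness="${2:-24h}" \
    --limit=50 --format='table(timestamp, protoPayload.methodName, protoPayload.resourceName)'
}
```

Run `read_audit_logs ORG_ID 6h` after a replication to see the project create, move and setIamPolicy calls attributed to the service account.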