To install OpenShift to your GCP project, the installer requires a service account, which provides authentication and authorization to access data in the Google APIs. You can use an existing IAM service account that contains the required roles or create one by following these steps:
Create a GCP service account using the console or the CLI
GCP: Creating a service account
A service account needs to be granted permission for specific APIs in order to access the services used to create a cluster. You can assign the proper roles during or after the creation of a service account. The simplest approach to assigning roles would be to make the service account an Owner of the project, but that service account would then have complete control over the project, which would be a decided risk. Note that service accounts with these roles are only required for installation (and destruction); the post-install docs outline optional steps for removing the roles granted here.
The minimum set of roles you can assign the service account is the following:
- Compute Admin
- DNS Administrator
- Security Admin
- Service Account Admin
- Service Account User
- Storage Admin
If you want the OpenShift cluster to create new limited credentials for its own operators, you also need the following role:
- Service Account Key Admin
To assign roles to your service account you may use the console or the CLI:
GCP: Assign service account roles
You will need to create and save a service account key for your service account so you can use it with the OpenShift Installer. You should create the key in JSON format.
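The steps above (create the account, bind exactly the listed roles rather than Owner, export a JSON key) as one gcloud script. This is an added example, not part of the OpenShift documentation; it assumes an authenticated gcloud CLI, and the project ID, service account name and key path are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example: provision the OpenShift installer service account on GCP.
# Assumes `gcloud` is installed and authenticated against the target project.
set -eu

# Override GCLOUD (e.g. GCLOUD=echo) to preview the commands without
# changing the project.
GCLOUD="${GCLOUD:-gcloud}"

# IAM role IDs for the minimum roles listed above. Pass "keys" as the first
# argument to add Service Account Key Admin, which is only needed when the
# cluster should mint limited credentials for its own operators.
openshift_installer_roles() {
  printf '%s\n' \
    roles/compute.admin \
    roles/dns.admin \
    roles/iam.securityAdmin \
    roles/iam.serviceAccountAdmin \
    roles/iam.serviceAccountUser \
    roles/storage.admin
  if [ "${1:-}" = "keys" ]; then
    printf '%s\n' roles/iam.serviceAccountKeyAdmin
  fi
}

# One project-scoped binding per role, so the grant is exactly the list
# and never roles/owner.
bind_installer_roles() {
  project="$1"; sa_email="$2"; with_keys="${3:-}"
  for role in $(openshift_installer_roles "$with_keys"); do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${sa_email}" \
      --role="$role" \
      --condition=None
  done
}

# Full procedure: create the account, grant the roles, write a JSON key
# (a long-lived credential; keep it out of version control).
create_installer_service_account() {
  project="$1"; sa_name="$2"; key_file="$3"; with_keys="${4:-}"
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  "$GCLOUD" iam service-accounts create "$sa_name" \
    --project="$project" --display-name="OpenShift installer"
  bind_installer_roles "$project" "$sa_email" "$with_keys"
  "$GCLOUD" iam service-accounts keys create "$key_file" \
    --iam-account="$sa_email" --key-file-type=json
  echo "$sa_email"
}

# Usage (placeholders): create_installer_service_account my-project openshift-installer ./sa-key.json
```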