Google policies required by Buddy

What are Google policies?

With Google policies you can define access scopes for particular Google Cloud services and resources.

Below is the list of IAM permissions that must be granted for Buddy to work properly with Google Cloud Platform services. Each action lists only the permissions it needs, so you can grant the minimum set required for the actions you actually use.

You can add the permissions in the Identity and Access Management (IAM) tab in Google Cloud console.

Google App Engine

The App Engine Admin API and the Cloud Build API must be enabled.

Required policies:

appengine.applications.get
appengine.instances.get
appengine.instances.list
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.create
appengine.versions.delete
appengine.versions.get
appengine.versions.list
appengine.versions.update
cloudbuild.builds.create
cloudbuild.builds.get
cloudbuild.builds.list
cloudbuild.builds.update
iam.serviceAccounts.actAs
resourcemanager.projects.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
storage.objects.update

Google Cloud Run

The Cloud Run API must be enabled. In the Service account permissions panel, set the status of the Cloud Run Admin role to ENABLED; the Cloud Run Admin role must be granted to the member.

Required policies:

run.services.create
run.services.update
iam.serviceAccounts.actAs

Google Cloud Storage

Listing buckets:

storage.buckets.list

Deployment:

storage.objects.list
storage.objects.create
storage.objects.update
storage.objects.delete

Google CDN

Listing urlMaps:

compute.urlMaps.list

Invalidation:

compute.urlMaps.invalidateCache

Google Function Deploy

Listing functions:

cloudfunctions.functions.list

Deployment:

cloudfunctions.functions.get
cloudfunctions.functions.sourceCodeSet
iam.serviceAccounts.actAs
cloudfunctions.functions.update
cloudfunctions.operations.get

Google Function Trigger

Listing functions:

cloudfunctions.functions.list

Triggering functions:

cloudfunctions.functions.call

Google Container Registry actions

The Container Registry API must be enabled.

Policies required for pulling an image:

storage.objects.get
storage.objects.getIamPolicy
storage.objects.list

Policies required for pushing an image:

pubsub.topics.publish
storage.buckets.create
storage.buckets.get
storage.objects.create
storage.objects.get
storage.objects.getIamPolicy
storage.objects.list
storage.objects.update

Kubernetes Engine actions

Listing zone and clusters:

container.clusters.get container.clusters.list

Kubernetes Apply Deployment:

container.clusters.get
container.clusters.list
container.deployments.get
container.deployments.list
container.deployments.create
container.deployments.update
container.configMaps.list
container.endpoints.list
container.persistentVolumeClaims.list
container.pods.list
container.replicationControllers.list
container.secrets.list
container.services.list
container.jobs.list
container.cronJobs.list
container.ingresses.list
container.daemonSets.list
container.replicaSets.list
container.statefulSets.list
container.namespaces.list
container.namespaces.delete

Kubernetes Set Image:

container.clusters.get
container.clusters.list
container.deployments.get
container.deployments.list
container.deployments.update

Kubernetes Run Job:

container.clusters.get
container.clusters.list
container.pods.get
container.pods.list
container.pods.getLogs
container.jobs.create
container.jobs.delete
container.jobs.get

Kubernetes Run Pod:

container.clusters.get
container.clusters.list
container.pods.get
container.pods.list
container.pods.getLogs
container.pods.delete
container.pods.create

Kubernetes CLI/Helm CLI:

container.pods.list container.pods.portForward
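The permission lists above are meant to be granted as a least-privilege set rather than through a broad role such as Owner or Editor. The following script is an added example, not Buddy's own code: it builds a custom role definition for the Buddy actions you select (a few of the permission sets from this page are embedded as sample data) in the YAML layout accepted by gcloud iam roles create --file, and it compares the permissions of an existing role, as returned by gcloud iam roles describe --format=json, with what those actions need. The action keys, the role and project names, and the sample role JSON are all constructed for the example.

```python
"""Build a least-privilege custom IAM role for Buddy's Google Cloud actions
and check an existing role against the required permission set.

Added example, not Buddy's own code. The permission lists below are copied
from the page; the action keys, role/project names and the sample role JSON
are constructed for this example. The YAML layout is the one accepted by
`gcloud iam roles create ROLE_ID --project PROJECT --file role.yaml`.
"""
import json

# Permission sets per Buddy action (copied from the page; keys are our own).
REQUIRED = {
    "cloud_run": [
        "run.services.create",
        "run.services.update",
        "iam.serviceAccounts.actAs",
    ],
    "cloud_storage_deploy": [
        "storage.objects.list",
        "storage.objects.create",
        "storage.objects.update",
        "storage.objects.delete",
    ],
    "cdn_invalidate": [
        "compute.urlMaps.list",
        "compute.urlMaps.invalidateCache",
    ],
    "gke_set_image": [
        "container.clusters.get",
        "container.clusters.list",
        "container.deployments.get",
        "container.deployments.list",
        "container.deployments.update",
    ],
}


def required_permissions(actions):
    """Union of the permissions needed by the given Buddy actions, sorted."""
    perms = set()
    for action in actions:
        perms.update(REQUIRED[action])
    return sorted(perms)


def custom_role_yaml(actions, title="Buddy pipeline"):
    """Render a custom role definition for `gcloud iam roles create --file`.

    The role carries only the permissions the selected actions need, so a
    pipeline service account bound to it cannot do anything else."""
    lines = [
        f"title: {title}",
        f'description: "Least-privilege role for Buddy actions ({", ".join(actions)})"',
        "stage: GA",
        "includedPermissions:",
    ]
    lines += [f"- {perm}" for perm in required_permissions(actions)]
    return "\n".join(lines) + "\n"


def missing_permissions(role_json, actions):
    """Compare a role's includedPermissions (JSON as printed by
    `gcloud iam roles describe ... --format=json`) with the required set
    and return what is still missing, sorted."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return sorted(set(required_permissions(actions)) - granted)


# Constructed sample: a role that was created for Cloud Storage deployments
# and is now being reused for Cloud Run as well.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/buddyDeploy",  # placeholder
    "includedPermissions": [
        "storage.objects.list",
        "storage.objects.create",
        "storage.objects.update",
        "storage.objects.delete",
    ],
    "stage": "GA",
})

if __name__ == "__main__":
    actions = ["cloud_storage_deploy", "cloud_run"]
    print(custom_role_yaml(actions))
    print("missing:", missing_permissions(SAMPLE_ROLE_JSON, actions))
```

Write the rendered YAML to a file, create the role with gcloud iam roles create, and bind it to the pipeline's service account instead of a predefined role; rerun the comparison whenever you add a Buddy action so the role grows only by the permissions that action lists.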

With these IAM permissions granted, all Google services will work as expected in your Buddy pipelines.

Last modified on Sep 23, 2024