GCP
Connect Teleskope to your GCP Projects
Create Teleskope Service Account
Create a Teleskope service account in your GCP project.
Terraform
| Variable | Description | Example |
|---|---|---|
| project_id | (Required) Your GCP Project ID | "my-project-id" |
resource "google_service_account" "teleskope" {
account_id = "teleskope"
display_name = "Teleskope Read Only User"
project = "{project_id}"
}
Grant Resource Manager Read Access to Teleskope Service Account
Grant the following resource manager permissions to the Teleskope service account you created above:
- resourcemanager.projects.list
- resourcemanager.projects.get
- resourcemanager.folders.get
- resourcemanager.folders.list
- resourcemanager.organizations.get
- compute.regions.list
If you are enabling CloudStorage, please add the following permissions as well:
- storage.buckets.list
- storage.buckets.getIamPolicy
Terraform
| Variable | Description | Example |
|---|---|---|
| org_id | (Required) Your GCP Org ID | "130342390179" |
resource "google_organization_iam_custom_role" "teleskope" {
role_id = "teleskope-resource-manager-ro"
org_id = "{org_id}"
title = "Teleskope"
description = "teleskope resource manager read only role"
permissions = ["resourcemanager.projects.list", "resourcemanager.projects.get", "resourcemanager.folders.get", "resourcemanager.folders.list", "resourcemanager.organizations.get", "compute.regions.list", "storage.buckets.list", "storage.buckets.getIamPolicy"]
}
resource "google_organization_iam_member" "teleskope-resource-manager-ro-role" {
org_id = "{org_id}"
role = google_organization_iam_custom_role.teleskope.name
member = "serviceAccount:${google_service_account.teleskope.email}"
}
Configure Workload Identity Federation (Saas Only)
Teleskope Saas is run in an isolated AWS account. In order to grant Teleskope the ability to connect to GCP, you will need to configure workload identity federation.
Create Workload Identity Federation Pool
Go to https://console.cloud.google.com/ > Workload Identity Federation > Create Pool
- Name: teleskope-pool
- Pool id : teleskope-pool
- Provider:
- Select Provider: AWS
- Provider Name: teleskope-provider
- AWS Account: {origin_aws_account_id}
Grant Access to Teleskope Service Account
Once pool is created, click Grant Access, and select the Teleskope service account you created above.
Terraform
| Variable | Description | Example |
|---|---|---|
| origin_aws_account_id | (Required) AWS Account ID where Teleskope is deployed. | "012345678912" |
| project_id | (Required) Your GCP Project ID | "my-project-id" |
resource "google_iam_workload_identity_pool" "teleskope-pool" {
provider = google-beta
display_name = "Teleskope AWS Pool"
workload_identity_pool_id = "teleskope-pool"
}
resource "google_iam_workload_identity_pool_provider" "teleskope-prov" {
provider = google-beta
workload_identity_pool_id = google_iam_workload_identity_pool.teleskope-pool.workload_identity_pool_id
workload_identity_pool_provider_id = "teleskope-provider"
display_name = "Teleskope AWS Provider"
description = "AWS identity pool provider for teleskope"
disabled = false
aws {
account_id = "{origin_aws_account_id}"
}
depends_on = [google_iam_workload_identity_pool.teleskope-pool]
}
resource "google_project_iam_member" "teleskope-member" {
project = {project}
service_account_id = google_service_account.teleskope.name
member = "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.teleskope-pool.name}/*"
role = "roles/iam.workloadIdentityUser"
}
Updated 13 days ago