Learn about Google Cloud projects and permissions
Learn how BlueXP uses Google Cloud credentials to perform actions on your behalf and how those credentials are associated with marketplace subscriptions. Understanding these details can be helpful as you manage the credentials for one or more Google Cloud projects. For example, you might want to learn about the service account that's associated with the Connector VM.
Project and permissions for BlueXP
Before you can use BlueXP to manage resources in your Google Cloud project, you must first deploy a Connector. The Connector can't be running on your premises, or in a different cloud provider.
Two sets of permissions must be in place before you deploy a Connector directly from BlueXP:
-
You need to deploy a Connector using a Google account that has permissions to launch the Connector VM instance from BlueXP.
-
When deploying the Connector, you are prompted to select a service account for the VM instance. BlueXP gets permissions from the service account to create and manage Cloud Volumes ONTAP systems, to manage backups using BlueXP backup and recovery, and more. Permissions are provided by attaching a custom role to the service account.
The following image depicts the permission requirements described in numbers 1 and 2 above:
To learn how to set up permissions, refer to the following pages:
Credentials and marketplace subscriptions
When you deploy a Connector in Google Cloud, BlueXP creates a default set of credentials for the Google Cloud service account in the project in which the Connector resides. These credentials must be associated with a Google Cloud Marketplace subscription so that you can pay for Cloud Volumes ONTAP at an hourly rate (PAYGO) and use other BlueXP services.
Note the following about Google Cloud credentials and marketplace subscriptions:
-
Only one set of Google Cloud credentials can be associated with a Connector
-
You can associate only one Google Cloud Marketplace subscription with the credentials
-
You can replace an existing marketplace subscription with a new subscription
Project for Cloud Volumes ONTAP
Cloud Volumes ONTAP can reside in the same project as the Connector, or in a different project. To deploy Cloud Volumes ONTAP in a different project, you need to first add the Connector service account and role to that project.