Google Cloud projects, permissions, and accounts

Learn how BlueXP uses Google Cloud credentials and permissions to perform actions on your behalf. Understanding these details can be helpful as you manage the credentials for one or more Google Cloud projects. For example, you might want to learn about the service account that’s associated with the Connector VM.

Project and permissions for BlueXP

Before you can use BlueXP to manage resources in your Google Cloud project, you must first deploy a Connector. The Connector can't run on your premises or in a different cloud provider.

Two sets of permissions must be in place before you deploy a Connector directly from BlueXP:

  1. You need to deploy a Connector using a Google account that has permissions to launch the Connector VM instance from BlueXP.

  2. When deploying the Connector, you are prompted to select a service account for the VM instance. BlueXP gets permissions from the service account to create and manage Cloud Volumes ONTAP systems on your behalf, and more. Permissions are provided by attaching a custom role to the service account.

The following image depicts the permission requirements described in numbers 1 and 2 above:

A conceptual image depicting the permission requirements for Google accounts and service accounts to deploy Cloud Volumes ONTAP.

To learn how to set up permissions, refer to the following pages:

Project for Cloud Volumes ONTAP

Cloud Volumes ONTAP can reside in the same project as the Connector, or in a different project. To deploy Cloud Volumes ONTAP in a different project, you need to first add the Connector service account and role to that project.
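The check below is an added example, not NetApp or BlueXP code. It reads a project's IAM policy and reports whether the Connector service account holds a custom role there, as described above for both the Connector project and a separate Cloud Volumes ONTAP project. It also lists any basic roles (owner, editor, viewer) granted to the account and any bindings left behind by a deleted account. The service account, project and role names are hypothetical, and the sample policies are constructed.

```python
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def role_kind(role):
    """Classify an IAM role name as custom, basic or predefined."""
    if role.startswith(("projects/", "organizations/")):
        return "custom"  # custom roles are named under a project or organization
    return "basic" if role in BASIC_ROLES else "predefined"

def audit_connector_sa(policy, sa_email):
    """Summarise what a project's IAM policy grants to the Connector service account."""
    member = f"serviceAccount:{sa_email}"
    roles = {"custom": [], "basic": [], "predefined": []}
    stale = []
    for binding in policy.get("bindings", []):
        for m in binding.get("members", []):
            if m == member:
                roles[role_kind(binding["role"])].append(binding["role"])
            elif m.startswith(f"deleted:{member}?"):
                stale.append(binding["role"])  # left behind by a deleted account
    return {
        "has_custom_role": bool(roles["custom"]),
        "custom_roles": sorted(roles["custom"]),
        "basic_roles": sorted(roles["basic"]),
        "predefined_roles": sorted(roles["predefined"]),
        "stale_bindings": sorted(stale),
    }

# Constructed sample data (hypothetical account, project and role names), in the
# shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`.
CONNECTOR_SA = "connector-sa@connector-project.iam.gserviceaccount.com"
POLICY_OK = {"bindings": [
    {"role": "projects/ontap-project/roles/connectorRole",
     "members": [f"serviceAccount:{CONNECTOR_SA}"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
]}
POLICY_WEAK = {"bindings": [
    {"role": "roles/editor",
     "members": [f"serviceAccount:{CONNECTOR_SA}", "user:admin@example.com"]},
    {"role": "projects/ontap-project/roles/connectorRole",
     "members": [f"deleted:serviceAccount:{CONNECTOR_SA}?uid=123456789"]},
]}

if __name__ == "__main__":
    for name, policy in (("ok", POLICY_OK), ("weak", POLICY_WEAK)):
        print(name, audit_connector_sa(policy, CONNECTOR_SA))
```

To run it against a real project, load the JSON output of `gcloud projects get-iam-policy` with `json.load` and pass the result as `policy`.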