Skip to main content
Setup and administration

Learn about Google Cloud projects and permissions

Contributors netapp-bcammett netapp-ivanad

Learn how BlueXP uses Google Cloud credentials to perform actions on your behalf and how those credentials are associated with marketplace subscriptions. Understanding these details can be helpful as you manage the credentials for one or more Google Cloud projects. For example, you might want to learn about the service account that's associated with the Connector VM.

Project and permissions for BlueXP

Before you can use BlueXP to manage resources in your Google Cloud project, you must first deploy a Connector. The Connector can't be running on your premises, or in a different cloud provider.

Two sets of permissions must be in place before you deploy a Connector directly from BlueXP:

  1. You need to deploy a Connector using a Google account that has permissions to launch the Connector VM instance from BlueXP.

  2. When deploying the Connector, you are prompted to select a service account for the VM instance. BlueXP gets permissions from the service account to create and manage Cloud Volumes ONTAP systems, to manage backups using BlueXP backup and recovery, and more. Permissions are provided by attaching a custom role to the service account.

The following image depicts the permission requirements described in numbers 1 and 2 above:

A conceptual image depicting the permissions requirements for google and service accounts to deploy Cloud Volumes ONTAP.

To learn how to set up permissions, refer to the following pages:

Credentials and marketplace subscriptions

When you deploy a Connector in Google Cloud, BlueXP creates a default set of credentials for the Google Cloud service account in the project in which the Connector resides. These credentials must be associated with a Google Cloud Marketplace subscription so that you can pay for Cloud Volumes ONTAP at an hourly rate (PAYGO) and use other BlueXP services.

Note the following about Google Cloud credentials and marketplace subscriptions:

  • Only one set of Google Cloud credentials can be associated with a Connector

  • You can associate only one Google Cloud Marketplace subscription with the credentials

  • You can replace an existing marketplace subscription with a new subscription

Project for Cloud Volumes ONTAP

Cloud Volumes ONTAP can reside in the same project as the Connector, or in a different project. To deploy Cloud Volumes ONTAP in a different project, you need to first add the Connector service account and role to that project.