Google Cloud permissions for the Connector
BlueXP requires permissions to perform actions in Google Cloud. These permissions are included in a custom role provided by NetApp. You might want to understand what BlueXP does with these permissions.
Service account permissions
The custom role shown below provides the permissions that a Connector needs to manage resources and processes within your Google Cloud network.
Attach this custom role to a service account, and attach that service account to the Connector VM.
Because later releases add permissions, keep the role up to date; additions are recorded in the change log at the end of this page.
title: NetApp BlueXP
description: Permissions for the service account associated with the Connector instance.
stage: GA
includedPermissions:
- iam.serviceAccounts.actAs
- compute.regionBackendServices.create
- compute.regionBackendServices.get
- compute.regionBackendServices.list
- compute.networks.updatePolicy
- compute.backendServices.create
- compute.addresses.list
- compute.disks.create
- compute.disks.createSnapshot
- compute.disks.delete
- compute.disks.get
- compute.disks.list
- compute.disks.setLabels
- compute.disks.use
- compute.firewalls.create
- compute.firewalls.delete
- compute.firewalls.get
- compute.firewalls.list
- compute.globalOperations.get
- compute.images.get
- compute.images.getFromFamily
- compute.images.list
- compute.images.useReadOnly
- compute.instances.addAccessConfig
- compute.instances.attachDisk
- compute.instances.create
- compute.instances.delete
- compute.instances.detachDisk
- compute.instances.get
- compute.instances.getSerialPortOutput
- compute.instances.list
- compute.instances.setDeletionProtection
- compute.instances.setLabels
- compute.instances.setMachineType
- compute.instances.setMetadata
- compute.instances.setTags
- compute.instances.start
- compute.instances.stop
- compute.instances.updateDisplayDevice
- compute.instanceGroups.get
- compute.addresses.get
- compute.instances.updateNetworkInterface
- compute.machineTypes.get
- compute.networks.get
- compute.networks.list
- compute.projects.get
- compute.regions.get
- compute.regions.list
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- compute.snapshots.list
- compute.snapshots.setLabels
- compute.subnetworks.get
- compute.subnetworks.list
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.zoneOperations.get
- compute.zones.get
- compute.zones.list
- compute.instances.setServiceAccount
- deploymentmanager.compositeTypes.get
- deploymentmanager.compositeTypes.list
- deploymentmanager.deployments.create
- deploymentmanager.deployments.delete
- deploymentmanager.deployments.get
- deploymentmanager.deployments.list
- deploymentmanager.manifests.get
- deploymentmanager.manifests.list
- deploymentmanager.operations.get
- deploymentmanager.operations.list
- deploymentmanager.resources.get
- deploymentmanager.resources.list
- deploymentmanager.typeProviders.get
- deploymentmanager.typeProviders.list
- deploymentmanager.types.get
- deploymentmanager.types.list
- logging.logEntries.list
- logging.privateLogEntries.list
- resourcemanager.projects.get
- storage.buckets.create
- storage.buckets.delete
- storage.buckets.get
- storage.buckets.list
- cloudkms.cryptoKeyVersions.useToEncrypt
- cloudkms.cryptoKeys.get
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- storage.buckets.update
- iam.serviceAccounts.getIamPolicy
- iam.serviceAccounts.list
- storage.objects.get
- storage.objects.list
- monitoring.timeSeries.list
- storage.buckets.getIamPolicy
- cloudkms.cryptoKeys.getIamPolicy
- cloudkms.cryptoKeys.setIamPolicy
- cloudkms.keyRings.get
- cloudkms.keyRings.getIamPolicy
- cloudkms.keyRings.setIamPolicy
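The role above is a point-in-time definition, and the change log shows it grows between releases. The following script is an added example, not NetApp's code: it parses a saved copy of the role YAML, fetches the live role with `gcloud iam roles describe --format=yaml`, and reports permissions the live role is missing or grants beyond the definition, optionally pushing the file with `gcloud iam roles update --file`. The project ID, role ID, file path, sample etag and the constructed "live" definition are placeholders; only the two gcloud commands are real.

```python
"""Drift check for the BlueXP Connector custom role in Google Cloud.

Added example, not NetApp's code. Compares the permissions declared in a
saved copy of the role YAML (the definition above, kept in version control)
with what the custom role in a project actually grants, so the role can be
brought up to date when a BlueXP release adds permissions. The project ID,
role ID and file path are placeholders supplied on the command line.
"""
import subprocess
import sys


def parse_role_yaml(text):
    """Minimal parser for the flat role YAML that gcloud reads and writes.

    The format has only 'key: value' scalars and the 'includedPermissions:'
    list of '- permission' items, so a full YAML library is not needed.
    """
    role = {"includedPermissions": []}
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_list and line.startswith("- "):
            role["includedPermissions"].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        in_list = key == "includedPermissions" and value == ""
        if not in_list:
            role[key] = value
    return role


def role_drift(expected_yaml, actual_yaml):
    """Return (missing, extra): permissions the live role lacks, and
    permissions it grants that the reference definition does not list."""
    expected = set(parse_role_yaml(expected_yaml)["includedPermissions"])
    actual = set(parse_role_yaml(actual_yaml)["includedPermissions"])
    return sorted(expected - actual), sorted(actual - expected)


def describe_role_cmd(project, role_id):
    """gcloud command that prints a project-level custom role as YAML."""
    return ["gcloud", "iam", "roles", "describe", role_id,
            f"--project={project}", "--format=yaml"]


def update_role_cmd(project, role_id, path):
    """gcloud command that replaces the role's definition with the file."""
    return ["gcloud", "iam", "roles", "update", role_id,
            f"--project={project}", f"--file={path}"]


# Constructed sample input: a trimmed reference definition and a "live" role
# that predates the 6 February 2023 change and still carries a permission
# the reference does not list. The etag and project name are made up.
SAMPLE_SPEC = """\
title: NetApp BlueXP
description: Permissions for the service account associated with the Connector instance.
stage: GA
includedPermissions:
- iam.serviceAccounts.actAs
- compute.instances.get
- compute.instances.updateNetworkInterface
- cloudkms.keyRings.setIamPolicy
"""

SAMPLE_LIVE = """\
description: Permissions for the service account associated with the Connector instance.
etag: BwXYZ123456=
includedPermissions:
- cloudkms.keyRings.setIamPolicy
- compute.instances.get
- container.clusters.get
- iam.serviceAccounts.actAs
name: projects/example-project/roles/NetAppBlueXP
stage: GA
title: NetApp BlueXP
"""


def main(argv):
    """usage: check_role.py PROJECT ROLE_ID role.yaml [--apply]

    Without arguments the constructed sample is checked instead of gcloud.
    Exit status 1 means the live role is missing permissions.
    """
    if len(argv) < 4:
        missing, extra = role_drift(SAMPLE_SPEC, SAMPLE_LIVE)
    else:
        project, role_id, path = argv[1:4]
        with open(path) as fh:
            spec = fh.read()
        live = subprocess.run(describe_role_cmd(project, role_id), check=True,
                              capture_output=True, text=True).stdout
        missing, extra = role_drift(spec, live)
        if missing and "--apply" in argv:
            subprocess.run(update_role_cmd(project, role_id, path), check=True)
    for perm in missing:
        print(f"MISSING {perm}")
    for perm in extra:
        print(f"EXTRA   {perm}")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from CI with the role file that matches the BlueXP release you deploy; a non-zero exit flags a stale role before a Connector operation fails for lack of a permission, and the EXTRA list is worth reviewing because the role is granted to a service account attached to a VM.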
How Google Cloud permissions are used
Actions | Purpose
---|---
compute.disks.create | To create and manage disks for Cloud Volumes ONTAP.
compute.firewalls.create | To create firewall rules for Cloud Volumes ONTAP.
compute.globalOperations.get | To get the status of operations.
compute.images.get | To get images for VM instances.
compute.instances.attachDisk | To attach and detach disks to Cloud Volumes ONTAP.
compute.instances.create | To create and delete Cloud Volumes ONTAP VM instances.
compute.instances.get | To list VM instances.
compute.instances.getSerialPortOutput | To get console logs.
compute.instances.list | To retrieve the list of instances in a zone.
compute.instances.setDeletionProtection | To set deletion protection on the instance.
compute.instances.setLabels | To add labels.
compute.instances.setMachineType | To change the machine type for Cloud Volumes ONTAP.
compute.instances.setMetadata | To add metadata.
compute.instances.setTags | To add tags for firewall rules.
compute.instances.start | To start and stop Cloud Volumes ONTAP.
compute.machineTypes.get | To get the number of cores to check quotas.
compute.projects.get | To support multi-projects.
compute.snapshots.create | To create and manage persistent disk snapshots.
compute.networks.get | To get the networking information needed to create a new Cloud Volumes ONTAP virtual machine instance.
deploymentmanager.compositeTypes.get | To deploy the Cloud Volumes ONTAP virtual machine instance using Google Cloud Deployment Manager.
logging.logEntries.list | To get stack log drives.
resourcemanager.projects.get | To support multi-projects.
storage.buckets.create | To create and manage a Google Cloud Storage bucket for data tiering.
cloudkms.cryptoKeyVersions.useToEncrypt | To use customer-managed encryption keys from the Cloud Key Management Service with Cloud Volumes ONTAP.
compute.instances.setServiceAccount | To set a service account on the Cloud Volumes ONTAP instance. This service account provides permissions for data tiering to a Google Cloud Storage bucket.
compute.addresses.list | To retrieve the addresses in a region when deploying an HA pair.
compute.backendServices.create | To configure a backend service for distributing traffic in an HA pair.
compute.networks.updatePolicy | To apply firewall rules on the VPCs and subnets for an HA pair.
compute.subnetworks.use | To enable BlueXP classification.
container.clusters.get | To discover Kubernetes clusters running in Google Kubernetes Engine.
compute.instanceGroups.get | To create and manage storage VMs on Cloud Volumes ONTAP HA pairs.
monitoring.timeSeries.list | To discover information about Google Cloud Storage buckets.
cloudkms.cryptoKeys.get | To select your own customer-managed keys in the BlueXP backup and recovery activation wizard instead of using the default Google-managed encryption keys.

Note that container.clusters.get is described in this table but is not part of the custom role definition listed above; check the current role definition before relying on it for Kubernetes cluster discovery.
Change log
As permissions are added and removed, we’ll note them in the sections below.
6 February, 2023
The following permission was added to this policy:
- compute.instances.updateNetworkInterface
This permission is required for Cloud Volumes ONTAP.
27 January, 2023
The following permissions were added to the policy:
- cloudkms.cryptoKeys.getIamPolicy
- cloudkms.cryptoKeys.setIamPolicy
- cloudkms.keyRings.get
- cloudkms.keyRings.getIamPolicy
- cloudkms.keyRings.setIamPolicy
These permissions are required for BlueXP backup and recovery.