Control plane architecture
All management actions to Google Cloud NetApp Volumes are done through API. Google Cloud NetApp Volumes management integrated into the GCP Cloud Console also uses the Google Cloud NetApp Volumes API.
Identity and Access Management
Identity and Access Management (IAM) is a standard service that enables you to control authentication (logins) and authorization (permissions) to Google Cloud project instances. Google IAM provides a full audit trail of permissions authorization and removal. Currently Google Cloud NetApp Volumes does not provide control plane auditing.
Authorization/permission overview
IAM offers built-in, granular permissions for Google Cloud NetApp Volumes. You can find a complete list of granular permissions here.
IAM also offers two predefined roles called netappcloudvolumes.admin
and netappcloudvolumes.viewer
. These roles can be assigned to specific users or service accounts.
Assign appropriate roles and permission to allow IAM users to manage Google Cloud NetApp Volumes.
Examples for using granular permissions include the following:
-
Build a custom role with only get/list/create/update permissions so that users cannot delete volumes.
-
Use a custom role with only
snapshot.*
permissions to create a service account that is used to build application- consistent Snapshot integration. -
Build a custom role to delegate
volumereplication.*
to specific users.
Service accounts
To make Google Cloud NetApp Volumes API calls through scripts or Terraform, you must create a service account with the roles/netappcloudvolumes.admin
role. You can use this service account to generate the JWT tokens required to authenticate Google Cloud NetApp Volumes API requests in two different ways:
-
Generate a JSON key and use Google APIs to derive a JWT token from it. This is the simplest approach, but it involves manual secrets (the JSON key) management.
-
Use Service account impersonation with
roles/iam.serviceAccountTokenCreator
. The code (script, Terraform, and so on.) runs with Application Default Credentials and impersonates the service account to gain its permissions. This approach reflects Google security best practices.
See Creating your service account and private key in the Google cloud documentation for more information.
Google Cloud NetApp Volumes API
Google Cloud NetApp Volumes API uses a REST-based API by using HTTPS (TLSv1.2) as the underlying network transport. You can find the latest API definition here and information about how to use the API at Cloud Volumes APIs in the Google cloud documentation.
The API endpoint is operated and secured by NetApp using standard HTTPS (TLSv1.2) functionality.
JWT tokens
Authentication to the API is performed with JWT bearer tokens (RFC-7519). Valid JWT tokens must be obtained by using Google Cloud IAM authentication. This must be done by fetching a token from IAM by providing a service account JSON key.
Audit logging
Currently, no user-accessible control plane audit logs are available.