Set up Google Cloud NetApp Volumes
The NetApp Console needs the right permissions through a Google Cloud service account.
Complete the following tasks so that NetApp Console can access your Google Cloud project.
You can use the Google Cloud console or the gcloud CLI for these tasks. To use the gcloud CLI, you must have installed the Google Cloud CLI first.
- If you do not already have an existing service account, create a new one.
- Grant access for impersonation.
- Grant the IAM role in the shared project.
Set up a service account
- In the Google Cloud console, go to the Service accounts page.
- Click Select a project, choose your project, and click Open.
- To create a service account, do the following:
  - Click Create service account.
  - Enter the service account name (friendly display name) and description.
    The Google Cloud console generates a service account ID based on this name. Edit the ID if necessary; you cannot change the ID later.
  - Click Create and continue.
  - From the Role list, select the Google Cloud NetApp Volumes admin or Google Cloud NetApp viewer role.
  - Select Continue.
  Alternatively, you can assign the role using the gcloud CLI:
  gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> --member="serviceAccount:<YOUR_SA_EMAIL>" --role="roles/netapp.admin"
- Grant impersonation access to this service account: credentials-sa@wf-production-netapp.iam.gserviceaccount.com. For details, see Create a self-signed JSON Web Token (JWT).
  This service account, owned by NetApp, uses the grant to request a short-lived access token for your service account, so it can act as your service account without ever needing access to its private key.
  Alternatively, you can grant impersonation access using the gcloud CLI:
  gcloud iam service-accounts add-iam-policy-binding <YOUR_SA_EMAIL> --member="serviceAccount:credentials-sa@wf-production-netapp.iam.gserviceaccount.com" --role="roles/iam.serviceAccountTokenCreator" --project=<YOUR_PROJECT_ID>
- Click DONE at the bottom of the page, and continue to the next step.
Shared VPC
In each additional GCP project that will use the service account, do the following:
- In the IAM page, select the Shared VPC host project from the project dropdown menu.
- Click Add Principal.
- In the New principals field, enter the email address of your service account.
- From the Select a role dropdown, choose the Google Cloud NetApp Volumes admin role.
- Click Save.
Alternatively, you can add the IAM policy binding using the gcloud CLI:
gcloud projects add-iam-policy-binding <SHARED_VPC_HOST_PROJECT_ID> --member="serviceAccount:<YOUR_SA_EMAIL>" --role="roles/netapp.admin"
For detailed steps, refer to Google Cloud documentation:
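The two bindings created above are worth verifying after the fact: roles/iam.serviceAccountTokenCreator on your service account lets any holder mint access tokens as that account, so only the NetApp service account should hold it, and roles/netapp.admin must be bound to your service account in the project (and in the Shared VPC host project). The following added example, not part of this page or of the NetApp Console, audits the JSON that `gcloud iam service-accounts get-iam-policy` and `gcloud projects get-iam-policy` print with `--format=json`; the two policy documents are constructed samples, and `<YOUR_SA_EMAIL>` stays a placeholder as on the page.

```python
"""Audit the IAM bindings from the steps above using `gcloud ... get-iam-policy --format=json` output."""
import json

# Values taken from the steps above; <YOUR_SA_EMAIL> is a placeholder, as on the page.
NETAPP_SA = "credentials-sa@wf-production-netapp.iam.gserviceaccount.com"
TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"
NETAPP_ADMIN = "roles/netapp.admin"

# Constructed sample of `gcloud iam service-accounts get-iam-policy <YOUR_SA_EMAIL> --format=json`
# after the impersonation step, with one extra principal added so the audit has something to flag.
SA_POLICY_JSON = """{
  "bindings": [{"role": "roles/iam.serviceAccountTokenCreator",
                "members": ["serviceAccount:credentials-sa@wf-production-netapp.iam.gserviceaccount.com",
                            "user:stray-admin@example.com"]}],
  "etag": "BwXconstructed=", "version": 1}"""

# Constructed sample of `gcloud projects get-iam-policy <YOUR_PROJECT_ID> --format=json`.
PROJECT_POLICY_JSON = """{
  "bindings": [{"role": "roles/netapp.admin",
                "members": ["serviceAccount:<YOUR_SA_EMAIL>"]}],
  "etag": "BwYconstructed=", "version": 1}"""


def load_policy(text: str) -> dict:
    return json.loads(text)


def members_with_role(policy: dict, role: str) -> set:
    """Every principal bound to `role`. A role can appear in several bindings; a binding that
    carries a `condition` is counted here as well, so review such conditions by hand."""
    return {m for b in policy.get("bindings", [])
            if b.get("role") == role for m in b.get("members", [])}


def audit_impersonation(sa_policy: dict) -> dict:
    """On the service account's own policy only the NetApp SA should hold Token Creator,
    because any holder of that role can request access tokens as your service account."""
    holders = members_with_role(sa_policy, TOKEN_CREATOR)
    expected = f"serviceAccount:{NETAPP_SA}"
    return {"netapp_can_impersonate": expected in holders,
            "unexpected_impersonators": sorted(holders - {expected})}


def project_grants_netapp_admin(project_policy: dict, sa_email: str) -> bool:
    """True when the project (or Shared VPC host project) binds roles/netapp.admin to your SA."""
    return f"serviceAccount:{sa_email}" in members_with_role(project_policy, NETAPP_ADMIN)


if __name__ == "__main__":
    print(audit_impersonation(load_policy(SA_POLICY_JSON)))
    print(project_grants_netapp_admin(load_policy(PROJECT_POLICY_JSON), "<YOUR_SA_EMAIL>"))
```

Run it against real output by replacing the two sample strings with the files saved from the gcloud commands; any principal listed under "unexpected_impersonators" can impersonate your service account and should be removed unless you placed it there deliberately.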
Troubleshooting
If you encounter an error, the iam.disableCrossProjectServiceAccountUsage policy might be enforced. To fix this, do the following:
- In the Google Cloud console, go to the Organization policies page.
- Find the Disable cross-project service account usage policy and disable it.
Organization policies can be set at the organization, folder, or project level; scope this change to the project that needs cross-project service account usage rather than relaxing it for the whole organization.