GCP Connection Configuration

To work with GCP, OpeNgine requires three prerequisites:

  • the ID of the GCP project;

  • a GCP service account with the corresponding permissions;

  • the service account's JSON key file.

GCP Project

Store the identifier of the target GCP project in the GOOGLE_PROJECT environment variable, for example:

export GOOGLE_PROJECT='yourprojectid'

GCP Service Account

You can provision the service account from the command line or from the UI (Cloud Console). The following role memberships are required:

  • Kubernetes Engine Admin (roles/container.admin)

  • Cloud KMS Admin (roles/cloudkms.admin, for vault)

  • Service Account Key Admin (roles/iam.serviceAccountKeyAdmin)

  • Service Account User (roles/iam.serviceAccountUser)

  • Compute Admin (roles/compute.admin)

  • Storage Admin (roles/storage.admin)

  • Organization Role Viewer (roles/iam.organizationRoleViewer)

Be sure to have the Google Cloud SDK (gcloud CLI) installed as per the following manual.

Example:

gcloud beta iam service-accounts create [SA-NAME] \
  --description "[SA-DESCRIPTION]" \
  --display-name "[SA-DISPLAY-NAME]"

# The --member value must be the service account's full e-mail address, and
# add-iam-policy-binding accepts only one --role per invocation (a repeated
# flag keeps just the last value), so bind each required role in turn.
for ROLE in roles/container.admin \
            roles/cloudkms.admin \
            roles/iam.serviceAccountKeyAdmin \
            roles/iam.serviceAccountUser \
            roles/compute.admin \
            roles/storage.admin \
            roles/iam.organizationRoleViewer; do
  gcloud projects add-iam-policy-binding [PROJECT-ID] \
    --member "serviceAccount:[SA-NAME]@[PROJECT-ID].iam.gserviceaccount.com" \
    --role "$ROLE"
done

JSON Key File

Create a new key for the service account, save the JSON file, and store the path to the key file in the GOOGLE_APPLICATION_CREDENTIALS environment variable, for example:

export GOOGLE_APPLICATION_CREDENTIALS=${HOME}/.ssh/my-key.json

The key file is a long-lived credential for every role listed above: keep it readable only by your user (chmod 600) and out of version control.
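The following preflight check, added here as an example and not part of OpeNgine, validates the three prerequisites offline before any deployment is attempted: that GOOGLE_PROJECT and GOOGLE_APPLICATION_CREDENTIALS are set, that the key file is a service-account key (not user credentials) whose project_id matches GOOGLE_PROJECT, and that the file is not readable by other users. The sample key it writes is constructed for the demonstration; its private key and e-mail address are placeholders, and the function names are this example's own.

```python
"""Preflight check for the OpeNgine GCP prerequisites (added example).

Validates GOOGLE_PROJECT and the service-account key file named by
GOOGLE_APPLICATION_CREDENTIALS without calling any Google API.
"""
import json
import os
import stat
import tempfile

# Fields present in every Google service-account JSON key.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")


def check_key_file(path, expected_project):
    """Return a list of problems found with the key file (empty list means OK)."""
    problems = []
    if not os.path.isfile(path):
        return [f"key file not found: {path}"]

    # A private key must never be group- or world-readable.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {oct(mode)} is readable by others; use chmod 600")

    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"key file is not valid JSON: {exc}"]

    missing = [f for f in REQUIRED_KEY_FIELDS if f not in key]
    if missing:
        return problems + [f"missing field {f!r}" for f in missing]

    if key["type"] != "service_account":
        problems.append(f"credential type {key['type']!r} is not a service account key")
    if key["project_id"] != expected_project:
        problems.append(f"key belongs to project {key['project_id']!r}, "
                        f"but GOOGLE_PROJECT is {expected_project!r}")
    if not key["client_email"].endswith(".iam.gserviceaccount.com"):
        problems.append(f"client_email {key['client_email']!r} is not a service account address")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM private key")
    return problems


def check_environment(env=None):
    """Check both environment variables, then the key file they point at."""
    env = os.environ if env is None else env
    project = env.get("GOOGLE_PROJECT", "")
    creds = env.get("GOOGLE_APPLICATION_CREDENTIALS", "")
    problems = []
    if not project:
        problems.append("GOOGLE_PROJECT is not set")
    if not creds:
        problems.append("GOOGLE_APPLICATION_CREDENTIALS is not set")
    if problems:
        return problems
    return check_key_file(creds, project)


def make_sample_key(project="example-project", mode=0o600, directory=None):
    """Write a constructed (fake) key file for demonstration; returns its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, f"{project}-key.json")
    key = {
        "type": "service_account",
        "project_id": project,
        "private_key_id": "0123456789abcdef",  # placeholder, not a real key id
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": f"opengine@{project}.iam.gserviceaccount.com",
    }
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)  # mode is deliberately a parameter so the check can be exercised
    return path


if __name__ == "__main__":
    # Demonstrate against a constructed key; for a real check just call check_environment().
    sample = make_sample_key("example-project")
    env = {"GOOGLE_PROJECT": "example-project", "GOOGLE_APPLICATION_CREDENTIALS": sample}
    for problem in check_environment(env) or ["all prerequisites look good"]:
        print(problem)
```

Run it with no arguments to check the current shell's environment; a non-empty result lists what to fix before deploying, and an empty result means the three prerequisites are consistent with each other.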