Service Accounts
Valtix requires two (2) service accounts created in your GCP project.
- valtix-controller: This account is used by the Valtix Controller to access your GCP project to create resources (Valtix Gateways) and load balancers for the Valtix Gateways, and to read information about VPCs, Subnets, Security Group tags, etc.
- valtix-gateway: This account is assigned to the Valtix Gateways (Compute VM instances). It provides access to Secret Manager (private keys for TLS decryption) and to storage.
valtix-controller service account
The valtix-controller service account is used by the Valtix Controller to access and manage resources in your GCP project. You must create the account and generate a key. The key is added to the Controller as part of Account onboarding to the Controller. The downloaded key file is a long-lived credential for your project, so store it securely and restrict who can read it.
Below are two (2) methods of creating this service account: through the Cloud Console, or with gcloud commands.
- Open IAM in your GCP project
- Click Service Accounts
- Create Service Account
- Provide a name and ID (e.g. valtix-controller) and click Create
- Add Compute Admin and Service Account User roles
- Click Continue
- Click Done (Note: there is no requirement to add any users)
- Click on the newly created account, scroll down to Keys, open the Add Key dropdown and select Create New Key
- Choose JSON (default option) and click Create
- A file is downloaded to your computer. Save this file.
Commands to create Valtix Controller service account
# change these two (2) variable values
valtix_controller_account_name="valtix-controller"
project_name="project1-lastname-123456"
valtix_controller_account_email="$valtix_controller_account_name@$project_name.iam.gserviceaccount.com"
# create the service account
gcloud iam service-accounts create "$valtix_controller_account_name" \
--description="service account used by Valtix to create resources in the project" \
--display-name="valtix-controller-account"
# grant the two roles the Controller needs at project level
gcloud projects add-iam-policy-binding "$project_name" \
--member "serviceAccount:$valtix_controller_account_email" \
--role "roles/compute.admin"
gcloud projects add-iam-policy-binding "$project_name" \
--member "serviceAccount:$valtix_controller_account_email" \
--role "roles/iam.serviceAccountUser"
# generate the JSON key that is uploaded to the Controller during onboarding
gcloud iam service-accounts keys create ~/key.json \
--iam-account "$valtix_controller_account_email"
valtix-firewall service account
The valtix-firewall service account is used by the Valtix Gateway instances running inside your GCP project. The Gateways may need to access the private keys stored in Secret Manager for TLS decryption, and to access storage to store PCAP files, etc. (if configured by the user). The Gateways may also need Logs Writer permissions to send logs from the Valtix Gateway to the GCP logging instance (if configured by the user).
Below are two (2) methods of creating this service account: through the Cloud Console, or with gcloud commands.
- Open IAM in your GCP project
- Click Service Accounts
- Create Service Account
- Provide a name and ID (e.g. valtix-firewall) and click Create
- Add Secret Manager Secret Accessor and Logs Writer roles
- Click Continue
- Click Done (Note: there is no requirement to add any users)
Commands to create Valtix firewall service account
# change these two (2) variable values
valtix_firewall_account_name="valtix-firewall"
project_name="project1-lastname-123456"
valtix_firewall_account_email="$valtix_firewall_account_name@$project_name.iam.gserviceaccount.com"
# create the service account
gcloud iam service-accounts create "$valtix_firewall_account_name" \
--description="service account used by Valtix firewall to access secrets, storage" \
--display-name="valtix-firewall-account"
# grant the two roles the Gateways need at project level
gcloud projects add-iam-policy-binding "$project_name" \
--member "serviceAccount:$valtix_firewall_account_email" \
--role "roles/secretmanager.secretAccessor"
gcloud projects add-iam-policy-binding "$project_name" \
--member "serviceAccount:$valtix_firewall_account_email" \
--role "roles/logging.logWriter"
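After running either set of commands, it is worth confirming that each service account holds exactly the roles listed above and nothing more. The following audit is an added example, not part of the Valtix documentation: it parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and reports missing or extra project-level roles for the two accounts. The embedded policy, the project id `example-project` and its `roles/owner` binding are constructed for the example.

```python
import json

# Least-privilege role sets, taken from the gcloud commands above.
EXPECTED_ROLES = {
    "valtix-controller": {"roles/compute.admin", "roles/iam.serviceAccountUser"},
    "valtix-firewall": {"roles/secretmanager.secretAccessor", "roles/logging.logWriter"},
}

# Constructed sample in the shape `gcloud projects get-iam-policy PROJECT --format=json`
# prints; the project id, user and the roles/owner binding are made up for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/compute.admin",
         "members": ["serviceAccount:valtix-controller@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:valtix-controller@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["user:admin@example.com",
                     "serviceAccount:valtix-firewall@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/secretmanager.secretAccessor",
         "members": ["serviceAccount:valtix-firewall@example-project.iam.gserviceaccount.com"]},
    ],
    "etag": "BwXyZ=",
    "version": 1,
})

def roles_for_service_accounts(policy_json, project):
    """Map each service account short name in PROJECT to the project-level roles it holds."""
    policy = json.loads(policy_json)
    suffix = f"@{project}.iam.gserviceaccount.com"
    roles = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith("serviceAccount:") and member.endswith(suffix):
                name = member[len("serviceAccount:"):-len(suffix)]
                roles.setdefault(name, set()).add(binding["role"])
    return roles

def audit(policy_json, project, expected=EXPECTED_ROLES):
    """Return {account: {"missing": roles, "extra": roles}} for accounts that deviate.
    Missing roles break the Controller or Gateways; extra roles (roles/owner in the
    sample) are over-privilege that should be removed from the service account."""
    actual = roles_for_service_accounts(policy_json, project)
    findings = {}
    for account, wanted in expected.items():
        have = actual.get(account, set())
        missing, extra = wanted - have, have - wanted
        if missing or extra:
            findings[account] = {"missing": missing, "extra": extra}
    return findings
```

Against a live project, feed the output of `gcloud projects get-iam-policy "$project_name" --format=json` to `audit()` in place of the sample; an empty result means both accounts match the documented roles.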
Using a GCloud Shell script
Use this script in GCloud Shell in the current project to create the service accounts.