forked from trailofbits/algo
Add documentation on how to setup GCE accounts
This commit adds the steps needed to create a credential with the needed access on Google Cloud Platform to be able to successfully create a new algo VPN.

Related to:
- trailofbits#682
- trailofbits#658
Showing 1 changed file with 38 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# Google Cloud Platform setup | ||
|
||
Follow the [installation instructions](https://cloud.google.com/sdk/) to have the CLI commands to interact with Google. | ||
|
||
After creating an account and installing, login in on your account using `gcloud init` | ||
|
||
### Creating a project | ||
|
||
The recommendation on GCP is to group resources on **Projets**, so we will create one project to put our VPN server and service account restricted to it. | ||
|
||
```bash | ||
## Create the project to group the resources | ||
### You might need to change it to have a global unique project id | ||
PROJECT_ID=${USER}-algo-vpn | ||
BILLING_ID="$(gcloud beta billing accounts list --format="value(ACCOUNT_ID)")" | ||
|
||
gcloud projects create ${PROJECT_ID} --name algo-vpn --set-as-default | ||
gcloud beta billing projects link ${PROJECT_ID} --billing-account ${BILLING_ID} | ||
|
||
## Create an account that have access to the VPN | ||
gcloud iam service-accounts create algo-vpn --display-name "Algo VPN" | ||
gcloud iam service-accounts keys create configs/gce.json \ | ||
--iam-account algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com | ||
gcloud projects add-iam-policy-binding ${PROJECT_ID} \ | ||
--member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ | ||
--role roles/compute.admin | ||
gcloud projects add-iam-policy-binding ${PROJECT_ID} \ | ||
--member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ | ||
--role roles/iam.serviceAccountUser | ||
|
||
## Enable the services | ||
gcloud services enable compute.googleapis.com | ||
|
||
./algo -e "provider=gce" -e "gce_credentials_file=$(pwd)/configs/gce.json" | ||
|
||
``` | ||
|
||
**Attention:** take care of the `configs/gce.json` file, which contains the credentials to manage your Google Cloud account, including create and delete servers on this project. |
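Review bot: The service account key written by `gcloud iam service-accounts keys create configs/gce.json` is only covered by the closing "Attention" sentence, which tells the reader to take care of the file but not how. Since the same account is bound to `roles/compute.admin` and `roles/iam.serviceAccountUser` on the whole project, I would add a `chmod 600 configs/gce.json` right after the key is created, and a short closing step that revokes the key with `gcloud iam service-accounts keys delete` once it is no longer needed. Separately, the `BILLING_ID=` line assumes a single billing account: with `--format="value(ACCOUNT_ID)"` the list prints one ID per line, and the unquoted `${BILLING_ID}` passed to `gcloud beta billing projects link` will split into several arguments when more than one exists, so the docs should either say to pick one ID or quote and filter the value. Minor wording: "Projets" should be "Projects" and "login in on your account" should be "log in to your account".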