Overview
BeBop OS is a managed services deployment. We provision all infrastructure, networking, and storage for the BeBop OS deployment. To effectively maintain the deployed application, the following roles and permissions need to be granted:
Access Required:
- Compute Admin
  - Launch, terminate, and troubleshoot GCP Compute services as needed.
- DNS Administrator
  - Used to provision internal DNS for internal service resolution.
- Pub/Sub Editor
  - Used to provision compute instance status notifications (started, running, stopped, deleted, etc.).
- Logging Admin
  - Used in provisioning step 3; Logging is a dependency for retrieving instance status.
- Storage Admin
  - Used in the BeBop Flex Storage setup (optional if Flex is not used).
- Storage HMAC Key Admin
  - Used in the BeBop Flex Storage setup (optional if Flex is not used).
- Quota Administrator
  - Used to create instance quota increase requests under IAM & Admin.
- Activate Identity-Aware Proxy for gcpsupport@beboptechnology.com
  - For better security, we access instances through Identity-Aware Proxy with Google authentication instead of traditional SSH keys.
- Service Account User permission on the bbpsrvcuser service account
  - This service account is attached to the instances that are launched.
Service Accounts Needed:
- Username: bbpsrvcuser
  - Roles: Compute Admin
  - Used for: reading network/subnet info, launching VMs, terminating VMs
  - ***Please also grant the Service Account User permission on this service account.
- Username: bbpflexsrvcuser (optional if Flex is not used)
  - Roles: Storage Admin (used for the Flex Storage setup; optional when Flex is not needed)
  - Used for: read/write access to GCP Storage buckets
    - Single-bucket access
    - Flex-based projects
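The two lists above (Access Required and Service Accounts Needed) amount to a per-principal role set, and the useful check after the grants are made is a least-privilege audit: does each principal hold exactly the requested roles, nothing missing and nothing extra? The script below is an added example, not BeBop's own tooling. It reads the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints and reports missing and surplus roles per principal. The service-account e-mail addresses and the project id are assumptions (the page gives only short names), and the sample policy is constructed.

```python
"""Least-privilege audit of a GCP project IAM policy against the roles
requested above. Added example, not BeBop's own code. Service-account
e-mails and PROJECT_ID are assumptions; SAMPLE_POLICY is constructed."""
import json

SUPPORT_USER = "user:gcpsupport@beboptechnology.com"  # named on the page
# Requested roles for the support user, as GCP predefined role ids.
SUPPORT_ROLES = {
    "roles/compute.admin",
    "roles/dns.admin",
    "roles/pubsub.editor",
    "roles/logging.admin",
    "roles/storage.admin",               # Flex only
    "roles/storage.hmacKeyAdmin",        # Flex only
    "roles/servicemanagement.quotaAdmin",
    "roles/iap.tunnelResourceAccessor",  # IAP access instead of SSH keys
    # Service Account User: better granted on the bbpsrvcuser account itself
    # than project-wide; this audit only sees the project-level policy.
    "roles/iam.serviceAccountUser",
}
FLEX_ONLY = {"roles/storage.admin", "roles/storage.hmacKeyAdmin"}

# Assumed service-account e-mails (PROJECT_ID is a placeholder).
BBP_SA = "serviceAccount:bbpsrvcuser@PROJECT_ID.iam.gserviceaccount.com"
FLEX_SA = "serviceAccount:bbpflexsrvcuser@PROJECT_ID.iam.gserviceaccount.com"
SA_ROLES = {BBP_SA: {"roles/compute.admin"}, FLEX_SA: {"roles/storage.admin"}}


def expected_roles(flex_enabled):
    """Role set each principal should hold, depending on whether Flex is used."""
    support = SUPPORT_ROLES if flex_enabled else SUPPORT_ROLES - FLEX_ONLY
    expected = {SUPPORT_USER: support, BBP_SA: SA_ROLES[BBP_SA]}
    if flex_enabled:
        expected[FLEX_SA] = SA_ROLES[FLEX_SA]
    return expected


def roles_by_member(policy):
    """Invert the policy's bindings list into {member: set(role ids)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def audit(policy, flex_enabled):
    """Return {member: {"missing": [...], "extra": [...]}} per principal.

    Missing roles will break provisioning; extra roles (e.g. roles/owner or
    roles/editor) exceed the documented request and should be removed or
    justified in writing.
    """
    actual = roles_by_member(policy)
    report = {}
    for member, want in expected_roles(flex_enabled).items():
        have = actual.get(member, set())
        report[member] = {"missing": sorted(want - have),
                          "extra": sorted(have - want)}
    return report


def has_findings(report):
    """True if any principal has at least one missing or extra role."""
    return any(r["missing"] or r["extra"] for r in report.values())


# Constructed sample policy in the shape gcloud exports. The support user was
# also given roles/owner and bbpsrvcuser roles/editor; neither was requested.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/compute.admin", "members": [SUPPORT_USER, BBP_SA]},
        {"role": "roles/dns.admin", "members": [SUPPORT_USER]},
        {"role": "roles/pubsub.editor", "members": [SUPPORT_USER]},
        {"role": "roles/logging.admin", "members": [SUPPORT_USER]},
        {"role": "roles/servicemanagement.quotaAdmin", "members": [SUPPORT_USER]},
        {"role": "roles/iap.tunnelResourceAccessor", "members": [SUPPORT_USER]},
        {"role": "roles/iam.serviceAccountUser", "members": [SUPPORT_USER]},
        {"role": "roles/owner", "members": [SUPPORT_USER]},
        {"role": "roles/editor", "members": [BBP_SA]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

if __name__ == "__main__":
    import sys
    # Usage: python audit_iam.py [policy.json] [--flex]
    args = [a for a in sys.argv[1:] if a != "--flex"]
    policy = json.load(open(args[0])) if args else SAMPLE_POLICY
    report = audit(policy, flex_enabled="--flex" in sys.argv)
    for member, r in report.items():
        print(f"{member}\n  missing: {r['missing']}\n  extra:   {r['extra']}")
    sys.exit(1 if has_findings(report) else 0)
```

Run against the sample, the audit flags roles/owner on the support user and roles/editor on bbpsrvcuser as surplus; with `--flex`, it additionally reports the two storage roles and the bbpflexsrvcuser account as missing. Exporting the real policy with gcloud and feeding it in turns the request list above into a repeatable check rather than a one-time review.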
Reason for Console Access:
- Troubleshooting and creating certain initial alert settings from Stackdriver to BeBop regarding instance statuses.
- Google IAP for SSH/RDP access.
- Managing BeBop Block Storage: provision, scale, monitor, and backup/restore.