forked from trailofbits/algo
Add documentation on how to setup GCE accounts (trailofbits#1164)
* Add documentation on how to setup GCE accounts

  This commit adds the steps needed to create a credential with the needed access on Google Cloud Platform to be able to successfully create a new algo VPN.

  Related to:
  - trailofbits#682
  - trailofbits#658

* Adds links on main README to GCP
* Adds link to Ansible documentation
* Update cloud-gce.md
1 parent
3468d27
commit 54a9144
Showing 2 changed files with 42 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# Google Cloud Platform setup | ||
|
||
Follow the [installation instructions](https://cloud.google.com/sdk/) to have the CLI commands to interact with Google. | ||
|
||
After creating an account and installing, login in on your account using `gcloud init` | ||
|
||
### Creating a project | ||
|
||
The recommendation on GCP is to group resources on **Projets**, so we will create one project to put our VPN server and service account restricted to it. | ||
|
||
```bash | ||
## Create the project to group the resources | ||
### You might need to change it to have a global unique project id | ||
PROJECT_ID=${USER}-algo-vpn | ||
BILLING_ID="$(gcloud beta billing accounts list --format="value(ACCOUNT_ID)")" | ||
|
||
gcloud projects create ${PROJECT_ID} --name algo-vpn --set-as-default | ||
gcloud beta billing projects link ${PROJECT_ID} --billing-account ${BILLING_ID} | ||
|
||
## Create an account that have access to the VPN | ||
gcloud iam service-accounts create algo-vpn --display-name "Algo VPN" | ||
gcloud iam service-accounts keys create configs/gce.json \ | ||
--iam-account algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com | ||
gcloud projects add-iam-policy-binding ${PROJECT_ID} \ | ||
--member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ | ||
--role roles/compute.admin | ||
gcloud projects add-iam-policy-binding ${PROJECT_ID} \ | ||
--member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ | ||
--role roles/iam.serviceAccountUser | ||
|
||
## Enable the services | ||
gcloud services enable compute.googleapis.com | ||
|
||
./algo -e "provider=gce" -e "gce_credentials_file=$(pwd)/configs/gce.json" | ||
|
||
``` | ||
|
||
**Attention:** take care of the `configs/gce.json` file, which contains the credentials to manage your Google Cloud account, including create and delete servers on this project. | ||
|
||
|
||
There are more advanced arguments available for deploynment [using ansible](deploy-from-ansible.md) |
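
Review bot: In the service-account block, `gcloud iam service-accounts keys create configs/gce.json` writes a long-lived key for an account that is then bound to `roles/compute.admin` and `roles/iam.serviceAccountUser` on the whole project, but the doc has no step for protecting or retiring that file. Suggest adding `chmod 600 configs/gce.json` directly after the key is created, and a closing sentence on removing the key with `gcloud iam service-accounts keys delete` when it is no longer needed. The **Attention** paragraph says the file manages "your Google Cloud account", while the two bindings above are scoped to `${PROJECT_ID}`; describing it as project-scoped would match what the commands grant. Separately, `BILLING_ID` captures every line printed by `gcloud beta billing accounts list`, so a user with more than one billing account passes a multi-line value, unquoted, to `--billing-account`; the text should tell the reader to pick a single ID, and the `${PROJECT_ID}` and `${BILLING_ID}` expansions should be quoted. Typos to fix before merge: "Projets", "login in on", "an account that have access", "deploynment".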