forked from gravitational/teleport
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs: updates for GCP discovery instructions (gravitational#36952)
* docs: updates for GCP discovery instructions * Include required permissions
- Loading branch information
1 parent
fc65c2c
commit 875e933
Showing
2 changed files
with
12 additions
and
4 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -73,6 +73,9 @@ discover instances. | |
| - `compute.instances.getGuestAttributes` | ||
| - `compute.instances.list` | ||
| - `compute.instances.setMetadata` | ||
| - `iam.serviceAccounts.actAs` | ||
| - `iam.serviceAccounts.get` | ||
| - `iam.serviceAccounts.list` | ||
|
|
||
|  | ||
|
|
||
|
|
@@ -103,6 +106,9 @@ discover instances. | |
| - compute.instances.getGuestAttributes | ||
| - compute.instances.list | ||
| - compute.instances.setMetadata | ||
| - iam.serviceAccounts.actAs | ||
| - iam.serviceAccounts.get | ||
| - iam.serviceAccounts.list | ||
| ``` | ||
|
|
||
| Then run the following command to create the role: | ||
|
|
@@ -123,7 +129,7 @@ discover instances. | |
| ```code | ||
| $ gcloud projects add-iam-policy-binding <Var name="project_id" description="GCP project ID" /> \ | ||
| --member="serviceAccount:teleport-discovery@<Var name="project_id" />.iam.gserviceaccount.com" \ | ||
| --role="projects/<Var name="project_id" />/role/teleport_discovery" | ||
| --role="projects/<Var name="project_id" />/roles/teleport_discovery" | ||
| ``` | ||
| </TabItem> | ||
| </Tabs> | ||
|
|
@@ -212,12 +218,12 @@ In order to enable GCP instance discovery the `discovery_service.gcp` section | |
| of `teleport.yaml` must include at least one entry: | ||
|
|
||
| ```yaml | ||
| version: v2 | ||
| version: v3 | ||
| teleport: | ||
| join_params: | ||
| token_name: "/tmp/token" | ||
| method: token | ||
| proxy_server: "teleport.example.com:443" | ||
| proxy_server: "<Var name="teleport.example.com" />:443" | ||
| auth_service: | ||
| enabled: off | ||
| proxy_service: | ||
|
|
@@ -239,6 +245,8 @@ discovery_service: | |
| # (Optional) Labels that joining VMs must have. | ||
| labels: | ||
| "env": "prod" # Match virtual machines where label:env=prod | ||
| installer: | ||
| public_proxy_addr: "<Var name="teleport.example.com" />:443" | ||
| ``` | ||
|
|
||
| - Edit the `teleport.auth_server` or `teleport.proxy_server` key to match your Auth Service or Proxy Service's domain name | ||
|
|
@@ -269,4 +277,4 @@ for details on alternate methods. | |
| - Full documentation on GCP discovery configuration can be found through the [ | ||
| config file reference documentation](../../reference/config.mdx). | ||
| - The complete default installer can be found [with the Teleport source | ||
| ](https://github.com/gravitational/teleport/blob/branch/v(=teleport.major_version=)/api/types/installers/installer.sh.tmpl). | ||
| ](https://github.com/gravitational/teleport/blob/branch/v(=teleport.major_version=)/api/types/installers/installer.sh.tmpl). | ||