Skip to content

Connect to GCP

Connecting Nullstone to your GCP account is necessary for Nullstone to manage your infrastructure. Nullstone provides one method for access: Service Account Keys.

Service Account

In the Service Account pattern, an admin creates a service account granting explicit access to a single Google Cloud project. Throughout this guide, we refer to a "Google Cloud Project" which represents an isolated namespace for creating infrastructure. Typically, organizations use projects to create environments (e.g. dev, staging, prod). If you have a larger organization, we advise creating projects for each environment and product.

CLI

WARNING

In order to use the CLI, you must configure your terminal with access to the target Google Cloud project. See Installing Google Cloud SDK.

Before we begin, we are going to export 2 environment variables that are used throughout this guide. Set up the PROJECT_ID based on the ID in the Google Cloud console. The service account ID will be used by Nullstone create infrastructure.

shell
export PROJECT_ID=...
export SERVICE_ACCOUNT_ID=nullstone
export PROJECT_ID=...
export SERVICE_ACCOUNT_ID=nullstone

Create Service Account

Now, let's create the service account in the target Google Cloud Project.

shell
gcloud iam service-accounts create "${SERVICE_ACCOUNT_ID}" \
  --description="Nullstone Agent" \
  --display-name="nullstone"
gcloud iam service-accounts create "${SERVICE_ACCOUNT_ID}" \
  --description="Nullstone Agent" \
  --display-name="nullstone"

Add Role to Service Account

Now that the service account exists, we need to give it permission to create infrastructure. Issue the following command to add a role to this service account.

shell
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="serviceAccount:${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/editor"
gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member="serviceAccount:${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role="roles/editor"

Create Service Account Key

Now, we need to generate service account keys that will be used by Nullstone to authenticate.

shell
gcloud iam service-accounts keys create "nullstone.json" \
  --iam-account=${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com
gcloud iam service-accounts keys create "nullstone.json" \
  --iam-account=${SERVICE_ACCOUNT_ID}@${PROJECT_ID}.iam.gserviceaccount.com

Enable Service Usage and Cloud Resource Manager APIs

Enable Service Usage and Cloud Resource Manager APIs for the project so that Nullstone can retrieve metadata about the project.

shell
gcloud services enable serviceusage.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable serviceusage.googleapis.com
gcloud services enable cloudresourcemanager.googleapis.com

Configure Nullstone

Finally, let's create a provider in Nullstone and upload the service account keys. Visit Nullstone and navigate to Org Settings (bottom left) > Providers Tab. Once there, click "Configure New Provider" in the top right to open a dialog.

Select gcp for Provider Type. Enter the Project ID. Choose to upload credentials; use the nullstone.json file created in the previous step.

FINISH

In the Nullstone UI, make sure to Test Connection before proceeding.

Management console

Follow this link to begin creating a Service Account: https://console.cloud.google.com/iam-admin/serviceaccounts/create.

DANGER

Make sure to select the desired project in the header bar. If not, you may create a service account for the wrong Google Cloud project. Admins usually configure projects to map a single project to a single environment (e.g. dev, staging, prod).

Create Service Account

Enter nullstone in "Service account name" and Nullstone Agent in "Service account description". Click "Create and Continue" to proceed to Step 2.

Create ServiceAccount - Step 1

Add Role to Service Account

In Step 2, add the Editor role listed under Basic. Click "Continue" to proceed to Step 3.

Create ServiceAccount - Step 2

Create Service Account Key

You can skip Step 3 by clicking "Done". Next, we need to create a Service Account Key. In the Service accounts list, click on the service account we just created. Navigate to the "KEYS" tab and click "ADD KEY" (Create new key). Leave the default "JSON" option selected and click Create.

Enable Service Usage and Cloud Resource Manager APIs

Enable Service Usage and Cloud Resource Manager APIs for the project so that Nullstone can retrieve metadata about the project.

Visit Service Usage API.

Make sure the correct project is listed in the header! Click Enable.

Enable Service Usage API - Step 3

Visit Cloud Resource Manager API.

Make sure the correct project is listed in the header! Click Enable.

Enable CloudResourceManager - Step 3

Configure Nullstone

Finally, let's create a provider in Nullstone and upload the service account keys. Visit Nullstone and navigate to Org Settings (bottom left) > Providers Tab. Once there, click "Configure New Provider" in the top right to open a dialog.

Select gcp for Provider Type. Enter the Project ID. Choose to upload credentials; use the downloaded key file created in the previous step.

FINISH

In the Nullstone UI, make sure to Test Connection before proceeding.