GCP Environments
Applies to: IBM StreamSets as a Service
A Google Cloud Platform (GCP) environment represents the Google virtual private cloud (VPC) network in your Google Cloud account where engines are deployed.
Your GCP administrator must designate a project for the resources, create a VPC network in the project, and configure Google Cloud credentials for Control Hub to use. You then create a GCP environment in Control Hub that represents the VPC network. When you activate the environment, Control Hub connects to the project and VPC network using the configured credentials, provisions the Google Cloud resources needed to run engines, and deploys engine instances to those resources.
While the environment is in an active state, Control Hub periodically verifies that the project and VPC network exist and that the credentials are valid. Control Hub does not provision resources in the VPC network until you create and start a deployment for this environment.
Before you create a GCP environment, your Google Cloud administrator must complete several prerequisites.
Feature Versions
At this time, GCP environments include the initial GCP_2021_06_01 feature version that includes all available features for GCP environments and deployments.
Prerequisites
The prerequisites require logging into IBM StreamSets to retrieve information generated for the organization.
You first must invite your Google Cloud administrator to join your organization. You can invite the administrator using the default role assignments, or you can modify the role assignments to grant the administrator the Environment Manager role only.
- Designate a Google Cloud project for the Google Cloud resources that Control Hub provisions. Then, enable the required Google APIs on the project.
- Create a Google VPC network in the designated project for the IBM StreamSets GCP environment to use.
- Configure the Google Clouds credentials that Control Hub uses to access and provision resources in your project.
- Create instance service accounts to associate with the provisioned VM instances.
Designate a Project and Enable Google APIs
Designate a Google Cloud project for the resources that Control Hub provisions. You can use an existing project or create a new project. You'll select this project when you create the IBM StreamSets GCP environment.
For instructions on creating or managing Google Cloud projects, see the Google Cloud Resource Manager documentation.
- Cloud Resource Manager API
- Compute Engine API
- Identity and Access Management (IAM) API
- Cloud Deployment Manager V2 API
- Secret Manager API
- Service Usage API
gcloud
command line tool. For instructions
on using other methods, such as using the Google Cloud Console, see the Google Cloud Endpoints documentation.- Run the following
gcloud
command to set your designated project as the current project:gcloud config set project <PROJECT_ID>
- Run the following command to view the list of Google APIs currently enabled on the
project:
gcloud services list
- Run the following command to enable the required APIs on the
project:
gcloud services enable cloudresourcemanager.googleapis.com compute.googleapis.com iam.googleapis.com deploymentmanager.googleapis.com secretmanager.googleapis.com serviceusage.googleapis.com
Create a Google VPC Network
Create a Google virtual private cloud (VPC) network in your designated Google Cloud project. Or, create a shared VPC network in a host project and then attach your designated project to the host project. For more information on shared VPC networks, see the Google Cloud VPC documentation.
You can use an existing VPC network. However, as a best practice, create a new VPC network for the exclusive use of each IBM StreamSets GCP environment.
You can use private or public subnets within the VPC network, as long as the subnets can send outbound traffic to the internet.
For instructions on creating a VPC network and on allowing subnets internet access, see the Google Cloud VPC documentation.
Firewall Rules
Define the required firewall rules for the VPC network.
- Inbound and outbound connections required by IBM StreamSets engines, as described in Firewall Configuration.
- Outbound connections to Google Secret Manager. Add the IP address of the
https://secretmanager.googleapis.com
host as an allowed destination.For the list of Google Cloud IP addresses, see this Google support article.
You can define the firewall rules for the entire VPC network. Or, you can apply network tags to the firewall rules. Network tags allow you to apply firewall rules to specific VM instances within the network.
When you configure a GCE deployment for the environment, you specify the network tags to use for the provisioned VM instances. For more information on configuring network tags, see the Google Cloud VPC documentation.
Optionally Create a Cloud NAT Gateway
By default, Control Hub provisions Google Cloud VM instances with external IP addresses.
If your GCP project does not allow externally accessible IP addresses, create a Cloud NAT gateway for the VPC network in the region that you plan to provision Google Cloud resources. A Cloud NAT gateway provides outgoing connectivity for Compute Engine VM instances without external IP addresses. For more information on Cloud NAT gateways, see the Google Cloud NAT documentation.
When you configure a GCE deployment for the environment, you specify that the deployment provision VM instances without external IP addresses in the Configure GCE SSH Access step.
Configure Google Cloud Credentials
You can grant Control Hub access to your Google Cloud project using service account impersonation or a service account key. Control Hub uses the credentials to access and provision resources in the project. Use service account impersonation for production.
- Create an IAM service account and add IAM roles to the account to delegate limited access to Control Hub. Create the service account with the same roles when using either credential type.
- Allow Control Hub to impersonate the service account, or create the service account key that Control Hub uses.
Create a Service Account
For either credential type, create a service account in Google Cloud that delegates limited access to Control Hub.
The service account requires the following IAM roles:
- Compute Network Viewer role
- Deployment Manager Editor role, with a condition that limits access to resources provisioned by Control Hub
- Service Account User role
- Secret Manager Admin role, with a condition that limits access to resources provisioned by Control Hub
gcloud
command line tool. For instructions on
using other methods, such as using the Google Cloud Console, see the Google Cloud IAM documentation.-
To use service account impersonation, first retrieve the unique service account
name generated for your Control Hub organization.
Important: Using the generated service account name prevents the confused deputy problem and ensures that Control Hub can impersonate this service account only when acting on behalf of your organization.
If using a service account key, skip this step.
-
Run the following
gcloud
command to create a new service account with a display name of StreamSets Service Account:gcloud iam service-accounts create <SA_NAME> --display-name="StreamSets Service Account"
To use service account impersonation, replace the <SA_NAME> parameter with the generated service account name that you retrieved from Control Hub.
To use a service account key, replace the <SA_NAME> parameter with an alphanumeric ID that meets the naming requirements for Google Cloud service accounts, as described in the Google Cloud IAM documentation. For example, you might enter the name streamsets-service-account.
-
To grant the service account the Compute Network Viewer role on your project,
run the following command:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=roles/compute.networkViewer
Replace the following parameters in the command:
Parameter Replacement Value <PROJECT_ID> ID of the project designated for the IBM StreamSets GCP environment. <SA_NAME> When using service account impersonation, the service account name that you retrieved from Control Hub. When using a service account key, the name that you used to create the service account.
-
To grant the service account the Deployment Manager Editor role with the
required condition, run the following command:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=roles/deploymentmanager.editor --condition=expression=resource.name.startsWith\(\"projects/<PROJECT_ID>/global/deployments/streamsets-\"\),title="StreamSets Limited"
Replace the parameters as described above.
-
To grant the service account the Service Account User role, run the following
command:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=roles/iam.serviceAccountUser
Replace the parameters as described above.
-
To grant the service account the Secret Manager Admin role with the required
condition, run the following command:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=roles/secretmanager.admin --condition=expression=resource.name.startsWith\(\"projects/<PROJECT_NUMBER>/secrets/StreamSets-Deployment-Token-\"\),title="StreamSets Limited"
Replace the parameters as described above. Replace the <PROJECT_NUMBER> parameter with the number of the project designated for the GCP environment.
Use the Service Account for Impersonation
To use service account impersonation as the credential type, add Control Hub as a member of the service account that you created. This allows Control Hub to impersonate the service account to perform tasks in your Google Cloud project.
gcloud
command line tool. For instructions on using other
methods, such as using the Google Cloud Console, see the Google Cloud IAM documentation.gcloud
command to add the Control Hub service account as a member of this service account:
gcloud iam service-accounts add-iam-policy-binding <SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --member=serviceAccount:streamsets@streamsets-gcp-bridge.iam.gserviceaccount.com --role=roles/iam.serviceAccountTokenCreator
Replace the following parameters in the command:
Parameter | Replacement Value |
---|---|
<SA_NAME> | Service account name that you retrieved from Control Hub. |
<PROJECT_ID> | ID of the project designated for the IBM StreamSets GCP environment. |
<SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
, when you
create the GCP environment in Control Hub.Use the Service Account Key
To use service account key as the credential type, create a key for the service account that you created. Control Hub uses the key to perform tasks in your Google Cloud project.
gcloud
command line tool,
see the Google Cloud IAM documentation. - In the Google Cloud Console, go to the Service Accounts page.
- Select the project designated for the IBM StreamSets GCP environment.
- Click the email address of the service account that you want to create a key for.
- Click the Keys tab.
- Click .
-
Select JSON as the Key type, and
then click Create.
The service account key file downloads. You will enter the full contents of this key file when you create the GCP environment in Control Hub.
Create Instance Service Accounts for VM Instances
Create instance service accounts for Google Compute Engine VM instances. When Control Hub provisions VM instances for a GCE deployment belonging to this environment, it associates these instance service accounts with the VM instances.
Instance service accounts require the Secret Manager Secret Accessor role with a condition that limits access to resources provisioned by Control Hub.
In addition, when GCE deployments managed by this environment are configured to use an external resource archive file stored in a private Google Cloud Storage bucket, the service account requires the Storage Legacy Object Reader role with a condition that limits access to the bucket containing the archive file.
- Configure a default instance service account for the environment
- Configure a default instance service account for the parent GCP environment. When you create a GCE deployment for this environment, you can simply use the default instance service account configured for the environment.
- Configure a unique instance service account for each deployment
- Do not configure a default instance service account for the parent GCP environment. When you create a GCE deployment for this environment, you must configure the instance service account to use for the deployment.
- Configure a default instance service account and override as needed
- Configure a default instance service account for the parent GCP environment. When you create a GCE deployment for this environment, you can use the default instance service account configured for the environment, or you can override the default and configure a different instance service account for the deployment to use.
gcloud
command line tool. For instructions on using
other methods, such as using the Google Cloud Console, see the Google Cloud Compute Engine
documentation.-
Run the following
gcloud
command to create a new instance service account with a display name of StreamSets Instance Service Account:
Replace the <INSTANCE_SA_NAME> parameter with an alphanumeric ID that meets the naming requirements for Google Cloud service accounts, as described in the Google Cloud IAM documentation. For example, you might enter streamsets-instance-sa.gcloud iam service-accounts create <INSTANCE_SA_NAME> --display-name="StreamSets Instance Service Account"
-
To grant the instance service account the Secret Manager Secret Accessor role
with the required condition, run the following command:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<INSTANCE_SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=roles/secretmanager.secretAccessor --condition=expression=resource.name.startsWith\(\"projects/<PROJECT_NUMBER>/secrets/StreamSets-Deployment-Token-\"\),title="StreamSets Limited"
Replace the following parameters in the command:
Parameter Replacement Value <PROJECT_ID> ID of the project designated for the IBM StreamSets GCP environment. <INSTANCE_SA_NAME> Name that you used to create the instance service account. <PROJECT_NUMBER>
Number of the project designated for the IBM StreamSets GCP environment. -
Optionally, to grant the service account the Storage Legacy Object Reader role
when GCE deployments managed by this environment are configured to use an
external resource archive file stored in a private Google Cloud Storage bucket,
run the following command:
gcloud projects add-iam-policy-binding <PROJECT_ID> --member=serviceAccount:<INSTANCE_SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com --role=roles/storage.legacyObjectReader --condition=expression=resource.name.startsWith\(\"projects/_/buckets/<BUCKET_NAME>/\"\),title="StreamSets Limited"
Replace the parameters as described above.
For more information about configuring external resources for deployments, see External Resources.
-
Grant the instance service account any additional roles required by the IBM StreamSets engines running on the VM instances.
For example, if your pipelines process Google Cloud Storage data, grant the appropriate Cloud Storage roles as well.
- To use a unique instance service account for each deployment, simply repeat these steps to create another instance service account.
Configuring a GCP Environment
Configure a Google Cloud Platform (GCP) environment to define where to deploy IBM StreamSets engines in your Google Cloud project.
To create a new environment, click Create Environment icon: . Or, if you saved an incomplete environment when you retrieved the information required by the prerequisites, simply edit that environment. in the Navigation panel, and then click the
To edit an existing environment, click Edit.
in the Navigation panel, click the environment name, and then clickDefine the Environment
Define the environment essentials, including the environment name and type, and optional tags to identify similar environments.
-
Configure the following properties:
Define Environment Property Description Environment Name Name of the environment. Use a brief name that informs your team of the environment use case.
Environment Type Select Google Cloud Platform (GCP). Once saved, you cannot change the environment type.
Environment Tags Optional tags that identify similar environments within Control Hub. Use environment tags to easily search and filter environments. Enter nested tags using the following format:
<tag1>/<tag2>/<tag3>
Feature Version Feature version to use for the environment and all deployments created for the environment. Each feature version typically requires different permissions or a restart of engines belonging to the deployments.
When creating a new environment, use the latest feature version. When a new feature version is available, change your existing environments to use the new feature version as soon as possible.
-
Optionally, click Show Advanced Options and configure
the following advanced property:
Define Environment Advanced Property Description Allow Nightly Builds Allows deployments for this environment to use nightly engine builds in addition to released engine versions. Nightly builds are for testing features under development and should not be used in production systems.
The version number of a nightly build includes a -SNAPSHOT suffix and the build number. For example, 5.2.0-SNAPSHOT (Build 1013).
-
If creating the environment, click one of the following buttons:
- Cancel - Cancels creating the environment and exits the wizard.
- Save & Next - Saves the environment and continues.
- Save & Exit - Saves the environment and exits the wizard, displaying the incomplete environment in the Environments view.
Configure GCP Credentials
-
Configure the following properties:
Credentials Property Description Credential Type Type of credentials to authenticate with Google Cloud: - Service Account Impersonation
- Service Account Key
Important: Use service account impersonation for production.Service Account Email Email of the service account created as an environment prerequisite by your Google Cloud administrator. Enter using the following format: <SA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
Required when using service account impersonation to authenticate with Google Cloud.
Account Key JSON Full contents of the service account key file created and downloaded as an environment prerequisite by your Google Cloud administrator. Required when using a service account key to authenticate with Google Cloud.
Default Instance Service Account Optional instance service account to associate with the VM instances provisioned for all deployments belonging to this environment. Select the instance service account created as an environment prerequisite by your Google Cloud administrator. If you do not define a default instance service account, then you must define an instance service account when you create a deployment for this environment.
-
If creating the environment, click one of the following buttons:
- Back - Returns to the previous step in the wizard.
- Save & Next - Saves the environment and continues.
- Save & Exit - Saves the environment and exits the wizard, displaying the incomplete environment in the Environments view.
Configure the GCP Project
Select the GCP project prepared as a prerequisite by your Google Cloud administrator.
- Select the GCP project designated for the IBM StreamSets environment.
-
If creating the environment, click one of the following buttons:
- Back - Returns to the previous step in the wizard.
- Save & Next - Saves the environment and continues.
- Save & Exit - Saves the environment and exits the wizard, displaying the incomplete environment in the Environments view.
Select the GCP VPC
Select the VPC network created as a prerequisite by your Google Cloud administrator, and optionally define GCP labels to apply to provisioned GCP resources.
-
Configure the following properties:
GCP VPC Property Description VPC ID ID of the Google VPC network created as an environment prerequisite by your Google Cloud administrator. GCP Labels Labels to apply to all Google Cloud resources provisioned for this environment. Enter the labels as key-value pairs. For label naming requirements, see the Google Cloud Compute Engine documentation.
You can define the labels using simple or bulk edit mode. In simple edit mode, click Add to define additional labels. In bulk edit mode, configure labels in JSON format.
Important: These labels are applied to Google Cloud resources, not to Control Hub environments. -
If creating the environment, click one of the following buttons:
- Back - Returns to the previous step in the wizard.
- Save & Next - Saves the environment and continues.
- Save & Exit - Saves the environment and exits the wizard, displaying the incomplete environment in the Environments view.
Share the Environment
By default, the environment can only be seen by you. Share the environment with other users and groups to grant them access to it.
- In the Select Users and Groups field, type a user email address or a group name.
-
Select users or groups from the list, and then click
Add.
The added users and groups display in the User / Group table.
-
Modify permissions as needed. By default, each added user
or group is granted the following permissions:
- Read - View the details of the environment. Create and edit a deployment for the environment.
- Write - Edit, activate, deactivate, and delete the environment.
For more information, see Environment Permissions.
-
Click one of the following buttons:
- Back - Returns to the previous step in the wizard.
- Save & Next - Saves the environment and continues.
- Save & Exit - Saves the environment and exits the wizard, displaying the incomplete environment in the Environments view.
Review and Activate the Environment
You've successfully finished creating the environment. Activate the environment so that you can create deployments for the environment.
- Exit - Saves the environment and exits the wizard, displaying the Deactivated environment in the Environments view.
- Activate & Add Deployment - Activates the environment and opens the deployment wizard so that you can create a deployment for the environment.
- Activate & Exit - Activates the environment and exits the wizard, displaying the Active environment in the Environments view.