Getting Started

Opal can quickly get your team up and running with temporary access to Google Cloud! We're still expanding our GCP offering, but for now we support the following services:

Supported Services

  • Projects: Request and grant read and write access to GCP Projects and all the resources in them.

  • Folders: Request and grant read and write access to GCP Folders and all the resources in them.

  • Storage buckets: Request and grant read and write access to storage buckets.

  • SQL Instances: Request and grant read and write access to SQL instances.

  • Google Kubernetes Engine (GKE): Request and grant read and write access to Kubernetes clusters. For access at the project level, please follow the instructions below. For access at the cluster level, please follow these instructions instead.

Setup

Create a service account

In order for Opal to manage your Google Groups on your behalf, we'll need you to create a service account with proper permission scopes.

  • Open the Service accounts page. If prompted, select a project.

  • Click + Create Service Account. Enter a name and description for the service account. When done click Create.

  • The Service account permissions section that follows is not required. Click Continue.

  • On the Grant users access to this service account screen, click Done.

  • Select the new service account.

  • Click the Keys tab.

  • Click the Add key drop-down menu, then select Create new key.

  • Select JSON as the Key type and click Create.

  • Your new public/private key pair is generated and downloaded to your machine.

  • Click Close on the Private key saved to your computer dialog, then return to the table of your service accounts.

  • Make a copy of the full email of the service account.

Let's now create a custom role in IAM.

  • Select the organization level at the top.

  • Click + Create Role.

  • Give it a title, ID and set the launch stage to General Availability.

  • Click + Add Permissions.

  • Add the following permissions:

      iam.roles.get
      iam.roles.list
      resourcemanager.folders.get
      resourcemanager.folders.getIamPolicy
      resourcemanager.folders.list
      resourcemanager.folders.setIamPolicy
      resourcemanager.projects.get
      resourcemanager.projects.getIamPolicy
      resourcemanager.projects.list
      resourcemanager.projects.setIamPolicy
      storage.buckets.get
      storage.buckets.getIamPolicy
      storage.buckets.list
      storage.buckets.setIamPolicy
      cloudsql.instances.get
      cloudsql.instances.list

  • Click Create.

Then open the Resource Manager page.

  • Select the top-level organization.

  • On the right side, click Add Member.

  • Enter the service account email, and select the new custom role. Then click Save.

Your service account now has organization-wide access to the Google IAM API, limited to the permissions in the custom role.
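The same setup as a gcloud script, added here as an example (this is not Opal's or Google's own tooling). It creates the service account and JSON key, defines the custom role at the organization level with exactly the permissions listed above, binds the role to the service account, and then reads the role back to confirm it carries no more and no fewer permissions than documented. ORG_ID, PROJECT_ID, SA_NAME, ROLE_ID and the role title are placeholders you set yourself; the `gcloud` calls only run when you pass `apply`.

```shell
#!/bin/sh
# Added example (not Opal's own tooling): the console steps above as a gcloud
# script, plus an offline check that the custom role carries exactly the
# documented permissions. ORG_ID, PROJECT_ID, SA_NAME and ROLE_ID are
# placeholders; set them in the environment before running with "apply".
set -eu

ORG_ID="${ORG_ID:-000000000000}"          # placeholder: your organization ID
PROJECT_ID="${PROJECT_ID:-my-project}"    # placeholder: project that hosts the SA
SA_NAME="${SA_NAME:-opal-gcp-access}"     # assumed service account name
ROLE_ID="${ROLE_ID:-opalAccessManager}"   # assumed custom role ID

# The permission list from this page, one per line, no more and no less.
OPAL_PERMISSIONS='iam.roles.get
iam.roles.list
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.list
storage.buckets.setIamPolicy
cloudsql.instances.get
cloudsql.instances.list'

# Write the role definition in the YAML shape `gcloud iam roles create --file`
# reads (title, description, launch stage, includedPermissions).
write_role_yaml() {
  {
    printf 'title: "Opal Access Manager"\n'
    printf 'description: "Lets Opal read and update IAM policy on folders, projects and buckets"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    printf '%s\n' "$OPAL_PERMISSIONS" | sed 's/^/- /'
  } > "$1"
}

# Compare the includedPermissions of a role, as printed by `gcloud iam roles
# describe`, with the documented list. Prints every extra or missing permission
# and returns non-zero if the sets differ, so a role that has drifted from the
# documented least-privilege set is caught before the binding is granted.
check_role_permissions() {
  expected_file=$(mktemp)
  actual_file=$(mktemp)
  printf '%s\n' "$OPAL_PERMISSIONS" | sort > "$expected_file"
  printf '%s\n' "$1" | sed -n 's/^- //p' | sort > "$actual_file"
  extra=$(comm -13 "$expected_file" "$actual_file")
  missing=$(comm -23 "$expected_file" "$actual_file")
  rm -f "$expected_file" "$actual_file"
  if [ -n "$extra" ]; then
    printf 'EXTRA permission(s) not in the documented role:\n%s\n' "$extra"
  fi
  if [ -n "$missing" ]; then
    printf 'MISSING permission(s) from the documented role:\n%s\n' "$missing"
  fi
  [ -z "$extra" ] && [ -z "$missing" ]
}

# Service account, key, custom role at the organization level, binding, then an
# audit read-back. Only runs when invoked with "apply" and gcloud is installed.
apply_with_gcloud() {
  sa_email="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Opal access management"
  # The JSON key is the credential you hand to Opal; keep it out of source control.
  gcloud iam service-accounts keys create ./opal-sa-key.json --iam-account="$sa_email"
  gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$1"
  gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:${sa_email}" \
    --role="organizations/${ORG_ID}/roles/${ROLE_ID}"
  check_role_permissions "$(gcloud iam roles describe "$ROLE_ID" --organization="$ORG_ID")"
}

main() {
  role_file="${ROLE_FILE:-${TMPDIR:-/tmp}/opal-role.yaml}"
  write_role_yaml "$role_file"
  echo "Role definition written to $role_file"
  if [ "${1:-}" = "apply" ] && command -v gcloud >/dev/null 2>&1; then
    apply_with_gcloud "$role_file"
  fi
}
main "$@"
```

Run it as `ORG_ID=... PROJECT_ID=... sh opal-gcp-setup.sh apply`. Without `apply` it only writes the role YAML, which is useful on its own for review before anything is created. The read-back at the end is the part worth keeping in a periodic job: because the binding is organization-wide, any permission later added to the role (for example an organization-level setIamPolicy) would extend Opal's reach to the whole organization, and the check flags that drift.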


❗️Enable Opal for access management

If you want to use Opal to manage access to GCP resources, you will also need to enable the Manage resources and groups from Opal setting on the Admin page. You can read more about how to do that here.
