From 54a91447bf9e873c7bbd7066d5f5ba8dae2d6064 Mon Sep 17 00:00:00 2001 From: Bruno Tavares Date: Sun, 28 Oct 2018 03:35:43 -0300 Subject: [PATCH] Add documentation on how to setup GCE accounts (#1164) * Add documentation on how to setup GCE accounts This commit adds the steps needed to create a credential with the needed access on Google Cloud Platform to be able to successfully create a new algo VPN. Related to: - https://github.com/trailofbits/algo/issues/682 - https://github.com/trailofbits/algo/issues/658 * Adds links on main README to GCP * Adds link to Ansible documentation * Update cloud-gce.md --- README.md | 1 + docs/cloud-gce.md | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+) create mode 100644 docs/cloud-gce.md diff --git a/README.md b/README.md index ccd21c4..68b2648 100644 --- a/README.md +++ b/README.md @@ -195,6 +195,7 @@ After this process completes, the Algo VPN server will contains only the users l - Configure [Amazon EC2](docs/cloud-amazon-ec2.md) - Configure [Azure](docs/cloud-azure.md) - Configure [DigitalOcean](docs/cloud-do.md) + - Configure [Google Cloud Platform](docs/cloud-gce.md) * Advanced Deployment - Deploy to your own [FreeBSD](docs/deploy-to-freebsd.md) server - Deploy to your own [Ubuntu 18.04](docs/deploy-to-ubuntu.md) server diff --git a/docs/cloud-gce.md b/docs/cloud-gce.md new file mode 100644 index 0000000..fe43c43 --- /dev/null +++ b/docs/cloud-gce.md @@ -0,0 +1,41 @@ +# Google Cloud Platform setup + +Follow the [installation instructions](https://cloud.google.com/sdk/) to have the CLI commands to interact with Google. + +After creating an account and installing, login in on your account using `gcloud init` + +### Creating a project + +The recommendation on GCP is to group resources on **Projets**, so we will create one project to put our VPN server and service account restricted to it. + +```bash +## Create the project to group the resources +### You might need to change it to have a global unique project id +PROJECT_ID=${USER}-algo-vpn +BILLING_ID="$(gcloud beta billing accounts list --format="value(ACCOUNT_ID)")" + +gcloud projects create ${PROJECT_ID} --name algo-vpn --set-as-default +gcloud beta billing projects link ${PROJECT_ID} --billing-account ${BILLING_ID} + +## Create an account that have access to the VPN +gcloud iam service-accounts create algo-vpn --display-name "Algo VPN" +gcloud iam service-accounts keys create configs/gce.json \ + --iam-account algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com +gcloud projects add-iam-policy-binding ${PROJECT_ID} \ + --member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ + --role roles/compute.admin +gcloud projects add-iam-policy-binding ${PROJECT_ID} \ + --member serviceAccount:algo-vpn@${PROJECT_ID}.iam.gserviceaccount.com \ + --role roles/iam.serviceAccountUser + +## Enable the services +gcloud services enable compute.googleapis.com + +./algo -e "provider=gce" -e "gce_credentials_file=$(pwd)/configs/gce.json" + +``` + +**Attention:** take care of the `configs/gce.json` file, which contains the credentials to manage your Google Cloud account, including create and delete servers on this project. + + +There are more advanced arguments available for deploynment [using ansible](deploy-from-ansible.md)