Enable privileges

The Google Cloud environment requires certain privileges in order to import a virtual application. These privileges are:

  • roles/compute.admin
  • roles/storage.admin
  • roles/iam.serviceAccountUser
  • roles/iam.serviceAccountTokenCreator

  1. Sign in to the Google Cloud portal.
  2. Click Console.
  3. In the Console menu select APIs & Services.
  4. In the APIs and Services Dashboard, click Enable APIs and Services.
  5. In the Search window, enter Cloud Build API and click its name.
  6. Click Enable.

The project ID and project number are required to enable the privileges needed to import a virtual appliance.
To display project information, use the gcloud projects describe <project> command.
For example:

    gcloud projects describe accessgateway

Which should produce results resembling:

    createTime: '2020-01-07T21:11:56.257Z'
    lifecycleState: ACTIVE
    name: accessgateway
    projectId: accessgateway
    projectNumber: '840912134923'

To enable privileges at the command line, use the gcloud projects add-iam-policy-binding command, which should resemble:

    gcloud projects add-iam-policy-binding <projectId> \
          --member serviceAccount:<projectNumber>@cloudbuild.gserviceaccount.com \
          --role <role>

where:

  • <projectId> is the project ID
  • <projectNumber> is the project number
  • <role> is one of the required roles.

  1. Add the roles/compute.admin privilege.
    For example:

    gcloud projects add-iam-policy-binding accessgateway-264515 \
          --member serviceAccount:840912134923@cloudbuild.gserviceaccount.com \
          --role roles/compute.admin

    Which will return a result resembling:

    Updated IAM policy for project [accessgateway-264515].
    . . .
      role: roles/compute.admin
    - members:
      - serviceAccount:service-840912134923@compute-system.iam.gserviceaccount.com
    . . .
    - members:
      - user:user@tld.com
      role: roles/owner
    etag: BwWcBqsBK84=
    version: 1

  2. Repeat for roles/iam.serviceAccountUser.
    For example:

    gcloud projects add-iam-policy-binding accessgateway-264515 \
          --member serviceAccount:840912134923@cloudbuild.gserviceaccount.com \
          --role roles/iam.serviceAccountUser

  3. Repeat for roles/iam.serviceAccountTokenCreator.
    For example:

    gcloud projects add-iam-policy-binding accessgateway-264515 \
          --member serviceAccount:840912134923@cloudbuild.gserviceaccount.com \
          --role roles/iam.serviceAccountTokenCreator
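
A check for the bindings granted above, as an added example that is not part of the original page or the product's own tooling: it reads the JSON printed by gcloud projects get-iam-policy <projectId> --format=json and reports which of the four required roles the Cloud Build service account is missing, which roles it holds beyond that list, and which it holds only under a condition. The function name, script layout and sample policy are assumptions made for illustration.

```python
import json
import sys

# Roles this page lists as required for the Cloud Build service account.
REQUIRED_ROLES = {
    "roles/compute.admin",
    "roles/storage.admin",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

def audit_cloudbuild_roles(policy, project_number):
    """Return sorted (missing, extra, conditional) roles for the Cloud Build account."""
    member = f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        # A binding that carries a condition is not an unconditional grant.
        target = conditional if binding.get("condition") else granted
        target.add(binding["role"])
    missing = sorted(REQUIRED_ROLES - granted)
    extra = sorted(granted - REQUIRED_ROLES)
    return missing, extra, sorted(conditional)

# Constructed sample policy (not real output), reusing the page's example project number.
CB = "serviceAccount:840912134923@cloudbuild.gserviceaccount.com"
SAMPLE_POLICY = {"version": 3, "bindings": [
    {"role": "roles/compute.admin", "members": [CB]},
    {"role": "roles/iam.serviceAccountUser", "members": [CB]},
    {"role": "roles/storage.admin", "members": [CB],
     "condition": {"title": "constructed", "expression": "false"}},
    {"role": "roles/cloudbuild.builds.builder", "members": [CB]},
    {"role": "roles/owner", "members": ["user:user@tld.com"]},
]}

if __name__ == "__main__":
    # With an argument: read `gcloud projects get-iam-policy <projectId> --format=json` on stdin.
    if len(sys.argv) > 1:
        policy, number = json.load(sys.stdin), sys.argv[1]
    else:
        policy, number = SAMPLE_POLICY, "840912134923"
    missing, extra, conditional = audit_cloudbuild_roles(policy, number)
    print("missing required roles:", missing)
    print("roles beyond the required set:", extra)
    print("granted only under a condition:", conditional)
    sys.exit(1 if missing else 0)
```

The script exits non-zero while any required role is missing, so it can gate the import step in a deployment pipeline.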

Reference