Configuring GCP SDN Connector using service account
See the FortiOS Administration Guide.
Custom role permission guideline
The following is a least-privilege guideline for a custom role when using a GCP SDN connector with a service account for high availability (HA):
- compute.addresses.get
- compute.addresses.use
- compute.instances.addAccessConfig
- compute.instances.deleteAccessConfig
- compute.instances.get
- compute.instances.list
- compute.instances.updateNetworkInterface
- compute.networks.updatePolicy
- compute.networks.useExternalIp
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.routes.create
- compute.routes.delete
- compute.routes.get
- compute.routes.list
This list is a guideline and covers only the operation of HA between two FortiGate-VMs in single-zone and multizone deployments. It allows moving a single public IP address from the primary FortiGate to the secondary and updating the GCP routing table referenced in the FortiOS SDN connector configuration. The custom role Identity and Access Management (IAM) permissions you need vary depending on your environment.
The predefined Compute Admin role includes the aforementioned IAM permissions. See IAM permissions reference.
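The following is an added example, not part of the FortiOS guide, that turns the permission list above into a custom role with gcloud, binds it to the FortiGate service account, and audits an existing role's permission set against the guideline so that extra (over-privileged) or missing permissions are reported. PROJECT_ID, SA_EMAIL and ROLE_ID are placeholder values for your environment.

```shell
#!/bin/sh
# Added example, not from the FortiOS guide: least-privilege custom role for the
# GCP SDN connector HA use case, plus an audit of an existing role against it.
# PROJECT_ID, SA_EMAIL and ROLE_ID are placeholders; override them in the environment.
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
SA_EMAIL="${SA_EMAIL:-fortigate-ha@my-gcp-project.iam.gserviceaccount.com}"
ROLE_ID="${ROLE_ID:-fortigate_ha_sdn}"
# The 15 permissions from the guideline, one per line.
HA_PERMISSIONS='compute.addresses.get
compute.addresses.use
compute.instances.addAccessConfig
compute.instances.deleteAccessConfig
compute.instances.get
compute.instances.list
compute.instances.updateNetworkInterface
compute.networks.updatePolicy
compute.networks.useExternalIp
compute.subnetworks.use
compute.subnetworks.useExternalIp
compute.routes.create
compute.routes.delete
compute.routes.get
compute.routes.list'
# Comma-joined form taken by 'gcloud iam roles create --permissions'.
ha_permissions_csv() { printf '%s' "$HA_PERMISSIONS" | tr '\n' ','; echo; }
# gcloud commands to create the custom role and grant it to the service account.
create_role_cmd() {
    printf 'gcloud iam roles create %s --project=%s --title="FortiGate HA SDN connector" --stage=GA --permissions=%s\n' \
        "$ROLE_ID" "$PROJECT_ID" "$(ha_permissions_csv)"
}
bind_role_cmd() {
    printf 'gcloud projects add-iam-policy-binding %s --member=serviceAccount:%s --role=projects/%s/roles/%s\n' \
        "$PROJECT_ID" "$SA_EMAIL" "$PROJECT_ID" "$ROLE_ID"
}
# Audit: read a role's actual permissions on stdin, one per line (e.g. the
# includedPermissions of 'gcloud iam roles describe' split into lines), and
# print MISSING:/EXTRA: lines against the guideline. Returns 1 on any difference.
audit_role_permissions() {
    exp=$(mktemp) && act=$(mktemp) || return 2
    printf '%s\n' "$HA_PERMISSIONS" | sort -u > "$exp"
    sort -u > "$act"
    diff=$( { comm -23 "$exp" "$act" | sed 's/^/MISSING: /'; comm -13 "$exp" "$act" | sed 's/^/EXTRA: /'; } )
    rm -f "$exp" "$act"
    [ -z "$diff" ] || { printf '%s\n' "$diff"; return 1; }
}
# Print the commands for review; pipe the output to sh only after checking them.
create_role_cmd
bind_role_cmd
```

The audit is the check to run periodically: a FortiGate service account that accumulates permissions beyond this list (for example instance deletion) widens the blast radius if the VM or its token is compromised.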
API calls
The SDN connector uses API calls to GCP API endpoints respective to its function. You can review the methods, calls, and error codes by using the following diagnostics commands:
| Command | Description |
|---|---|
| diagnose debug reset | Clears filters or previous diagnostic configuration in the console or SSH session. |
| diagnose debug console timestamp enable | Enables timestamps on console output messages. |
| diagnose debug enable | Enables diagnostic output to the console. |
| diagnose debug application gcpd -1 | Selects the GCP daemon (SDN connector) for debug output. |
For information about creating a GCP SDN connector, see GCP SDN connector using service account.
The following are references for running a VM with a service account: