GCP Administration Guide

Configuring GCP SDN Connector using service account

See the FortiOS Administration Guide.

Custom role permission guideline

The following provides the least privileged guideline for a custom role when using a GCP SDN connector with a service account for high availability (HA):

  • compute.addresses.get
  • compute.addresses.use
  • compute.instances.addAccessConfig
  • compute.instances.deleteAccessConfig
  • compute.instances.get
  • compute.instances.list
  • compute.instances.updateNetworkInterface
  • compute.networks.updatePolicy
  • compute.networks.useExternalIp
  • compute.subnetworks.use
  • compute.subnetworks.useExternalIp
  • compute.routes.create
  • compute.routes.delete
  • compute.routes.get
  • compute.routes.list

Note

This list is a guideline and focuses on the operation of HA between two FortiGate-VMs in a single zone and multizone deployment only. It allows for moving a single public IP address from the primary FortiGate to the secondary and updating the referenced GCP routing table in the FortiOS SDN connector configuration. Your custom role Identity and Access Management (IAM) permissions vary depending on your environment.

Note

The predefined Compute Admin role includes the aforementioned IAM permissions. See IAM permissions reference.
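As an added example (not Fortinet's own code or tooling), the following Python script audits an existing custom role against the fifteen permissions listed above, reporting permissions the role lacks and permissions it grants beyond the guideline, and renders a role definition file for `gcloud iam roles create`. The role JSON is a constructed sample in the shape returned by `gcloud iam roles describe ... --format=json`; the project name, role name and surplus permissions in it are invented for the demonstration.

```python
"""Least-privilege audit for a GCP custom role used by the FortiGate SDN
connector (example added to this guide, not Fortinet code)."""
import json

# The 15 permissions from the custom role guideline above.
REQUIRED_PERMISSIONS = frozenset({
    "compute.addresses.get",
    "compute.addresses.use",
    "compute.instances.addAccessConfig",
    "compute.instances.deleteAccessConfig",
    "compute.instances.get",
    "compute.instances.list",
    "compute.instances.updateNetworkInterface",
    "compute.networks.updatePolicy",
    "compute.networks.useExternalIp",
    "compute.subnetworks.use",
    "compute.subnetworks.useExternalIp",
    "compute.routes.create",
    "compute.routes.delete",
    "compute.routes.get",
    "compute.routes.list",
})

# Constructed sample shaped like `gcloud iam roles describe ... --format=json`:
# one route permission is missing and two unneeded permissions are granted.
SAMPLE_ROLE_JSON = json.dumps({
    "name": "projects/example-project/roles/fortigateHaConnector",
    "includedPermissions": sorted(
        (REQUIRED_PERMISSIONS - {"compute.routes.delete"})
        | {"compute.instances.delete", "compute.firewalls.update"}
    ),
})


def audit_role(role_json: str) -> dict:
    """Report required permissions the role lacks and granted ones it does not need."""
    granted = set(json.loads(role_json).get("includedPermissions", []))
    return {
        "missing": sorted(REQUIRED_PERMISSIONS - granted),
        "excess": sorted(granted - REQUIRED_PERMISSIONS),
        "least_privilege": granted == REQUIRED_PERMISSIONS,
    }


def role_definition_yaml(title: str) -> str:
    """Render a role file for `gcloud iam roles create ROLE_ID --project P --file`."""
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(REQUIRED_PERMISSIONS)]
    return "\n".join(lines) + "\n"
```

Running the audit against the real role before attaching it to the FortiGate service account catches both failure modes: a missing permission surfaces as an API error in the gcpd debug output during failover, while excess permissions widen what a compromised FortiGate could do in the project.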

API calls

The SDN connector makes API calls to the GCP API endpoints appropriate to each of its functions. You can review the methods, calls, and error codes with the following diagnostic commands:

  • diagnose debug reset: Clears filters or previous diagnostic configuration in the console or SSH session.
  • diagnose debug console timestamp enable: Enables timestamps on console output messages.
  • diagnose debug enable: Enables diagnostic output to the console.
  • diagnose debug application gcpd -1: Selects the GCP daemon (gcpd), which implements the SDN connector, for debug output; -1 enables all debug levels.

Note

For information about creating a GCP SDN connector, see GCP SDN connector using service account.

The following are references for running a VM with a service account:
