Version: 0.7

GCP Project Automation

Overview

To enable Kore's GCP Project Automation feature, we need to create a service account for Kore, and give that service account the relevant permissions to allow it to create and manage GCP projects in your GCP organization. This page provides detailed instructions for these steps.

Pre-requisites

In order to use GCP Project Automation, you need to have an organization set up with Google Cloud Platform. See Creating and managing organizations in the Google Cloud documentation if you do not have an organization set up with GCP. You cannot use GCP Project Automation in Kore without a GCP organization.

You will also need to have an administrative GCP project created inside this organization, in which you can set up Kore's service account, as service accounts must be created inside a project.

Once you have these in place, you can now create the pre-requisites for Kore to use.

Service Account

Kore will access GCP using a service account. To create one, open the GCP console and navigate to 'IAM & Admin' in your administrative GCP project (not in the organization). Choose 'Service Accounts', then 'Create service account'. Give it a name (e.g. 'kore-project-automation'), but do not grant it any access to the administrative project, nor grant any users access to it.

Once created, select the service account and choose 'Add key', generating a key in JSON format.

Warning

Take care with this file: it contains the secret values required to act as this service account. You must give this information to Kore (see below), after which we recommend removing any local copy of the file. Do not share or store this file once it has been given to Kore; you can always add a new key if you need to re-enter this information into Kore later.

Allow service account to manage GCP Projects

In order to create and manage projects under a GCP organization, you need to grant the service account created above the following roles on the organization:

  • Project Creator
  • Project Deleter
  • Viewer
  • Browser
  • Billing Account User
  • Security Reviewer
  • Organization Policy Viewer
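
The following is an added example, not part of Kore's documentation or tooling: a least-privilege check that compares the roles bound to the service account in an exported IAM policy against the seven roles listed above, reporting missing and unexpected grants. The role IDs are the GCP predefined role IDs for those display names; the project ID, member address and sample policy are constructed, and the same function can be run against the administrative project's policy with an empty expected set.

```python
import json
import sys

# Predefined GCP role IDs for the seven roles listed above.
REQUIRED_ORG_ROLES = {
    "roles/resourcemanager.projectCreator",  # Project Creator
    "roles/resourcemanager.projectDeleter",  # Project Deleter
    "roles/viewer",                          # Viewer
    "roles/browser",                         # Browser
    "roles/billing.user",                    # Billing Account User
    "roles/iam.securityReviewer",            # Security Reviewer
    "roles/orgpolicy.policyViewer",          # Organization Policy Viewer
}


def audit_bindings(policy, member, expected_roles):
    """Return (missing, unexpected, conditional) role IDs for `member` in an IAM policy."""
    expected, granted, conditional = set(expected_roles), set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        granted.add(binding["role"])
        if "condition" in binding:  # grant is limited by an IAM Condition
            conditional.add(binding["role"])
    return sorted(expected - granted), sorted(granted - expected), sorted(conditional)


# Constructed sample, shaped like the output of
# `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_MEMBER = ("serviceAccount:kore-project-automation"
                 "@example-admin-project.iam.gserviceaccount.com")
SAMPLE_ORG_POLICY = {"bindings": [
    {"role": role, "members": ["user:admin@example.com", SAMPLE_MEMBER]}
    for role in sorted(REQUIRED_ORG_ROLES - {"roles/orgpolicy.policyViewer"})
] + [
    {"role": "roles/owner", "members": [SAMPLE_MEMBER]},  # excess grant
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:admin@example.com"]},              # other member, ignored
]}

if __name__ == "__main__":
    # Usage: script.py POLICY_JSON MEMBER; with no arguments the sample is audited.
    use_file = len(sys.argv) > 2
    policy = json.load(open(sys.argv[1])) if use_file else SAMPLE_ORG_POLICY
    member = sys.argv[2] if use_file else SAMPLE_MEMBER
    missing, unexpected, conditional = audit_bindings(policy, member, REQUIRED_ORG_ROLES)
    print("missing:", missing)
    print("unexpected:", unexpected)
    print("conditional:", conditional)
    sys.exit(1 if missing or unexpected else 0)
```
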

Configuring GCP Organization in Kore

To configure using the UI, enter the Admin section and choose Configure > Cloud > Google Cloud Platform > Organization. Select + Add organization (for GCP Project automation).

To configure using the CLI, use kore create cloudcredentials to add the key for the service account created above, then use kore create cloudaccount to add the GCP organization.

The key pieces of information you need to provide are detailed in the table below.

Option | Description
Organization ID | Numerical identifier of the organization - from the GCP console, open the project selector dropdown where you can see the ID next to your organization
Project ID | Administrative GCP project created above
Billing account | GUID-style identifier for the billing account associated with your organization - from the GCP console, open the Billing section, where you can see the billing account ID listed

Note

Once the organization is created, an administrator should test account creation before handing it over to teams.

Closing GCP Projects created by Kore

If a GCP project is no longer in use, it has to be removed manually using the process below.

Warning

Do not close a project before it has been removed from Kore, or else it may be re-created.

Discovering unused Kore created GCP Projects

Use the UI (Admin > Configure > Cloud > Google Cloud Platform > Managed Projects) or the CLI (kore get cloudaccounts --all-managed --cloud gcp) to see all cloud accounts which have been provisioned for your teams. If you are removing a team from Kore and want to close their cloud account entirely, follow the steps below.

Removing the project from Kore

Note

Unlike with AWS or Azure, on GCP a project can be re-activated by Kore successfully shortly after it has been closed, so it is not required to delete the team or de-allocate the GCP organization in this case. However, do consider carefully whether closing the project is the correct approach where the team continues to exist.

  1. From the UI, select 'Remove from Kore', or from the CLI run kore delete cloudaccount -t teamname cloud-account-name.

  2. This will attempt to remove the project from Kore's management. If the project is in use by any team clusters, you will be informed of this and the removal will not succeed. Ensure the clusters are deleted first.

Closing a GCP project

To close a GCP project after it has been removed from Kore, follow GCP's documented procedure to delete the project via CLI, API or web console.

Last updated on Aug 5, 2021