To enable Kore's GCP Project Automation feature, we need to create a service account for Kore, and give that service account the relevant permissions to allow it to create and manage GCP projects in your GCP organization. This page provides detailed instructions for these steps.
In order to use GCP Project Automation, you need to have an organization set up with Google Cloud Platform. See Creating and managing organizations in the Google Cloud documentation if you do not have an organization set up with GCP. You cannot use GCP Project Automation in Kore without a GCP organization.
You will also need to have an administrative GCP project created inside this organization, in which you can set up Kore's service account, as service accounts must be created inside a project.
Once these are in place, you can create the prerequisites for Kore to use.
Kore will access GCP using a service account. To create one, use the GCP console: navigate to 'IAM & Admin' in your administrative GCP project (not in the organization), then choose 'Service Accounts' followed by 'Create service account'. Give it a name (e.g. 'kore-project-automation') but do not grant it any access to the administrative project, nor to any users.
Once created, select the service account and choose 'Add key', generating a key in JSON format.
Take care with this file: it contains the secret values required to act as this service account. You must give this information to Kore (see below), after which we recommend removing any local copy of the file. Do not share or store this file once it has been given to Kore; you can always add a new key if you need to re-enter this information into Kore later.
In order to create and manage projects under a GCP organization, you need to grant the service account created above the following roles on the organization:
- Project Creator
- Project Deleter
- Billing Account User
- Security Reviewer
- Organization Policy Viewer
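
To confirm the service account ended up with exactly these roles on the organization and nothing on the administrative project, the following added example (not part of Kore or its documentation) audits IAM policy JSON exported with `gcloud`. The role IDs are the GCP identifiers for the role titles listed above; the service account email and both sample policies are constructed placeholders.

```python
import json

# GCP role IDs for the five role titles listed above.
REQUIRED_ORG_ROLES = {
    "roles/resourcemanager.projectCreator",  # Project Creator
    "roles/resourcemanager.projectDeleter",  # Project Deleter
    "roles/billing.user",                    # Billing Account User
    "roles/iam.securityReviewer",            # Security Reviewer
    "roles/orgpolicy.policyViewer",          # Organization Policy Viewer
}

def load_policy(path):
    """Load output of `gcloud organizations get-iam-policy ORG_ID --format=json`
    or `gcloud projects get-iam-policy PROJECT_ID --format=json`."""
    with open(path) as fh:
        return json.load(fh)

def audit_bindings(policy, sa_email, expected_roles):
    """Report roles the service account lacks or holds beyond expected_roles."""
    member = ("serviceAccount:" + sa_email).lower()
    held, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in (m.lower() for m in binding.get("members", [])):
            held.add(binding["role"])
            if "condition" in binding:  # conditional grants may not apply everywhere
                conditional.add(binding["role"])
    expected = set(expected_roles)
    return {"missing": sorted(expected - held),
            "unexpected": sorted(held - expected),
            "conditional": sorted(conditional)}

# Constructed sample data: one required role missing, one excess role granted.
SA = "kore-project-automation@admin-project.iam.gserviceaccount.com"
_M = ["serviceAccount:" + SA]
SAMPLE_ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.projectCreator",
     "members": ["user:admin@example.com"] + _M},
    {"role": "roles/resourcemanager.projectDeleter", "members": _M},
    {"role": "roles/billing.user", "members": _M},
    {"role": "roles/iam.securityReviewer", "members": _M},
    {"role": "roles/owner", "members": _M},
]}
# The service account should hold no roles on the administrative project.
SAMPLE_PROJECT_POLICY = {"bindings": [{"role": "roles/editor", "members": _M}]}

if __name__ == "__main__":
    print("organization: ", audit_bindings(SAMPLE_ORG_POLICY, SA, REQUIRED_ORG_ROLES))
    print("admin project:", audit_bindings(SAMPLE_PROJECT_POLICY, SA, set()))
```

An empty `missing` and `unexpected` list for the organization, and an empty `unexpected` list for the administrative project, matches the setup described on this page.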
To configure using the UI, enter the Admin section and choose Configure > Cloud > Google Cloud Platform > Organization. Select + Add organization (for GCP Project automation).
The key pieces of information you need to provide are detailed in the table below.
| Field | Description |
|---|---|
| Organization ID | Numerical identifier of the organization. From the GCP console, open the project selector dropdown, where you can see the ID next to your organization. |
| Project ID | Administrative GCP project created above. |
| Billing account | GUID-style identifier for the billing account associated with your organization. From the GCP console, open the Billing section, where you can see the billing account ID listed. |
Once the organization is created, an administrator should test account creation before handing it over to teams.
If a GCP project is no longer in use, it has to be removed manually using the process below.
Do not close a project before it has been removed from Kore, or else it may be re-created.
Use the UI (Admin > Configure > Cloud > Google Cloud Platform > Managed Projects) or the CLI (`kore get cloudaccounts --all-managed --cloud gcp`) to see all cloud accounts which have been provisioned for your teams. If you are removing a team from Kore and want to close their cloud account entirely, follow the steps below.
Unlike with AWS or Azure, on GCP a project can be re-activated by Kore successfully shortly after it has been closed, so it is not required to delete the team or de-allocate the GCP organization in this case. However, do consider carefully whether closing the project is the correct approach where the team continues to exist.
From the UI, select 'Remove from Kore', or from the CLI run `kore delete cloudaccount -t teamname cloud-account-name`.
This will attempt to remove the project from Kore's management. If the project is in use by any team clusters, you will be informed of this and the removal will not succeed. Ensure the clusters are deleted first.
To close a GCP project after it has been removed from Kore, follow GCP's documented procedure to delete the project via CLI, API or web console.