Creation of Groups for Project Access
Prior to requesting GCP projects, it is first necessary to request access groups that will be used to grant access to the projects. Typically the Application Owner should make the request for groups. This person will become the manager of each group and will be able to assign, or delegate, access to those working on and using the project.
The permissions to be requested for the project will vary depending on the types of access needed on the project.
It is not necessary to provide an exhaustive list of groups when requesting a project, as further access can be requested and granted later, but at least one group should be provided at the beginning for the data engineers and architects to begin working on the project. A generic group for technical users (data architects and engineers) can follow the format gcp-sl-data-{product_name}-nonprod@solvay.com and gcp-sl-data-{product_name}-prod@solvay.com. The Application Owner should never add end users to the technical user group.
Additionally, it should be considered whether or not business users or other end users will need direct access to BigQuery. If this is the case, additional groups should be requested by the Product Application Owner, and the access granted to these groups should be limited to the actions they require. For example, if end users will require the ability to create their own datasets and tables, then these permissions should be requested accordingly. The end user groups should not have broad permissions on the projects like the technical user group. See the attached template for reference concerning the details.
In keeping with the architecture of the Data Ocean, when requesting GCP projects, the following request should be made to the Cloud Operations Team in Service One.
When requesting a Project ID name in Google Cloud Platform, use the format prj-data-{product_name/usecase}.
The request should be for 4 GCP projects: dev, test, preprod and prod.
Product Project Configuration and Resources
All buckets can be in the location europe-west1 with Standard storage class (unless otherwise required for legal reasons).
Lifecycle and object versioning are to be determined at a later date, or enabled manually if possible.
The following buckets should be requested:
- cs-ew1-{gcp_project_id}-dm
- cs-ew1-{gcp_project_id}-staging
- cs-ew1-{gcp_project_id}-wdl
- cs-ew1-{gcp_project_id}-temp
- cs-ew1-{gcp_project_id}-bigquery-state
- API Activation
  - In addition to the standard APIs, the following APIs should be activated:
    - BigQuery
      - BigQuery API
      - BigQuery Storage API
      - BigQuery Data Transfer API
      - BigQuery Connection API
      - BigQuery Data Policy API
    - Cloud Storage
      - Cloud Storage
      - Storage Transfer API
      - Cloud Storage JSON API
    - Google Sheets API
    - Google Drive API
    - Cloud Build
    - Data Catalog API
    - Data Lineage API
Product Project Permissions for Groups
Two groups are used: gcp-sl-data-{product}-prod@solvay.com and gcp-sl-data-{product}-nonprod@solvay.com. The distinction is that groups suffixed with prod are reserved for the prod and preprod GCP projects, while groups suffixed with nonprod are reserved for the dev and test GCP projects.
In the dev and test environment, both groups will require the following permissions:
- BigQuery User & BigQuery Data Editor (only in the DEV environment; in other environments, BigQuery Admin will be reserved for service accounts)
- Cloud Storage: permission granted at bucket level, not at project level, as follows:
  - Storage Object Admin (on all requested buckets)
  - GCS Developer (Solvay) - custom role
- Permissions to view all project logs (Private Log Viewer)
- Viewer - at project level
- Error Reporting Access
- Cloud Monitoring Viewer
- Cloud Build (usage)
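The naming and permission rules above (group and project naming, the bucket naming scheme, bucket-level rather than project-level Storage Object Admin, and BigQuery Data Editor/Admin on groups only in dev) can be checked mechanically before a request is submitted. The following checker is an added example, not a Solvay tool; the binding format, the product name "salesforecast" and the role identifiers used in the sample are assumptions.

```python
import re

# Conventions from the request guidelines above; the checker and the sample
# bindings are constructed for illustration and are not a Solvay tool.
GROUP_RE = re.compile(r"^group:gcp-sl-data-[a-z0-9-]+-(prod|nonprod)@solvay\.com$")
PROJECT_RE = re.compile(r"^prj-data-[a-z0-9-]+$")
BUCKET_SUFFIXES = {"dm", "staging", "wdl", "temp", "bigquery-state"}
ENVS_FOR_SUFFIX = {"prod": {"preprod", "prod"}, "nonprod": {"dev", "test"}}
# Outside dev, BigQuery Data Editor/Admin are reserved for service accounts.
SA_ONLY_OUTSIDE_DEV = {"roles/bigquery.admin", "roles/bigquery.dataEditor"}

def check_bindings(env, project_id, bindings):
    """Return findings for one project's IAM bindings (empty list == compliant).
    Each binding: member, role, level ("project"|"bucket") and, for buckets, bucket."""
    findings = []
    if not PROJECT_RE.match(project_id):
        findings.append(f"project id {project_id!r} does not match prj-data-{{product}}")
    for b in bindings:
        member, role, level = b["member"], b["role"], b["level"]
        if member.startswith("group:"):
            m = GROUP_RE.match(member)
            if m is None:
                findings.append(f"{member}: not a gcp-sl-data-{{product}}-(prod|nonprod) group")
            elif env not in ENVS_FOR_SUFFIX[m.group(1)]:
                findings.append(f"{member}: {m.group(1)} group bound in the {env} project")
            if role in SA_ONLY_OUTSIDE_DEV and env != "dev":
                findings.append(f"{member}: {role} is reserved for service accounts in {env}")
            if role == "roles/storage.objectAdmin" and level != "bucket":
                findings.append(f"{member}: Storage Object Admin must be bound per bucket")
        if level == "bucket":
            bucket, prefix = b.get("bucket", ""), f"cs-ew1-{project_id}-"
            if not (bucket.startswith(prefix) and bucket[len(prefix):] in BUCKET_SUFFIXES):
                findings.append(f"bucket {bucket!r} does not follow cs-ew1-{{project_id}}-{{suffix}}")
    return findings

# Constructed sample: a test-environment request containing three mistakes.
PROJECT = "prj-data-salesforecast"
NONPROD, PROD = "group:gcp-sl-data-salesforecast-nonprod@solvay.com", "group:gcp-sl-data-salesforecast-prod@solvay.com"
SAMPLE = [
    {"member": NONPROD, "role": "roles/viewer", "level": "project"},
    {"member": NONPROD, "role": "roles/storage.objectAdmin", "level": "bucket", "bucket": f"cs-ew1-{PROJECT}-staging"},
    {"member": NONPROD, "role": "roles/bigquery.dataEditor", "level": "project"},  # Data Editor outside dev
    {"member": PROD, "role": "roles/storage.objectAdmin", "level": "project"},     # prod group, and project-level
    {"member": f"serviceAccount:sa-talend@{PROJECT}.iam.gserviceaccount.com", "role": "roles/bigquery.admin", "level": "project"},
]

if __name__ == "__main__":
    for finding in check_bindings("test", PROJECT, SAMPLE):
        print("FINDING:", finding)
```

Running the sample as a test-environment request reports three findings; the same bindings checked as dev report two, because Data Editor on the group is allowed there.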
Product GCP Project Resources
- Service Accounts & Key Files
  - talend (sa-talend)
    - Keys
      - JSON & P12
    - Project Permissions
      - BigQuery Admin
      - Cloud Storage role to list all buckets and have full permissions inside buckets
  - cicd (sa-cicd)
    - Keys
      - JSON
    - Project Permissions
      - BigQuery Admin
      - Service Usage Consumer
      - Necessary permissions for access to the build & state buckets
- Google Cloud Storage Buckets