Google Cloud organizes resources in a way that resembles a file system, where:
- The Organization at the top level can have multiple Folders.
- Every Folder can contain other Folders, or can contain Projects, where every Project has a unique ID.
- Cloud resources (such as VMs, VPCs, and subnets) are contained within a Project.
While the Organization and Folder levels are useful areas to understand from the Google Cloud perspective, the Project level is the most relevant from the Cisco Cloud Network Controller perspective.
Each Cisco Cloud Network Controller tenant is mapped one-to-one to a Google Cloud Project, which means that:
With Cisco Cloud Network Controller, Google Cloud provides access to Projects using Service Accounts. These accounts are meant for applications that need to access Google Cloud services. They can be used to run and deploy Cisco Cloud Network Controller and to push policies for other tenants. Service accounts used in applications running within Google Cloud do not need credentials, whereas applications that are run external to Google Cloud need a pre-generated private key. Service Accounts reside in one Google Cloud Project, but they can also be given access to manage policies for other Projects (for Cisco Cloud Network Controller, other tenants).
The following sections provide more information on different ways that Cisco Cloud Network Controller tenants can be configured with Google Cloud:
User Tenants With Managed Credentials
This type of user tenant has the following characteristics:
- This tenant account is managed by the Cisco Cloud Network Controller.
- You will first choose Managed Identity in the Cisco Cloud Network Controller GUI as part of the tenant configuration process for this type of user tenant.
- After you have configured the necessary parameters in the Cisco Cloud Network Controller, you must then set the necessary roles for this tenant in Google Cloud. Add the service account created by the Cisco Cloud Network Controller as an IAM user with the following rules:
For instructions on creating this sort of tenant, see Creating a Managed Tenant Using the Cisco Cloud Network Controller GUI.
User Tenants With Unmanaged Credentials
This type of user tenant has the following characteristics:
- This tenant account is not managed by the Cisco Cloud Network Controller.
- Before configuring the necessary parameters in the Cisco Cloud Network Controller for this type of tenant, you must first download the JSON file that contains the necessary private key information from Google Cloud for the service account associated with this tenant.
- You will then choose Unmanaged Identity in the Cisco Cloud Network Controller GUI as part of the tenant configuration process for this type of user tenant. As part of the configuration process for this type of tenant in Cisco Cloud Network Controller, you will provide the following information from the downloaded JSON file:
  - Key ID
  - RSA Private Key
  - Client ID
  - Email
For instructions on creating this sort of tenant, see Creating an Unmanaged Tenant Using the Cisco Cloud Network Controller GUI.
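The unmanaged tenant flow above depends on an operator copying four values out of a downloaded service account key file. The following Python is an added example, not part of the Cisco documentation or of any Cisco tool; it reads a service account key file, checks that the file is actually a service account key with all four values present, and returns them under the GUI labels used in the text. The mapping from those labels to the JSON field names (private_key_id, private_key, client_id, client_email) is an assumption based on the standard Google Cloud key file layout, and the sample key file is constructed with placeholder values. A redacted view is included so the private key never lands in a log or ticket while the other values are being confirmed.

```python
import json
import re

# Constructed sample in the shape of a Google Cloud service account key file.
# Every value is a placeholder; the PEM body is not real key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project-123",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER_BASE64_KEY_MATERIAL\n-----END PRIVATE KEY-----\n",
    "client_email": "cnc-tenant@example-project-123.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})

# Assumed mapping from the GUI labels in the documentation to the key file fields.
FIELD_MAP = {
    "Key ID": "private_key_id",
    "RSA Private Key": "private_key",
    "Client ID": "client_id",
    "Email": "client_email",
}

# A key file carries the private key as a single PEM block with "\n" line breaks.
PEM_RE = re.compile(
    r"^-----BEGIN PRIVATE KEY-----\n.+\n-----END PRIVATE KEY-----\n?$", re.S
)
# Form used by user-created service accounts: <name>@<project-id>.iam.gserviceaccount.com
EMAIL_RE = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$"
)


def extract_tenant_fields(key_file_text):
    """Return {GUI label: value} for the four fields the tenant dialog asks for.

    Raises ValueError when the file is not a usable service account key, so a
    wrong or truncated download is caught before anything is pasted into the GUI.
    """
    data = json.loads(key_file_text)
    if data.get("type") != "service_account":
        raise ValueError("not a service account key file (type != service_account)")
    missing = [field for field in FIELD_MAP.values() if not data.get(field)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if not PEM_RE.match(data["private_key"]):
        raise ValueError("private_key is not a single PEM PRIVATE KEY block")
    match = EMAIL_RE.match(data["client_email"])
    if not match:
        raise ValueError("client_email is not a user-created service account address")
    # The project embedded in the address should be the project the key file belongs to;
    # a mismatch usually means the key was generated for the wrong tenant project.
    if match.group(1) != data.get("project_id"):
        raise ValueError("client_email project does not match project_id")
    return {label: data[field] for label, field in FIELD_MAP.items()}


def redacted(fields):
    """Copy of the extracted fields with the private key replaced, safe to log or share."""
    out = dict(fields)
    out["RSA Private Key"] = "<redacted PEM, %d bytes>" % len(fields["RSA Private Key"])
    return out


if __name__ == "__main__":
    # Reading from a downloaded file would be: open(path).read() in place of SAMPLE_KEY_FILE.
    print(redacted(extract_tenant_fields(SAMPLE_KEY_FILE)))
```

The checks stop at the file format; they do not contact Google Cloud, so they cannot confirm that the account has been granted the roles the tenant needs, only that the four values handed to the controller are internally consistent and belong to the expected project.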