Using Google GCE with Juju
Juju already has knowledge of the GCE cloud, which means adding your GCE account to Juju is quick and easy.
You can see more specific information on Juju's GCE support (e.g. the supported regions) by running:
juju show-cloud google
If at any point you believe Juju's information is out of date (e.g. Google just announced support for a new region), you can update Juju's public cloud data by running:
juju update-clouds
Preparing your GCE account
Although Juju knows how GCE works, there are a few tasks you must perform in order to integrate your account with Juju. We give an overview of the steps here:
- Using the CLI tools
- Assigning user permissions
- Managing service accounts
- Gathering credential information
- Enabling the Compute Engine API
Note: The Google Cloud Platform Console (web UI) can also be used to complete the above steps.
The instructions on this page make use of the Identity and Access Management (IAM) framework to control access to your GCP account. Read Google's Cloud IAM page for an overview.
Using the CLI tools
We show how to use the Cloud SDK tools from Google to manage your GCP (Google Cloud Platform) account. The tools installation instructions presented here are for Ubuntu/Debian. See the link above for how to install on other platforms.
Install the tools in this way:
export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)" echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" \ | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add - sudo apt update && sudo apt install google-cloud-sdk
Now initialise the tool:
gcloud init
Among other things, you will be asked to enter a verification code in order to log in to GCP. This code is acquired by following a supplied hyperlink, which, in turn, will have you agree on the resulting page to allow Google Cloud SDK to access your Google account.
You will be given the choice of selecting an existing GCE project or of
creating a new one. If creating, pick a unique name to prevent the command from
exiting. If it does, re-invoke gcloud init
and choose option [1] to
re-initialise.
When you're done, try out the following commands (we created a project called 'juju-gce-1' during the init phase):
gcloud components list gcloud config list gcloud projects list gcloud projects describe juju-gce-1
See the gcloud command reference for more help with this tool.
Assigning user permissions
Using the IAM framework, we'll be associating credentials with our project at the Compute Engine service account level and not at the level of your Google user.
To download such credentials, however, your user (now known to the CLI tool) must have the authorisation to do so. This is done by assigning the role of 'Service Account Key Admin' to your user (insert your project ID and your user's email address):
gcloud projects add-iam-policy-binding juju-gce-1 \ --member user:javierlarin72@gmail.com \ --role roles/iam.serviceAccountKeyAdmin
Managing service accounts
A project's service accounts are listed in this way:
gcloud iam service-accounts list --project juju-gce-1
You can create a new service account if:
- you are having trouble identifying an existing one to use
- your project does not yet have any service accounts
- you want one dedicated to Juju
Here, we will create a new one called 'juju-gce-1-sa':
gcloud iam service-accounts create juju-gce-1-sa \ --display-name "Compute Engine Juju service account"
For our example project, the list of service accounts is now:
NAME EMAIL Compute Engine Juju service account juju-gce-1-sa@juju-gce-1.iam.gserviceaccount.com
We must now give our chosen service account enough permissions so it can do what Juju asks of it. The roles of 'Compute Instance Admin (v1)' and 'Compute Security Admin' are sufficient:
gcloud projects add-iam-policy-binding juju-gce-1 \ --member serviceAccount:juju-gce-1-sa@juju-gce-1.iam.gserviceaccount.com \ --role roles/compute.instanceAdmin.v1 gcloud projects add-iam-policy-binding juju-gce-1 \ --member serviceAccount:juju-gce-1-sa@juju-gce-1.iam.gserviceaccount.com \ --role roles/compute.securityAdmin
Permissions can be configured in multiple ways due to the many IAM roles available. See upstream document Compute Engine IAM Roles for details.
Verify the roles now assigned to both your user and your service account:
gcloud projects get-iam-policy juju-gce-1
Gathering credential information
You are now ready to download credentials for your chosen service account.
Here we've called the download file juju-gce-1-sa.json
:
gcloud iam service-accounts keys create juju-gce-1-sa.json \ --iam-account=juju-gce-1-sa@juju-gce-1.iam.gserviceaccount.com
Store this file on the Juju client (e.g. ~/.local/share/juju/juju-gce-1-sa.json
).
The section Using environment variables below
explains where this data can be stored if you wish to use the
autoload-credentials
command to add credentials to Juju.
Enabling the Compute Engine API
The Compute Engine API needs to be enabled for your project but this requires your billing account to be first linked to your project.
Your billing (credit card) should have been set up when you registered with GCE. To see your billing account number:
gcloud alpha billing accounts list
Sample output:
ACCOUNT_ID NAME OPEN MASTER_ACCOUNT_ID 01ACD0-B3D759-187641 My Billing Account True
Use the account number/ID to link your project:
gcloud alpha billing projects link juju-gce-1 --billing-account 01ACD0-B3D759-187641
You can now enable the Compute Engine API for your project (this can take a few minutes to complete):
gcloud services enable compute.googleapis.com --project juju-gce-1
For some integrated Juju services (e.g. the Charmed Distribution of Kubernetes) it is useful to also enable the IAM management API:
gcloud services enable iam.googleapis.com --project juju-gce-1
Verify by listing all currently enabled services/APIs:
gcloud services list --project juju-gce-1
Adding credentials
The Credentials page offers a full treatment of credential management.
In order to access Google GCE, you will need to add credentials to Juju. This can be done in one of three ways (as shown below).
Important: The project that gets used by Juju is determined by the service account's credentials used to create a controller. It is therefore recommended that the user-defined credential name strongly reflects the project name. This is chiefly relevant in a multi-project (multi-credential) scenario.
Alternately, you can use your credentials with Juju as a Service, where charms can be deployed within a graphical environment that comes equipped with a ready-made controller.
Using the interactive method
Armed with the gathered information, credentials can be added interactively:
juju add-credential google
The command will prompt you for information that the chosen cloud needs. An example session follows:
Enter credential name: juju-gce-1-sa Auth Types jsonfile oauth2 Select auth type [jsonfile]: Enter file: ~/.local/share/juju/juju-gce-1-sa.json Credential "juju-gce-1-sa" added locally for cloud "google".`
Using a file
A YAML-formatted file, say mycreds.yaml
, can be used to store credential
information for any cloud. This information is then added to Juju by pointing
the add-credential
command to the file:
juju add-credential google -f mycreds.yaml
See section Adding credentials from a file for guidance on what such a file looks like.
Using environment variables
With GCE you have the option of adding credentials using the following environment variable that may already be present (and set) on your client system:
CLOUDSDK_COMPUTE_REGION
In addition, a special variable may contain the path to a JSON-formatted file which, in turn, contains credential information:
GOOGLE_APPLICATION_CREDENTIALS
Finally, on Linux systems, the file
$HOME/.config/gcloud/application_default_credentials.json
may be used to
contain credential data and is parsed by the above command as part of the
scanning process. On Windows systems, the file is
%APPDATA%\gcloud\application_default_credentials.json
.
Add this credential information to Juju in this way:
juju autoload-credentials
For any found credentials you will be asked which ones to use and what name to store them under.
For background information on this method read section Adding credentials from environment variables.
Creating a controller
You are now ready to create a Juju controller for cloud 'google':
juju bootstrap google google-controller
Above, the name given to the new controller is 'google-controller'. GCE will provision an instance to run the controller on.
For a detailed explanation and examples of the bootstrap
command see the
Creating a controller page.
Next steps
A controller is created with two models - the 'controller' model, which should be reserved for Juju's internal operations, and a model named 'default', which can be used for deploying user workloads.
See these pages for ideas on what to do next: