1. Manage StreamNative Clusters
  2. Manage BYOC Infrastructure
  3. BYOC on GCP

Set up Project Access for BYOC on Google Cloud

Before you can provision a BYOC infrastructure pool, you will need to authorize the StreamNative Cloud control plane to access your cloud accounts. This enables StreamNative to provision and manage clusters within your GCP project.

This document outlines the procedure for granting this access to StreamNative Cloud for GCP projects.

Access model in Google Cloud

StreamNative Cloud leverages GCP's IAM role bindings to manage access to customer's projects, allowing for efficient management of only necessary resources. Access to customer projects is segmented into three Google Service Accounts (abbr. GSA):

  • Provisioning GSA: This service account handles the provisioning and maintenance of the underlying infrastructure like DNS Zone, VPCs, GKE clusters (and associated node groups, and so on). Default to [email protected].

  • Management GSA: This service account is primarily for automated management tasks, the core responsibility of this service account is interact with the GKE cluster to deploy and manage Pulsar clusters. Default to [email protected].

  • Support GSA: This service account is used by the StreamNative SRE and Support team for troubleshooting during incidents. Default to [email protected].

These GSA and role bindings can be implemented using the StreamNative Vendor Access Terraform module. The following diagram illustrates GCP access:

BYOC Google Cloud Access

Provision Google Cloud Access

StreamNative facilitates the setup of necessary service accounts and permissions via a

module. This module can be provisioned in a standalone Terraform project (as documented here), but can also be integrated into existing Terraform projects.

For full documentation of inputs and outputs of the Terraform module, see the module's README on GitHub.


If you run into issues, please contact StreamNative Support team.

Step 1: Create a new project and instantiate the module

Terraform works by having Terraform codes (in the form of *.tf files) and state files that represent the current resources. If you are using Terraform locally, without a remote state store, these files should be checked into source control for future updates. Create a new folder and add a file called main.tf with the following content, replacing the referenced variables.

provider "google" {
  project = "<YOUR_PROJECT>"

module "sn_managed_cloud" {
  source = "github.com/streamnative/terraform-managed-cloud//modules/gcp/vendor-access?ref=v3.7.0"
  project = "<YOUR_PROJECT>"
  • <YOUR_PROJECT>: your Google Project ID.

If you are using git as source control, you need to use the git init command to initialize this folder as a git project.

Step 2: Initialize the Terraform

While the above Terraform code is all needed, the module needs to be downloaded to this Terraform project.

To do so, run terraform init.

This will download the module and required dependencies.

Step 3: Create a shell with the correct GCP credentials

Terraform requires GCP credentials with the proper permissions in the target project to create the resources to grant access. The permissions required by the module are all GCP project permissions, specifically to manage the GCP services, roles, and service accounts. The GCP built-in role of Editor to the GCP project is sufficient to perform these operations.

All of the methods in Authenticating to GCP are compatible with the Terraform module.

Step 4: Run the Terraform

After initialization, and with credentials in the shell, the next step is to run the Terraform with terraform apply.

This will create a Terraform plan which shows all the resources to be created. To see an example plan, see the example plan in the GitHub readme.

Step 5: Provide the output to StreamNative

Once completed, provide the output of the terraform apply to your CSM or support representative.

Next steps

After granting access, you can set up a Cloud Connection to allow the StreamNative Cloud control plane to interact with your GCP project.

Account Access for BYOC on Azure