You grant access to Google Cloud Managed Lustre operations by granting Identity and Access Management (IAM) roles to users.
IAM permissions only control access to Google Cloud Managed Lustre operations, like creating a Google Cloud Managed Lustre instance. To control access to file system operations on the instance, like reading or writing to a file, use POSIX file permissions.
Permissions and roles
Managed Lustre uses the following permissions:
| Permission | Description |
|---|---|
lustre.instances.create |
Create new instances |
lustre.instances.delete |
Delete instances |
lustre.instances.update |
Update instances. Does not allow deletion |
lustre.instances.get |
Describe instances |
lustre.instances.list |
List all instances |
lustre.instances.exportData
|
Export data from Managed Lustre to Cloud Storage |
lustre.instances.importData
|
Import data from Cloud Storage to Managed Lustre |
lustre.locations.get |
Get a location |
lustre.locations.list |
List all supported locations |
lustre.operations.list |
List operations |
lustre.operations.get |
Get an operation |
lustre.operations.cancel |
Cancel an operation |
lustre.operations.delete |
Delete an operation |
Google Cloud doesn't support granting individual permissions directly; you must grant a role that contains permissions. Managed Lustre's predefined roles are:
- Managed Lustre Admin (
roles/lustre.admin) - Managed Lustre Viewer (
roles/lustre.viewer)
The following table lists the permissions granted by the predefined roles for Managed Lustre, as well as the basic Editor role:
| Capability | Editor (roles/editor) |
Managed Lustre (roles/lustre.*)
|
|
|---|---|---|---|
admin |
viewer |
||
| Create instances | |||
| Delete instances | |||
| Update instances | |||
| Get instances | |||
| List instances | |||
| Import/export data from/to Cloud Storage | |||
| Get a location | |||
| List supported locations | |||
| List long-running operations | |||
| Get an operation | |||
| Cancel an operation | |||
| Delete an operation | |||
Custom roles
If the available predefined roles don't meet your organization's access requirements, you can create and apply custom IAM roles.
When creating custom roles, we recommend using a combination of predefined roles to ensure that the correct permissions are included together.
Additional required Google Cloud permissions
In addition to the lustre permissions, there are some Google Cloud
permissions required to complete specific tasks.
| Task | Permission |
|---|---|
| Create a VPC network | servicenetworking.services.addPeering is required.
Grant roles/compute.networkAdmin or
roles/servicenetworking.networksAdmin. |
| Import from Cloud Storage | The Managed Lustre service
account requires roles/storage.admin on the
source bucket.
See the Required permissions section of
Transfer data to or from Cloud Storage for instructions. |
| Export to Cloud Storage | The Managed Lustre service
account requires roles/storage.admin on the
destination bucket.
See the Required permissions section of
Transfer data to or from Cloud Storage for instructions. |
| Create Compute Engine VMs | Compute Instance Admin (v1).
(roles/compute.instanceAdmin.v1)
For more information, refer to the
Compute Engine documentation. |
| Create and manage Google Kubernetes Engine clusters | Container Admin.
(roles/container.admin)
For more information, refer to the Google Kubernetes Engine documentation. |