IAM Prerequisites

Create a dedicated GCP IAM service account for creating and managing the cluster, rather than reusing a personal account or an existing service account such as the default Compute Engine one. A dedicated account keeps the cluster's permissions separate and makes its key easy to rotate or revoke.

The service account needs the following predefined roles:

  • Compute Admin
  • Security Admin
  • Service Account Admin
  • Service Account User
  • Storage Admin
  • DNS Administrator
  • Service Account Key Admin

Security Admin (get and set any IAM policy in the project) and Service Account Key Admin (create and delete keys for any service account in the project) are powerful roles, so keep this account in a project dedicated to the cluster and grant it nothing beyond this list.

The following commands must be run by a cloud administrator who is allowed to create service accounts and grant project roles.

# Create the service account
gcloud iam service-accounts create SERVICE_ACCOUNT_ID \
--display-name="Display Name for Service Account" \
--description="Optional description for the service account's purpose" \
--project=YOUR_GCP_PROJECT_ID
# Create and download a JSON key for the service account
gcloud iam service-accounts keys create /path/to/your/keyfile.json \
--iam-account=SERVICE_ACCOUNT_ID@YOUR_GCP_PROJECT_ID.iam.gserviceaccount.com \
--project=YOUR_GCP_PROJECT_ID
# The key is a long-lived credential: make the file readable only by you
chmod 600 /path/to/your/keyfile.json
# Export the key path; all subsequent steps read credentials from this variable
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/your/keyfile.json"

where:

| Parameter | Description |
|---|---|
| SERVICE_ACCOUNT_ID | A unique identifier for your service account (e.g., my-app-sa, data-processor-sa). It becomes the local part of the service account's email address (SERVICE_ACCOUNT_ID@YOUR_GCP_PROJECT_ID.iam.gserviceaccount.com). It must be 6 to 30 characters of lowercase letters, digits and hyphens, and must start with a letter. |
| Display Name for Service Account | A human-readable name shown in the GCP console (e.g., "My Application Service Account"). |
| Optional description for the service account's purpose | A brief explanation of what the service account is for. |
| YOUR_GCP_PROJECT_ID | Your Google Cloud project ID (e.g., my-gcp-project-12345). |
| /path/to/your/keyfile.json | The local path where the JSON key file is saved (e.g., ~/gcp-keys/my-data-pipeline-sa-key.json). Treat this file as a secret: it grants every role listed above until the key is deleted. |

The roles listed above are granted to the service account by the script service_account_iam_assignments.sh; run it before creating the key and confirm the bindings are in place before proceeding.
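The whole procedure above as one script, added here as a worked example rather than code from this page's project (it is not service_account_iam_assignments.sh): it validates the account ID against the naming rules, creates the account, binds each listed role by its predefined role ID, verifies that every binding actually landed, and only then creates the key under a restrictive umask. The `apply` subcommand, the display name and the `granted_roles`/`missing_roles` helpers are this example's own; the role IDs are the standard ones for the roles listed above, and the script assumes gcloud is installed and the caller is already authenticated as a project administrator.

```shell
#!/usr/bin/env bash
# Added example, not part of this page's project. Creates the cluster service
# account, grants the roles listed on this page, verifies the bindings and
# creates the key. Assumes gcloud is installed and the caller is authenticated
# as a project administrator. Nothing runs until `apply` is passed.
set -euo pipefail

# Predefined role IDs for the roles the page lists, in the same order.
REQUIRED_ROLES="roles/compute.admin
roles/iam.securityAdmin
roles/iam.serviceAccountAdmin
roles/iam.serviceAccountUser
roles/storage.admin
roles/dns.admin
roles/iam.serviceAccountKeyAdmin"

# Service account IDs: 6-30 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
validate_sa_id() {
  printf '%s\n' "$1" | grep -E '^[a-z][-a-z0-9]{4,28}[a-z0-9]$' >/dev/null
}

# Email address gcloud derives from an account ID ($1) and project ID ($2).
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# Print every required role absent from the granted-role list read on stdin
# (one role per line). Empty output means nothing is missing.
missing_roles() {
  granted="$(cat)"
  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    printf '%s\n' "$granted" | grep -xF "$role" >/dev/null || printf '%s\n' "$role"
  done
}

# Roles currently bound to the service account ($2) at project ($1) level.
granted_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$2" \
    --format='value(bindings.role)'
}

# $1=project ID  $2=service account ID  $3=key file path
provision() {
  validate_sa_id "$2" || { echo "invalid service account ID: $2" >&2; return 1; }
  email="$(sa_email "$2" "$1")"

  gcloud iam service-accounts create "$2" \
    --display-name="Cluster management service account" \
    --project="$1"

  printf '%s\n' "$REQUIRED_ROLES" | while IFS= read -r role; do
    gcloud projects add-iam-policy-binding "$1" \
      --member="serviceAccount:$email" --role="$role" \
      --condition=None --quiet >/dev/null
  done

  # Fail here if a binding did not take effect, not halfway through cluster
  # creation when a step unexpectedly gets "permission denied".
  missing="$(granted_roles "$1" "$email" | missing_roles)"
  if [ -n "$missing" ]; then
    echo "roles still missing:" >&2
    printf '%s\n' "$missing" >&2
    return 1
  fi

  # The key is a long-lived credential: a 077 umask means the file is never
  # readable by other users, not even for the instant before a chmod.
  ( umask 077 && gcloud iam service-accounts keys create "$3" \
      --iam-account="$email" --project="$1" )
  echo "export GOOGLE_APPLICATION_CREDENTIALS=\"$3\""
}

# Usage: ./sa_setup.sh apply YOUR_GCP_PROJECT_ID SERVICE_ACCOUNT_ID /path/to/your/keyfile.json
if [ "${1:-}" = "apply" ]; then
  provision "$2" "$3" "$4"
fi
```

The verification step is the part worth keeping even if you provision by hand: `granted_roles` lists exactly the project-level roles bound to the account, so piping it through `missing_roles` after running service_account_iam_assignments.sh tells you whether the script did what the list above requires.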