Google Cloud IAM Policy
The IAM roles required for NightOps to manage your Google Cloud resources.
Service Account Setup
NightOps uses a service account to access your Google Cloud resources. You can authenticate using a service account key or Workload Identity Federation.
Step 1: Create a Service Account
Create a new service account for NightOps:
gcloud iam service-accounts create nightops \
  --display-name="NightOps Service Account" \
  --description="Service account for NightOps resource management"
Step 2: Grant IAM Roles
Grant the required IAM roles to the service account:
# Compute Engine
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:nightops@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/compute.instanceAdmin.v1"

# Cloud SQL
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:nightops@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/cloudsql.admin"

# Cloud Run
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:nightops@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/run.admin"

# GKE
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:nightops@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/container.clusterAdmin"
Step 3: Create a Key (Option A)
Create a service account key and download it (the key file is a long-lived credential; prefer Option B where possible):
gcloud iam service-accounts keys create nightops-key.json \
  --iam-account=nightops@PROJECT_ID.iam.gserviceaccount.com
Upload this key file in the NightOps dashboard under Settings → Cloud Providers → Add Google Cloud Project.
Workload Identity Federation (Option B - Recommended)
For enhanced security, use Workload Identity Federation instead of a service account key. This eliminates the need for long-lived credentials.
# Create a Workload Identity Pool
gcloud iam workload-identity-pools create nightops-pool \
  --location="global" \
  --display-name="NightOps Pool"

# Create a Provider
gcloud iam workload-identity-pools providers create-oidc nightops-provider \
  --location="global" \
  --workload-identity-pool="nightops-pool" \
  --issuer-uri="https://auth.nightops.dev" \
  --allowed-audiences="nightops" \
  --attribute-mapping="google.subject=assertion.sub"

# Allow the pool to impersonate the service account
gcloud iam service-accounts add-iam-policy-binding \
  nightops@PROJECT_ID.iam.gserviceaccount.com \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/nightops-pool/*"
Custom IAM Role (Minimal Permissions)
For more granular control, create a custom IAM role with only the permissions you need:
title: "NightOps Resource Manager"
description: "Minimal permissions for NightOps to manage compute resources"
stage: "GA"
includedPermissions:
  # Compute Engine
  - compute.instances.get
  - compute.instances.list
  - compute.instances.start
  - compute.instances.stop
  # Cloud SQL
  - cloudsql.instances.get
  - cloudsql.instances.list
  - cloudsql.instances.update
  # GKE
  - container.clusters.get
  - container.clusters.list
  - container.nodePools.get
  - container.nodePools.list
  - container.nodePools.update
  # Cloud Run
  - run.services.get
  - run.services.list
  - run.services.update
Security Considerations
- Use Workload Identity Federation when possible to avoid long-lived credentials
- NightOps only requests permissions for start/stop operations, never data access
- You can further restrict permissions using IAM Conditions based on resource labels
- Consider using VPC Service Controls for additional network-level security
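As an added example (not NightOps code), the following Python audit reads a project IAM policy in the bindings shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` produces, lists every role bound to the NightOps service account, flags any role beyond the ones documented in Step 2 and the custom-role section, and checks a custom-role permission list against the get/list/start/stop/update verbs used by the minimal role above. The sample policy and the custom role ID `nightopsResourceManager` are constructed assumptions.

```python
import json

NIGHTOPS_SA = "serviceAccount:nightops@PROJECT_ID.iam.gserviceaccount.com"
# The page gives no role ID for the custom role; this ID is an assumption.
CUSTOM_ROLE = "projects/PROJECT_ID/roles/nightopsResourceManager"
# Predefined roles granted in Step 2, plus the custom role from the minimal-permissions section.
EXPECTED_ROLES = {
    "roles/compute.instanceAdmin.v1", "roles/cloudsql.admin",
    "roles/run.admin", "roles/container.clusterAdmin", CUSTOM_ROLE,
}
# Verbs present in the page's custom role; anything else (delete, setIamPolicy, ...) is out of scope.
ALLOWED_VERBS = {"get", "list", "start", "stop", "update"}
CUSTOM_ROLE_PERMISSIONS = [
    "compute.instances.get", "compute.instances.list",
    "compute.instances.start", "compute.instances.stop",
    "cloudsql.instances.get", "cloudsql.instances.list", "cloudsql.instances.update",
    "container.clusters.get", "container.clusters.list",
    "container.nodePools.get", "container.nodePools.list", "container.nodePools.update",
    "run.services.get", "run.services.list", "run.services.update",
]

# Constructed sample policy (same structure json.load() gives for get-iam-policy output).
# The SA also holds roles/owner here, which the documentation never asks for.
SAMPLE_POLICY = json.loads(json.dumps({"bindings": [
    {"role": "roles/compute.instanceAdmin.v1", "members": [NIGHTOPS_SA]},
    {"role": "roles/owner", "members": ["user:alice@example.com", NIGHTOPS_SA]},
    {"role": CUSTOM_ROLE, "members": [NIGHTOPS_SA]},
]}))


def roles_for(policy, member):
    """All roles bound to `member` in a project IAM policy, sorted."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


def unexpected_roles(policy, member, expected=EXPECTED_ROLES):
    """Roles held by `member` that the documentation does not call for."""
    return [r for r in roles_for(policy, member) if r not in expected]


def permission_violations(perms, allowed_verbs=ALLOWED_VERBS):
    """Permissions not shaped service.resource.verb, or whose verb is outside the allowed set."""
    bad = []
    for perm in perms:
        parts = perm.split(".")
        if len(parts) != 3 or parts[2] not in allowed_verbs:
            bad.append(perm)
    return bad


if __name__ == "__main__":
    print("roles:", roles_for(SAMPLE_POLICY, NIGHTOPS_SA))
    print("unexpected:", unexpected_roles(SAMPLE_POLICY, NIGHTOPS_SA))
    print("custom role violations:", permission_violations(CUSTOM_ROLE_PERMISSIONS))
```

Run it against a real policy by replacing SAMPLE_POLICY with json.load() over the saved get-iam-policy output; a non-empty unexpected list is the signal to revisit the Step 2 bindings.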