Merge pull request #82603 from mletalie/OSDOCS-11916

[OSDOCS-11916] Update required APIs and roles/permissions required for Private Service Connect

Author: EricPonvelle

modules/ccs-aws-customer-requirements.adoc

@@ -69,4 +69,4 @@ This policy only provides Red Hat with permissions and capabilities to change re
 
 * Red Hat must have ingress access to EC2 hosts and the API server through white-listed Red Hat machines.
 
-* Red Hat must have egress allowed to forward system and audit logs to a Red Hat managed central logging stack.
+* Red Hat must have egress allowed to forward system and audit logs to a Red Hat managed central logging stack.

modules/ccs-gcp-customer-procedure.adoc

@@ -5,8 +5,6 @@
 [id="ccs-gcp-customer-procedure_{context}"]
 
 = Required customer procedure
-// TODO: Same as other module - Better procedure heading that tells you what this is doing
-
 
 The Customer Cloud Subscription (CCS) model allows Red Hat to deploy and manage {product-title} into a customer's Google Cloud Platform (GCP) project. Red Hat requires several prerequisites to provide these services.
 [NOTE]
@@ -76,4 +74,79 @@ To use {product-title} in your GCP project, the following GCP organizational pol
 |link:https://console.cloud.google.com/apis/library/orgpolicy.googleapis.com?project=openshift-gce-devel&folder=&organizationId=[Organization Policy API]
 |`orgpolicy.googleapis.com`
 
+|link:https://console.cloud.google.com/marketplace/product/google/iap.googleapis.com?q=search&referrer=search&hl=en&project=openshift-gce-devel[Cloud Identity-Aware Proxy API]
+|`iap.googleapis.com` ^[*]^
+
 |===
+
++
+[.small]
+--
+*Required for clusters deployed with Private Service Connect.
+--
+
+
+. To ensure that Red Hat can perform necessary actions, you must create an `osd-ccs-admin` IAM link:https://cloud.google.com/iam/docs/creating-managing-service-accounts#creating_a_service_account[service account] user within the GCP project.
+
++
+
+The following roles must be link:https://cloud.google.com/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource[granted to the service account]:
++
+.Required roles
+[cols="2a,3a",options="header"]
+
+|===
+
+|Role|Console role name
+
+|Compute Admin
+|`roles/compute.admin`
+
+|DNS Administrator
+|`roles/dns.admin`
+
+|Organization Policy Viewer
+|`roles/orgpolicy.policyViewer`
+
+|Service Management Administrator
+|`roles/servicemanagement.admin`
+
+|Service Usage Admin
+|`roles/serviceusage.serviceUsageAdmin`
+
+|Storage Admin
+|`roles/storage.admin`
+
+|Compute Load Balancer Admin
+|`roles/compute.loadBalancerAdmin`
+
+|Role Viewer
+|`roles/viewer`
+
+|Role Administrator
+|`roles/iam.roleAdmin`
+
+|Security Admin
+|`roles/iam.securityAdmin`
+
+|Service Account Key Admin
+|`roles/iam.serviceAccountKeyAdmin`
+
+|Service Account Admin
+|`roles/iam.serviceAccountAdmin`
+
+|Service Account User
+|`roles/iam.serviceAccountUser`
+
+|IAP-Secured Tunnel User
+|`roles/iap.tunnelResourceAccessor`^[*]^
+
+|===
+
++
+[.small]
+--
+*Required for clusters deployed with Private Service Connect.
+--
+
+. link:https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys[Create the service account key] for the `osd-ccs-admin` IAM service account. Export the key to a file named `osServiceAccount.json`; this JSON file will be uploaded in {cluster-manager-first} when you create your cluster.

modules/policy-identity-access-management.adoc

@@ -170,4 +170,4 @@ Customer access is limited to namespaces created by the customer and permissions
 
 [id="access-approval_{context}"]
 == Access approval and review
-New SRE user access requires management approval. Separated or transferred SRE accounts are removed as authorized users through an automated process. Additionally, SRE performs periodic access review including management sign-off of authorized user lists.
+New SRE user access requires management approval. Separated or transferred SRE accounts are removed as authorized users through an automated process. Additionally, SRE performs periodic access review including management sign-off of authorized user lists.