Add a GCP Single Account Manually with read only access

Learn how to manually add a single GCP account with read-only access.

Step 1

Skip to Step 4 if you came to this guide from the Connect Your GCP Project page.

Navigate to the Account Manager tab and click Add new account. If you already have accounts, your Account Manager page will look similar to the example below.

Step 2

Select ‘Google Cloud Platform’.

Step 3

You’ll be taken to the Connect your GCP project page.

Step 3.1

In the first field, enter an Account name. You can enter a custom name (up to 32 characters) or leave the default GCP.


Step 3.2

Select the 'Single project' account type.

Step 3.3

Select the connection type - Manual.

  • Auto: automatically configures the required IAM roles by running a script in Google Cloud Shell.

  • Manual: you set up and assign the IAM roles yourself, directly in the GCP Console.

Step 3.4

Next, select the Access type; in this guide, we select Read-only. The selected type is marked with a blue dot on a white background:

  • Read/write: Allows you to utilize all functions of our platform. You can view resources and take actions, such as converting to spot, scheduling resources, and removing unused resources.

  • Read-only: Lets you view resources and see what actions are available, but you can’t make any changes or perform those actions.

You can review the permissions included in the read-only policy.

Optional: View read-only permission list:

title: Uniskai Service Role

stage: "GA"

includedPermissions:

- appengine.applications.get

- appengine.instances.get

- appengine.instances.list

- appengine.services.get

- appengine.services.list

- appengine.versions.get

- appengine.versions.list

- bigquery.datasets.get

- bigquery.tables.get

- bigquery.tables.list

- bigquery.tables.getData

- bigquery.jobs.create

- bigquery.readsessions.create

- bigquery.readsessions.getData

- bigtable.backups.get

- bigtable.backups.list

- bigtable.clusters.get

- bigtable.clusters.list

- bigtable.instances.get

- bigtable.instances.list

- cloudfunctions.functions.get

- cloudfunctions.functions.list

- cloudfunctions.locations.get

- cloudfunctions.locations.list

- cloudsql.backupRuns.list

- cloudsql.instances.list

- compute.autoscalers.list

- compute.diskTypes.get

- compute.disks.get

- compute.disks.list

- compute.externalVpnGateways.get

- compute.externalVpnGateways.list

- compute.externalVpnGateways.list

- compute.firewalls.get

- compute.firewalls.list

- compute.images.get

- compute.images.list

- compute.instanceGroupManagers.get

- compute.instanceGroupManagers.list

- compute.instanceGroups.get

- compute.instanceGroups.list

- compute.instanceTemplates.get

- compute.instanceTemplates.list

- compute.instances.get

- compute.instances.list

- compute.machineImages.get

- compute.machineImages.list

- compute.machineTypes.get

- compute.networks.get

- compute.networks.list

- compute.regions.list

- compute.routers.get

- compute.routers.list

- compute.routes.get

- compute.routes.list

- compute.snapshots.get

- compute.snapshots.list

- compute.subnetworks.get

- compute.subnetworks.list

- compute.vpnGateways.list

- compute.vpnTunnels.list

- compute.zones.list

- compute.targetVpnGateways.get

- compute.targetVpnGateways.list

- compute.healthChecks.get

- compute.healthChecks.list

- compute.addresses.get

- compute.addresses.list

- compute.globalAddresses.get

- compute.globalAddresses.list

- compute.interconnects.get

- compute.interconnects.list

- compute.interconnectAttachments.get

- compute.interconnectAttachments.list

- compute.forwardingRules.get

- compute.forwardingRules.list

- container.clusters.get

- container.clusters.list

- dns.managedZones.list

- file.backups.list

- file.instances.list

- file.locations.get

- file.locations.list

- memcache.instances.get

- memcache.instances.list

- recommender.locations.get

- recommender.locations.list

- redis.instances.get

- redis.instances.list

- spanner.backups.get

- spanner.backups.list

- spanner.instanceConfigs.get

- spanner.instanceConfigs.list

- spanner.instances.get

- spanner.instances.list

- storage.buckets.get

- storage.buckets.list

- serviceusage.services.list

- resourcemanager.projects.getIamPolicy

- iam.roles.list

- iam.serviceAccounts.list

- iam.serviceAccountKeys.list

- cloudasset.assets.searchAllResources

- compute.instances.listReferrers

- compute.instances.setServiceAccount

- iam.serviceAccounts.actAs

- compute.backendServices.list

- compute.targetPools.list

- eventarc.locations.list

- eventarc.providers.list

- eventarc.triggers.list

- eventarc.triggers.get

- eventarc.channels.list

- cloudkms.locations.list

- cloudkms.keyRings.list

- cloudkms.cryptoKeys.get

- cloudkms.cryptoKeys.list

- cloudkms.cryptoKeyVersions.list

- cloudkms.importJobs.list

- monitoring.groups.get

- monitoring.groups.list

- monitoring.alertPolicies.get

- monitoring.alertPolicies.list

- monitoring.notificationChannels.get

- monitoring.notificationChannels.list

- monitoring.notificationChannelDescriptors.list

- monitoring.uptimeCheckConfigs.get

- monitoring.uptimeCheckConfigs.list

- monitoring.monitoredResourceDescriptors.list

- monitoring.timeSeries.list

- pubsub.topics.get

- pubsub.topics.list

- pubsub.subscriptions.list

- pubsub.subscriptions.get

- pubsub.subscriptions.list

- pubsublite.topics.list

- pubsublite.reservations.list

- pubsublite.subscriptions.get

- pubsublite.subscriptions.list

To continue, make sure you have permission to create roles and service accounts in GCP.

Step 4

Log in to GCP and select your project.

Step 5

Open Cloud Shell and authorize it.

Step 6 — Create a permissions file

You can download the template directly from the UI or via CLI (curl).

Option A — Download via UI (recommended)

  1. In the Uniskai interface, under Uniskai service role permissions, click Download template.

  2. Save the file to your local machine.

  3. Upload the file to the Cloud Shell Terminal.


Option B — Download via CLI

If you prefer using Cloud Shell or terminal, run the following command to download the role template file:

curl -o role-template.yaml \
"https://uniskai-eu-templates.s3.eu-central-1.amazonaws.com/gcp/role-template.yaml?versionId=du7HFyHAUefOCCV2WMtz_U5rHlvrOCV8"

Optional: review the permissions before applying the role

To inspect the contents of the downloaded file, run:

cat role-template.yaml

This lets you review the permissions included in the role template before applying it.
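The review can go further than reading the file by eye. The script below is an added example, not part of Uniskai's tooling: it lists entries in includedPermissions whose verb is not a get/list/search style read, and entries that appear twice. The function names, the get/list/search heuristic and the sample file (a constructed excerpt of the list shown on this page) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: audit a role template's includedPermissions before creating the role.
export LC_ALL=C   # stable sort order

# Print every entry under includedPermissions, one per line.
list_permissions() {
  awk '
    /^includedPermissions:/ { in_list = 1; next }
    in_list && /^[ \t]*-/   { sub(/^[ \t]*-[ \t]*/, ""); gsub(/[ \t\r"]/, ""); print; next }
    in_list && /^[^ \t#-]/  { in_list = 0 }   # next top-level key ends the list
  ' "$1"
}

# Entries whose verb (text after the last dot) does not start with get/list/search.
# Assumption of this example: those prefixes mark read-style verbs.
non_read_permissions() {
  list_permissions "$1" | awk -F. '$NF !~ /^(get|list|search)/' | sort -u
}

# Entries that appear more than once in the file.
duplicate_permissions() {
  list_permissions "$1" | sort | uniq -d
}

# Constructed sample: a short excerpt of the permission list shown on this page.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
title: Uniskai Service Role
stage: "GA"
includedPermissions:
- compute.instances.get
- compute.instances.list
- compute.externalVpnGateways.list
- compute.externalVpnGateways.list
- bigquery.tables.getData
- bigquery.jobs.create
- compute.instances.setServiceAccount
- iam.serviceAccounts.actAs
- resourcemanager.projects.getIamPolicy
EOF

echo "Permissions that are not get/list/search:"
non_read_permissions "$SAMPLE"
echo "Duplicate entries:"
duplicate_permissions "$SAMPLE"
```

To audit the real file, call the functions with role-template.yaml instead of the sample. Entries such as iam.serviceAccounts.actAs and compute.instances.setServiceAccount from the list on this page are reported, so you can decide whether they are acceptable in your project before creating the role.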

Step 7 — Create a custom IAM role

Create the custom role from the template by running the command below. Replace YOUR_PROJECT_ID with your actual GCP Project ID.

To find it, open the Select a project window from the project selector at the top of the Google Cloud Console. Your GCP Project ID is displayed in the ID column next to the corresponding project.

gcloud iam roles create "uniskai_service_role" --project="YOUR_PROJECT_ID" --file=role-template.yaml

Wait until the command finishes.

Step 8

Return to Uniskai and generate the Service Account Email. This email is used to grant Uniskai access to your GCP project.

Click Generate email, then copy the generated email.

Step 9

In the side menu or the search field, navigate to the IAM page.

Then click Grant access.

Paste the email from Step 8 into New principals.

Add the following roles:

  • Uniskai Service Role

  • Browser (under Basic roles)

Click Save.

Step 10

Return to Uniskai and click Connect project. The connection may take a few minutes.

Step 11

(Optional) To enable billing features in Uniskai, refer to the billing setup guide. This step can be completed later.

For instructions on adding billing permissions, see the billing setup manual.

Step 12

Once completed, the account appears in Account Manager with the status Connected (Read-only). No further action is required.
