Adding a GCP Single Account with read-only access

Step 1

Skip to Step 4 if you came to this guide from the Connect Your GCP Project page.

Navigate to the ‘Account Manager’ tab and click the ‘Add new account’ button. If you already have accounts, your Account Manager menu will appear as shown in the picture below.

Step 2

Click on the ‘Google Cloud Platform’ button.

Step 3

You'll be directed to the ‘Connect your GCP project’ page.

Step 3.1

In the first field, enter an Account name. You can choose a specific name (up to 32 characters) or leave it as the default ‘GCP.’

Step 3.2

Select the 'Single project' account type, which allows you to add one account.

Step 3.3

In this case, we select the read-only access type

Next, select the Access type (The selected type will be marked with a white dot on a blue background):

Read/write: Allows you to utilize all functions, such as converting to spot, scheduling resources, and removing unused resources.
Read-only: Permits viewing of resources and possible actions but restricts the use of main functionality.

This is how the read-only policy appear:

Read-only policy

title: Uniskai Service Role

stage: "GA"

includedPermissions:

- appengine.applications.get

- appengine.instances.get

- appengine.instances.list

- appengine.services.get

- appengine.services.list

- appengine.versions.get

- appengine.versions.list

- bigquery.datasets.get

- bigquery.tables.get

- bigquery.readsessions.create
- bigquery.readsessions.getData

- bigquery.tables.list

- bigquery.tables.getData

- bigquery.jobs.create

- bigtable.backups.get

- bigtable.backups.list

- bigtable.clusters.get

- bigtable.clusters.list

- bigtable.instances.get

- bigtable.instances.list

- cloudfunctions.functions.get

- cloudfunctions.functions.list

- cloudfunctions.locations.get

- cloudfunctions.locations.list

- cloudsql.backupRuns.list

- cloudsql.instances.list

- compute.autoscalers.list

- compute.diskTypes.get

- compute.disks.get

- compute.disks.list

- compute.externalVpnGateways.get

- compute.externalVpnGateways.list

- compute.firewalls.get

- compute.firewalls.list

- compute.images.get

- compute.images.list

- compute.instanceGroupManagers.get

- compute.instanceGroupManagers.list

- compute.instanceGroups.get

- compute.instanceGroups.list

- compute.instanceTemplates.get

- compute.instanceTemplates.list

- compute.instances.get

- compute.instances.list

- compute.machineImages.get

- compute.machineImages.list

- compute.machineTypes.get

- compute.networks.get

- compute.networks.list

- compute.regions.list

- compute.routers.get

- compute.routers.list

- compute.routes.get

- compute.routes.list

- compute.snapshots.get

- compute.snapshots.list

- compute.subnetworks.get

- compute.subnetworks.list

- compute.vpnGateways.list

- compute.vpnTunnels.list

- compute.zones.list

- compute.targetVpnGateways.get

- compute.targetVpnGateways.list

- compute.healthChecks.get

- compute.healthChecks.list

- compute.addresses.get

- compute.addresses.list

- compute.globalAddresses.get

- compute.globalAddresses.list

- compute.interconnects.get

- compute.interconnects.list

- compute.interconnectAttachments.get

- compute.interconnectAttachments.list

- compute.forwardingRules.get

- compute.forwardingRules.list

- container.clusters.get

- container.clusters.list

- dns.managedZones.list

- file.backups.list

- file.instances.list

- file.locations.get

- file.locations.list

- memcache.instances.get

- memcache.instances.list

- recommender.locations.get

- recommender.locations.list

- redis.instances.get

- redis.instances.list

- spanner.backups.get

- spanner.backups.list

- spanner.instanceConfigs.get

- spanner.instanceConfigs.list

- spanner.instances.get

- spanner.instances.list

- storage.buckets.get

- storage.buckets.list

- serviceusage.services.list

- resourcemanager.projects.getIamPolicy

- iam.roles.list

- iam.serviceAccounts.list

- iam.serviceAccountKeys.list

- cloudasset.assets.searchAllResources

- compute.instances.listReferrers

- compute.instances.setServiceAccount

- iam.serviceAccounts.actAs

- compute.backendServices.list

- compute.targetPools.list

- eventarc.locations.list

- eventarc.providers.list

- eventarc.triggers.list

- eventarc.triggers.get

- eventarc.channels.list

- cloudkms.locations.list

- cloudkms.keyRings.list

- cloudkms.cryptoKeys.get

- cloudkms.cryptoKeys.list

- cloudkms.cryptoKeyVersions.list

- cloudkms.importJobs.list

- monitoring.groups.get

- monitoring.groups.list

- monitoring.alertPolicies.get

- monitoring.alertPolicies.list

- monitoring.notificationChannels.get

- monitoring.notificationChannels.list

- monitoring.notificationChannelDescriptors.list

- monitoring.uptimeCheckConfigs.get

- monitoring.uptimeCheckConfigs.list

- monitoring.monitoredResourceDescriptors.list

- monitoring.timeSeries.list

- pubsub.topics.get

- pubsub.topics.list

- pubsub.subscriptions.list

- pubsub.subscriptions.get

- pubsub.subscriptions.list

- pubsublite.topics.list

- pubsublite.reservations.list

- pubsublite.subscriptions.get

- pubsublite.subscriptions.list

Step 3.4

The Connection type is already selected as Automatic, and a JSON key file will be automatically created by the shell script.

To set up a GCP project, ensure you have the necessary permissions to create roles and service accounts!

Step 4

Step 5

Open Shell console

Step 6

Copy your Project ID and Run.sh script below. Insert your GCP project ID instead of “PROJECT_ID”

sh <(curl -s https://uniskai-eu-templates.s3.eu-central-1.amazonaws.com/gcp/create_serviceaccount.sh?versionId=0YeAa4DYoutsOp4h9XKdjKAHF2HMArFg) PROJECT_ID read

Step 7

Click Authorize to authorize Cloud Shell

Step 8

Wait until the script is finished. Then click Open editor

Step 9

Find and mouse right-click your project and save the JSON. Upload it to the Uniskai tab.
If you want to add billing, copy client_email for the following steps