Google Cloud organizes resources in a way that resembles a file system, where:
- The Organization at the top level can have multiple Folders.
- Every Folder can contain other Folders, or can contain Projects, where every Project has a unique ID.
- Cloud resources (such as VMs, VPCs, and subnets) are contained within a Project.
While the Organization and Folder levels are useful areas to understand from the Google Cloud perspective, the Project level is the most relevant from the Cisco Cloud APIC perspective.
Each Cisco Cloud APIC tenant is mapped one-to-one to a Google Cloud Project, which means that:
With Cisco Cloud APIC, Google Cloud provides access to Projects using Service Accounts. These accounts are meant for applications that need to access Google Cloud services. They can be used to run and deploy Cisco Cloud APIC and to push policies for other tenants. Service Accounts used in applications running within Google Cloud do not need credentials, whereas applications that are run external to Google Cloud need a pre-generated private key. Service Accounts reside in one Google Cloud Project, but they can also be given access to manage policies for other Projects (for Cisco Cloud APIC, other tenants).
The following sections provide more information on different ways that Cisco Cloud APIC tenants can be configured with Google Cloud:
User Tenants With Managed Credentials
This type of user tenant has the following characteristics:
- This tenant account is managed by the Cisco Cloud APIC.
- You will first choose Managed Identity in the Cisco Cloud APIC GUI as part of the tenant configuration process for this type of user tenant.
- After you have configured the necessary parameters in the Cisco Cloud APIC, you must then set the necessary roles for this tenant in Google Cloud. Add the service account created by the Cloud APIC as an IAM user with the following roles:
For instructions on creating this sort of tenant, see Creating a Managed Tenant Using the Cisco Cloud APIC GUI.
User Tenants With Unmanaged Credentials
This type of user tenant has the following characteristics:
- This tenant account is not managed by the Cisco Cloud APIC.
- Before configuring the necessary parameters in the Cisco Cloud APIC for this type of tenant, you must first download the JSON file that contains the necessary private key information from Google Cloud for the service account associated with this tenant.
- You will then choose Unmanaged Identity in the Cisco Cloud APIC GUI as part of the tenant configuration process for this type of user tenant. As part of the configuration process for this type of tenant in Cisco Cloud APIC, you will provide the following information from the downloaded JSON file:
  - Key ID
  - RSA Private Key
  - Client ID
  - Email
For instructions on creating this sort of tenant, see Creating an Unmanaged Tenant Using the Cisco Cloud APIC GUI.
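As an added example (not Cisco's or Google's code), the following Python reads a downloaded service-account key file, checks that it is the right kind of file, and pulls out the four values the unmanaged tenant configuration asks for, plus the Project the service account belongs to. The sample JSON and every value in it are constructed; the email pattern and the PEM framing check are assumptions about the key file layout, not a documented contract.

```python
import base64
import json
import re

# Constructed sample of a Google Cloud service-account key file. All values are
# placeholders; the private_key body is base64 of a dummy string, not a real RSA key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project-123",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\n"
                   + base64.b64encode(b"constructed placeholder, not a real key").decode()
                   + "\n-----END PRIVATE KEY-----\n",
    "client_email": "capic-tenant@example-project-123.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

# Assumed shapes: <account>@<project-id>.iam.gserviceaccount.com and a PEM block
# (PKCS#8 or PKCS#1 framing) whose body is base64.
EMAIL_RE = re.compile(r"^[a-z][a-z0-9-]{5,29}@([a-z][a-z0-9-]{4,28}[a-z0-9])\.iam\.gserviceaccount\.com$")
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END (?:RSA )?PRIVATE KEY-----")
REQUIRED = ("private_key_id", "private_key", "client_id", "client_email")


def extract_tenant_fields(key_json: str) -> dict:
    """Validate a service-account key file and return the values Cloud APIC asks for."""
    data = json.loads(key_json)
    if data.get("type") != "service_account":
        raise ValueError("not a service-account key file")  # e.g. a user OAuth credential
    missing = [k for k in REQUIRED if k not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    pem_match = PEM_RE.fullmatch(data["private_key"].strip())
    if not pem_match:
        raise ValueError("private_key is not a PEM-framed key")
    base64.b64decode("".join(pem_match.group(1).split()), validate=True)  # raises on bad base64
    email_match = EMAIL_RE.fullmatch(data["client_email"])
    if not email_match:
        raise ValueError("client_email is not a service-account address")
    project = email_match.group(1)
    if data.get("project_id") and data["project_id"] != project:
        raise ValueError("project_id does not match the Project in client_email")
    return {
        "key_id": data["private_key_id"],
        "rsa_private_key": data["private_key"],
        "client_id": data["client_id"],
        "email": data["client_email"],
        "project_id": project,  # the Google Cloud Project this tenant maps to one-to-one
    }


def redact_for_log(fields: dict) -> dict:
    """Copy that is safe to log or display: the private key stays out of log output."""
    safe = dict(fields)
    safe["rsa_private_key"] = f"<redacted, {len(fields['rsa_private_key'])} bytes>"
    return safe
```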