Aviatrix controller provides unified control and management plane for Google Cloud. Aviatrix allows enterprises to on-board hundreds of GCP projects/accounts into the controller. Once these projects are on-boarded, Aviatrix controller is intelligent to control and manage networking and security across those projects.
On the Aviatrix document page one of the options is to use the “Editor” service account to on-board the project.
This might not be desirable for many enterprises as they would want to use least privileged service account credentials. In such a situation Aviatrix recommendation is to have at least following roles assigned to service account so that Aviatrix can perform its functions properly. For instance managing the compute resources, route tables, firewall rules, shared service vpc network etc.
- Compute Admin
- Service Account User
- Organization Administrator (optional and required for Shared VPC)
- Project IAM Admin (optional and required for Shared VPC)
Compute Admin role
|Full control of all Compute Engine resources. If the user will be managing virtual machine instances that are configured to run as a service account, you must also grant the |
Service Account User role
|Run operations as the service account.|