Merge pull request #101987 from AedinC/OSDOCS-17271

AedinC · web-flow · commit 3fa5566370c6 · 2025-12-22T13:56:49.000Z
OSDOCS-17271:Add new required roles for Google Cloud marketplace billing module
diff --git a/modules/ccs-gcp-customer-procedure-wif.adoc b/modules/ccs-gcp-customer-procedure-wif.adoc
@@ -6,6 +6,8 @@
 
 = Workload Identity Federation authentication type procedure
 // TODO: Same as other module - Better procedure heading that tells you what this is doing
+
+[role="_abstract"]
 Besides the required customer procedures listed in _Required customer procedure_, there are other specific actions that you must take when creating an {product-title} cluster on {GCP} using Workload Identity Federation (WIF) as the authentication type.
 
 .Procedure
@@ -28,80 +30,91 @@ The following roles are only required when creating, updating, or deleting WIF c
 Required by the {gcp-short} client in the OCM CLI for creating custom role.
 
 |`roles/iam.roleAdmin`
-|* iam.roles.create
-* iam.roles.delete
-* iam.roles.get
-* iam.roles.list
-* iam.roles.undelete
-* iam.roles.update
-* resourcemanager.projects.get
-* resourcemanager.projects.getIamPolicy
+
+|iam.roles.create
+
+iam.roles.delete
+
+iam.roles.get
+
+iam.roles.list
+
+iam.roles.undelete
+
+iam.roles.update
+
+resourcemanager.projects.get
+resourcemanager.projects.getIamPolicy
 
 |Service Account Admin
 
 Required for the pre-creation of the service accounts used by the deployer, support, and Operators.
 |`roles/iam.serviceAccountAdmin`
-|* iam.serviceAccountApiKeyBindings.create
-* iam.serviceAccountApiKeyBindings.delete
-* iam.serviceAccountApiKeyBindings.undelete
-* iam.serviceAccounts.create
-* iam.serviceAccounts.createTagBinding
-* iam.serviceAccounts.delete
-* iam.serviceAccounts.deleteTagBinding
-* iam.serviceAccounts.disable
-* iam.serviceAccounts.enable
-* iam.serviceAccounts.get
-* iam.serviceAccounts.getIamPolicy
-* iam.serviceAccounts.list
-* iam.serviceAccounts.listEffectiveTags
-* iam.serviceAccounts.listTagBindings
-* iam.serviceAccounts.setIamPolicy
-* iam.serviceAccounts.undelete
-* iam.serviceAccounts.update
-* resourcemanager.projects.get
-* resourcemanager.projects.list
+
+a| iam.serviceAccountApiKeyBindings.create
+iam.serviceAccountApiKeyBindings.delete
+iam.serviceAccountApiKeyBindings.undelete
+iam.serviceAccounts.create
+iam.serviceAccounts.create
+iam.serviceAccounts.create
+iam.serviceAccounts.createTagBinding
+iam.serviceAccounts.delete
+iam.serviceAccounts.deleteTagBinding
+iam.serviceAccounts.disable
+iam.serviceAccounts.enable
+iam.serviceAccounts.get
+iam.serviceAccounts.getIamPolicy
+iam.serviceAccounts.list
+iam.serviceAccounts.listEffectiveTags
+iam.serviceAccounts.listTagBindings
+iam.serviceAccounts.setIamPolicy
+iam.serviceAccounts.undelete
+iam.serviceAccounts.update
+resourcemanager.projects.get
+resourcemanager.projects.list
 
 |Workload Identity Pool Admin
 
 Required to create and configure the workload identity pool.
 |`roles/iam.workloadIdentityPoolAdmin`
-|* iam.googleapis.com/workloadIdentityPoolProviderKeys.create
-* iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
-* iam.googleapis.com/workloadIdentityPoolProviderKeys.get
-* iam.googleapis.com/workloadIdentityPoolProviderKeys.list
-* iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
-* iam.googleapis.com/workloadIdentityPoolProviders.create
-* iam.googleapis.com/workloadIdentityPoolProviders.delete
-* iam.googleapis.com/workloadIdentityPoolProviders.get
-* iam.googleapis.com/workloadIdentityPoolProviders.list
-* iam.googleapis.com/workloadIdentityPoolProviders.undelete
-* iam.googleapis.com/workloadIdentityPoolProviders.update
-* iam.googleapis.com/workloadIdentityPools.create
-* iam.googleapis.com/workloadIdentityPools.delete
-* iam.googleapis.com/workloadIdentityPools.get
-* iam.googleapis.com/workloadIdentityPools.list
-* iam.googleapis.com/workloadIdentityPools.undelete
-* iam.googleapis.com/workloadIdentityPools.update
-* iam.workloadIdentityPools.createPolicyBinding
-* iam.workloadIdentityPools.deletePolicyBinding
-* iam.workloadIdentityPools.searchPolicyBindings
-* iam.workloadIdentityPools.updatePolicyBinding
-* resourcemanager.projects.get
-* resourcemanager.projects.list
+
+a| iam.googleapis.com/workloadIdentityPoolProviderKeys.create
+iam.googleapis.com/workloadIdentityPoolProviderKeys.delete
+iam.googleapis.com/workloadIdentityPoolProviderKeys.get
+iam.googleapis.com/workloadIdentityPoolProviderKeys.list
+iam.googleapis.com/workloadIdentityPoolProviderKeys.undelete
+iam.googleapis.com/workloadIdentityPoolProviders.create
+iam.googleapis.com/workloadIdentityPoolProviders.delete
+iam.googleapis.com/workloadIdentityPoolProviders.get
+iam.googleapis.com/workloadIdentityPoolProviders.list
+iam.googleapis.com/workloadIdentityPoolProviders.undelete
+iam.googleapis.com/workloadIdentityPoolProviders.up
+iam.googleapis.com/workloadIdentityPools.delete
+iam.googleapis.com/workloadIdentityPools.get
+iam.googleapis.com/workloadIdentityPools.list
+iam.googleapis.com/workloadIdentityPools.undelete
+iam.googleapis.com/workloadIdentityPools.update
+iam.workloadIdentityPools.createPolicyBinding
+iam.workloadIdentityPools.deletePolicyBinding
+iam.workloadIdentityPools.searchPolicyBindings
+iam.workloadIdentityPools.updatePolicyBinding
+resourcemanager.projects.get
+resourcemanager.projects.list
 
 |Project IAM Admin
 
 Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.
 |`roles/resourcemanager.projectIamAdmin`
-|* iam.policybindings.get
-* iam.policybindings.list
-* resourcemanager.projects.createPolicyBinding
-* resourcemanager.projects.deletePolicyBinding
-* resourcemanager.projects.get
-* resourcemanager.projects.getIamPolicy
-* resourcemanager.projects.searchPolicyBindings
-* resourcemanager.projects.setIamPolicy
-* resourcemanager.projects.updatePolicyBinding
+
+a|iam.policybindings.get
+iam.policybindings.list
+resourcemanager.projects.createPolicyBinding
+resourcemanager.projects.deletePolicyBinding
+resourcemanager.projects.get
+resourcemanager.projects.getIamPolicy
+resourcemanager.projects.searchPolicyBindings
+resourcemanager.projects.setIamPolicy
+resourcemanager.projects.updatePolicyBinding
 
 |===
 
diff --git a/modules/ccs-gcp-customer-procedure.adoc b/modules/ccs-gcp-customer-procedure.adoc
@@ -6,6 +6,7 @@
 
 = Required customer procedure
 
+[role="_abstract"]
 The Customer Cloud Subscription (CCS) model allows Red{nbsp}Hat to deploy and manage {product-title} into a customer's {gcp-first} project. Red{nbsp}Hat requires several prerequisites to be completed before providing these services.
 [NOTE]
 ====
@@ -108,6 +109,12 @@ For more information about configuring {gcp-short} organization policy constrain
 |`orgpolicy.googleapis.com`
 |Used to identify governance rules applied to customer’s {gcp-full} that might impact cluster creation or management.
 
+|link:https://docs.cloud.google.com/marketplace/docs/reference/consumerprocurement/rest[Cloud Commerce Consumer Procurement API]
+|`cloudcommerceconsumerprocurement.googleapis.com`
+|Enables users to procure products from the {gcp-short}  Marketplace. Specifically, this permission is required to validate through this API that customers have accepted the  Marketplace terms and conditions for {product-title}.
+
+This API is required when transacting through the {gcp-short} Marketplace.
+
 |link:https://cloud.google.com/iap/docs/reference/rest[Cloud Identity-Aware Proxy API]
 |`iap.googleapis.com`
 |Used in emergency situations to troubleshoot cluster nodes that are otherwise inaccessible.
diff --git a/modules/ccs-gcp-permissions-marketplace-billing.adoc b/modules/ccs-gcp-permissions-marketplace-billing.adoc
@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * osd_planning/gcp-ccs.adoc
+:_mod-docs-content-type: CONCEPT
+[id="ccs-gcp-permissions-marketplace-billing_{context}"]
+
+= Roles required for {GCP} Marketplace billing
+
+[role="_abstract"]
+To deploy an {product-title} cluster using {GCP} Marketplace-based billing, your {GCP} account must first be prepared. This involves accepting the {GCP} Marketplace terms and agreements for the OpenShift Dedicated product listing. Contact your {GCP} administrator who has the `Consumer Procurement Entitlement Manager` role to enable {product-title} cluster deployments in your {GCP} project.
+
+To automate the checking and acceptance of these terms and agreements during OpenShift Dedicated cluster creation, you must grant the `Consumer Procurement Entitlement Viewer` role to the {GCP} identity (user or service account) that is creating the cluster. The `Consumer Procurement Entitlement Viewer` role includes the necessary permissions to check for existing consent to the {GCP} terms and agreements and grants consent if that has not yet been given.
+
+The following table lists the permissions that are included in the `Consumer Procurement Entitlement Viewer` role.
+
+.Required permissions in the Consumer Procurement Entitlement Viewer role
+[cols="2a,3a,3a",options="header"]
+|===
+
+|Role and description|Console role name|Permissions
+
+|link:https://docs.cloud.google.com/iam/docs/roles-permissions/consumerprocurement[Consumer Procurement Entitlement Viewer]
+
+Allows for the inspecting of entitlements and service states for a consumer project.
+|`consumerprocurement.entitlementViewer`
+|commerceoffercatalog.offers.get
+consumerprocurement.consents.check
+consumerprocurement.consents.list
+consumerprocurement.entitlements.get
+consumerprocurement.entitlements.list
+consumerprocurement.freeTrials.get
+consumerprocurement.freeTrials.list
+orgpolicy.policy.get
+resourcemanager.projects.get
+resourcemanager.projects.list
+serviceusage.consumerpolicy.analyze
+serviceusage.consumerpolicy.get
+serviceusage.effectivepolicy.get
+serviceusage.groups.list
+serviceusage.groups.listExpandedMembers
+serviceusage.groups.listMembers
+serviceusage.services.get
+serviceusage.services.list
+serviceusage.values.test
+
+|===
+
+For more information about {GCP} Marketplace roles and permissions, see link:https://docs.cloud.google.com/marketplace/docs/access-control[Access control with IAM] in the {GCP} documentation.
+
+
+
diff --git a/osd_planning/gcp-ccs.adoc b/osd_planning/gcp-ccs.adoc
@@ -12,8 +12,9 @@ toc::[]
 include::modules/ccs-gcp-understand.adoc[leveloffset=+1]
 include::modules/ccs-gcp-customer-requirements.adoc[leveloffset=+1]
 include::modules/ccs-gcp-customer-procedure.adoc[leveloffset=+1]
-include::modules/ccs-gcp-customer-procedure-wif.adoc[leveloffset=+2]
-include::modules/ccs-gcp-customer-procedure-serviceaccount.adoc[leveloffset=+2]
+include::modules/ccs-gcp-permissions-marketplace-billing.adoc[leveloffset=+1]
+include::modules/ccs-gcp-customer-procedure-wif.adoc[leveloffset=+1]
+include::modules/ccs-gcp-customer-procedure-serviceaccount.adoc[leveloffset=+1]
 include::modules/ccs-gcp-iam.adoc[leveloffset=+1]
 include::modules/ccs-gcp-provisioned.adoc[leveloffset=+1]
 include::modules/gcp-limits.adoc[leveloffset=+1]
