On Demand Cloud Connect - GCP Private prerequisites
This section describes the Google Cloud Platform (GCP) prerequisites for using Evolution Platform Cloud Connect with Private Interconnect.
Here are the prerequisites:
- Creating a Dedicated Service Account
- Defining IAM Permissions
- Assigning the minimum required permissions
Prerequisite 1: Creating a Dedicated Service Account
Google Cloud IAM allows you to create Service Accounts in order to represent technical accounts dedicated to automated services, such as the Evolution platform.
These accounts are not intended for users or developers, but for third-party integrations requiring controlled access to GCP APIs.
We strongly recommend creating a dedicated Service Account for Evolution (for example: evolve-cloudconnect) to ensure a clear separation between:
- User accounts in your organization
- Technical accounts used by third-party services (so-called robot accounts)
This separation helps improve:
- Permission management
- Access traceability
- Overall security
Associated documentation:
Prerequisite 2: Defining IAM Permissions
Once the dedicated Service Account is created, you must assign it IAM roles that precisely define the allowed actions in your GCP project.
Recommendations:
- Grant only the strictly necessary permissions
- Avoid using broad roles such as Owner or Editor
- Prefer:
  - Custom roles
  - Or carefully evaluated predefined roles
- Document the roles associated with this Service Account
Minimum Required Permissions
Below are the minimum IAM permissions that must be assigned to allow Evolution to manage VLAN Attachments for Private Interconnect.
Covered Functionalities:
- Acceptance and management of Private Interconnect connections
- Listing existing VLAN Attachments
- Creating new VLAN Attachments
- Deleting VLAN Attachments
- Listing associated Interconnects
Required IAM Permissions
| Function | Required GCP Permissions |
|---|---|
| List VLAN Attachments | compute.interconnectAttachments.list |
| Read a VLAN Attachment | compute.interconnectAttachments.get |
| Create a VLAN Attachment | compute.interconnectAttachments.create |
| Delete a VLAN Attachment | compute.interconnectAttachments.delete |
Recommended IAM Role
Option 1 – Predefined Role (broader)
roles/compute.interconnectAdmin
⚠️ This role includes more permissions than strictly necessary.
Option 2 – Custom Role (recommended)
Create a Custom IAM Role containing only the following permissions:
- compute.interconnectAttachments.list
- compute.interconnectAttachments.get
- compute.interconnectAttachments.create
- compute.interconnectAttachments.delete
This role must be assigned to the dedicated Service Account used by Evolution.
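To confirm that the Service Account ended up with only what this page lists, the audit below checks its role bindings against the four required permissions. It is an added example, not part of the Evolution documentation; it assumes the inputs are the parsed JSON from `gcloud projects get-iam-policy --format=json` and `gcloud iam roles describe --format=json`, and the project ID, role ID and sample data are constructed placeholders.

```python
# Added example: audit the roles bound to the Evolution service account.
REQUIRED = {  # the four permissions from the table on this page
    "compute.interconnectAttachments.list",
    "compute.interconnectAttachments.get",
    "compute.interconnectAttachments.create",
    "compute.interconnectAttachments.delete",
}
BROAD = {"roles/owner", "roles/editor"}        # roles the page says to avoid
OPTION_1 = "roles/compute.interconnectAdmin"   # predefined, broader than needed

def audit(policy, role_defs, member):
    """policy: parsed `gcloud projects get-iam-policy PROJECT --format=json`.
    role_defs: {role name: parsed `gcloud iam roles describe ... --format=json`}.
    Returns findings; an empty list means exactly the required set is granted."""
    findings, granted = [], set()
    for b in policy.get("bindings", []):
        if member not in b.get("members", []):
            continue
        role = b["role"]
        if role in BROAD:
            findings.append(f"FAIL {role}: broad role bound to {member}")
        elif role == OPTION_1:
            findings.append(f"WARN {role}: more permissions than strictly necessary")
            granted |= REQUIRED  # per the page, Option 1 covers the required set
        elif role in role_defs:
            perms = set(role_defs[role].get("includedPermissions", []))
            extra = sorted(perms - REQUIRED)
            if extra:
                findings.append(f"WARN {role}: extra permissions {extra}")
            granted |= perms
        else:
            findings.append(f"WARN {role}: no definition supplied, review manually")
    missing = sorted(REQUIRED - granted)
    if missing:
        findings.append(f"FAIL not granted by any reviewed role: {missing}")
    return findings

# Constructed sample data (project ID and role ID are placeholders).
SA = "serviceAccount:evolve-cloudconnect@example-project.iam.gserviceaccount.com"
CUSTOM = "projects/example-project/roles/evolveCloudConnect"
POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["user:admin@example.com", SA]},
    {"role": CUSTOM, "members": [SA]},
]}
ROLE_DEFS = {CUSTOM: {"includedPermissions": sorted(REQUIRED - {
    "compute.interconnectAttachments.delete"}) + ["compute.instances.list"]}}

if __name__ == "__main__":
    for line in audit(POLICY, ROLE_DEFS, SA):
        print(line)
```

Bindings on roles that are neither broad, Option 1, nor supplied in `role_defs` are reported for manual review rather than assumed safe.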