Before you begin with Kyvos Free on GCP

Applies to:

Kyvos Enterprise

Kyvos Cloud (SaaS on AWS)

Kyvos AWS Marketplace

Kyvos Azure Marketplace

Kyvos GCP Marketplace

Kyvos Single Node Installation (Kyvos SNI)

You must fulfill the following prerequisites to deploy Kyvos in a GCP environment.
Permissions required by Google Console users:

Logged-in users must have the Viewer and Editor role predefined role attached
Logged-in user will need access to VPN, Subnet, Network Interface/Security Group, and Service Account, which will be used by Kyvos to launch compute engines, and Instance Group.
The GCP Terraform template is deployed through the logged-in user, and the resources inside the template are created through the primary service account.
Static External IP will be required. For more information, see Google documentation.
Private Google Access must be enabled for the subnet that you will use for deploying Kyvos.
Secret Manager API Should be enabled.
If ephemeral IP is selected during Kyvos deployment then the address to static must be promoted . Conversely, if ephemeral IP is not selected, then while restarting the VM, following error messages will appear:
1. URLs received via email notification will no longer be correct as the IP will change.
2. URL on Kyvos Manager page to navigate to Kyvos will not be correct as the IP will change.
If the deployment network is in the standard tier, the external static IP should be in the standard tier. Conversely, if the deployment network is in the premium tier, the external static IP should be in the premium tier.
The iam.serviceAccounts.create permission is required for creating a new service account (logged-in user).
Deploying Kyvos in Shared VPC (in the Shared Project), ensure that the following prerequisites are met.
- Add the COMPUTE NETWORK USER permission on the subnet for the following service account:
  [PROJECT_NUMBER]@cloudservices.gserviceaccount.com
- If VPC is in a different project, add the firewall rules:
  - For adding firewall rules, refer to Google documentation to create VPC firewall rules.
  - For Kyvos Firewall rules, do the following:
    1. Ensure that the following ports are opened/allowed in the Firewall inbound rules for all internal communication between Kyvos instances.
      2121, 2181, 2888, 3888, 4000, 6602, 6903, 6703, 45450, 45460, 45461, 45462, 45463, 45464, 45465, 6603, 6702, 6803, 7003, 45440, 6605, 45421, 45564, 4000, 8080, 8081, 8005, 8009, 8443, 8444, 9443, 22 and 9444.
    2. Ensure that the following ports are opened/allowed in the Firewall inbound rules for all internal communication for Kyvos.
      3306, 8030, 8031, 8032, 8033, 8042, 8088, 9083, 8188, 18080, 8050, 8051, 8020, 10020, 19888, 10033, 8188, 9870, 10200, 10000, 10002, 22, 45460, 9866, 8998, and 9867
    3. Ports 22, 8080, and 8081 should be accessible from outside of the cluster from where you want to access the Web application.
If using shared VPC, the VPC must be shared with the project that you want to access.
1. Navigate to the VPC network.
2. Click the Shared VPC.
3. Go to the ATTACHED PROJECTS tab and attach the project.
  NOTE: This should be performed from the project where the shared VPC network originally resides.
When the None option is selected for External IP.
1. Enable Public NAT Gateway, which will let VM connect to Internet Privately without External IP
2. Use respective VPC which has tunneling configured.
  NOTE: If the prerequisites mentioned above are not completed, there will be discrepancies in Installing Kyvos.
For Deployment Service, the primary service account acts as the deployment service and is responsible for provisioning the Kyvos environment. If you choose to use an existing service account, ensure that it has the following required roles:
- roles/deploymentmanager.editor
- roles/compute.networkAdmin
- roles/iam.roleViewer
- roles/resourcemanager.projectIamAdmin
- roles/iam.serviceAccountUser
- roles/compute.instanceAdmin.v1
- roles/cloudscheduler.serviceAgent
- roles/cloudfunctions.admin
- roles/bigquery.user
- roles/bigquery.dataViewer
- roles/config.agent
- roles/bigquery.dataEditor
- roles/storage.admin
- roles/cloudfunctions.invoker
- roles/iam.roleAdmin
- roles/iam.serviceAccountAdmin
- roles/logging.logWriter
- roles/secretmanager.admin
- roles/compute.instanceAdmin
- roles/resourcemanager.projectIamAdmin
- roles/compute.instanceAdmin
- roles/iam.roleAdmin
  The above permissions are only required to launch deployment. To view the resources after deployment, the user must have permission on the relevant resources.
For Kyvos Service Account, if you choose an existing service account, select the account that includes the necessary IAM roles and permissions. This service account will be attached to the Kyvos VM instance and used to manage its access and permissions.
Following is the list of required IAM Permissions:

List of Custom roles:

deploymentmanager.deployments.list
deploymentmanager.resources.list
deploymentmanager.manifests.list
cloudfunctions.functions.get
dataproc.clusters.list
dataproc.clusters.get
compute.disks.setLabels
compute.instances.start
compute.instances.stop
compute.instances.list
compute.instances.setLabels
storage.buckets.get
storage.buckets.list
storage.objects.create
storage.objects.delete
storage.buckets.update

compute.disks.get
compute.instances.get
dataproc.clusters.update
storage.objects.get
storage.objects.list
storage.objects.update
cloudfunctions.functions.update
compute.subnetworks.get
resourcemanager.projects.getIamPolicy
compute.firewalls.list
iam.roles.get
compute.machineTypes.get
compute.machineTypes.list
compute.instances.setMachineType
compute.instances.setMetadata
secretmanager.versions.access
Secretmanager.versions.add