Required Permissions
This page lists the IAM roles that must be granted to deploy the Zilliz BYOC data plane in your VPC network. Each role carries a condition where the table shows one; the condition scopes the grant to a single bucket or cluster and should not be dropped in favour of a project-wide binding.
Zilliz BYOC is generally available. For access and implementation details, contact Zilliz Cloud sales.
Storage service account
Create a Cloud Storage bucket and a storage service account so that Zilliz Cloud can assume the service account to access that bucket.
The following table lists the roles to assign to the storage service account. Both grants are conditioned on the name of the target bucket, so the service account gets no access to other buckets in the project.
| Role | Description | Condition |
|---|---|---|
| | Grants full control of objects, including listing, creating, viewing, and deleting objects. | Name of the target bucket |
| | Grants permission to view buckets and their metadata, excluding IAM policies. | Name of the target bucket |
GKE service account
Create a GKE service account so that Zilliz Cloud can assume it to manage GKE clusters.
The following table lists the role to assign to the GKE service account. No condition applies.
| Role | Description | Condition |
|---|---|---|
| | Minimal set of permissions required by a GKE node to support standard capabilities such as logging and monitoring. | -- |
Cross-account service account
Create a cross-account service account so that Zilliz Cloud can assume it to manage network resources.
The following table lists the roles to assign to the cross-account service account. The bucket role is conditioned on the target bucket and one of the custom roles on the name of the GKE cluster to be created; the remaining roles are unconditioned.
| Role | Description | Condition |
|---|---|---|
| | Grants permission to view buckets and their metadata, excluding IAM policies. | Name of the target bucket |
| | Provides access to full management of clusters and their Kubernetes API objects. | -- |
| | Binds the following permissions: | Name of the GKE cluster to create |
| | Binds the following permissions: | |
| | Run operations as the service account. | -- |
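After the bindings for the three service accounts above have been applied, it is worth checking the resulting project policy against the role tables rather than trusting the console. The script below is an added example and not code from the Zilliz page: it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints, and for each service account verifies that every listed role is present, that roles the table conditions on a bucket carry a CEL condition pinning `resource.name` to `projects/_/buckets/<bucket>`, that no copy of such a role is granted unconditioned, and that the account holds no role the table does not list. The role names, service-account emails, bucket name and the sample policy are my assumptions (the page's role column did not survive extraction); substitute the roles the tables give you.

```python
"""Audit an exported GCP IAM policy against the per-service-account role table.

Added example, not code from the Zilliz page. Role names, service-account
emails and the bucket name are assumptions; the sample policy is constructed.
"""
import json
import re

# Constructed sample policy (not a real project). It deliberately contains one
# over-broad grant and one unexpected role so the audit has something to find.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {   # object role correctly scoped to the bucket and its objects
            "role": "roles/storage.objectAdmin",
            "members": ["serviceAccount:zilliz-storage@my-project.iam.gserviceaccount.com"],
            "condition": {
                "title": "zilliz-bucket-only",
                "expression": 'resource.name.startsWith("projects/_/buckets/my-bucket/")',
            },
        },
        {   # the same role granted again with no condition: project-wide object access
            "role": "roles/storage.objectAdmin",
            "members": ["serviceAccount:zilliz-storage@my-project.iam.gserviceaccount.com"],
        },
        {   # bucket metadata viewer pinned to exactly one bucket
            "role": "roles/storage.bucketViewer",
            "members": [
                "serviceAccount:zilliz-storage@my-project.iam.gserviceaccount.com",
                "serviceAccount:zilliz-cross@my-project.iam.gserviceaccount.com",
            ],
            "condition": {
                "title": "zilliz-bucket-only",
                "expression": 'resource.name == "projects/_/buckets/my-bucket"',
            },
        },
        {   # cluster management: the table lists no condition
            "role": "roles/container.admin",
            "members": ["serviceAccount:zilliz-cross@my-project.iam.gserviceaccount.com"],
        },
        {   # a role the table never asked for
            "role": "roles/storage.admin",
            "members": ["serviceAccount:zilliz-storage@my-project.iam.gserviceaccount.com"],
        },
    ],
})

# Role table transcribed as {member: [(role, bucket the grant must be scoped to, or None)]}.
REQUIRED = {
    "serviceAccount:zilliz-storage@my-project.iam.gserviceaccount.com": [
        ("roles/storage.objectAdmin", "my-bucket"),
        ("roles/storage.bucketViewer", "my-bucket"),
    ],
    "serviceAccount:zilliz-cross@my-project.iam.gserviceaccount.com": [
        ("roles/storage.bucketViewer", "my-bucket"),
        ("roles/container.admin", None),
        ("roles/iam.serviceAccountUser", None),
    ],
}


def bindings_for(policy, member):
    """Map role -> list of condition expressions (None = unconditioned) for one member."""
    out = {}
    for b in policy.get("bindings", []):
        if member in b.get("members", []):
            cond = b.get("condition")
            out.setdefault(b["role"], []).append(cond["expression"] if cond else None)
    return out


def scoped_to_bucket(expr, bucket):
    """True if the CEL condition pins resource.name to this bucket or its objects."""
    if expr is None:
        return False
    pattern = (r'resource\.name(?:\.startsWith\(|\s*==\s*)"projects/_/buckets/'
               + re.escape(bucket) + r'(?:/[^"]*)?"')
    return re.search(pattern, expr) is not None


def audit(policy_json, required=REQUIRED):
    """Return a list of findings; an empty list means the policy matches the table."""
    findings = []
    policy = json.loads(policy_json)
    for member, roles in required.items():
        have = bindings_for(policy, member)
        for role, bucket in roles:
            exprs = have.get(role)
            if exprs is None:
                findings.append(f"{member}: missing {role}")
                continue
            if bucket is None:
                continue  # the table lists no condition for this role
            if not any(scoped_to_bucket(e, bucket) for e in exprs):
                findings.append(f"{member}: {role} is not scoped to bucket {bucket}")
            if any(e is None for e in exprs):
                findings.append(f"{member}: {role} is also granted without a condition")
        expected = {r for r, _ in roles}
        for role in have:
            if role not in expected:
                findings.append(f"{member}: holds {role}, which is not in the role table")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_POLICY):
        print(line)
```

Run against the sample policy, the audit reports the unconditioned duplicate of the object role, the extra `roles/storage.admin` grant, and the missing `roles/iam.serviceAccountUser` on the cross-account service account. The bucket check accepts both the `startsWith("projects/_/buckets/<bucket>/")` form, which covers the objects in the bucket, and the `== "projects/_/buckets/<bucket>"` form, which covers the bucket resource itself, and rejects a condition on a bucket whose name merely begins with the target name.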