Grant Suger the access it needs to manage your GCP Marketplace and Producer Portal on your behalf, no more and no less.

To sell on GCP Marketplace, you must sign up to become a Google Cloud Build partner and a Google Cloud Marketplace vendor. There are several requirements to meet before you can list products or services on Google Cloud Marketplace; more details can be found here.

Once your organization is approved as a Google Cloud Marketplace vendor and integrated with Suger, all product listings, private offers, entitlements and metering on GCP Marketplace can be managed in the Suger platform on your behalf.
Suger relies on workload identity federation to get access to integrate with and manage your GCP Marketplace: Suger's AWS workloads exchange their AWS identity for short-lived Google credentials and impersonate a Service Account in your project, so no Google service account key has to be handed to Suger. Follow the steps below to prepare the resources required for the Suger integration.

Step 1: Set up Workload Identity Federation. Here is the quick link to the setup; more details can be found in the official guideline.

Step 2: Create a Workload Identity Pool to let the Suger AWS Account impersonate the Service Account and access resources on your Google Cloud Marketplace. Here is the official guideline. You can name the Workload Identity Pool suger-wip.

Step 3: Add an Identity Provider to the Workload Identity Pool (created in Step 2). You can name the Identity Provider suger-aws-ip. An AWS provider is tied to a single AWS account ID, so enter the Suger AWS Account ID: only identities from that account can then exchange tokens through this provider.

Step 4: Create a Service Account for the Suger AWS Account to impersonate. You can name the Service Account suger. Grant the Service Account all IAM roles listed below:

- Project Editor
- Service Management Administrator
- Service Config Editor
- Commerce Producer Viewer
- Service Controller, Service Usage Controller and Service Consumer

Project Editor is a basic role and far broader than the others in this list; if "no more and no less" matters to you, confirm with Suger which operations still depend on it before granting it.

The Service Account also needs to be linked within your GCP Producer Portal. Follow the official guidelines to allow the Service Account to access Billing Integration, call the Procurement API and subscribe to the Pub/Sub topic. If you run the gcloud commands from those guidelines as the Service Account rather than as your own user, activate it from its key file:

```shell
gcloud auth activate-service-account --key-file=<path to your service account json file>
```

That key file is a long-lived credential that the integration itself never needs (Suger reaches the Service Account through workload identity federation), so keep it out of source control and delete the key from the Service Account once the one-time setup is done.

The Cloud Commerce Procurement service account must be granted the Service Consumer role on your product's endpoint service (if you run this as the Service Account, the Service Management Administrator role listed above supplies the servicemanagement.services.setIamPolicy permission it needs):

```shell
gcloud endpoints services add-iam-policy-binding \
  "{your-product-service-id}.endpoints.{your-gcp-project-id}.cloud.goog" \
  --member='serviceAccount:cloud-commerce-procurement@system.gserviceaccount.com' \
  --role='roles/servicemanagement.serviceConsumer'
```

Step 5: Grant access to the Service Account via the Workload Identity Federation. Go to the details page of the Workload Identity Pool (created in Step 2), click GRANT ACCESS, select the Service Account (created in Step 4) and save. After you click Grant access to service account, a dialog pops up, as shown below. Select the Identity Provider (created in Step 3); the dialog then generates a credential configuration of the following shape (the *** stand for your own project number, pool, provider and Service Account):

```json
{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/***/locations/global/workloadIdentityPools/***/providers/***",
  "subject_token_type": "urn:ietf:params:aws:token-type:aws4_request",
  "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/***@***.iam.gserviceaccount.com:generateAccessToken",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {
    "environment_id": "aws1",
    "region_url": "http://169.254.169.254/latest/meta-data/placement/availability-zone",
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials",
    "regional_cred_verification_url": "https://sts.{region}.amazonaws.com?Action=GetCallerIdentity&Version=2011-06-15"
  }
}
```

This configuration contains no secret: it only names the provider (the audience), the STS token exchange endpoint and the Service Account to impersonate, which is why it can be given to Suger. The entries under credential_source point at the AWS instance metadata endpoint of Suger's workload and are resolved there, not in your project.

What the grant actually does is add the principal principalSet://iam.googleapis.com/projects/gcp-project-number/locations/global/workloadIdentityPools/suger-wip/* with the role Workload Identity User (roles/iam.workloadIdentityUser) in the permissions of the service account. The trailing /* matches every identity the pool admits, so the providers you attach to the pool, and the AWS account ID on each, are what bound who can impersonate the Service Account.
Click the CONNECT button and fill in the GCP integration dialog on the Suger Console with the information below:

- Workload Identity Pool: the pool created in Step 2.
- Identity Provider: the provider created in Step 3.
- Service Account: the account created in Step 4.
- Project ID: the ID of the GCP project that holds them.
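The whole procedure above (Steps 1 to 5 plus the Procurement binding) as one gcloud script. This is an example added by the editor, not Suger's or Google's own tooling; the project ID, project number, product service ID and the placeholder AWS account ID are assumptions, and the role IDs were mapped from the display names on this page by the editor. With DRY_RUN=1, the default, it only prints the commands it would run.

```shell
#!/bin/sh
# Editor's example, not Suger's or Google's tooling: provisions the resources from
# Steps 1 to 5 (plus the Procurement binding) with gcloud. The project ID, project
# number, product service ID and the AWS account ID below are assumptions; replace
# the last one with the ID Suger gives you. DRY_RUN=1 (default) only prints commands.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"                    # assumption
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"              # assumption
PRODUCT_SERVICE_ID="${PRODUCT_SERVICE_ID:-my-product}"        # assumption
SUGER_AWS_ACCOUNT_ID="${SUGER_AWS_ACCOUNT_ID:-111122223333}"  # placeholder, use Suger's
POOL_ID="${POOL_ID:-suger-wip}"
PROVIDER_ID="${PROVIDER_ID:-suger-aws-ip}"
SA_ID="${SA_ID:-suger}"
SA_EMAIL="${SA_ID}@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Full resource name of the provider; it is also the "audience" in the credential config.
provider_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID"
}

# Principal set bound in Step 5. The trailing /* admits every identity the pool's
# providers accept, so the provider's AWS account ID is what bounds access.
pool_principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/*' \
    "$PROJECT_NUMBER" "$POOL_ID"
}

# Step 1: the APIs that token exchange and impersonation go through.
enable_apis() {
  run gcloud services enable iam.googleapis.com iamcredentials.googleapis.com \
    sts.googleapis.com --project="$PROJECT_ID"
}

# Steps 2 and 3: the pool and an AWS provider pinned to Suger's AWS account.
create_pool_and_provider() {
  run gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global --display-name="Suger"
  run gcloud iam workload-identity-pools providers create-aws "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" --account-id="$SUGER_AWS_ACCOUNT_ID"
}

# Step 4: the Service Account Suger impersonates. Role IDs were mapped from the
# display names on the page by the editor; verify them in the console, and add the
# Service Usage Controller role from there (its ID is not listed here).
create_service_account() {
  run gcloud iam service-accounts create "$SA_ID" --project="$PROJECT_ID" --display-name="Suger"
  for role in roles/editor roles/servicemanagement.admin roles/servicemanagement.configEditor \
      roles/commerceproducer.viewer roles/servicemanagement.serviceController \
      roles/servicemanagement.serviceConsumer; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$SA_EMAIL" --role="$role"
  done
}

# Producer Portal step: the Procurement account becomes a Service Consumer of the product service.
grant_procurement_consumer() {
  run gcloud endpoints services add-iam-policy-binding \
    "${PRODUCT_SERVICE_ID}.endpoints.${PROJECT_ID}.cloud.goog" \
    --member="serviceAccount:cloud-commerce-procurement@system.gserviceaccount.com" \
    --role="roles/servicemanagement.serviceConsumer"
}

# Step 5: let identities admitted by the pool impersonate the Service Account.
grant_pool_access() {
  run gcloud iam service-accounts add-iam-policy-binding "$SA_EMAIL" \
    --project="$PROJECT_ID" --role="roles/iam.workloadIdentityUser" \
    --member="$(pool_principal_set)"
}

# Writes the same external_account JSON that the GRANT ACCESS dialog shows.
write_cred_config() {
  run gcloud iam workload-identity-pools create-cred-config "$(provider_resource)" \
    --service-account="$SA_EMAIL" --aws --output-file="$1"
}

# A generated config is safe to hand to Suger only if it is an external_account
# config and carries no private key; this check refuses anything else.
check_cred_config() {
  grep -q '"type": *"external_account"' "$1" && ! grep -q '"private_key"' "$1"
}

enable_apis
create_pool_and_provider
create_service_account
grant_procurement_consumer
grant_pool_access
write_cred_config "suger-wif-credentials.json"
```

Run it with DRY_RUN=0 from a shell authenticated as a project owner to execute the commands. The pool, provider and Service Account it creates, together with PROJECT_ID, are exactly the four values the CONNECT dialog asks for, and check_cred_config is the test to apply to any credential configuration before it leaves your hands.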
Editing an existing GCP integration is not supported. The practical way is to delete it and then reconnect it with the new inputs.

The GCP integration can be deleted like any other integration. Once the deletion is triggered, all integration information is deleted from Suger immediately and permanently; there is no grace period and no way to recover it. Deletion only removes Suger's record: the Workload Identity Pool, Identity Provider, Service Account and IAM bindings stay in your GCP project until you remove them there, so do that as well if you are ending the integration for good.
The GCP Marketplace currently does not expose comprehensive API capabilities for operations. To let Suger manage your GCP Marketplace on your behalf more completely, we recommend granting the 'Suger GCP User Account' specific IAM roles within your GCP project. These roles include:

If you wish to enable Suger to support resell offer discounts (CPPO), also grant the 'Suger GCP User Account' additional IAM roles within your GCP organization (not the GCP project). These roles are:

Note that the 'Suger GCP User Account' is a separate principal from the Service Account created above: the pool and provider do not bound what it can do, so review its grants on their own. By assigning these roles, you give Suger the permissions it needs to manage GCP Marketplace operations on your behalf.