Configure Privileged Access Manager for evict operation
This page describes how to set up Privileged Access Manager to evict LUNs and storage volumes.
Privileged Access Manager ensures that critical operations on sensitive resources, like permanently deleting LUNs and storage volumes, are only performed with a valid justification and for a limited time. For more information, see Privileged Access Manager overview.
Only a project owner or an Identity and Access Management (IAM) administrator can create a custom role, set up Privileged Access Manager, create an entitlement, and approve or deny a grant request.
Before you begin
Create a custom IAM role with the following permissions:
- baremetalsolution.volumes.onDemandEvict
- baremetalsolution.luns.onDemandEvict
To learn how to create a custom role, see Create and manage custom roles.
Set up Privileged Access Manager and grant required permissions.
Create an entitlement
Create an entitlement for the Bare Metal Solution evict operation with the following information:
- Custom role that you created for the evict operation in Before you begin.
- Maximum duration for a grant. For example, 2 hours.
- Approval requirement: we recommend that you make approval mandatory, so that a named approver must authorize each request before access is activated.
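As an added illustration that is not part of this page, the following entitlement definition captures the three settings above in the YAML format that the `gcloud pam entitlements create --entitlement-file` flag accepts. The project ID (`example-project`), custom role ID (`bmsEvictOperator`), and user emails are placeholders.

```yaml
# Entitlement for the Bare Metal Solution evict operation (added example).
# Assumed values: project "example-project", custom role "bmsEvictOperator",
# requester alice@example.com, approver bob@example.com.
privilegedAccess:
  gcpIamAccess:
    resourceType: cloudresourcemanager.googleapis.com/Project
    resource: //cloudresourcemanager.googleapis.com/projects/example-project
    roleBindings:
      # The custom role that holds only baremetalsolution.volumes.onDemandEvict
      # and baremetalsolution.luns.onDemandEvict; no other permission is granted.
      - role: projects/example-project/roles/bmsEvictOperator
# Grants expire automatically; 7200s is the 2-hour maximum used as the example above.
maxRequestDuration: 7200s
eligibleUsers:
  - principals:
      - user:alice@example.com
# Mandatory approval: a grant is not activated until one named approver approves it.
approvalWorkflow:
  manualApprovals:
    requireApproverJustification: true
    steps:
      - approvalsNeeded: 1
        approvers:
          - principals:
              - user:bob@example.com
# Every grant request must carry a free-text justification.
requesterJustificationConfig:
  unstructured: {}
```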
Request Elevated Access
If you're a user who needs to perform an evict operation, you can request a grant against the Bare Metal Solution evict operation entitlement, providing a justification with the request.
You can check your grant request status.
Approve or deny grant
After you request a grant, the approver specified in the entitlement receives your grant request. Once the approver approves the request, your access is activated.
If you're an approver, to learn how to approve a grant, see Approve or deny grants using Google Cloud console.