Onboarding Permissions for GCP - Assessment + Governance

Introduction

As part of the GCP account preparation required before onboarding cloud accounts into CoreStack, you will need to create least privilege policies: individual policies, attached to your cross-account role, that allow CoreStack to access only the GCP data it needs in order to create its reports.

After cloning the GitHub repo (https://github.com/corestacklabs/Onboarding_Templates.git), refer to the template at the path below that matches the type of access you wish to grant CoreStack:

  • FinOps: GCP/Assesment+gov-module-proj/finops/
  • SecOps: GCP/Assesment+gov-module-proj/secops/
  • CloudOps: GCP/Assesment+gov-module-proj/cloudops/

Each least privilege policy grants the permissions needed for a set of core functions in the CoreStack application. The policies are listed below, organized by product bundle:

FinOps

Capability: Billing Account
Description: These permissions are required for onboarding a GCP Billing Account. Once the billing account is onboarded, users can proceed with Linked Project onboarding, segregating projects according to the needs of the bundles listed here.
Least Privilege Permissions:
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.list
  • compute.regions.get
  • compute.regions.list
  • compute.zones.get
  • compute.zones.list
  • resourcemanager.projects.get

Capability: Cost Visibility and Usage
Description: Allow CoreStack to pull cost data from your GCP cloud account and display it as part of cost posturing.
Least Privilege Permissions:
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.list

Capability: Cost Optimization Dashboard
Description: Allow CoreStack to monitor the utilization of your cloud resources in order to provide cost optimization recommendations through FinOps policies, retrieve native recommendations from GCP, and offer remediation actions.
Least Privilege Permissions:
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.timeSeries.list
  • recommender.cloudsqlIdleInstanceRecommendations.get
  • recommender.cloudsqlIdleInstanceRecommendations.list
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.get
  • recommender.cloudsqlOverprovisionedInstanceRecommendations.list
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.get
  • recommender.cloudsqlUnderProvisionedInstanceRecommendations.list
  • recommender.computeAddressIdleResourceRecommendations.get
  • recommender.computeAddressIdleResourceRecommendations.list
  • recommender.computeDiskIdleResourceRecommendations.get
  • recommender.computeDiskIdleResourceRecommendations.list
  • recommender.computeImageIdleResourceRecommendations.get
  • recommender.computeImageIdleResourceRecommendations.list
  • recommender.computeInstanceIdleResourceRecommendations.get
  • recommender.computeInstanceIdleResourceRecommendations.list
  • recommender.computeInstanceMachineTypeRecommendations.get
  • recommender.computeInstanceMachineTypeRecommendations.list
  • recommender.spendBasedCommitmentRecommendations.get
  • recommender.spendBasedCommitmentRecommendations.list
  • recommender.usageCommitmentRecommendations.get
  • recommender.usageCommitmentRecommendations.list

Capability: Resource Inventory
Description: In order to provide cost recommendations through the FinOps cost policies, CoreStack pulls resources from GCP. Note that this set includes write permissions (resize, delete, start, stop, update) used for remediation actions.
Least Privilege Permissions:
  • compute.disks.resize
  • compute.instances.delete
  • bigquery.datasets.get
  • bigquery.jobs.get
  • bigquery.jobs.list
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigtable.tables.get
  • bigtable.tables.list
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.instances.get
  • cloudsql.instances.list
  • compute.addresses.delete
  • compute.addresses.get
  • compute.addresses.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.disks.delete
  • compute.disks.get
  • compute.diskTypes.get
  • compute.diskTypes.list
  • compute.images.list
  • compute.instances.get
  • compute.instances.list
  • compute.instances.start
  • compute.instances.stop
  • compute.instances.update
  • compute.regions.get
  • compute.regions.list
  • compute.reservations.get
  • compute.reservations.list
  • compute.zones.get
  • compute.zones.list

Capability: Cost Budget
Description: Allow CoreStack to display cloud-native budgets from the CoreStack portal.
Least Privilege Permissions:
  • billing.budgets.create
  • billing.budgets.get
  • billing.budgets.list

SecOps

Capability: Governance Configuration > Vulnerability Assessments and Threats
Description: Allow CoreStack to display vulnerabilities and threats from GCP Security Command Center.
Least Privilege Permissions:
  • securitycenter.containerthreatdetectionsettings.get
  • securitycenter.containerthreatdetectionsettings.update
  • securitycenter.eventthreatdetectionsettings.calculate
  • securitycenter.eventthreatdetectionsettings.get
  • securitycenter.eventthreatdetectionsettings.update
  • securitycenter.findings.group
  • securitycenter.findings.list
  • securitycenter.findings.listFindingPropertyNames
  • securitycenter.rapidvulnerabilitydetectionsettings.get
  • securitycenter.rapidvulnerabilitydetectionsettings.update
  • securitycenter.securitycentersettings.get
  • securitycenter.securitycentersettings.update
  • securitycenter.securityhealthanalyticssettings.get
  • securitycenter.securityhealthanalyticssettings.update
  • securitycenter.sources.get
  • securitycenter.sources.list
  • securitycenter.subscription.get
  • securitycenter.virtualmachinethreatdetectionsettings.get
  • securitycenter.virtualmachinethreatdetectionsettings.update
  • securitycenter.websecurityscannersettings.get
  • securitycenter.websecurityscannersettings.update

Capability: Guardrails/Policies
Description: Allow CoreStack to run security policies against your cloud resources in order to detect violations and remediate some of the violating resources.
Least Privilege Permissions:
  • compute.disks.list
  • compute.instances.get
  • compute.instances.list
  • compute.networks.list
  • compute.networks.get
  • compute.projects.get
  • compute.regions.get
  • compute.regions.list
  • compute.subnetworks.list
  • compute.zones.get
  • compute.zones.list
  • container.clusters.get
  • container.clusters.list
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.instances.get
  • cloudsql.instances.list

Capability: Compliance Standards
Description: Allow CoreStack to run Compliance Standards, such as the GCP Cloud Adoption Framework (CAF), against your cloud resources. The permission set is the same as for Guardrails/Policies.
Least Privilege Permissions:
  • compute.disks.list
  • compute.instances.get
  • compute.instances.list
  • compute.networks.list
  • compute.networks.get
  • compute.projects.get
  • compute.regions.get
  • compute.regions.list
  • compute.subnetworks.list
  • compute.zones.get
  • compute.zones.list
  • container.clusters.get
  • container.clusters.list
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.instances.get
  • cloudsql.instances.list

CloudOps

Capability: Activity and Alerts - Governance Configuration > Operations > Activity Log
Description: Allow CoreStack to configure activity logs and alerts; this requires both read and write permissions on logging sinks and Pub/Sub topics and subscriptions.

Note: CoreStack can't configure activity logs and alerts with only read permissions.

Least Privilege Permissions:
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • logging.sinks.list
  • logging.sinks.update
  • logging.views.list
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.setIamPolicy
  • pubsub.topics.getIamPolicy
  • pubsub.topics.setIamPolicy

Capability: Activity and Alerts - Governance Configuration > Operations > Alerts
Description: Allow CoreStack to configure monitoring alerts from a specific template.

Note: CoreStack can't configure monitoring templates with read permissions only.

Least Privilege Permissions:
  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.update
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.publicWidgets.get
  • monitoring.publicWidgets.list
  • monitoring.services.get
  • monitoring.services.list
  • monitoring.slos.get
  • monitoring.slos.list
  • monitoring.snoozes.get
  • monitoring.snoozes.list
  • monitoring.timeSeries.list

Capability: Resource Inventory
Description: Allow CoreStack to pull resources from GCP in order to populate the resource inventory in the portal UI. The set includes the write permissions (update, setLabels, setIamPolicy, create, delete) used for inventory-driven actions such as tagging and starting or stopping instances.
Least Privilege Permissions:
  • appengine.applications.get
  • appengine.instances.list
  • appengine.services.get
  • appengine.services.list
  • appengine.versions.get
  • appengine.versions.list
  • bigquery.datasets.get
  • bigquery.jobs.get
  • bigquery.reservations.get
  • bigquery.reservations.list
  • bigtable.tables.get
  • bigtable.tables.getIamPolicy
  • bigtable.tables.list
  • cloudfunctions.functions.get
  • cloudfunctions.functions.list
  • cloudiot.registries.get
  • cloudiot.registries.list
  • cloudsecurityscanner.scans.list
  • cloudsql.databases.get
  • cloudsql.databases.list
  • cloudsql.instances.get
  • cloudsql.instances.list
  • cloudsql.instances.update
  • composer.environments.list
  • compute.addresses.get
  • compute.addresses.list
  • compute.autoscalers.get
  • compute.autoscalers.list
  • compute.backendBuckets.get
  • compute.backendBuckets.getIamPolicy
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.getIamPolicy
  • compute.backendServices.list
  • compute.commitments.get
  • compute.commitments.list
  • compute.disks.createSnapshot
  • compute.disks.get
  • compute.disks.getIamPolicy
  • compute.disks.list
  • compute.disks.setLabels
  • compute.diskTypes.get
  • compute.diskTypes.list
  • compute.externalVpnGateways.list
  • compute.firewalls.list
  • compute.images.get
  • compute.images.list
  • compute.images.setLabels
  • compute.instances.get
  • compute.instanceGroups.create
  • compute.instanceGroups.delete
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.instances.list
  • compute.instances.setLabels
  • compute.instances.start
  • compute.instances.stop
  • compute.instanceTemplates.create
  • compute.instanceTemplates.delete
  • compute.instanceTemplates.get
  • compute.instanceTemplates.getIamPolicy
  • compute.instanceTemplates.list
  • compute.interconnects.get
  • compute.machineTypes.get
  • compute.machineTypes.list
  • compute.networkEndpointGroups.get
  • compute.networks.get
  • compute.networks.list
  • compute.regions.get
  • compute.regions.list
  • compute.reservations.get
  • compute.reservations.list
  • compute.routers.list
  • compute.routes.get
  • compute.securityPolicies.get
  • compute.snapshots.get
  • compute.snapshots.setLabels
  • compute.sslPolicies.list
  • compute.targetHttpProxies.get
  • compute.targetPools.get
  • compute.vpnGateways.list
  • compute.zones.get
  • compute.zones.list
  • container.clusters.get
  • container.clusters.list
  • dataflow.jobs.list
  • dns.managedZones.get
  • dns.managedZones.list
  • file.backups.list
  • file.instances.list
  • file.locations.list
  • iam.serviceAccounts.get
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • logging.sinks.list
  • logging.sinks.update
  • logging.views.list
  • monitoring.alertPolicies.create
  • monitoring.alertPolicies.delete
  • monitoring.alertPolicies.get
  • monitoring.alertPolicies.list
  • monitoring.alertPolicies.update
  • monitoring.dashboards.get
  • monitoring.dashboards.list
  • monitoring.groups.get
  • monitoring.groups.list
  • monitoring.metricDescriptors.get
  • monitoring.metricDescriptors.list
  • monitoring.monitoredResourceDescriptors.get
  • monitoring.monitoredResourceDescriptors.list
  • monitoring.notificationChannelDescriptors.get
  • resourcemanager.folders.get
  • resourcemanager.folders.list
  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • storage.buckets.get
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.list
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.topics.attachSubscription
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.detachSubscription
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.publish
  • pubsub.topics.update
  • pubsub.subscriptions.getIamPolicy
  • pubsub.subscriptions.setIamPolicy
  • pubsub.topics.getIamPolicy
  • pubsub.topics.setIamPolicy
  • bigquery.datasets.update
  • bigquery.datasets.setIamPolicy
  • appengine.applications.update
  • appengine.services.update
  • cloudfunctions.functions.update
  • run.jobs.update
  • run.services.update
  • storage.buckets.update
  • container.clusters.update

Note:

Some permissions listed in this guide are not applicable when creating a project-level custom role. Those permissions can be assigned to a custom role only when creating a custom role at the organization-level.

Omitting the permissions below has the following effects:

  • billing.budgets.create: CoreStack won't be able to create a cloud-native budget through the main portal, whereas CoreStack budget alerts can still be configured.
  • billing.budgets.get/list: CoreStack won't be able to list cloud-native budgets through the portal.
  • billing.budgets.update: CoreStack won't be able to update cloud-native budgets through the main portal.
  • resourcemanager.folders.get/list: CoreStack won't be able to pull the folders listed as part of an organization.
  • securitycenter.subscription.get: CoreStack won't be able to identify the Security Command Center subscription details. This is needed for access validation to configure threats.
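Before attaching a custom role to the cross-account identity, it is worth checking that the role you actually created matches the documented least-privilege set, carries no undocumented write permissions, and does not include organization-level-only permissions in a project-level role (the situation the note above describes). The script below is an added example and is not part of the CoreStack onboarding templates or the Onboarding_Templates repo. The permission sets are copied from the FinOps "Cost Visibility and Usage" and "Cost Budget" rows above and the organization-level-only list comes from the note; the role being audited is a constructed sample, and the project id is a placeholder.

```python
"""Audit a GCP custom role against a documented least-privilege permission set.

Added example (not part of the CoreStack onboarding templates). The permission
sets are taken from the FinOps rows of this page; the audited role is a
constructed sample and PROJECT_ID_PLACEHOLDER is a placeholder.
"""
from dataclasses import dataclass, field

# Documented least-privilege sets (FinOps "Cost Visibility and Usage" and
# "Cost Budget" rows above).
FINOPS_COST_VISIBILITY = frozenset({
    "storage.buckets.get", "storage.buckets.list",
    "storage.objects.get", "storage.objects.list",
})
FINOPS_COST_BUDGET = frozenset({
    "billing.budgets.create", "billing.budgets.get", "billing.budgets.list",
})

# Per the note above: grantable only in an organization-level custom role.
ORG_LEVEL_ONLY = frozenset({
    "billing.budgets.create", "billing.budgets.get", "billing.budgets.list",
    "billing.budgets.update",
    "resourcemanager.folders.get", "resourcemanager.folders.list",
    "securitycenter.subscription.get",
})

# Verbs that change state or IAM. An undocumented permission ending in one of
# these is the kind of excess grant a least-privilege review should remove.
WRITE_VERBS = frozenset({
    "create", "delete", "update", "resize", "start", "stop", "publish",
    "setIamPolicy", "setLabels", "attachSubscription", "detachSubscription",
})


@dataclass
class AuditResult:
    missing: set = field(default_factory=set)      # documented but not granted
    extra: set = field(default_factory=set)        # granted but not documented
    extra_write: set = field(default_factory=set)  # undocumented and state-changing
    org_only_at_project: set = field(default_factory=set)  # inapplicable at project level


def audit_role(granted, required, role_level="project"):
    """Compare the permissions granted to a role with the documented set."""
    granted, required = set(granted), set(required)
    result = AuditResult(missing=required - granted, extra=granted - required)
    # The verb is the last dot-separated component of a permission name.
    result.extra_write = {p for p in result.extra if p.rsplit(".", 1)[-1] in WRITE_VERBS}
    if role_level == "project":
        result.org_only_at_project = granted & ORG_LEVEL_ONLY
    return result


def gcloud_create_command(role_id, permissions, project=None, organization=None):
    """Build the `gcloud iam roles create` invocation for a custom role.

    Exactly one of project/organization must be given. Permissions are
    deduplicated and sorted so the generated command is reproducible and
    repeated entries (as seen in hand-maintained lists) are collapsed.
    """
    if (project is None) == (organization is None):
        raise ValueError("give exactly one of project or organization")
    scope = f"--project={project}" if project else f"--organization={organization}"
    perms = ",".join(sorted(set(permissions)))
    return (f"gcloud iam roles create {role_id} {scope} "
            f"--title={role_id} --stage=GA --permissions={perms}")


if __name__ == "__main__":
    # Constructed sample: a project-level role someone hand-built for FinOps.
    SAMPLE_ROLE = FINOPS_COST_VISIBILITY | {
        "billing.budgets.get",      # organization-level only per the note above
        "storage.objects.delete",   # not documented, and destructive
        "compute.instances.list",   # not documented, read-only
    }
    r = audit_role(SAMPLE_ROLE, FINOPS_COST_VISIBILITY | FINOPS_COST_BUDGET)
    print("missing:", sorted(r.missing))
    print("extra:", sorted(r.extra))
    print("extra write:", sorted(r.extra_write))
    print("org-only at project level:", sorted(r.org_only_at_project))
    print(gcloud_create_command("corestack_finops_cost", FINOPS_COST_VISIBILITY,
                                project="PROJECT_ID_PLACEHOLDER"))
```

To audit a real role, feed `audit_role` the `includedPermissions` list from `gcloud iam roles describe` and the permission set for the bundle you are onboarding; treat anything in `extra_write` as a finding to remove, and anything in `org_only_at_project` as a permission that must move to an organization-level role if you need the capability it backs.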