Onboarding Permissions for GCP - Read-Write
Introduction
As part of the GCP account preparation required before onboarding cloud accounts into the platform, you will need to create least privilege policies— individual policies that must be attached to your cross-account role that allow the platform to access the GCP data it needs in order to create its reports.
Pre-configured automation templates for allowing access
You can refer to the paths below to access templates provided based on the type of access you wish to provide for the platform after cloning a GitHub repo (https://github.com/corestacklabs/Onboarding_Templates.git):
- FinOps: GCP/Assesment+gov-module-proj/finops/
- SecOps: GCP/Assesment+gov-module-proj/secops/
- CloudOps: GCP/Assesment+gov-module-proj/cloudops/
Least Privilege Polices by Product (Read-Write)
Each least privilege policy provides the necessary permissions to enable core functions in the platform. The policies for enabling Read-Write access to the platform are listed below organized by product and platform capability:
Note:
Some permissions listed in this guide are not applicable when creating a project-level custom role. Those permissions can be assigned to a custom role only when creating a custom role at the organization-level.
Choosing to skip the below permissions may result in the following effects:
- billing.budgets.create: The platform won't be able to create a cloud-native budget through the main portal, whereas platform-native budget alerts can still be configured.
- billing.budgets.get/list: The platform won't be able to list a cloud-native budget through portal.
- billing.budgets.update: The platform won't be able to update cloud-native budgets through the main portal.
- resourcemanager.folders.get/list: The platform won't be able to pull the folders listed as part of an organization.
- securitycenter.subscription.get: The platform won't be able to identify the Security Command Center subscription details. This is needed for access validation to configure threats.
FinOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Billing Account | These permissions are required for onboarding a GCP Billing Account. Once onboarded, users can proceed with Linked Project onboarding by segregating as per the needs of the bundles listed here. | storage.buckets.getstorage.buckets.liststorage.objects.getstorage.objects.listcompute.regions.getcompute.regions.listcompute.zones.getcompute.zones.listresourcemanager.projects.get |
| Cost Visibility and Usage | Allow the platform to pull cost data from your GCP cloud account and displaying them as part of cost posturing. | storage.buckets.getstorage.buckets.liststorage.objects.getstorage.objects.list |
| Cost Optimization Dashboard | Allow the platform to monitoring the utilization of your cloud resources in order to provide cost optimization recommendations through FinOps policies, retrieve native recommendations from GCP, and offer remediation actions. | monitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.metricDescriptors.getmonitoring.metricDescriptors.listmonitoring.monitoredResourceDescriptors.getmonitoring.publicWidgets.getmonitoring.publicWidgets.listmonitoring.services.getmonitoring.services.listmonitoring.slos.getmonitoring.slos.listmonitoring.snoozes.getmonitoring.snoozes.listmonitoring.timeSeries.listrecommender.cloudsqlIdleInstanceRecommendations.getrecommender.cloudsqlIdleInstanceRecommendations.listrecommender.cloudsqlOverprovisionedInstanceRecommendations.getrecommender.cloudsqlOverprovisionedInstanceRecommendations.listrecommender.cloudsqlUnderProvisionedInstanceRecommendations.getrecommender.cloudsqlUnderProvisionedInstanceRecommendations.listrecommender.computeAddressIdleResourceRecommendations.getrecommender.computeAddressIdleResourceRecommendations.listrecommender.computeDiskIdleResourceRecommendations.getrecommender.computeDiskIdleResourceRecommendations.listrecommender.computeImageIdleResourceRecommendations.getrecommender.computeImageIdleResourceRecommendations.listrecommender.computeInstanceIdleResourceRecommendations.getrecommender.computeInstanceIdleResourceRecommendations.listrecommender.computeInstanceMachineTypeRecommendations.getrecommender.computeInstanceMachineTypeRecommendations.listrecommender.spendBasedCommitmentRecommendations.getrecommender.spendBasedCommitmentRecommendations.listrecommender.usageCommitmentRecommendations.getrecommender.usageCommitmentRecommendations.list |
| Resource Inventory | In order to provide cost recommendations through our FinOps cost policies, we are pulling resources from GCP. | compute.disks.resizecompute.instances.deletebigquery.datasets.getbigquery.jobs.getbigquery.jobs.listbigquery.reservations.getbigquery.reservations.listbigtable.tables.getbigtable.tables.listcloudsql.databases.getcloudsql.databases.listcloudsql.instances.getcloudsql.instances.listcompute.addresses.deletecompute.addresses.getcompute.addresses.listcompute.commitments.getcompute.commitments.listcompute.disks.deletecompute.disks.getcompute.diskTypes.getcompute.diskTypes.listcompute.images.listcompute.instances.getcompute.instances.listcompute.instances.startcompute.instances.stopcompute.instances.updatecompute.regions.getcompute.regions.listcompute.reservations.getcompute.reservations.listcompute.zones.getcompute.zones.list |
| Cost Budget | Allow the platform to display cloud-native budgets from the CoreStack portal. Note: The billing.budget API should be enabled in the billing project for budgets to be synced along with the Viewer permissions. | billing.budgets.createbilling.budgets.getbilling.budgets.list |
SecOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Governance Configuration > Vulnerability Assessments and Threats | Allow the platform to display vulnerabilities and threats from GCP Security Command Center. | securitycenter.containerthreatdetectionsettings.getsecuritycenter.containerthreatdetectionsettings.updatesecuritycenter.eventthreatdetectionsettings.calculatesecuritycenter.eventthreatdetectionsettings.getsecuritycenter.eventthreatdetectionsettings.updatesecuritycenter.findings.groupsecuritycenter.findings.listsecuritycenter.findings.listFindingPropertyNamessecuritycenter.rapidvulnerabilitydetectionsettings.getsecuritycenter.rapidvulnerabilitydetectionsettings.updatesecuritycenter.securitycentersettings.getsecuritycenter.securitycentersettings.updatesecuritycenter.securityhealthanalyticssettings.getsecuritycenter.securityhealthanalyticssettings.updatesecuritycenter.sources.getsecuritycenter.sources.listsecuritycenter.subscription.getsecuritycenter.virtualmachinethreatdetectionsettings.getsecuritycenter.virtualmachinethreatdetectionsettings.updatesecuritycenter.websecurityscannersettings.getsecuritycenter.websecurityscannersettings.update |
| Guardrails/Policies | Allow the platform to run security policies against your cloud resources in order to get violations and remediate some of the violated resources. | compute.disks.listcompute.instances.getcompute.instances.listcompute.networks.listcompute.networks.getcompute.projects.getcompute.regions.getcompute.regions.listcompute.subnetworks.listcompute.zones.getcompute.zones.listcontainer.clusters.getcontainer.clusters.listcloudsql.databases.getcloudsql.databases.listcloudsql.instances.getcloudsql.instances.list |
| Compliance Standards | Allow the platform to run Compliance Standards, such as the GCP Cloud Adoption Framework (CAF), against your cloud resources. | compute.disks.listcompute.instances.getcompute.instances.listcompute.networks.listcompute.networks.getcompute.projects.getcompute.regions.getcompute.regions.listcompute.subnetworks.listcompute.zones.getcompute.zones.listcontainer.clusters.getcontainer.clusters.listcloudsql.databases.getcloudsql.databases.listcloudsql.instances.getcloudsql.instances.list |
CloudOps
| Capability | Description | Least Privilege Permissions |
|---|---|---|
| Activity and Alerts - Governance Configuration > Operations > Activity Log | Allow the platform to configure activity logs and alerts via read and write permissions. Note: The platform can't configure activity logs and alerts with only read permissions. | logging.sinks.createlogging.sinks.deletelogging.sinks.getlogging.sinks.listlogging.sinks.updatelogging.views.listpubsub.subscriptions.createpubsub.subscriptions.deletepubsub.subscriptions.getpubsub.subscriptions.listpubsub.subscriptions.updatepubsub.topics.attachSubscriptionpubsub.topics.createpubsub.topics.deletepubsub.topics.detachSubscriptionpubsub.topics.getpubsub.topics.listpubsub.topics.publishpubsub.topics.updatepubsub.subscriptions.getIamPolicypubsub.subscriptions.setIamPolicypubsub.topics.getIamPolicypubsub.topics.setIamPolicy |
| Activity and Alerts - Governance Configuration > Operations > Alerts | Allow the platform to configure monitoring alerts with a specific template. Note: The platform can't configure monitoring templates with read permissions only. | monitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.metricDescriptors.getmonitoring.metricDescriptors.listmonitoring.monitoredResourceDescriptors.getmonitoring.publicWidgets.getmonitoring.publicWidgets.listmonitoring.services.getmonitoring.services.listmonitoring.slos.getmonitoring.slos.listmonitoring.snoozes.getmonitoring.snoozes.listmonitoring.timeSeries.listmonitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.metricDescriptors.getmonitoring.metricDescriptors.listmonitoring.monitoredResourceDescriptors.getmonitoring.publicWidgets.getmonitoring.publicWidgets.listmonitoring.services.getmonitoring.services.listmonitoring.slos.getmonitoring.slos.listmonitoring.snoozes.getmonitoring.snoozes.listmonitoring.timeSeries.listmonitoring.dashboards.getmonitoring.dashboards.listmonitoring.alertPolicies.createmonitoring.alertPolicies.deletemonitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.alertPolicies.update |
| Resource Inventory | Allow the platform to pull resources from GCP in order to populate the resource inventory in the portal UI. | appengine.applications.getappengine.instances.listappengine.services.getappengine.services.listappengine.versions.getappengine.versions.listbigquery.datasets.getbigquery.jobs.getbigquery.reservations.getbigquery.reservations.listbigtable.tables.getbigtable.tables.getIamPolicybigtable.tables.listcloudfunctions.functions.getcloudfunctions.functions.listcloudiot.registries.getcloudiot.registries.listcloudsecurityscanner.scans.listcloudsql.databases.getcloudsql.databases.listcloudsql.instances.getcloudsql.instances.listcloudsql.instances.updatecomposer.environments.listcompute.addresses.getcompute.addresses.listcompute.autoscalers.getcompute.autoscalers.listcompute.backendBuckets.getcompute.backendBuckets.getIamPolicycompute.backendBuckets.listcompute.backendServices.getcompute.backendServices.getIamPolicycompute.backendServices.listcompute.commitments.getcompute.commitments.listcompute.disks.createSnapshotcompute.disks.getcompute.disks.getIamPolicycompute.disks.listcompute.disks.setLabelscompute.diskTypes.getcompute.diskTypes.listcompute.externalVpnGateways.listcompute.firewalls.listcompute.images.getcompute.images.listcompute.images.setLabelscompute.instances.getcompute.instanceGroups.createcompute.instanceGroups.deletecompute.instanceGroups.getcompute.instanceGroups.listcompute.instances.getcompute.instances.listcompute.instances.setLabelscompute.instances.startcompute.instances.stopcompute.instanceTemplates.createcompute.instanceTemplates.deletecompute.instanceTemplates.getcompute.instanceTemplates.getIamPolicycompute.instanceTemplates.listcompute.interconnects.getcompute.machineTypes.getcompute.machineTypes.listcompute.networkEndpointGroups.getcompute.networks.getcompute.networks.listcompute.regions.getcompute.regions.listcompute.reservations.getcompute.reservations.listcompute.routers.listcompute.routes.getcompute.securityPolicies.getcompute.snapshots.getcompute.snapshots.setLabelscompute.sslPolicies.listcompute.targetHttpProxies.getcompute.targetPools.getcompute.vpnGateways.listcompute.zones.getcompute.zones.listcontainer.clusters.getcontainer.clusters.listdataflow.jobs.listdns.managedZones.getdns.managedZones.listfile.backups.listfile.instances.listfile.locations.listiam.serviceAccounts.getlogging.sinks.createlogging.sinks.deletelogging.sinks.getlogging.sinks.listlogging.sinks.updatelogging.views.listmonitoring.alertPolicies.createmonitoring.alertPolicies.deletemonitoring.alertPolicies.getmonitoring.alertPolicies.listmonitoring.alertPolicies.updatemonitoring.dashboards.getmonitoring.dashboards.listmonitoring.groups.getmonitoring.groups.listmonitoring.metricDescriptors.getmonitoring.metricDescriptors.listmonitoring.monitoredResourceDescriptors.getmonitoring.monitoredResourceDescriptors.listmonitoring.notificationChannelDescriptors.getresourcemanager.folders.getresourcemanager.folders.listresourcemanager.projects.getresourcemanager.projects.liststorage.buckets.getstorage.buckets.liststorage.objects.getstorage.objects.listpubsub.subscriptions.createpubsub.subscriptions.deletepubsub.subscriptions.getpubsub.subscriptions.listpubsub.subscriptions.updatepubsub.topics.attachSubscriptionpubsub.topics.createpubsub.topics.deletepubsub.topics.detachSubscriptionpubsub.topics.getpubsub.topics.listpubsub.topics.publishpubsub.topics.updatepubsub.subscriptions.getIamPolicypubsub.subscriptions.setIamPolicypubsub.topics.getIamPolicypubsub.topics.setIamPolicybigquery.datasets.updatebigquery.datasets.setIamPolicyappengine.applications.updateappengine.services.updatecloudfunctions.functions.updaterun.jobs.updaterun.services.updatecompute.disks.setLabelscompute.instances.setLabelsstorage.buckets.updatecloudsql.instances.updatecompute.snapshots.setLabelscontainer.clusters.update |
Updated about 2 months ago