Onboarding Permissions for GCP - Assessment + Governance
Introduction
As part of the GCP account preparation required before onboarding cloud accounts into CoreStack, you will need to create least privilege policies: individual policies, attached to your cross-account role, that allow CoreStack to access only the GCP data it needs in order to create its reports.
Templates for each type of access you wish to grant CoreStack are provided in the GitHub repo https://github.com/corestacklabs/Onboarding_Templates.git; after cloning it, refer to the paths below:
- FinOps: GCP/Assesment+gov-module-proj/finops/
- SecOps: GCP/Assesment+gov-module-proj/secops/
- CloudOps: GCP/Assesment+gov-module-proj/cloudops/
Each least privilege policy provides the permissions needed to enable a core function of the CoreStack application. The policies are listed below, organized by product bundle:
FinOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Billing Account | These permissions are required to onboard a GCP Billing Account. Once it is onboarded, users can proceed to onboard Linked Projects, granting permissions according to the bundles listed here. | storage.buckets.get storage.buckets.list storage.objects.get storage.objects.list compute.regions.get compute.regions.list compute.zones.get compute.zones.list resourcemanager.projects.get |
Cost Visibility and Usage | Allow CoreStack to pull cost data from your GCP cloud account and display it as part of cost posturing. | storage.buckets.get storage.buckets.list storage.objects.get storage.objects.list |
Cost Optimization Dashboard | Allow CoreStack to monitor the utilization of your cloud resources in order to provide cost optimization recommendations through FinOps policies, retrieve native recommendations from GCP, and offer remediation actions. | monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.list recommender.cloudsqlIdleInstanceRecommendations.get recommender.cloudsqlIdleInstanceRecommendations.list recommender.cloudsqlOverprovisionedInstanceRecommendations.get recommender.cloudsqlOverprovisionedInstanceRecommendations.list recommender.cloudsqlUnderProvisionedInstanceRecommendations.get recommender.cloudsqlUnderProvisionedInstanceRecommendations.list recommender.computeAddressIdleResourceRecommendations.get recommender.computeAddressIdleResourceRecommendations.list recommender.computeDiskIdleResourceRecommendations.get recommender.computeDiskIdleResourceRecommendations.list recommender.computeImageIdleResourceRecommendations.get recommender.computeImageIdleResourceRecommendations.list recommender.computeInstanceIdleResourceRecommendations.get recommender.computeInstanceIdleResourceRecommendations.list recommender.computeInstanceMachineTypeRecommendations.get recommender.computeInstanceMachineTypeRecommendations.list recommender.spendBasedCommitmentRecommendations.get recommender.spendBasedCommitmentRecommendations.list recommender.usageCommitmentRecommendations.get recommender.usageCommitmentRecommendations.list |
Resource Inventory | Allow CoreStack to pull resources from GCP in order to provide cost recommendations through its FinOps cost policies. Note that this set is not read-only: it includes write permissions such as compute.instances.delete and compute.disks.resize. | compute.disks.resize compute.instances.delete bigquery.datasets.get bigquery.jobs.get bigquery.jobs.list bigquery.reservations.get bigquery.reservations.list bigtable.tables.get bigtable.tables.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.get cloudsql.instances.list compute.addresses.delete compute.addresses.get compute.addresses.list compute.commitments.get compute.commitments.list compute.disks.delete compute.disks.get compute.diskTypes.get compute.diskTypes.list compute.images.list compute.instances.get compute.instances.list compute.instances.start compute.instances.stop compute.instances.update compute.regions.get compute.regions.list compute.reservations.get compute.reservations.list compute.zones.get compute.zones.list |
Cost Budget | Allow CoreStack to display cloud-native budgets in the CoreStack portal. | billing.budgets.create billing.budgets.get billing.budgets.list |
SecOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Governance Configuration > Vulnerability Assessments and Threats | Allow CoreStack to display vulnerabilities and threats from GCP Security Command Center. | securitycenter.containerthreatdetectionsettings.get securitycenter.containerthreatdetectionsettings.update securitycenter.eventthreatdetectionsettings.calculate securitycenter.eventthreatdetectionsettings.get securitycenter.eventthreatdetectionsettings.update securitycenter.findings.group securitycenter.findings.list securitycenter.findings.listFindingPropertyNames securitycenter.rapidvulnerabilitydetectionsettings.get securitycenter.rapidvulnerabilitydetectionsettings.update securitycenter.securitycentersettings.get securitycenter.securitycentersettings.update securitycenter.securityhealthanalyticssettings.get securitycenter.securityhealthanalyticssettings.update securitycenter.sources.get securitycenter.sources.list securitycenter.subscription.get securitycenter.virtualmachinethreatdetectionsettings.get securitycenter.virtualmachinethreatdetectionsettings.update securitycenter.websecurityscannersettings.get securitycenter.websecurityscannersettings.update |
Guardrails/Policies | Allow CoreStack to run security policies against your cloud resources in order to get violations and remediate some of the violated resources. | compute.disks.list compute.instances.get compute.instances.list compute.networks.list compute.networks.get compute.projects.get compute.regions.get compute.regions.list compute.subnetworks.list compute.zones.get compute.zones.list container.clusters.get container.clusters.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.get cloudsql.instances.list |
Compliance Standards | Allow CoreStack to run Compliance Standards, such as the GCP Cloud Adoption Framework (CAF), against your cloud resources. | compute.disks.list compute.instances.get compute.instances.list compute.networks.list compute.networks.get compute.projects.get compute.regions.get compute.regions.list compute.subnetworks.list compute.zones.get compute.zones.list container.clusters.get container.clusters.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.get cloudsql.instances.list |
CloudOps
Capability | Description | Least Privilege Permissions |
---|---|---|
Activity and Alerts - Governance Configuration > Operations > Activity Log | Allow CoreStack to configure activity logs and alerts via read and write permissions. Note: CoreStack can't configure activity logs and alerts with only read permissions. | logging.sinks.create logging.sinks.delete logging.sinks.get logging.sinks.list logging.sinks.update logging.views.list pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.subscriptions.getIamPolicy pubsub.subscriptions.setIamPolicy pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy |
Activity and Alerts - Governance Configuration > Operations > Alerts | Allow CoreStack to configure monitoring alerts with a specific template. Note: CoreStack can't configure monitoring templates with read permissions only. | monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.publicWidgets.get monitoring.publicWidgets.list monitoring.services.get monitoring.services.list monitoring.slos.get monitoring.slos.list monitoring.snoozes.get monitoring.snoozes.list monitoring.timeSeries.list monitoring.dashboards.get monitoring.dashboards.list monitoring.alertPolicies.create monitoring.alertPolicies.delete monitoring.alertPolicies.update |
Resource Inventory | Allow CoreStack to pull resources from GCP in order to populate the resource inventory in the portal UI. | appengine.applications.get appengine.instances.list appengine.services.get appengine.services.list appengine.versions.get appengine.versions.list bigquery.datasets.get bigquery.jobs.get bigquery.reservations.get bigquery.reservations.list bigtable.tables.get bigtable.tables.getIamPolicy bigtable.tables.list cloudfunctions.functions.get cloudfunctions.functions.list cloudiot.registries.get cloudiot.registries.list cloudsecurityscanner.scans.list cloudsql.databases.get cloudsql.databases.list cloudsql.instances.get cloudsql.instances.list cloudsql.instances.update composer.environments.list compute.addresses.get compute.addresses.list compute.autoscalers.get compute.autoscalers.list compute.backendBuckets.get compute.backendBuckets.getIamPolicy compute.backendBuckets.list compute.backendServices.get compute.backendServices.getIamPolicy compute.backendServices.list compute.commitments.get compute.commitments.list compute.disks.createSnapshot compute.disks.get compute.disks.getIamPolicy compute.disks.list compute.disks.setLabels compute.diskTypes.get compute.diskTypes.list compute.externalVpnGateways.list compute.firewalls.list compute.images.get compute.images.list compute.images.setLabels compute.instances.get compute.instanceGroups.create compute.instanceGroups.delete compute.instanceGroups.get compute.instanceGroups.list compute.instances.list compute.instances.setLabels compute.instances.start compute.instances.stop compute.instanceTemplates.create compute.instanceTemplates.delete compute.instanceTemplates.get compute.instanceTemplates.getIamPolicy compute.instanceTemplates.list compute.interconnects.get compute.machineTypes.get compute.machineTypes.list compute.networkEndpointGroups.get compute.networks.get compute.networks.list compute.regions.get compute.regions.list compute.reservations.get compute.reservations.list compute.routers.list compute.routes.get compute.securityPolicies.get compute.snapshots.get compute.snapshots.setLabels compute.sslPolicies.list compute.targetHttpProxies.get compute.targetPools.get compute.vpnGateways.list compute.zones.get compute.zones.list container.clusters.get container.clusters.list dataflow.jobs.list dns.managedZones.get dns.managedZones.list file.backups.list file.instances.list file.locations.list iam.serviceAccounts.get logging.sinks.create logging.sinks.delete logging.sinks.get logging.sinks.list logging.sinks.update logging.views.list monitoring.alertPolicies.create monitoring.alertPolicies.delete monitoring.alertPolicies.get monitoring.alertPolicies.list monitoring.alertPolicies.update monitoring.dashboards.get monitoring.dashboards.list monitoring.groups.get monitoring.groups.list monitoring.metricDescriptors.get monitoring.metricDescriptors.list monitoring.monitoredResourceDescriptors.get monitoring.monitoredResourceDescriptors.list monitoring.notificationChannelDescriptors.get resourcemanager.folders.get resourcemanager.folders.list resourcemanager.projects.get resourcemanager.projects.list storage.buckets.get storage.buckets.list storage.objects.get storage.objects.list pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get pubsub.subscriptions.list pubsub.subscriptions.update pubsub.topics.attachSubscription pubsub.topics.create pubsub.topics.delete pubsub.topics.detachSubscription pubsub.topics.get pubsub.topics.list pubsub.topics.publish pubsub.topics.update pubsub.subscriptions.getIamPolicy pubsub.subscriptions.setIamPolicy pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy bigquery.datasets.update bigquery.datasets.setIamPolicy appengine.applications.update appengine.services.update cloudfunctions.functions.update run.jobs.update run.services.update storage.buckets.update container.clusters.update |
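The following Python is an added example, not code from the CoreStack templates repo: it compares a custom role's includedPermissions with one of the capability rows above, flags any grant whose verb mutates state (so an operator can see exactly where a bundle exceeds read-only access), and renders the role in the YAML layout that `gcloud iam roles create --file` reads. The read-only verb rule and the abbreviated list constants are assumptions made for this example.

```python
"""Audit a GCP custom role against a CoreStack least-privilege list.

Added example, not part of the CoreStack templates. Permission lists are
copied from the FinOps rows above; the read-only verb rule is an assumption.
"""
import re

# Copied from the FinOps "Cost Visibility and Usage" row.
COST_VISIBILITY = [
    "storage.buckets.get", "storage.buckets.list",
    "storage.objects.get", "storage.objects.list",
]

# Copied from the FinOps "Resource Inventory" row (first entries only).
FINOPS_INVENTORY = [
    "compute.disks.resize", "compute.instances.delete",
    "bigquery.datasets.get", "bigquery.jobs.get", "bigquery.jobs.list",
    "compute.instances.start", "compute.instances.stop",
    "compute.instances.get", "compute.instances.list",
]

# Assumption: a verb starting with get/list, or the Security Command Center
# verb "group", only reads data; anything else (create/delete/update/start/
# stop/resize/setIamPolicy/...) is treated as a mutating grant needing sign-off.
_READ_ONLY = re.compile(r"^(get|list|group)")


def is_read_only(permission: str) -> bool:
    """True when the permission's verb (its last dotted part) only reads."""
    verb = permission.rsplit(".", 1)[-1]
    return bool(_READ_ONLY.match(verb))


def audit_role(granted: list[str], expected: list[str]) -> dict[str, list[str]]:
    """Compare a role's includedPermissions with a capability's list."""
    g, e = set(granted), set(expected)
    return {
        "missing": sorted(e - g),   # the capability will be degraded
        "extra": sorted(g - e),     # exceeds least privilege for this bundle
        "mutating": sorted(p for p in g if not is_read_only(p)),
    }


def role_yaml(title: str, description: str, permissions: list[str]) -> str:
    """Render a role definition in the YAML shape gcloud's --file flag reads."""
    lines = [f"title: {title}", f"description: {description}", "stage: GA",
             "includedPermissions:"]
    lines += [f"- {p}" for p in sorted(set(permissions))]  # drop duplicates
    return "\n".join(lines) + "\n"
```

Paste the full permission list of the row you are onboarding into the constant and review the `mutating` output before creating the role.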
Note:
Some permissions listed in this guide are not applicable when creating a project-level custom role. Those permissions can be assigned to a custom role only when the custom role is created at the organization level.
Omitting the permissions below has the following effects:
- billing.budgets.create: CoreStack won't be able to create a cloud-native budget through the main portal, whereas CoreStack budget alerts can still be configured.
- billing.budgets.get/list: CoreStack won't be able to list cloud-native budgets through the portal.
- billing.budgets.update: CoreStack won't be able to update cloud-native budgets through the main portal.
- resourcemanager.folders.get/list: CoreStack won't be able to pull the folders listed as part of an organization.
- securitycenter.subscription.get: CoreStack won't be able to identify the Security Command Center subscription details. This is needed for access validation to configure threats.