Create a Service Account With a Custom Role

If you prefer to create a service account with more granular permissions to onboard your GCP Organization or oonboard your GCP Project, instead of using the Terraform template which grants the Viewer (primitive) role for read-only access to resources in your GCP account, follow the steps listed below.
  • If you enable granular permissions, you must update the custom role and add additional permissions that maybe required to ingest data from any new service that is added on Prisma Cloud.
  • To enable dataflow log compression using the Dataflow service, you must enable additional permissions. See Flow Logs Compression on GCP for details on ingesting network log data.
  1. Create a YAML file with the custom permissions.
    1. Create a YAML file and add the granular permissions for the custom role.
      Use this YAML format as an example. You must add the permissions for onboarding your GCP organization or project, from the link above, to this file:
      title: prisma-custom-role description: prisma-custom-role stage: beta includedPermissions: - compute.networks.list - compute.backendServices.list
  2. Create the custom role.
    When creating a service account, you must select a GCP project because GCP does not allow the service account to belong directly under the GCP Organization.
    1. Select the GCP project in which you want to create the custom role.
    2. Upload the YAML file to the Cloud Shell.
    3. Run the gcloud command
      gcloud iam roles create <prisma customrole name> --project <project-ID> --file <YAML file name>
  3. Create a Service Account and attach the custom role to it.
    1. Select
      IAM & Admin
      Service Accounts
      page in the Google Cloud Console.
    2. Create Service Account
      and add the role you created earlier to it.
    3. Create a key
      and download the private key.
  4. Continue to onboard your GCP project and use the private key for the service account to complete onboarding.
  5. (For onboarding
    GCP Organization only
    ) Create the custom role in the GCP Organization level.
    1. Select your GCP organization.
    2. Verify that the YAML file you created earlier includes the additional permissions for GCP organization.
      Run the gcloud command
      gcloud iam roles create <prisma customrole name> --organization <org ID> --file <YAML File name>
  6. (For onboarding
    GCP Organization only
    ) Set up your Service Account to monitor all the GCP folders and projects within the GCP Organization.
    You must associate the Service account you created in the project to the GCP Organization-level and add the custom role you created in the previous step. Additionally, you must add the predefined role for Organization Viewer to the service account. All these tasks together enable the service account to monitor all the GCP projects that are within the GCP organizational hierarchy.
    1. Copy the service account member address.
      Select the project that you used to create the service account, and select
      IAM & admin
      to copy the service account member address.
    2. Select your Organization, select
      IAM & Admin
      members to the service account.
    3. Paste the service account member address you copied as
      New members
      Select a role
    4. Select the custom role you created above and click
    5. Select
      Resource Manager
      Organization Role Viewer
      Folder Viewer
      role, and click
      The Organization Viewer role enables permissions to view the Organization name without granting access to all resources in the Organization. The Folder Viewer roles is also required to onboard your GCP folders.
  7. (For onboarding
    GCP Organization only
    ) Continue to Onboard Your GCP Organization and use the private key associated with your service account to complete onboarding.

Recommended For You