Create a Service Account With a Custom Role

If you prefer to create a service account with more granular permissions to onboard your GCP Organization or onboard your GCP Project, instead of using the Terraform template (which grants the Viewer primitive role for read-only access to the resources in your GCP account), follow the steps listed below.
  • If you enable granular permissions, you must update the custom role and add any additional permissions that may be required to ingest data from a new service that is added on Prisma Cloud.
  • To enable flow log compression using the Dataflow service, you must enable additional permissions. See Flow Logs Compression on GCP for details on ingesting network log data.
  1. Create a YAML file with the custom permissions.
    1. Create a YAML file and add the granular permissions for the custom role.
      Use this YAML format as an example. You must add the permissions for onboarding your GCP organization or project, from the link above, to this file:
      title: prisma-custom-role
      description: prisma-custom-role
      stage: beta
      includedPermissions:
      - compute.networks.list
      - compute.backendServices.list
  2. Create the custom role.
    When creating a service account, you must select a GCP project because GCP does not allow the service account to belong directly under the GCP Organization.
    1. Select the GCP project in which you want to create the custom role.
    2. Upload the YAML file to the Cloud Shell.
    3. Run the gcloud command:
      gcloud iam roles create <prisma customrole name> --project <project-ID> --file <YAML file name>
  3. Create a Service Account and attach the custom role to it.
    1. Select IAM & Admin > Service Accounts in the Google Cloud Console.
    2. Create Service Account and add the role you created earlier to it.
    3. Create a key and download the private key.
  4. Continue to onboard your GCP project and use the private key for the service account to complete onboarding.
  5. (For onboarding GCP Organization only) Create the custom role at the GCP Organization level.
    1. Select your GCP organization.
    2. Verify that the YAML file you created earlier includes the additional permissions for the GCP organization, then run the gcloud command:
      gcloud iam roles create <prisma customrole name> --organization <org ID> --file <YAML File name>
  6. (For onboarding GCP Organization only) Set up your Service Account to monitor all the GCP folders and projects within the GCP Organization.
    You must associate the service account you created in the project with the GCP Organization level and add the custom role you created in the previous step. Additionally, you must add the predefined Organization Viewer role to the service account. Together, these tasks enable the service account to monitor all the GCP projects within the GCP organizational hierarchy.
    1. Copy the service account member address.
      Select the project that you used to create the service account, and select IAM & admin > IAM to copy the service account member address.
    2. Select your Organization, then select IAM & Admin > IAM to Add members to the service account.
    3. Paste the service account member address you copied as New members and Select a role.
    4. Select the custom role you created above and click + ADD ANOTHER ROLE.
    5. Select Resource Manager > Organization Role Viewer and Folder Viewer role, and click Save.
      The Organization Viewer role grants permission to view the Organization name without granting access to all resources in the Organization. The Folder Viewer role is also required to onboard your GCP folders.
  7. (For onboarding GCP Organization only) Continue to Onboard Your GCP Organization and use the private key associated with your service account to complete onboarding.
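As an added example (not from the Prisma Cloud documentation or the GCP tooling), the following Python script renders the role YAML in the format shown above for both the project-level and organization-level roles, checks an existing role file for permissions missing from the required list (the case noted at the top of the page where the custom role must be updated for a new service), and builds the matching gcloud iam roles create or update command. The permission names beyond the two shown on the page, and the role, project and organization identifiers, are constructed placeholders; the real required list comes from the onboarding documentation linked above.

```python
"""Render and audit the Prisma Cloud custom-role YAML for GCP (added example)."""
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample input. The first two permissions are the ones shown on the
# page; the org-level addition is a placeholder standing in for the extra
# organization permissions listed in the onboarding docs (assumption).
PROJECT_PERMISSIONS = ["compute.networks.list", "compute.backendServices.list"]
ORG_EXTRA_PERMISSIONS = ["resourcemanager.folders.list"]

def render_role_yaml(title: str, permissions: Iterable[str], stage: str = "beta") -> str:
    """Emit the flat YAML layout that `gcloud iam roles create --file` consumes."""
    perms = sorted(set(permissions))  # dedupe and sort so diffs of the file stay readable
    lines = [f"title: {title}", f"description: {title}", f"stage: {stage}", "includedPermissions:"]
    lines += [f"- {p}" for p in perms]
    return "\n".join(lines) + "\n"

def parse_role_yaml(text: str) -> Dict[str, Any]:
    """Minimal parser for this flat role file (no PyYAML needed); skips comments."""
    role: Dict[str, Any] = {"includedPermissions": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            role["includedPermissions"].append(line[2:].strip())
        else:
            key, _, value = line.partition(":")
            if key.strip() != "includedPermissions":
                role[key.strip()] = value.strip()
    return role

def missing_permissions(current_yaml: str, required: Iterable[str]) -> List[str]:
    """Permissions Prisma Cloud needs that the deployed role file does not grant."""
    granted = set(parse_role_yaml(current_yaml)["includedPermissions"])
    return sorted(set(required) - granted)

def gcloud_roles_command(role_id: str, yaml_path: str, project: Optional[str] = None,
                         organization: Optional[str] = None, update: bool = False) -> str:
    """Build the create (first run) or update (new permissions) command for one scope."""
    verb = "update" if update else "create"
    scope = f"--organization {organization}" if organization else f"--project {project}"
    return f"gcloud iam roles {verb} {role_id} {scope} --file {yaml_path}"

if __name__ == "__main__":
    project_yaml = render_role_yaml("prisma-custom-role", PROJECT_PERMISSIONS)
    needed_for_org = PROJECT_PERMISSIONS + ORG_EXTRA_PERMISSIONS
    print("missing from project role:", missing_permissions(project_yaml, needed_for_org))
    print(gcloud_roles_command("prismaCustomRole", "prisma-role.yaml", organization="ORG_ID_PLACEHOLDER", update=True))
```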
