Prerequisites to Onboard GCP Organizations and Projects
Learn about the service account and APIs that enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a GCP organization or project.
To analyze and monitor your GCP environment, Prisma Cloud requires access to specific APIs and a service account, which is the identity that authenticates Prisma Cloud to GCP. A combination of custom, predefined, and primitive roles grants that service account the permissions it needs to perform specific actions on the resources in your GCP organization or project.
To successfully onboard and monitor the resources within your GCP organization or project, make sure you have completed the following prerequisites:
Service Account Permissions
The permissions that the Prisma Cloud service account needs to monitor your GCP resources depend on your cloud protection needs.
- If you are onboarding a GCP organization, assign the roles in the IAM policy of the organization.
- If you are onboarding a GCP project, assign the roles in the IAM policy of each project.
- If you are using a master service account (MSA), you have two options:
  - (Recommended) Add the roles to the IAM policy of the organization.
  - Assign the roles to the IAM policy of each project individually.
The roles that the service account requires for read-only or read-write access are:
- Viewer—Primitive role on GCP.
- Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role for Cloud Storage bucket access: storage.buckets.get to retrieve your list of storage buckets and read bucket metadata, and storage.buckets.getIamPolicy to retrieve the IAM policy of each bucket. Both permissions are read-only; nothing in this role lets Prisma Cloud change a bucket's IAM policy.
- Compute Security Admin—Predefined role on GCP. Optional; required only if you want to enable auto-remediation.
- Organization Role Viewer—Predefined role on GCP. Required for onboarding a GCP Organization.
- Dataflow Admin—Predefined role on GCP. Optional; required only for flow log compression using the Dataflow service. See Flow Logs Compression on GCP for details.
- Folder Viewer—Predefined role on GCP. Optional; required only if you want to onboard GCP folder metadata, include or exclude specific folders, and automatically create account groups based on the folder hierarchy.
Rate Limit Exception for GCP APIs
Prisma Cloud's API calls consume quota from the GCP project that you have onboarded (the target project), not from the project that hosts the service account. This is what lets Prisma Cloud ingest resource metadata across many projects without exhausting the API rate limits of a single project.
To ensure continuous insight into all your GCP resources and to prevent rate limit exception errors on Prisma Cloud's authorized API calls to GCP, make sure to:
- Grant the serviceusage.services.use permission, or the predefined role Service Usage Consumer (roles/serviceusage.serviceUsageConsumer) that contains it, to the service account that Prisma Cloud uses to access GCP APIs. This permission is what allows the service account to charge API quota to a project other than its own.
- [Optional] For the GCP services appengine.googleapis.com, recommender.googleapis.com, sqladmin.googleapis.com, apikeys.googleapis.com, iam.googleapis.com, cloudresourcemanager.googleapis.com, orgpolicy.googleapis.com, cloudasset.googleapis.com, accessapproval.googleapis.com, and essentialcontacts.googleapis.com:
  - Disable them on the source project where the service account is created, and
  - Enable them on the target project from which Prisma Cloud gets resource metadata.
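The two sections above together define the role set the service account must hold (Viewer, the custom Prisma Cloud Viewer role, Organization Role Viewer for organizations, Service Usage Consumer for quota, and the optional roles). The following Python script is an added example, not Prisma Cloud's own code: it audits an IAM policy exported with `gcloud organizations get-iam-policy ORG_ID --format=json` or `gcloud projects get-iam-policy PROJECT_ID --format=json` against that list. The service account e-mail, the organization ID and the custom role name are assumptions, the embedded policy is constructed, and bindings that carry an IAM condition are reported separately because a conditional grant may not apply to every call Prisma Cloud makes.

```python
"""Audit a GCP IAM policy for the roles the Prisma Cloud service account needs.

Added example, not Prisma Cloud code. Input is the JSON printed by
`gcloud organizations get-iam-policy ORG_ID --format=json` or
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
The service account e-mail, organization ID and custom role name are assumptions.
"""
import json
import sys

# Assumed names: replace with your service account and custom role resource name.
PRISMA_SA = "serviceAccount:prisma-cloud@prisma-host-project.iam.gserviceaccount.com"
CUSTOM_VIEWER_ROLE = "organizations/123456789012/roles/prismaCloudViewer"

# Roles the page requires, keyed by what is being onboarded.
REQUIRED_ROLES = {
    "organization": {
        "roles/viewer",                             # Viewer (primitive)
        CUSTOM_VIEWER_ROLE,                         # Prisma Cloud Viewer (custom)
        "roles/iam.organizationRoleViewer",         # Organization Role Viewer
        "roles/serviceusage.serviceUsageConsumer",  # Service Usage Consumer (quota)
    },
    "project": {
        "roles/viewer",
        CUSTOM_VIEWER_ROLE,
        "roles/serviceusage.serviceUsageConsumer",
    },
}

# Optional roles from the page, with the feature each one unlocks.
OPTIONAL_ROLES = {
    "roles/compute.securityAdmin": "auto-remediation",
    "roles/dataflow.admin": "flow log compression with Dataflow",
    "roles/resourcemanager.folderViewer": "folder metadata and folder-based account groups",
}

# Constructed sample policy in gcloud's JSON shape (not a real organization).
SAMPLE_POLICY = {
    "etag": "BwXsampleEtag=",
    "bindings": [
        {"role": "roles/viewer", "members": [PRISMA_SA, "group:cloud-auditors@example.com"]},
        {"role": CUSTOM_VIEWER_ROLE, "members": [PRISMA_SA]},
        {"role": "roles/editor", "members": [PRISMA_SA]},  # over-broad grant to flag
        {
            "role": "roles/iam.organizationRoleViewer",
            "members": [PRISMA_SA],
            "condition": {"title": "temp", "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"},
        },
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}


def roles_for_member(policy, member):
    """Map each role bound to `member` to its IAM condition (None if unconditional)."""
    granted = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            granted[binding["role"]] = binding.get("condition")
    return granted


def audit(policy, member, mode):
    """Compare `member`'s roles with the page's list for `mode` ('organization' or 'project')."""
    if mode not in REQUIRED_ROLES:
        raise ValueError(f"mode must be one of {sorted(REQUIRED_ROLES)}")
    granted = roles_for_member(policy, member)
    unconditional = {r for r, cond in granted.items() if cond is None}
    required = REQUIRED_ROLES[mode]
    return {
        # Required roles with no binding at all.
        "missing": sorted(required - set(granted)),
        # Required roles granted only under an IAM condition; may not cover every call.
        "conditional": sorted(r for r in required if granted.get(r) is not None),
        # Optional roles not granted, so the matching feature will not work.
        "optional_absent": sorted(set(OPTIONAL_ROLES) - unconditional),
        # Roles beyond the page's list; review these against least privilege.
        "extra": sorted(unconditional - required - set(OPTIONAL_ROLES)),
    }


def main(argv):
    """Usage: audit_prisma_iam.py organization|project [policy.json]"""
    mode = argv[1] if len(argv) > 1 else "organization"
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8") as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    print(json.dumps(audit(policy, PRISMA_SA, mode), indent=2))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against each project's policy when onboarding projects individually, and against the organization policy when onboarding an organization or using an MSA with organization-level bindings. The `extra` list is worth acting on: the sample's roles/editor grant gives the collector write access the page never asks for.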
GCP APIs
Prisma Cloud can ingest data from several GCP APIs.
When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP organization or project, the required APIs are enabled and the required permissions granted for you.
- In the GCP project where you create the service account, enable the Stackdriver Logging API (logging.googleapis.com, now called the Cloud Logging API) to monitor audit logs, plus any other GCP APIs for which you want Prisma Cloud to monitor resources.
- If a cloud service API is not enabled on a GCP project, Prisma Cloud skips ingestion for that service. You must, however, ensure that the Service Usage API is enabled on each GCP project that you want Prisma Cloud to monitor under your GCP organization hierarchy: Prisma Cloud reads the Service Usage API response to learn which cloud services are enabled in a project and decides which ingestion cycles to skip. For example, if Cloud Functions is not enabled in one or more GCP projects within the organization, Prisma Cloud detects this and skips the ingestion cycle for that service in those projects.
- Prisma Cloud recommends that you create the service account in a dedicated GCP project. GCP enforces a limit on the API calls allowed to a GCP project and IAM service account; with the service account in its own project, the API calls that Prisma Cloud makes do not compete for quota with your production workloads and services hosted in other GCP projects.
- Verify that you have granted all the required permissions to the Prisma Cloud service account. If the service account lacks the IAM permissions required to retrieve data, Prisma Cloud skips ingestion of the respective cloud service(s) for your onboarded account.

To enable the APIs that allow Prisma Cloud to monitor your GCP projects, run gcloud services enable in each project, as in this example (which uses some of the APIs listed in the table below):

```shell
gcloud services enable \
  serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com \
  cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com \
  dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com \
  sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com \
  recommender.googleapis.com iam.googleapis.com container.googleapis.com \
  monitoring.googleapis.com logging.googleapis.com
```

Verify the APIs that you have enabled with gcloud services list.

The following table lists the APIs and the associated granular permissions, for use if you want to create a custom role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and permissions, Prisma Cloud can retrieve data about your GCP resources and identify potential security risks and compliance issues across your cloud accounts.
To create a custom role for the service account, see Create a Service Account With a Custom Role before you continue to add your GCP Organization or GCP Project to Prisma Cloud.

In the Required on column, "Host project" means the project that hosts the service account, and "Every monitored project" means every project that the service account accesses for monitoring and protection with Prisma Cloud.

| Service | API | Description | Role | Permissions | Required on |
|---|---|---|---|---|---|
| API Keys | apikeys.googleapis.com | Authenticates requests associated with your project for usage and billing purposes. | API Keys Viewer | `apikeys.keys.list, apikeys.keys.get` | |
| App Engine API | appengine.googleapis.com | Access to App Engine, a fully managed serverless platform on GCP. | App Engine Viewer | `appengine.applications.get` | Host project |
| Access Context Manager API | accesscontextmanager.googleapis.com | Read access to policies, access levels, and access zones. | Access Context Manager Reader | `accesscontextmanager.accessPolicies.list, accesscontextmanager.policies.list, accesscontextmanager.accessLevels.list, accesscontextmanager.servicePerimeters.list` | Host project |
| Access Approval | accessapproval.googleapis.com | Access to settings associated with a project, folder, or organization. | Project Viewer | `accessapproval.settings.get` | Host project |
| API Gateway | apigateway.googleapis.com | Create, secure, and monitor APIs for Google Cloud serverless back ends (Cloud Functions, Cloud Run, App Engine). | API Gateway Viewer | `apigateway.gateways.getIamPolicy, apigateway.gateways.list, apigateway.gateways.get, apigateway.locations.list` | Every monitored project |
| BigQuery API | cloudasset.googleapis.com | Create, manage, share, and query data. | Cloud Asset Viewer | `bigquery.tables.get, cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies` | Host project |
| Binary Authorization API | binaryauthorization.googleapis.com | Configure a policy that the service enforces when a container image is deployed on a supported container platform. | Project Viewer | `binaryauthorization.policy.get, binaryauthorization.policy.getIamPolicy` | Host project |
| Cloud Data Fusion | datafusion.googleapis.com | Fully managed, cloud-native enterprise data integration service for building and managing data pipelines. | Project Viewer | `datafusion.instances.list, datafusion.instances.getIamPolicy` | Every monitored project |
| Cloud Functions | cloudfunctions.googleapis.com | Google Cloud's event-driven serverless compute platform. | Project Viewer | `cloudfunctions.functions.getIamPolicy, cloudfunctions.functions.list, cloudfunctions.functions.get, cloudfunctions.locations.list` | Host project |
| Cloud Dataflow API | dataflow.googleapis.com | Manages Google Cloud Dataflow projects. See Flow Logs Compression. | Dataflow Admin | `iam.serviceAccounts.actAs, resourcemanager.projects.get, storage.buckets.get, storage.objects.create, storage.objects.get, storage.objects.list` | Project that runs Dataflow |
| Cloud DNS API | dns.googleapis.com | Translates domain names into IP addresses and manages and publishes DNS zones and records. | DNS Reader | `dns.dnsKeys.list, dns.managedZones.list, dns.projects.get, dns.policies.list` | Every monitored project |
| Cloud Pub/Sub | pubsub.googleapis.com | Real-time messaging between independent applications. | Project Viewer and a custom role with granular privileges | `pubsub.topics.list, pubsub.topics.get, pubsub.topics.getIamPolicy, pubsub.subscriptions.list, pubsub.subscriptions.get, pubsub.subscriptions.getIamPolicy, pubsub.snapshots.list, pubsub.snapshots.getIamPolicy, cloudasset.assets.searchAllIamPolicies` | Every monitored project |
| Container Analysis | containeranalysis.googleapis.com | Vulnerability scanning and metadata storage for containers. | Project Viewer | `containeranalysis.occurrences.list` | Every monitored project |
| Google Dataplex | dataplex.googleapis.com | Unifies distributed data and automates data management and governance for analytics at scale. | Project Viewer | `dataplex.assets.list, dataplex.assets.getIamPolicy, dataplex.assetActions.list, dataplex.content.list, dataplex.content.getIamPolicy, dataplex.entities.list, dataplex.locations.list, dataplex.lakes.list, dataplex.lakes.getIamPolicy, dataplex.tasks.list, dataplex.tasks.getIamPolicy, dataplex.zones.list` | Host project |
| Google Cloud Resource Manager API | cloudresourcemanager.googleapis.com | Creates, reads, and updates metadata for Google Cloud resource containers. | Project Viewer | `resourcemanager.projects.getIamPolicy` | Host project |
| Google Cloud Resource Manager API (GCP Organization only) | cloudresourcemanager.googleapis.com | Folder IAM policies; required only when onboarding a GCP Organization. | Project Viewer | `resourcemanager.folders.getIamPolicy` | Host project and every monitored project |
| Google Cloud Data Loss Prevention | dlp.googleapis.com | Fully managed service to discover, classify, and protect sensitive data. | Project Viewer | `dlp.inspectTemplates.list, dlp.deidentifyTemplates.list, dlp.jobTriggers.list, dlp.storedInfoTypes.list` | Host project |
| Google Cloud Deploy | clouddeploy.googleapis.com | Managed continuous delivery service for GKE that manages release progression from dev to staging to prod. | Project Viewer | `clouddeploy.config.get, clouddeploy.locations.list, clouddeploy.deliveryPipelines.list, clouddeploy.deliveryPipelines.getIamPolicy, clouddeploy.targets.list, clouddeploy.targets.getIamPolicy` | Every monitored project |
| Google Firebase Remote Config | firebaseremoteconfig.googleapis.com | Fine-grained control over an app's behavior and appearance by updating its configuration. | Project Viewer | `cloudconfig.configs.get` | Host project |
| Cloud Key Management Service (KMS) API | cloudasset.googleapis.com | Manage encryption keys and perform cryptographic operations with them. | Cloud Asset Viewer | `cloudasset.assets.searchAllResources, cloudasset.assets.searchAllIamPolicies, cloudkms.keyRings.get, cloudkms.keyRings.getIamPolicy, cloudkms.cryptoKeys.get, cloudkms.cryptoKeys.getIamPolicy` | Host project |
| Cloud Service Usage API | serviceusage.googleapis.com | Lists the available or enabled services, or disables services that are no longer used. | Project Viewer | `serviceusage.services.list` | Host project |
| Google Binary Authorization | binaryauthorization.googleapis.com | Policy-based deployment validation and control for images deployed to GKE, Anthos Service Mesh, Anthos Clusters, and Cloud Run. | Project Viewer | `binaryauthorization.policy.get, binaryauthorization.policy.getIamPolicy` | Every monitored project |
| Google Cloud Armor | compute.googleapis.com | Network security service that defends against DDoS and application attacks and offers WAF rules. | Project Viewer | `compute.securityPolicies.list, compute.securityPolicies.get` | Every monitored project |
| Google Cloud Tasks | cloudtasks.googleapis.com | Fetch task and queue information. | Project Viewer | `cloudtasks.locations.list, cloudtasks.tasks.list, cloudtasks.queues.list, run.locations.list` | Every monitored project |
| Google AI Platform | ml.googleapis.com | Services for building, deploying, and managing machine learning models in the cloud. | | `ml.models.list, ml.models.getIamPolicy, ml.jobs.getIamPolicy, ml.jobs.list, ml.jobs.get` | |
| Google Analytics Hub | analyticshub.googleapis.com | Data exchange for sharing data assets across organizations. | Project Viewer | `analyticshub.dataExchanges.list` | Every monitored project |
| Google Anthos GKE Fleet Management | gkehub.googleapis.com | Fleets: logical groupings of Kubernetes clusters and other resources managed together. | Project Viewer | `gkehub.locations.list, gkehub.memberships.list, gkehub.memberships.getIamPolicy, gkehub.features.list, gkehub.features.getIamPolicy` | Every monitored project |
| Google Apigee X | apigee.googleapis.com | Google Cloud's API management platform. | Project Viewer | `apigee.apiproducts.get, apigee.apiproducts.list, apigee.organizations.get, apigee.organizations.list, apigee.sharedflows.list, apigee.sharedflows.get, apigee.deployments.list, apigee.datacollectors.list, apigee.datastores.list, apigee.instances.list, apigee.instanceattachments.list, apigee.envgroups.list, apigee.environments.get, apigee.environments.getIamPolicy, apigee.hostsecurityreports.list, apigee.proxies.get, apigee.proxies.list, apigee.reports.list, apigee.securityProfiles.list` | Every monitored project |
| Google Artifact Registry | artifactregistry.googleapis.com | Store and manage build artifacts. | Project Viewer | `artifactregistry.locations.list, artifactregistry.repositories.list, artifactregistry.repositories.getIamPolicy` | Every monitored project |
| Google Essential Contacts | essentialcontacts.googleapis.com | Customize who receives notifications from Google Cloud services such as Cloud Billing. | Project Viewer | `essentialcontacts.contacts.list` | Host project |
| Google Firebase Rules | firebaserules.googleapis.com | Firebase, an application development platform for iOS, Android, and web apps. | | `firebaserules.rulesets.get, firebaserules.rulesets.list, firebaserules.releases.list` | |
| Google Cloud Composer | composer.googleapis.com | | Project Viewer | `composer.environments.list, composer.environments.get` | Every monitored project |
| Google Cloud Source Repositories API | sourcerepo.googleapis.com | Private Git repositories to design, develop, and securely manage code. | Source Repository Reader | `source.repos.list, source.repos.getIamPolicy` | Every monitored project |
| Google Cloud Spanner API | spanner.googleapis.com | Globally distributed NewSQL database for global online transaction processing. | Cloud Spanner Viewer | `spanner.databases.list, spanner.databases.getIamPolicy, spanner.instances.list, spanner.instanceConfigs.list, spanner.instances.getIamPolicy, spanner.backups.list, spanner.backups.getIamPolicy` | Host project and every monitored project |
| Cloud SQL Admin API | sqladmin.googleapis.com | Cloud SQL database instance management. | Custom Role | `cloudsql.instances.list` | Host project |
| Compute Engine API | compute.googleapis.com | Creates and runs virtual machines on Google Cloud. | Project Viewer | `cloudasset.assets.searchAllIamPolicies, compute.addresses.list, compute.backendServices.list, compute.backendBuckets.list, compute.sslCertificates.list, compute.disks.get, compute.disks.list, compute.firewalls.list, compute.forwardingRules.list, compute.globalForwardingRules.list, compute.images.get, compute.images.list, compute.images.getIamPolicy, compute.instances.getIamPolicy, compute.instances.list, compute.instanceGroups.list, compute.instanceTemplates.list, compute.instanceTemplates.getIamPolicy, compute.targetSslProxies.list, compute.networks.get, compute.networks.list, compute.subnetworks.get, compute.projects.get, compute.regionBackendServices.list, compute.routers.get, compute.routers.list, compute.routes.list, compute.snapshots.list, compute.snapshots.getIamPolicy, compute.sslPolicies.get, compute.sslPolicies.list, compute.subnetworks.list, compute.targetHttpProxies.list, compute.targetHttpsProxies.list, compute.targetPools.list, compute.urlMaps.list, compute.vpnTunnels.list, compute.externalVpnGateways.list` | Host project |
| Cloud Bigtable API | bigtableadmin.googleapis.com | NoSQL big data database service. | Custom Role | `bigtable.appProfiles.get, bigtable.appProfiles.list, bigtable.clusters.get, bigtable.clusters.list, bigtable.instances.get, bigtable.instances.list, bigtable.instances.getIamPolicy, bigtable.tables.get, bigtable.tables.list, bigtable.tables.getIamPolicy, bigtable.backups.list, bigtable.backups.getIamPolicy` | Host project |
| Google Cloud Storage API | storage-component.googleapis.com | RESTful service for storing and accessing data on Google's infrastructure. | Custom Role | `storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.list` | No specific requirement |
| Google Organization Policy | orgpolicy.googleapis.com | Centralized, programmatic control over an organization's cloud resources through constraints across the resource hierarchy. | Project Viewer | `orgpolicy.constraints.list, orgpolicy.policy.get` | Host project |
| Google Dataproc Clusters API | dataproc.googleapis.com | Managed service for creating compute clusters that run Hadoop and Spark applications. | Project Viewer | `dataproc.clusters.list, dataproc.clusters.get, dataproc.clusters.getIamPolicy, cloudasset.assets.searchAllIamPolicies, dataproc.workflowTemplates.list, dataproc.workflowTemplates.getIamPolicy, dataproc.autoscalingPolicies.list, dataproc.autoscalingPolicies.getIamPolicy` | Every monitored project |
| Google Dataproc Metastore | metastore.googleapis.com | Fully managed Apache Hive metastore service for Dataproc. | Project Viewer | `metastore.locations.list, metastore.services.list, metastore.services.getIamPolicy` | Every monitored project |
| Google Data Catalog | datacatalog.googleapis.com | Fully managed, scalable metadata management service for searching and tagging data entries. | Project Viewer | `datacatalog.taxonomies.list, datacatalog.taxonomies.getIamPolicy, datacatalog.taxonomies.get, datacatalog.entryGroups.list, datacatalog.entryGroups.getIamPolicy, datacatalog.entryGroups.get` | Host project |
| Google Datastore | datastore.googleapis.com | Schemaless NoSQL database with fully managed, scalable storage. | Project Viewer | `datastore.indexes.list` | Host project |
| Google Datastream | datastream.googleapis.com | Serverless change data capture (CDC) and replication across heterogeneous databases and applications. | Project Viewer | `datastream.locations.list, datastream.privateConnections.list, datastream.connectionProfiles.list, datastream.streams.list` | |
| Google Recommender (IAM Recommender) | recommender.googleapis.com | Usage recommendations for Google Cloud resources; each recommender is specific to a single product and resource type. | IAM Recommender Viewer | `recommender.iamPolicyRecommendations.list, recommender.iamPolicyInsights.list, recommender.iamServiceAccountInsights.list, recommender.iamPolicyLateralMovementInsights.list` | Host project |
| Google Healthcare | healthcare.googleapis.com | Storing and accessing healthcare data in Google Cloud. | Project Viewer | `healthcare.locations.list, healthcare.datasets.get, healthcare.datasets.list, healthcare.datasets.getIamPolicy` | Every monitored project |
| Google Hybrid Connectivity | networkconnectivity.googleapis.com | Enterprise connectivity from on-premises or another cloud provider to your VPC network. | Project Viewer | `networkconnectivity.hubs.list, networkconnectivity.hubs.getIamPolicy, networkconnectivity.locations.list, networkconnectivity.spokes.list, networkconnectivity.spokes.getIamPolicy` | Every monitored project |
| Google Cloud Run API | run.googleapis.com | Deploys and manages user-provided container images. | Project Viewer | `run.locations.list, run.services.list, cloudasset.assets.searchAllIamPolicies` | Every monitored project |
| Google Secret Manager | secretmanager.googleapis.com | Stores sensitive data such as API keys, passwords, and certificates. | Secret Manager Viewer | `secretmanager.secrets.list, secretmanager.secrets.getIamPolicy, secretmanager.versions.list` | Every monitored project |
| Google Security Command Center | securitycenter.googleapis.com | Centralized vulnerability and threat reporting to mitigate and remediate security risks. | Project Viewer | `securitycenter.sources.list, securitycenter.sources.getIamPolicy, securitycenter.organizationsettings.get, securitycenter.notificationconfig.list, securitycenter.muteconfigs.list` | Host project |
| Google Serverless VPC Access | vpcaccess.googleapis.com | Lets Cloud Functions and App Engine apps reach VPC resources by private IP. | Project Viewer | `vpcaccess.locations.list, vpcaccess.connectors.list` | Every monitored project |
| Google Cloud Filestore | file.googleapis.com | Creates and manages cloud file servers. | Cloud Filestore Viewer | `file.instances.list` | Every monitored project |
| Google Cloud Firestore | firestore.googleapis.com | Flexible, scalable NoSQL cloud database for client- and server-side development. | Project Viewer | `datastore.databases.list` | Every monitored project |
| Google Certificate Authority Service | privateca.googleapis.com | Deployment, management, and security of private certificate authorities (CAs). | CA Service Auditor | `privateca.caPools.getIamPolicy, privateca.caPools.list, privateca.certificateAuthorities.list, privateca.certificates.list, privateca.certificateRevocationLists.list, privateca.certificateRevocationLists.getIamPolicy, privateca.locations.list` | Destination only |
| Google Identity-Aware Proxy | iap.googleapis.com | Application-level access control through a central authorization layer instead of network-level firewalls. | Custom Role | `clientauthconfig.brands.list, clientauthconfig.clients.listWithSecrets` | Every monitored project |
| Google Traffic Director | networksecurity.googleapis.com | Fully managed application networking platform and service mesh. | Project Viewer | `networksecurity.authorizationPolicies.list, networksecurity.authorizationPolicies.getIamPolicy, networksecurity.clientTlsPolicies.list, networksecurity.clientTlsPolicies.getIamPolicy, networksecurity.serverTlsPolicies.list, networksecurity.serverTlsPolicies.getIamPolicy, networkservices.locations.list, networkservices.gateways.list, networkservices.meshes.list, networkservices.meshes.getIamPolicy` | Host project |
| Google Traffic Director Network Services | networkservices.googleapis.com | Routes for the Traffic Director service mesh. | Project Viewer | `networkservices.httpRoutes.list, networkservices.grpcRoutes.list, networkservices.tcpRoutes.list, networkservices.tlsRoutes.list` | Every monitored project |
| Google VPC (firewall policies) | compute.googleapis.com | Organization-wide firewall policies that let organization admins manage critical firewall rules in one place. | Project Viewer | `compute.firewallPolicies.list, compute.regionFirewallPolicies.list` | Host project |
| Google Vertex AI | notebooks.googleapis.com | AI platform with pre-trained and custom tooling to build, deploy, and scale ML models. | Project Viewer | `notebooks.locations.list, notebooks.instances.list, notebooks.instances.checkUpgradability, notebooks.instances.getHealth, notebooks.instances.getIamPolicy, notebooks.runtimes.list` | Host project |
| Identity and Access Management (IAM) API | iam.googleapis.com | Identity and access control for GCP resources, including creation of service accounts used to authenticate to Google and make API calls. | Project Viewer | `iam.roles.get, iam.roles.list, iam.serviceAccountKeys.list, iam.serviceAccounts.list, iam.workloadIdentityPools.list, iam.workloadIdentityPoolProviders.list, iam.denypolicies.get, iam.denypolicies.list` | Host project |
| Memorystore for Redis | redis.googleapis.com | Fully managed Redis. | Project Viewer | `redis.instances.get, redis.instances.list` | Every monitored project |
| Memorystore for Memcached | memcache.googleapis.com | Fully managed Memcached. | Project Viewer | `memcache.locations.list, memcache.instances.list` | Every monitored project |
| Google Managed Microsoft AD | managedidentities.googleapis.com | Highly available, hardened Microsoft Active Directory domains hosted by Google Cloud. | Project Viewer | `managedidentities.domains.list, managedidentities.domains.get, managedidentities.domains.getIamPolicy, managedidentities.sqlintegrations.list` | No specific requirement |
| Google Network Intelligence Center | recommender.googleapis.com | Single console for network visibility, monitoring, and troubleshooting. | Project Viewer | `recommender.computeFirewallInsights.list` | Host project |
| Kubernetes Engine API | container.googleapis.com | Builds and manages container-based applications on Kubernetes. | Kubernetes Engine Cluster Viewer | `container.clusters.get, container.clusters.list` | Host project |
| Service Usage API | serviceusage.googleapis.com | Lists the available or enabled services. As a best practice, enable this API on all GCP projects onboarded to Prisma Cloud. | Project Viewer | `serviceusage.services.list` | Every monitored project |
| Stackdriver (Cloud) Monitoring API | monitoring.googleapis.com | Monitoring data and configuration; visibility into the performance, availability, and health of applications and infrastructure. | Monitoring Viewer | `monitoring.alertPolicies.list, monitoring.metricDescriptors.get, redis.instances.list, monitoring.notificationChannels.list, resourcemanager.folders.getIamPolicy` | Every monitored project and the host project |
| Stackdriver (Cloud) Logging API | logging.googleapis.com | Writes log entries and manages Logging configuration. | Logging Admin | `logging.buckets.list, logging.logEntries.list, logging.logMetrics.get, logging.logMetrics.list, logging.sinks.get, logging.sinks.list, logging.exclusions.list` | Every monitored project |
| Google Web Security Scanner API | websecurityscanner.googleapis.com | Identifies vulnerabilities in App Engine, GKE, and Compute Engine web applications. | Web Security Scanner Viewer | `cloudsecurityscanner.scans.list` | Host project |
| Google Workflows | workflows.googleapis.com | Fully managed orchestration platform that executes services in a defined order. | Project Viewer | `workflows.locations.list, workflows.workflows.list` | Every monitored project |
| Cloud Spanner backups | spanner.googleapis.com | Backups of Cloud Spanner databases. | Project Viewer | `spanner.backups.list, spanner.backups.getIamPolicy` | Source project and destination |
| Google Service Directory | servicedirectory.googleapis.com | Managed service inventory: a single place to publish, discover, and connect services. | Project Viewer | `servicedirectory.namespaces.list, servicedirectory.namespaces.getIamPolicy, servicedirectory.services.list, servicedirectory.services.getIamPolicy, servicedirectory.endpoints.list` | Every monitored project |
| GCP Organization (additional permissions required to onboard) | N/A | Organization Role Viewer is required for onboarding a GCP Organization; granting only the individual permissions listed here is not sufficient. | Organization Role Viewer | `resourcemanager.organizations.get, resourcemanager.projects.list, resourcemanager.organizations.getIamPolicy` | N/A |

Several predefined roles in the Role column (Logging Admin and Dataflow Admin in particular) carry write permissions well beyond the read-only permissions listed next to them. If you build a custom role instead of using the predefined one, grant only the permissions in the Permissions column.
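The enable-and-verify step above is easy to get wrong across many projects, because Prisma Cloud silently skips any service whose API is off and cannot discover anything at all when serviceusage.googleapis.com is off. The following Python script is an added example, not Prisma Cloud's own code: it takes the output of `gcloud services list --enabled --project PROJECT_ID --format='value(config.name)'` (one service name per line), reports which of the APIs from the gcloud services enable example are still disabled, and prints the exact enable command for the remainder. The project ID and the embedded service list are constructed.

```python
"""Report which APIs a target project still needs before Prisma Cloud can ingest it.

Added example, not Prisma Cloud code. Input is the output of
`gcloud services list --enabled --project PROJECT_ID --format='value(config.name)'`,
one service name per line; the sample below is constructed.
"""
import sys

# The APIs from the gcloud services enable example on this page, in the same order.
REQUIRED_APIS = (
    "serviceusage.googleapis.com", "appengine.googleapis.com", "bigquery.googleapis.com",
    "cloudfunctions.googleapis.com", "dataflow.googleapis.com", "dns.googleapis.com",
    "dataproc.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudkms.googleapis.com",
    "sqladmin.googleapis.com", "compute.googleapis.com", "storage-component.googleapis.com",
    "recommender.googleapis.com", "iam.googleapis.com", "container.googleapis.com",
    "monitoring.googleapis.com", "logging.googleapis.com",
)

# Constructed sample: what gcloud might print for a lightly used project.
SAMPLE_SERVICES_LIST = """\
compute.googleapis.com
iam.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
serviceusage.googleapis.com
storage-component.googleapis.com
"""


def parse_services_list(text):
    """Turn gcloud's one-name-per-line output into a set of enabled service names."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def missing_apis(enabled, required=REQUIRED_APIS):
    """Required APIs that are not enabled, in the order of the enable command."""
    return [api for api in required if api not in enabled]


def service_usage_enabled(enabled):
    """Prisma Cloud reads the Service Usage API to learn what else is enabled;
    without it the project's other services cannot be discovered at all."""
    return "serviceusage.googleapis.com" in enabled


def enable_command(project_id, apis):
    """The gcloud command that enables exactly the missing APIs, or None if none are missing."""
    if not apis:
        return None
    return "gcloud services enable --project {} {}".format(project_id, " ".join(apis))


def main(argv):
    """Usage: missing_apis.py PROJECT_ID [services_list.txt | -]   ('-' reads stdin)"""
    project = argv[1] if len(argv) > 1 else "my-target-project"  # assumed project ID
    if len(argv) > 2:
        if argv[2] == "-":
            text = sys.stdin.read()
        else:
            with open(argv[2], encoding="utf-8") as fh:
                text = fh.read()
    else:
        text = SAMPLE_SERVICES_LIST
    enabled = parse_services_list(text)
    if not service_usage_enabled(enabled):
        print("serviceusage.googleapis.com is disabled: Prisma Cloud cannot discover this project's services")
    missing = missing_apis(enabled)
    print(enable_command(project, missing) or "all required APIs are enabled")


if __name__ == "__main__":
    main(sys.argv)
```

Pipe gcloud straight into it for each onboarded project, for example `gcloud services list --enabled --project PROJECT_ID --format='value(config.name)' | python3 missing_apis.py PROJECT_ID -`. Extend REQUIRED_APIS with any further APIs from the table whose services you expect Prisma Cloud to monitor.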
GCP Cloud Asset Inventory
The GCP Cloud Asset Inventory (CAI) service lets you search asset metadata across a project, folder, or organization with a single API instead of separate per-service API calls. Prisma Cloud uses CAI for a few GCP services, which reduces the number of API calls to GCP and speeds up asset reporting on Prisma Cloud. CAI is enabled by default on Prisma Cloud. This is why cloudasset.googleapis.com and the cloudasset.assets.searchAllIamPolicies permission appear in the table rows for the services below.
The following GCP services (APIs) have CAI support on Prisma Cloud:
- KMS (Get IAM policy, List Keyrings, and Cryptokeys)
- Pub/Sub (Get IAM policy)
- Dataproc (Get IAM policy)
- Cloud Functions (Get IAM policy)
- Cloud Run (Get IAM policy)
- BigQuery (Get IAM policy, List BigQuery Datasets, and Tables)
- Compute Instance (Get IAM policy)