1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Google Cloud Platform
    7. Prerequisites to Onboard GCP Organizations and Projects

    Prerequisites to Onboard GCP Organizations and Projects

    Learn about the Service account and APIs that enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a GCP organization or project.
    In order to analyze and monitor your GCP account, Prisma Cloud requires access to specific APIs and a service account which is an authorized identity that enables authentication between Prisma Cloud and GCP. A combination of custom, predefined, and primitive roles grant the service account the permissions it needs to complete specific actions on the resources in your GCP organization or project.
    To successfully onboard and monitor the resources within your GCP organization or project, make sure you have completed the following prerequisites:

    Service Account Permissions

    The permissions that the Prisma Cloud service account needs to monitor your GCP resources depends on your cloud protection needs.
    • If you are onboarding a GCP organization, you must assign the roles to the IAM policy for the organization.
    • If you are onboarding a GCP project, you must assign the roles to the IAM policy for each project.
    • If you are using a master service account (MSA), you have two options:
      • (Recommended) Add permissions to the IAM policy for the organization.
      • Assign the roles to the IAM policy for each project individually.
    The roles for read or read-write access permission that the service account requires are:
    • Viewer—Primitive role on GCP.
    • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIampolicy to retrieve the IAM policy for the specified bucket.
    • Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
    • Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
    • Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow logs compression using the Dataflow service. See Flow Logs Compression on GCP for details.
    • Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and to automatically create account groups based on the folder hierarchy.

    Rate Limit Exception for GCP APIs

    The API calls from Prisma Cloud use quota from the GCP project that you’ve onboarded, which enables Prisma Cloud to ingest resource metadata across multiple projects without exceeding the GCP API rate limits.
    To ensure continuous insights in to all your GCP resources and to prevent rate limit exception errors from occurring for Prisma Cloud’s authorized API calls to GCP, make sure to:

    GCP APIs

    Prisma Cloud can ingest data from several GCP APIs.
    When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP organization or project, the required permissions are automatically enabled for you.
    • In the GCP project where you create the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other GCP APIs for which you want Prisma Cloud to monitor resources.
    • If a cloud service API is not enabled on a GCP project, Prisma Cloud skips the ingestion for the respective service; you must, however, ensure that
      Service Usage
       API is enabled on each GCP project that you want Prisma Cloud to monitor under your GCP organization hierarchy.
      To skip ingestion for a cycle, Prisma cloud watches the response from the Service Usage API for the details on which cloud services are enabled in a GCP project. For example, if you have not enabled cloud functions in one or more GCP projects within the GCP organization, Prisma cloud can learn about it and skip the ingestion cycle for this cloud service.
    • Prisma Cloud recommends you create the service account in a dedicated GCP project.
      GCP enforces a limit on the API calls allowed to a GCP project/IAM service account. When you create the service account in a dedicated GCP project, you can ensure that the API calls that Prisma Cloud makes do not interfere with any quota limits against your production workloads and services hosted in the separate GCP project.
    • Verify that you have granted all the required permissions to the Prisma Cloud service account.
      If the service account does not have the IAM permissions required to retrieve data, Prisma Cloud skips ingestion of the respective cloud.service(s) for your onboarded account. When you use the Terraform template provide by Prisma Cloud to automate the onboarding of your GCP organization or project, the required permissions are automatically enabled for you.
      To enable the APIs that allow Prisma Cloud to monitor your GCP projects, use it as shown in this example (that uses some of the APIs listed in the table below):
      gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
      Verify the APIs that you have enabled with
      gcloud services list
      .
      The following table lists the APIs and associated granular permissions if you want to create a custom role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and associated permissions, Prisma Cloud can retrieve data about your GCP resources and identify potential security risks and compliance issues across your cloud accounts. To create a custom role for the service account, see Create a Service Account With a Custom Role before you continue to add your GCP Organization or GCP Project to Prisma Cloud.
      Service Name
      Description
      Role Name
      Permissions
      Enable this API on
      API Keys
      apikeys.googleapis.com
      Authenticates requests associated with your project for usage and billing purposes.
      API Keys Viewer
      apikeys.keys.list
      apikeys.keys.get
      App Engine API
      appengine.googleapis.com
      Allows you to access App Engine, which is a fully managed serverless platform on GCP.
      App Engine Viewer
      appengine.applications.get
      Project that hosts the service account
      Access Context Manager API
      accesscontextmanager.googleapis.com
      Read access to policies, access levels, and access zones.
      Access Context Manager Reader
      accesscontextmanager.accessPolicies.list
      accesscontextmanager.policies.list
      accesscontextmanager.accessLevels.list
      accesscontextmanager.servicePerimeters.list
      Project that hosts the service account
      Access Approval
      accessapproval.googleapis.com
      Allows you to access settings associated with a project, folder, or organization.
      Project Viewer
      accessapproval.settings.get
      Project that hosts the service account
      API Gateway
      apigateway.googleapis.com
      Enables you to create, secure, and monitor APIs for Google Cloud serverless back ends, including Cloud Functions, Cloud Run, and App Engine.
      API Gateway Viewer
      apigateway.gateways.getIamPolicy
      apigateway.gateways.list
      apigateway.gateways.get
      apigateway.locations.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      BigQuery API
      cloudasset.googleapis.com
      Allows you to create, manage, share, and query data.
      Cloud Asset Viewer
      bigquery.tables.get
      cloudasset.assets.searchAllResources
      cloudasset.assets.searchAllIamPolicies
      Project that hosts the service account
      Binary Authorization API
      binaryauthorization.googleapis.com
      Enables you to configure a policy that the service enforces when an attempt is made to deploy a container image on one of the supported container-based platforms.
      Project Viewer
      binaryauthorization.policy.get
      binaryauthorization.policy.getIamPolicy
      Project that hosts the service account
      Cloud Data Fusion
      datafusion.googleapis.com
      Cloud Data Fusion is a fully managed, cloud-native, enterprise data integration service for quickly building and managing data pipelines.
      Project Viewer
      datafusion.instances.list
      datafusion.instances.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Cloud Functions
      cloudfunctions.googleapis.com
      Cloud Functions is Google Cloud’s event-driven serverless compute platform.
      Project Viewer
      cloudfunctions.functions.getIamPolicy
      cloudfunctions.functions.list
      cloudfunctions.functions.get
      cloudfunctions.locations.list
      Project that hosts the service account
      Cloud DataFlow API
      dataflow.googleapis.com
      Manages Google Cloud Dataflow projects.
      Dataflow Admin
      iam.serviceAccounts.actAs
      resourcemanager.projects.get
      storage.buckets.get
      storage.objects.create
      storage.objects.get
      storage.objects.list
      See Flow Logs Compression
      Project that runs Data Flow
      Cloud DNS API
      dns.googleapis.com
      Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records.
      DNS Reader
      dns.dnsKeys.list
      dns.managedZones.list
      dns.projects.get
      dns.policies.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Cloud Pub/Sub
      pubsub.googleapis.com
      Real-time messaging service that allows you to send and receive messages between independent applications.
      Project Viewer and a custom role with granular privileges
      pubsub.topics.list
      pubsub.topics.get
      pubsub.topics.getIamPolicy
      pubsub.subscriptions.list
      pubsub.subscriptions.get
      pubsub.subscriptions.getIamPolicy
      pubsub.snapshots.list
      pubsub.snapshots.getIamPolicy
      cloudasset.assets.searchAllIamPolicies
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Container Analysis
      containeranalysis.googleapis.com
      Container Analysis provides vulnerability scanning and metadata storage for containers through Container Analysis.
      Project Viewer
      containeranalysis.occurrences.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Dataplex
      dataplex.googleapis.com
      Unifies distributed data and automates data management and governance across that data to power analytics at scale.
      Project Viewer
      dataplex.assets.list
      dataplex.assets.getIamPolicy
      dataplex.assetActions.list
      dataplex.content.list
      dataplex.content.getIamPolicy
      dataplex.entities.list
      dataplex.locations.list
      dataplex.lakes.list
      dataplex.lakes.getIamPolicy
      dataplex.tasks.list
      dataplex.tasks.getIamPolicy
      dataplex.zones.list
      Project that hosts the service account
      Google Cloud Resource Manager API
      cloudresourcemanager.googleapis.com
      Creates, reads, and updates metadata for Google Cloud Platform resource containers.
      Project Viewer
      resourcemanager.projects.getIamPolicy
      Project that hosts the service account
      resourcemanager.folders.getIamPolicy
      Only required for GCP Organization
      Project that hosts the service account
      And
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Cloud Data Loss Prevention
      dlp.googleapis.com
      Cloud Data Loss Prevention is a fully managed service designed to discover, classify, and protect the most sensitive data.
      Project Viewer
      dlp.inspectTemplates.list
      dlp.deidentifyTemplates.list
      dlp.jobTriggers.list
      dlp.deidentifyTemplates.list
      dlp.inspectTemplates.list
      dlp.storedInfoTypes.list
      Project that hosts the service account
      Google Cloud Deploy
      clouddeploy.googleapis.com
      Google Cloud Deploy is an opinionated, serverless, secure continuous delivery service for GKE to manage release progression from dev to staging to prod.
      Project Viewer
      clouddeploy.config.get
      clouddeploy.locations.list
      clouddeploy.deliveryPipelines.list
      clouddeploy.deliveryPipelines.getIamPolicy
      clouddeploy.targets.list
      clouddeploy.targets.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Firebase Remote Config
      firebaseremoteconfig.googleapis.com
      Firebase Remote Config gives visibility and fine-grained control over app’s behavior and appearance by simply updating its configuration.
      Project Viewer
      cloudconfig.configs.get
      Project that hosts the service account
      Cloud Key Management Service (KMS) API
      cloudasset.googleapis.com
      Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys.
      Cloud Asset Viewer
      cloudasset.assets.searchAllResources
      cloudasset.assets.searchAllIamPolicies
      cloudkms.keyRings.get
      cloudkms.keyRings.getIamPolicy
      cloudkms.cryptoKeys.get
      cloudkms.cryptoKeys.getIamPolicy
      Project that hosts the service account
      Cloud Service Usage API
      serviceusage.googleapis.com
      API that lists the available or enabled services, or disables services that service consumers no longer use on GCP.
      Project Viewer
      serviceusage.services.list
      Project that hosts the service account
      Google Binary Authorization
      binaryauthorization.googleapis.com
      A service that enables policy-based deployment validation and control for images deployed to Google Kubernetes Engine (GKE), Anthos Service Mesh, Anthos Clusters, and Cloud Run.
      Project Viewer
      binaryauthorization.policy.get
      binaryauthorization.policy.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google Cloud Armor
      compute.googleapis.com
      Network security service that provides defenses against DDoS and application attacks, and offers WAF rules.
      Project Viewer
      compute.securityPolicies.list
      compute.securityPolicies.get
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google Cloud Tasks
      cloudtasks.googleapis.com
      API to fetch task and queue information.
      Project Viewer
      cloudtasks.locations.list
      cloudtasks.tasks.list
      cloudtasks.queues.list
      run.locations.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google AI Platform
      ml.googleapis.com
      A suite of services on Google Cloud specifically targeted at building, deploying, and managing machine learning models in the cloud.
      ml.models.list
      ml.models.getIamPolicy
      ml.jobs.getIamPolicy
      ml.jobs.list
      ml.jobs.get
      Google Analytics Hub
      analyticshub.googleapis.com
      Analytics Hub is a data exchange that allows to efficiently and securely exchange data assets across organizations to address challenges of data reliability and cost.
      Project Viewer
      analyticshub.dataExchanges.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Anthos GKE Fleet Management
      gkehub.googleapis.com
      Anthos offers capabilities built around the idea of the fleet: a logical grouping of Kubernetes clusters and other resources that can be managed together.
      Project Viewer
      gkehub.locations.list
      gkehub.memberships.list
      gkehub.memberships.getIamPolicy
      gkehub.features.list
      gkehub.features.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Apigee X
      apigee.googleapis.com
      Apigee X is a new version of Google Cloud’s API management platform that assists enterprises in making the transition to digital platforms.
      Project Viewer
      apigee.apiproducts.get
      apigee.apiproducts.list
      apigee.organizations.get
      apigee.organizations.list
      apigee.sharedflows.list
      apigee.sharedflows.get
      apigee.deployments.list
      apigee.datacollectors.list
      apigee.datastores.list
      apigee.instances.list
      apigee.instanceattachments.list
      apigee.envgroups.list
      apigee.environments.get
      apigee.environments.getIamPolicy
      apigee.hostsecurityreports.list
      apigee.proxies.get
      apigee.proxies.list
      apigee.reports.list
      apigee.securityProfiles.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Artifact Registry
      artifactregistry.googleapis.com
      Artifact Registry is a scalable and integrated service to store and manage build artifacts.
      Project Viewer
      artifactregistry.locations.list
      artifactregistry.repositories.list
      artifactregistry.repositories.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Essential Contacts
      essentialcontacts.googleapis.com
      Allows you to customize who receives notifications from Google Cloud services, such as Cloud Billing, by providing a list of contacts.
      Project Viewer
      essentialcontacts.contacts.list
      Project that hosts the service account
      Google Firebase Rules
      firebaserules.googleapis.com
      An application development software that enables developers to develop iOS, Android and Web apps.
      firebaserules.rulesets.get
      firebaserules.rulesets.list
      firebaserules.releases.list
      Google Cloud Composer
      composer.googleapis.com
      Project Viewer
      composer.environments.list
      composer.environments.get
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Cloud Source Repositories API
      sourcerepo.googleapis.com
      A private Git repository to design, develop, and securely manage your code.
      Source Repository Reader
      source.repos.list
      source.repos.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Cloud Spanner API
      spanner.googleapis.com
      A globally distributed NewSQL database service and storage solution designed to support global online transaction processing deployments.
      Cloud Spanner Viewer
      spanner.databases.list
      spanner.databases.getIamPolicy
      spanner.instances.list
      spanner.instanceConfigs.list
      spanner.instances.getIamPolicy
      spanner.backups.list
      spanner.backups.getIamPolicy
      Project that hosts the service account
      And
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Cloud SQL Admin API
      sqladmin.googleapis.com
      API for Cloud SQL database instance management.
      Custom Role
      cloudsql.instances.list
      Project that hosts the service account
      Compute Engine API
      compute.googleapis.com
      Creates and runs virtual machines on the Google Cloud Platform.
      Project Viewer
      cloudasset.assets.searchAllIamPolicies
      compute.addresses.list
      compute.backendServices.list
      compute.backendBuckets.list
      compute.sslCertificates.list
      compute.disks.get
      compute.disks.list
      compute.firewalls.list
      compute.forwardingRules.list
      compute.globalForwardingRules.list
      compute.images.get
      compute.images.list
      compute.images.getIamPolicy
      compute.instances.getIamPolicy
      compute.instances.list
      compute.instanceGroups.list
      compute.instanceTemplates.list
      compute.instanceTemplates.getIamPolicy
      compute.targetSslProxies.list
      compute.networks.get
      compute.networks.list
      compute.subnetworks.get
      compute.projects.get
      compute.regionBackendServices.list
      compute.routers.get
      compute.routers.list
      compute.routes.list
      compute.snapshots.list
      compute.snapshots.getIamPolicy
      compute.sslPolicies.get
      compute.sslPolicies.list
      compute.subnetworks.list
      compute.targetHttpProxies.list
      compute.targetHttpsProxies.list
      compute.targetPools.list
      compute.urlMaps.list
      compute.vpnTunnels.list
      compute.externalVpnGateways.list
      Project that hosts the service account
      Cloud Bigtable API
      bigtableadmin.googleapis.com
      Google Cloud Bigtable is a NoSQL Big Data database service.
      Custom Role
      bigtable.appProfiles.get
      bigtable.appProfiles.list
      bigtable.clusters.get
      bigtable.clusters.list
      bigtable.instances.get
      bigtable.instances.list
      bigtable.instances.getIamPolicy
      bigtable.tables.get
      bigtable.tables.list
      bigtable.tables.getIamPolicy
      bigtable.backups.list
      bigtable.backups.getIamPolicy
      Project that hosts the service account
      Google Cloud Storage API
      storage-component.googleapis.com
      Cloud Storage is a RESTful service for storing and accessing your data on Google’s infrastructure.
      Custom Role
      storage.buckets.get
      storage.buckets.getIamPolicy
      storage.buckets.list
      No specific requirement for Prisma Cloud
      Google Organization Policy
      orgpolicy.googleapis.com
      Organization Policy Service provides centralized and programmatic control over organization’s cloud resources through configurable constraints across the entire resource hierarchy.
      Project Viewer
      orgpolicy.constraints.list
      orgpolicy.policy.get
      Project that hosts the service account
      Google Dataproc Clusters API
      dataproc.googleapis.com
      Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications.
      Project Viewer
      dataproc.clusters.list
      dataproc.clusters.get
      dataproc.clusters.getIamPolicy
      cloudasset.assets.searchAllIamPolicies
      dataproc.workflowTemplates.list
      dataproc.workflowTemplates.getIamPolicy
      dataproc.autoscalingPolicies.list
      dataproc.autoscalingPolicies.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Dataproc Metastore
      metastore.googleapis.com
      Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications.
      Project Viewer
      metastore.locations.list
      metastore.services.list
      metastore.services.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Data Catalog
      datacatalog.googleapis.com
      Data Catalog is a fully managed, scalable metadata management service which helps in searching and tagging data entries.
      Project Viewer
      datacatalog.taxonomies.list
      datacatalog.taxonomies.getIamPolicy
      datacatalog.taxonomies.get
      datacatalog.entryGroups.list
      datacatalog.entryGroups.getIamPolicy
      datacatalog.entryGroups.get
      Project that hosts the service account.
      Google Datastore
      datastore.googleapis.com
      Datastore is a schemaless NoSQL database to provide fully managed, robust, scalable storage for any application.
      Project Viewer
      datastore.indexes.list
      Project that hosts the service account.
      Google Datastream
      datastream.googleapis.com
      Datastream is a serverless change data capture (CDC) and replication service to synchronize data across heterogeneous databases and applications.
      Project Viewer
      datastream.locations.list
      datastream.privateConnections.list
      datastream.connectionProfiles.list
      datastream.streams.list
      Google Recommendation APIs
      recommender.googleapis.com
      GCP IAM Recommender
      gcloud-recommender-organization-iam-policy-lateral-movement-insight
      Google Recommender provides usage recommendations for Google Cloud resources. Recommenders are specific to a single Google Cloud product and resource type.
      IAM Recommender Viewer
      recommender.iamPolicyRecommendations.list
      recommender.iamPolicyInsights.list
      recommender.iamServiceAccountInsights.list
      recommender.iamPolicyLateralMovementInsights.list
      Project that hosts the service account
      Google HealthCare
      healthcare.googleapis.com
      Manages solutions for storing and accessing healthcare data in Google Cloud.
      Project Viewer
      healthcare.locations.list
      healthcare.datasets.get
      healthcare.datasets.list
      healthcare.datasets.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Hybrid Connectivity
      networkconnectivity.googleapis.com
      Network Connectivity is Google’s suite of products that provide enterprise connectivity from your on-premises network or from another cloud provider to your Virtual Private Cloud (VPC) network.
      Project Viewer
      networkconnectivity.hubs.list
      networkconnectivity.hubs.getIamPolicy
      networkconnectivity.locations.list
      networkconnectivity.spokes.list
      networkconnectivity.spokes.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Cloud Run API
      run.googleapis.com
      Deploys and manages user provided container images.
      Project Viewer
      run.locations.list
      run.services.list
      cloudasset.assets.searchAllIamPolicies
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Secrets Manager
      secretmanager.googleapis.com
      Stores sensitive data such as API keys, passwords, and certificates.
      Secret Manager Viewer
      secretmanager.secrets.list
      secretmanager.secrets.getIamPolicy
      secretmanager.versions.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Security Command Center
      securitycenter.googleapis.com
      Security Command Center is centralized vulnerability and threat reporting service which helps to mitigate and remediate security risks.
      Project Viewer
      securitycenter.sources.list
      securitycenter.sources.getIamPolicy
      securitycenter.organizationsettings.get
      securitycenter.notificationconfig.list
      securitycenter.muteconfigs.list
      Project that hosts the service account.
      Google Serverless VPC Access
      vpcaccess.googleapis.com
      Serverless VPC Access allows Cloud Functions and App Engine apps to access resources in a VPC network using those resources’ private IPs.
      Project Viewer
      vpcaccess.locations.list
      vpcaccess.connectors.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google Cloud Filestore
      file.instances.list
      Creates and manages cloud file servers.
      Cloud Filestore Viewer
      file.instances.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Cloud Firestore
      firestore.googleapis.com
      Cloud Firestore is a flexible, scalable NoSQL cloud database to store and sync data for client- and server-side development.
      Project Viewer
      datastore.databases.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Google Certificate Authority Service
      privateca.googleapis.com
      Enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA).
      CA Service Auditor
      privateca.caPools.getIamPolicy
      privateca.caPools.list
      privateca.certificateAuthorities.list
      privateca.certificates.list
      privateca.certificateRevocationLists.list
      privateca.certificateRevocationLists.getIamPolicy
      privateca.locations.list
      Required on destination only.
      Google Identity Aware Proxy
      iap.googleapis.com
      Provides application-level access control model instead of relying on network-level firewalls by establishing a central authorization layer for applications.
      Custom Role
      clientauthconfig.brands.list
      clientauthconfig.clients.listWithSecrets
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google Traffic Director
      networksecurity.googleapis.com
      Traffic Director is Google Cloud’s fully managed application networking platform and service mesh.
      Project Viewer
      networksecurity.authorizationPolicies.list
      networksecurity.authorizationPolicies.getIamPolicy
      networksecurity.clientTlsPolicies.list
      networksecurity.clientTlsPolicies.getIamPolicy
      networksecurity.serverTlsPolicies.list
      networksecurity.serverTlsPolicies.getIamPolicy
      networkservices.locations.list
      networkservices.gateways.list
      networkservices.meshes.list
      networkservices.meshes.getIamPolicy
      Project that hosts the service account
      Google Traffic Director Network Service
      networkservices.googleapis.com
      Traffic Director is Google Cloud’s fully managed application networking platform and service mesh.
      Project Viewer
      networkservices.httpRoutes.list
      networkservices.grpcRoutes.list
      networkservices.tcpRoutes.list
      networkservices.tlsRoutes.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google VPC
      compute.googleapis.com
      Enables you to create and enforce a consistent firewall policy across your organization.This lets organization-wide admins manage critical firewall rules in one place.
      Project Viewer
      compute.firewallPolicies.list
      compute.regionfirewallPolicies.list
      Project that hosts the service account
      Google Vertex AI
      notebooks.googleapis.com
      Vertex AI is an artificial intelligence platform with pre-trained and custom tooling to build, deploy, and scale ML models.
      Project Viewer
      notebooks.locations.list
      notebooks.instances.list
      notebooks.instances.checkUpgradability
      notebooks.instances.getHealth
      notebooks.instances.getIamPolicy
      notebooks.runtimes.list
      Project that hosts the service account.
      Identity and Access Management (IAM) API
      iam.googleapis.com
      Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
      Project Viewer
      iam.roles.get
      iam.roles.list
      iam.serviceAccountKeys.list
      iam.serviceAccounts.list
      iam.workloadIdentityPools.list
      iam.workloadIdentityPoolProviders.list
      iam.denypolicies.get
      iam.denypolicies.list
      Project that hosts the service account
      Memorystore
      redis.googleapis.com
      Memorystore is a fully-managed database service that provides a managed version of two popular open source caching solutions: Redis and Memcached.
      Project Viewer
      redis.instances.get
      redis.instances.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Memorystore for Memcached
      memcache.googleapis.com
      Memorystore for Memcached is a fully managed Memcached service for Google Cloud, using which avoids the burden of managing complex Memcached deployments.
      Project Viewer
      memcache.locations.list
      memcache.instances.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google Managed Microsoft AD
      managedidentities.googleapis.com
      Managed Service for Microsoft Active Directory offers high-availability, hardened Microsoft Active Directory domains hosted by Google Cloud.
      Project Viewer
      managedidentities.domains.list
      managedidentities.domains.get
      managedidentities.domains.getIamPolicy
      managedidentities.sqlintegrations.list
      No specific requirement for Prisma Cloud.
      Google Network Intelligence Center
      recommender.googleapis.com
      Network Intelligence Center provides a single console for managing Google Cloud network visibility, monitoring, and troubleshooting.
      Project Viewer
      recommender.computeFirewallInsights.list
      Project that hosts the service account.
      Kubernetes Engine API
      container.googleapis.com
      Builds and manages container-based applications, powered by the open source Kubernetes technology.
      Kubernetes Engine Cluster Viewer
      container.clusters.get
      container.clusters.list
      Project that hosts the service account
      Services Usage API
      serviceusage.googleapis.com
      API that lists the available or enabled services, or disables services that service consumers no longer use on GCP.
      Note
      : As a best practice, you must enable this API on all GCP projects that are onboarded to Prisma Cloud.
      Project Viewer
      serviceusage.services.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Stackdriver Monitoring API
      monitoring.googleapis.com
      Manages your Stackdriver Monitoring data and configurations.
      Helps to gain visibility into the performance, availability, and health of your applications and infrastructure.
      Monitoring Viewer
      monitoring.alertPolicies.list
      monitoring.metricDescriptors.get
      redis.instances.list
      monitoring.notificationChannels.list
      resourcemanager.folders.getIamPolicy
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      And
      Source project where the service account is created for enabling monitoring and protection using Prisma Cloud
      Stackdriver Logging API
      logging.googleapis.com
      Writes log entries and manages your Logging configuration.
      Logging Admin
      logging.buckets.list
      logging.logEntries.list
      logging.logMetrics.get
      logging.logMetrics.list
      logging.sinks.get
      logging.sinks.list
      logging.exclusions.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      Google Web Security Scanner API
      websecurityscanner.googleapis.com
      Identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications.
      Web Security Scanner Viewer
      cloudsecurityscanner.scans.list
      Project that hosts the service account
      Google Workflows
      workflows.googleapis.com
      Workflows is a fully-managed orchestration platform to execute services in a defined order.
      Project Viewer
      workflows.locations.list
      workflows.workflows.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
      Cloud Spanner backups
      spanner.googleapis.com
      A backup of a Cloud Spanner database.
      Project Viewer
      spanner.backups.list
      spanner.backups.getIamPolicy
      Source project and destination.
      Google Service Directory
      servicedirectory.googleapis.com
      A managed service that enhances service inventory management at scale and reduces the complexity of management and operations by providing a single place to publish, discover, and connect services.
      Project Viewer
      servicedirectory.namespaces.list
      servicedirectory.namespaces.getIamPolicy
      servicedirectory.services.list
      servicedirectory.services.getIamPolicy
      servicedirectory.endpoints.list
      Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
      GCP Organization - Additional permissions required to onboard
      Organization Role Viewer
      The Organization Role Viewer is required for onboarding a GCP Organization. If you only provide the individual permissions listed below, the permissions set is not sufficient.
      resourcemanager.organizations.get
      resourcemanager.projects.list
      resourcemanager.organizations.getIamPolicy
      N/A

    GCP Cloud Asset Inventory

    GCP Cloud Asset Inventory (CAI) service allows you to search asset metadata within a project, folder, or organization using a single API instead of separate individual API calls to get the metadata. Prisma Cloud has adopted the CAI service for a few GCP services. The CAI service reduces the number of API calls to GCP and helps speed the time to report on assets on Prisma Cloud. CAI is enabled by default on Prisma Cloud.
    The following GCP services (APIs) have CAI support on Prisma Cloud:
    • KMS (Get IAM policy, List Keyrings, and Cryptokeys)
    • Pub-Sub (Get IAM policy)
    • Dataproc (Get IAM policy)
    • Cloud Function (Get IAM policy)
    • Cloud Run (Get IAM policy)
    • BigQuery (Get IAM policy, List BigQuery Datasets, and Tables)
    • Compute Instance (GET IAM policy)

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo