Create a Service Account With a Custom Role for GCP

If you prefer to create a service account with more granular permissions to Add Your GCP Organization to Prisma Cloud or Add Your GCP Project to Prisma Cloud, instead of using the Terraform template, which grants the Viewer (primitive) role for read-only access to resources in your GCP account, use the following instructions.
  • If you enable granular permissions, you must update the custom role and add any additional permissions that may be required to ingest data from any new service that is added to Prisma Cloud.
  • To enable dataflow log compression using the Dataflow service, you must enable additional permissions. See Flow Log Compression on GCP for details on ingesting network log data.
  1. Create a YAML file with the custom permissions.
    1. Create a YAML file and add the granular permissions for the custom role.
      Use this YAML format as an example. You must add the permissions for onboarding your GCP project or organization, from the link above, to this file:
      title: prisma-custom-role
      description: prisma-custom-role
      stage: beta
      includedPermissions:
      - compute.networks.list
      - compute.backendServices.list
  2. Create the custom role.
    When creating a service account, you must select a GCP project because GCP does not allow the service account to belong directly under the GCP Organization.
    1. Select the GCP project in which you want to create the custom role.
    2. Upload the YAML file to the Cloud Shell.
    3. Run the gcloud command:
      gcloud iam roles create <prisma customrole name> --project <project-ID> --file <YAML file name>
  3. Create a Service Account and attach the custom role to it.
    1. Select IAM & Admin > Service Accounts in the Google Cloud Console.
    2. Select Create Service Account and add the role you created earlier to it.
    3. Select Create a key and download the private key.
  4. Continue to Add Your GCP Project to Prisma Cloud and use the private key for the service account to complete onboarding.
  5. (For onboarding GCP Organization only) Create the custom role at the GCP Organization level.
    1. Select your GCP Organization.
    2. Verify that the YAML file you created in Step 1 includes the additional permissions for GCP Organization.
      Run the gcloud command:
      gcloud iam roles create <prisma customrole name> --organization <org ID> --file <YAML File name>
  6. (For onboarding GCP Organization only) Set up your Service Account to monitor all the GCP folders and projects within the GCP Organization.
    You must associate the service account you created in the project in Step 3 with the GCP Organization and add the custom role you created in the previous step. Additionally, you must add the predefined Organization Viewer role to the service account. Together, these tasks enable the service account to monitor all the GCP projects within the GCP Organization hierarchy.
    1. Copy the service account member address.
      Select the project that you used to create the service account, and select IAM & admin > IAM to copy the service account member address.
    2. Select your Organization, select IAM & Admin > IAM, and select Add to add members to the service account.
    3. Paste the service account member address you copied as New members, and Select a role.
    4. Select the custom role you created in Step 4, and click + ADD ANOTHER ROLE.
    5. Select Resource Manager > Organization Role Viewer and the Folder Viewer role, and click Save.
      The Organization Viewer role grants permission to view the Organization name without granting access to all resources in the Organization. The Folder Viewer role is also required to onboard your GCP folders.
  7. (For onboarding GCP Organization only) Continue to Add Your GCP Organization to Prisma Cloud and use the private key associated with your service account to complete onboarding.
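As an added example (not from this page or from Prisma Cloud), a small Python check that validates the custom-role YAML from Step 1 before it is uploaded to Cloud Shell and passed to gcloud iam roles create: it parses the flat role file, flags malformed or duplicate permissions and an unknown stage, and lists any required permission that is still missing, which is the check that matters when the role must be kept current as new services are added. The REQUIRED_PERMISSIONS list (including resourcemanager.projects.get) is an assumed stand-in for the permission list the onboarding page links to.

```python
import re

# gcloud role files are flat: a few scalar keys plus one list under includedPermissions.
PERM_RE = re.compile(r"^[a-z][a-zA-Z0-9]*(\.[a-zA-Z0-9_]+){2,}$")  # service.resource.verb
VALID_STAGES = {"ALPHA", "BETA", "GA", "DEPRECATED", "DISABLED", "EAP"}

# Constructed sample: the role file shown in Step 1 of this page.
SAMPLE_ROLE_YAML = """\
title: prisma-custom-role
description: prisma-custom-role
stage: beta
includedPermissions:
- compute.networks.list
- compute.backendServices.list
"""
# Assumed stand-in for the permission list the onboarding page links to.
REQUIRED_PERMISSIONS = ["compute.networks.list", "compute.backendServices.list",
                        "resourcemanager.projects.get"]

def parse_role_yaml(text):
    """Minimal parser for the flat role-file format (no PyYAML needed)."""
    role = {"includedPermissions": []}
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_list and line.startswith("- "):
            role["includedPermissions"].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        in_list = key.strip() == "includedPermissions"
        if not in_list:
            role[key.strip()] = value.strip()
    return role

def check_role(role, required):
    """Return a list of problems; an empty list means the file is ready for gcloud."""
    problems = []
    for key in ("title", "description", "stage"):
        if not role.get(key):
            problems.append(f"missing field: {key}")
    if role.get("stage", "").upper() not in VALID_STAGES:
        problems.append(f"unknown stage: {role.get('stage')!r}")
    perms = role["includedPermissions"]
    problems += [f"malformed permission: {p}" for p in perms if not PERM_RE.match(p)]
    problems += [f"duplicate permission: {p}" for p in sorted(set(perms)) if perms.count(p) > 1]
    problems += [f"missing required permission: {p}" for p in sorted(set(required) - set(perms))]
    return problems

if __name__ == "__main__":
    for issue in check_role(parse_role_yaml(SAMPLE_ROLE_YAML), REQUIRED_PERMISSIONS) or ["ok"]:
        print(issue)
```

Run it against the YAML file before each gcloud iam roles create or update; the same check applies to the organization-level role in Step 5.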
