Create a Service Account With a Custom Role for GCP
If you prefer to create a service account with more granular permissions to Add Your GCP Organization to Prisma Cloud or Add Your GCP Project to Prisma Cloud, instead of using the Terraform template which grants the Viewer (primitive) role for read-only access to resources in your GCP account, use the following instructions.
- If you enable granular permissions, you must update the custom role and add any additional permissions that may be required to ingest data from any new service that is added on Prisma Cloud.
- To enable dataflow log compression using the Dataflow service, you must enable additional permissions. See Flow Log Compression on GCP for details on ingesting network log data.
- Create a YAML file with the custom permissions.
- Create a YAML file and add the granular permissions for the custom role. Use this YAML format as an example. You must add the permissions for onboarding your GCP project or organization, from the link above, to this file:

    title: prisma-custom-role
    description: prisma-custom-role
    stage: beta
    includedPermissions:
    - compute.networks.list
    - compute.backendServices.list

- Create the custom role. When creating a service account, you must select a GCP project because GCP does not allow the service account to belong directly under the GCP Organization.
- Select the GCP project in which you want to create the custom role.
- Upload the YAML file to the Cloud Shell.
- Run the gcloud command:

    gcloud iam roles create <prisma customrole name> --project <project-ID> --file <YAML file name>

- Create a Service Account and attach the custom role to it.
- Select the IAM & Admin > Service Accounts page in the Google Cloud Console.
- Create Service Account and add the role you created earlier to it.
- Create a key and download the private key.
- Continue to Add Your GCP Project to Prisma Cloud and use the private key for the service account to complete onboarding.
- (For onboarding GCP Organization only) Create the custom role at the GCP Organization level.
- Select your GCP Organization.
- Verify that the YAML file you created in Step 1 includes the additional permissions for GCP Organization. Run the gcloud command:

    gcloud iam roles create <prisma customrole name> --organization <org ID> --file <YAML File name>

- (For onboarding GCP Organization only) Set up your Service Account to monitor all the GCP folders and projects within the GCP Organization. You must associate the service account you created in the project in Step 3 with the GCP Organization level and add the custom role you created in the previous step. Additionally, you must add the predefined role for Organization Viewer to the service account. All these tasks together enable the service account to monitor all the GCP projects that are within the GCP Organizational hierarchy.
- Copy the service account member address. Select the project that you used to create the service account, and select IAM & admin > IAM to copy the service account member address.
- Select your Organization, select IAM & Admin > IAM to Add members to the service account.
- Paste the service account member address you copied as New members, and Select a role.
- Select the custom role you created in Step 4, and click + ADD ANOTHER ROLE.
- Select Resource Manager > Organization Role Viewer and the Folder Viewer role, and Save. The Organization Viewer role enables permissions to view the Organization name without granting access to all resources in the Organization. The Folder Viewer role is also required to onboard your GCP folders.
- (For onboarding GCP Organization only) Continue to Add Your GCP Organization to Prisma Cloud and use the private key associated with your service account to complete onboarding.
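
A pre-upload check for the custom role YAML file described above, as an added example that is not part of the Prisma Cloud documentation. It parses the flat layout shown on this page and reports missing fields, duplicate or malformed permissions, and permissions whose verb is not get/list so they can be reviewed against the read-only intent. The function names, the get/list heuristic, and the sample entries beyond the page's two permissions are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the page's example role plus three made-up problem entries.
SAMPLE_ROLE = """\
title: prisma-custom-role
description: prisma-custom-role
stage: beta
includedPermissions:
- compute.networks.list
- compute.backendServices.list
- compute.instances.delete
- compute.networks.list
- storage.*
"""

# Permissions are expected in service.resource.verb form.
PERMISSION_RE = re.compile(r"^\w+\.\w+\.\w+$")
READ_VERB_PREFIXES = ("get", "list")  # assumption: heuristic for read-only verbs

def parse_role(text):
    """Parse the flat role layout shown on this page (not a general YAML parser)."""
    role, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            role[current].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value:
            role[key], current = value, None
        else:
            role[key], current = [], key
    return role

def audit_role(text):
    """Return findings to resolve before running 'gcloud iam roles create'."""
    role = parse_role(text)
    perms = role.get("includedPermissions")
    perms = perms if isinstance(perms, list) else []
    counts = Counter(perms)
    valid = [p for p in counts if PERMISSION_RE.match(p)]
    return {
        "missing": [k for k in ("title", "includedPermissions") if not role.get(k)],
        "duplicates": sorted(p for p, n in counts.items() if n > 1),
        "malformed": sorted(p for p in counts if p not in valid),
        "review": sorted(p for p in valid
                         if not p.rsplit(".", 1)[1].startswith(READ_VERB_PREFIXES)),
    }

if __name__ == "__main__":
    for finding, items in audit_role(SAMPLE_ROLE).items():
        print(f"{finding}: {items}")
```

An entry under "review" is not necessarily wrong; it marks a permission that goes beyond read access and should be checked against the permission list you copied for onboarding.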