Permissions and APIs Required for GCP Account on Prisma Cloud

Learn about the service account and APIs that enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a GCP project or organization.
To analyze and monitor your Google Cloud Platform (GCP) account, Prisma Cloud requires access to specific APIs and a service account, an authorized identity that authenticates Prisma Cloud to GCP. A combination of custom, predefined, and primitive roles grants the service account the permissions it needs to perform specific actions on the resources in your GCP project or organization.

Service Account Permissions

The permissions that the Prisma Cloud service account needs to monitor your GCP resources depend on your cloud protection needs.
  • If you are onboarding a GCP project, you must assign the roles to the IAM policy for each project.
  • If you are onboarding a GCP organization, you must assign the roles to the IAM policy for the organization.
  • If you are using a master service account (MSA), you have two options:
    • (Recommended) Add permissions to the IAM policy for the organization.
    • Assign the roles to the IAM policy for each project individually.
The roles that grant the service account the read or read-write access it requires are the following:
  • Viewer—Primitive role on GCP.
  • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role for Cloud Storage: storage.buckets.get to retrieve your list of storage buckets and read bucket metadata, and storage.buckets.getIamPolicy to retrieve the IAM policy of a specified bucket. Both permissions are read-only.
  • Compute Security Admin—Predefined role on GCP. Optional; required only if you want to enable auto-remediation.
  • Organization Role Viewer—Predefined role on GCP. Required for onboarding a GCP Organization.
  • Dataflow Admin—Predefined role on GCP. Optional; required only for flow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
  • Folder Viewer—Predefined role on GCP. Optional; required only if you want to onboard GCP folder metadata, include or exclude specific folders, and automatically create account groups based on the folder hierarchy.
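
The following script is an added example, not code from this page or from Prisma Cloud: it creates the Prisma Cloud Viewer custom role from the two permissions listed above and binds it, together with the Viewer role (and Organization Role Viewer when onboarding an organization), to the service account at project or organization scope. The service account address in SA_EMAIL, the project and organization IDs, and the custom role ID prismaCloudViewer are placeholder assumptions; the role IDs in the script are the standard GCP IDs for the role titles named above.

```shell
#!/bin/sh
# Added example, not code from the Prisma Cloud page or product: create the
# "Prisma Cloud Viewer" custom role from the two permissions the page lists,
# then bind it and the page's predefined roles to the service account at
# project or organization scope. SA_EMAIL, the project/organization IDs and
# the custom role ID "prismaCloudViewer" are placeholders (assumptions).
set -eu

# Permissions the page attributes to the Prisma Cloud Viewer custom role.
PRISMA_VIEWER_PERMS='storage.buckets.get
storage.buckets.getIamPolicy'

# Standard GCP role IDs for the role titles the page names.
BASE_ROLES='roles/viewer'                    # Viewer (primitive role)
ORG_ROLES='roles/iam.organizationRoleViewer' # Organization Role Viewer
# Optional roles from the page, to add only when the feature is used:
#   roles/compute.securityAdmin          Compute Security Admin (auto-remediation)
#   roles/dataflow.admin                 Dataflow Admin (flow log compression)
#   roles/resourcemanager.folderViewer   Folder Viewer (folder metadata)

# role_yaml TITLE DESCRIPTION PERMS: emit a role definition usable with
# `gcloud iam roles create --file`. PERMS is a newline-separated list.
role_yaml() {
    printf 'title: "%s"\ndescription: "%s"\nstage: GA\nincludedPermissions:\n' "$1" "$2"
    printf '%s\n' "$3" | while IFS= read -r perm; do
        [ -n "$perm" ] || continue
        printf '  - %s\n' "$perm"
    done
}

# custom_role_name SCOPE TARGET ROLE_ID: the resource name used in a binding.
custom_role_name() {
    case "$1" in
        project)      printf 'projects/%s/roles/%s\n' "$2" "$3" ;;
        organization) printf 'organizations/%s/roles/%s\n' "$2" "$3" ;;
        *) echo "unknown scope: $1" >&2; return 1 ;;
    esac
}

# bind_roles SCOPE TARGET ROLE...: one IAM binding per role for the service account.
bind_roles() {
    scope=$1; target=$2; shift 2
    for role in "$@"; do
        case "$scope" in
            project)      gcloud projects add-iam-policy-binding "$target" \
                            --member "serviceAccount:${SA_EMAIL:?}" --role "$role" --condition=None ;;
            organization) gcloud organizations add-iam-policy-binding "$target" \
                            --member "serviceAccount:${SA_EMAIL:?}" --role "$role" --condition=None ;;
        esac
    done
}

# onboard SCOPE TARGET: create the custom role at that scope, then bind every role.
onboard() {
    scope=$1; target=$2
    role_yaml 'Prisma Cloud Viewer' 'Read bucket metadata and bucket IAM policy' \
        "$PRISMA_VIEWER_PERMS" > prisma-viewer.yaml
    if [ "$scope" = organization ]; then
        gcloud iam roles create prismaCloudViewer --organization "$target" --file prisma-viewer.yaml
        roles="$BASE_ROLES $ORG_ROLES"
    else
        gcloud iam roles create prismaCloudViewer --project "$target" --file prisma-viewer.yaml
        roles="$BASE_ROLES"
    fi
    # shellcheck disable=SC2086  # splitting the role list into words is intended
    bind_roles "$scope" "$target" $roles "$(custom_role_name "$scope" "$target" prismaCloudViewer)"
}

# Usage: SA_EMAIL=prisma@my-project.iam.gserviceaccount.com sh onboard.sh project my-project
#        SA_EMAIL=prisma@my-project.iam.gserviceaccount.com sh onboard.sh organization 123456789012
if [ $# -eq 2 ]; then
    onboard "$1" "$2"
fi
```

Creating the custom role at organization scope makes it bindable on every project under the organization, which is the recommended layout for a master service account; a project-scoped custom role must be created in each project that is onboarded individually.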

GCP APIs

Prisma Cloud can ingest data from several GCP APIs. In the GCP project where you create the service account, you must enable the Stackdriver Logging API (logging.googleapis.com, now Cloud Logging) to monitor audit logs, and any other APIs for which you want Prisma Cloud to monitor resources.
When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP project or organization, the required APIs and permissions are enabled for you.
The following reference lists the APIs and associated granular permissions if you want to create a custom role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and associated permissions, Prisma Cloud can retrieve data about your GCP resources and identify potential security risks and compliance issues across your cloud accounts. Where a predefined role named below carries more than the listed permissions, a custom role built from only the listed permissions is the least-privilege choice. To create a custom role for the service account, see Create a Service Account With a Custom Role for GCP before you continue to Add Your GCP Project to Prisma Cloud or Add Your GCP Organization to Prisma Cloud.
To enable the APIs that allow Prisma Cloud to monitor your GCP projects, use the gcloud CLI as shown in this example (which enables a subset of the APIs listed below):
gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
Verify the APIs that you have enabled with gcloud services list (which shows enabled services by default; add --enabled to make that explicit).
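The following script is an added example, not code from this page or from Prisma Cloud: rather than re-running the one-shot gcloud services enable command above, it compares the APIs that are already enabled in a project with the set the page's example names, enables only the missing ones, and then re-checks. The PROJECT_ID variable and the --run argument are assumptions of the script; the comparison logic is plain text processing so it can be exercised without a GCP project.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud page): enable only the APIs that
# are still disabled in a project, then verify that none are missing.
# Assumptions: PROJECT_ID names the project that hosts the service account and
# gcloud is authenticated with rights to enable services there.
set -eu

# The APIs named in the page's gcloud example, one per line.
REQUIRED_APIS='serviceusage.googleapis.com
appengine.googleapis.com
bigquery.googleapis.com
cloudfunctions.googleapis.com
dataflow.googleapis.com
dns.googleapis.com
dataproc.googleapis.com
cloudresourcemanager.googleapis.com
cloudkms.googleapis.com
sqladmin.googleapis.com
compute.googleapis.com
storage-component.googleapis.com
recommender.googleapis.com
iam.googleapis.com
container.googleapis.com
monitoring.googleapis.com
logging.googleapis.com'

# missing_apis REQUIRED ENABLED: both are newline-separated lists; prints the
# required API names that do not appear in the enabled list (exact match).
missing_apis() {
    required=$1; enabled=$2
    printf '%s\n' "$required" | while IFS= read -r api; do
        [ -n "$api" ] || continue
        if ! printf '%s\n' "$enabled" | grep -qxF "$api"; then
            printf '%s\n' "$api"
        fi
    done
}

# enabled_apis PROJECT_ID: service names currently enabled in the project.
enabled_apis() {
    gcloud services list --enabled --project "$1" --format='value(config.name)'
}

# ensure_apis PROJECT_ID: enable whatever is missing, then verify again.
ensure_apis() {
    project=$1
    missing=$(missing_apis "$REQUIRED_APIS" "$(enabled_apis "$project")")
    if [ -z "$missing" ]; then
        echo "all required APIs are already enabled in $project"
        return 0
    fi
    echo "enabling in $project:"
    # shellcheck disable=SC2086  # splitting the list into words is intended
    printf '  %s\n' $missing
    gcloud services enable --project "$project" $missing
    still=$(missing_apis "$REQUIRED_APIS" "$(enabled_apis "$project")")
    if [ -n "$still" ]; then
        echo "still missing after enable:" >&2
        printf '  %s\n' $still >&2
        return 1
    fi
    echo "verified: all required APIs enabled in $project"
}

# Usage: PROJECT_ID=my-project sh enable_apis.sh --run
if [ "${1:-}" = "--run" ]; then
    ensure_apis "${PROJECT_ID:?set PROJECT_ID to the project that hosts the service account}"
fi
```

Run it once per project that must expose an API to Prisma Cloud; for the APIs that the reference below marks as required on every monitored project, extend REQUIRED_APIS accordingly and loop over the project IDs.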
For each API below, the service name and API endpoint, a description, the role name, the granular permissions, and the scope on which to enable the API are given. "Project that hosts the service account" is the project in which you created the service account; "every project that the service account accesses" means every project that Prisma Cloud monitors and protects through that service account.

• App Engine API (appengine.googleapis.com)
    Description: Allows you to access App Engine, a fully managed serverless platform on GCP.
    Role: App Engine Viewer
    Permissions: appengine.applications.get
    Enable this API on: Project that hosts the service account

• Access Context Manager API (accesscontextmanager.googleapis.com)
    Description: Read access to policies, access levels, and access zones.
    Role: Access Context Manager Reader
    Permissions: accesscontextmanager.accessPolicies.list, accesscontextmanager.policies.list, accesscontextmanager.accessLevels.list, accesscontextmanager.servicePerimeters.list
    Enable this API on: Project that hosts the service account

• Access Approval API (accessapproval.googleapis.com)
    Description: Access Approval ensures that Cloud Customer Care and engineering require your explicit approval whenever they need to access your customer content, and lets you select the Google Cloud services you want to enroll. Prisma Cloud reads the Access Approval settings associated with a project, folder, or organization.
    Role: Viewer
    Permissions: accessapproval.settings.get
    Enable this API on: Project that hosts the service account

• API Gateway API (apigateway.googleapis.com)
    Description: Enables you to create, secure, and monitor APIs for Google Cloud serverless back ends, including Cloud Functions, Cloud Run, and App Engine.
    Role: API Gateway Viewer
    Permissions: apigateway.gateways.getIamPolicy, apigateway.gateways.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• BigQuery API (bigquery.googleapis.com)
    Description: Allows you to create, manage, share, and query data.
    Role: BigQuery Metadata Viewer
    Permissions: bigquery.datasets.get, bigquery.tables.get, bigquery.tables.list
    Enable this API on: Project that hosts the service account, and every project that the service account accesses for monitoring and protection with Prisma Cloud

• Binary Authorization API (binaryauthorization.googleapis.com)
    Description: Policy-based deployment validation and control for container images deployed to Google Kubernetes Engine (GKE), Anthos Service Mesh, Anthos Clusters, and Cloud Run. The service enforces the configured policy when an attempt is made to deploy a container image on one of the supported platforms.
    Role: Project Viewer
    Permissions: binaryauthorization.policy.get, binaryauthorization.policy.getIamPolicy
    Enable this API on: Project that hosts the service account, and every project that the service account accesses for monitoring and protection with Prisma Cloud

• Cloud Data Fusion API (datafusion.googleapis.com)
    Description: Cloud Data Fusion is a fully managed, cloud-native, enterprise data integration service for quickly building and managing data pipelines.
    Role: Viewer
    Permissions: datafusion.instances.list, datafusion.instances.getIamPolicy
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Cloud Functions API (cloudfunctions.googleapis.com)
    Description: Cloud Functions is Google Cloud's event-driven serverless compute platform.
    Role: Cloud Functions Viewer
    Permissions: cloudfunctions.functions.getIamPolicy, cloudfunctions.functions.list, cloudfunctions.functions.get
    Enable this API on: Project that hosts the service account

• Cloud Dataflow API (dataflow.googleapis.com)
    Description: Manages Google Cloud Dataflow projects. Optional; needed only for flow log compression. See Flow Log Compression on GCP.
    Role: Dataflow Admin
    Permissions: iam.serviceAccounts.actAs, resourcemanager.projects.get, storage.buckets.get, storage.objects.create, storage.objects.get, storage.objects.list
    Enable this API on: Project that runs Dataflow
    Note: Unlike the other entries, this role includes write and impersonation permissions (storage.objects.create and iam.serviceAccounts.actAs). Grant it only if you use flow log compression.

• Cloud DNS API (dns.googleapis.com)
    Description: Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records.
    Role: DNS Reader
    Permissions: dns.dnsKeys.list, dns.managedZones.list, dns.projects.get, dns.policies.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Cloud Pub/Sub API (pubsub.googleapis.com)
    Description: Real-time messaging service that allows you to send and receive messages between independent applications.
    Role: Project Viewer, or a custom role with granular privileges
    Permissions: pubsub.topics.list, pubsub.topics.get, pubsub.topics.getIamPolicy, pubsub.subscriptions.list, pubsub.subscriptions.get, pubsub.subscriptions.getIamPolicy, pubsub.snapshots.list, pubsub.snapshots.getIamPolicy
    Enable this API on: Project that hosts the service account

• Container Analysis API (containeranalysis.googleapis.com)
    Description: Container Analysis provides vulnerability scanning and metadata storage for containers.
    Role: Viewer
    Permissions: containeranalysis.occurrences.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Cloud Resource Manager API (cloudresourcemanager.googleapis.com)
    Description: Creates, reads, and updates metadata for Google Cloud Platform resource containers.
    Role: Viewer
    Permissions: resourcemanager.projects.getIamPolicy (on the project that hosts the service account); resourcemanager.folders.getIamPolicy (only required for a GCP Organization; on the project that hosts the service account and on every project that the service account accesses)
    Enable this API on: Project that hosts the service account, and, for a GCP Organization, every project that the service account accesses for monitoring and protection with Prisma Cloud

• Cloud Key Management Service (KMS) API (cloudkms.googleapis.com)
    Description: Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys.
    Role: Project Viewer
    Permissions: cloudkms.cryptoKeys.get, cloudkms.cryptoKeys.list, cloudkms.keyRings.get, cloudkms.keyRings.list
    Enable this API on: Project that hosts the service account, and every project that the service account accesses for monitoring and protection with Prisma Cloud

• Service Usage API (serviceusage.googleapis.com)
    Description: Lists the services available to or enabled in a GCP project and their current state with respect to the project, and disables services that service consumers no longer use.
    Role: Role Viewer
    Permissions: serviceusage.services.list
    Enable this API on: Project that hosts the service account. Prisma Cloud recommends that you enable this API on all GCP projects that are onboarded to Prisma Cloud.

• Google Cloud Armor (compute.googleapis.com)
    Description: Network security service that provides defenses against DDoS and application attacks, and offers WAF rules.
    Role: Viewer
    Permissions: compute.securityPolicies.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Cloud Tasks API (cloudtasks.googleapis.com)
    Description: API to fetch task and queue information.
    Role: Role Viewer
    Permissions: cloudtasks.locations.list, cloudtasks.tasks.list, cloudtasks.queues.list, run.locations.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google AI Platform (ml.googleapis.com)
    Description: A suite of services on Google Cloud specifically targeted at building, deploying, and managing machine learning models in the cloud.
    Permissions: ml.models.list, ml.models.getIamPolicy, ml.jobs.getIamPolicy, ml.jobs.list

• Google Essential Contacts API (essentialcontacts.googleapis.com)
    Description: Allows you to customize who receives notifications from Google Cloud services, such as Cloud Billing, by providing a list of contacts.
    Role: Viewer
    Permissions: essentialcontacts.contacts.list
    Enable this API on: Project that hosts the service account

• Google Firebase Rules API (firebaserules.googleapis.com)
    Description: Firebase is an application development platform for building iOS, Android, and web apps.
    Permissions: firebaserules.rulesets.get, firebaserules.rulesets.list, firebaserules.releases.list

• Google Cloud Composer API (composer.googleapis.com)
    Role: Viewer
    Permissions: composer.environments.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Cloud Source Repositories API (sourcerepo.googleapis.com)
    Description: A private Git repository to design, develop, and securely manage your code.
    Role: Source Repository Reader
    Permissions: source.repos.list, source.repos.getIamPolicy
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Cloud Spanner API (spanner.googleapis.com)
    Description: A globally distributed NewSQL database service and storage solution designed to support global online transaction processing deployments. The backup permissions cover backups of Cloud Spanner databases.
    Role: Cloud Spanner Viewer
    Permissions: spanner.databases.list, spanner.databases.getIamPolicy, spanner.instances.list, spanner.instanceConfigs.list, spanner.instances.getIamPolicy, spanner.backups.list, spanner.backups.getIamPolicy
    Enable this API on: Project that hosts the service account, and every project that the service account accesses for monitoring and protection with Prisma Cloud

• Cloud SQL Admin API (sqladmin.googleapis.com)
    Description: API for Cloud SQL database instance management.
    Role: Custom role
    Permissions: cloudsql.instances.list
    Enable this API on: Project that hosts the service account

• Compute Engine API (compute.googleapis.com)
    Description: Creates and runs virtual machines on the Google Cloud Platform.
    Role: Compute Network Viewer
    Permissions: compute.addresses.list, compute.backendServices.list, compute.backendBuckets.list, compute.sslCertificates.list, compute.disks.get, compute.disks.list, compute.firewalls.list, compute.forwardingRules.list, compute.globalForwardingRules.list, compute.images.get, compute.images.list, compute.images.getIamPolicy, compute.instances.getIamPolicy, compute.instances.list, compute.instanceGroups.list, compute.instanceTemplates.list, compute.instanceTemplates.getIamPolicy, compute.targetSslProxies.list, compute.networks.get, compute.networks.list, compute.subnetworks.get, compute.projects.get, compute.regionBackendServices.list, compute.routers.get, compute.routers.list, compute.routes.list, compute.snapshots.list, compute.snapshots.getIamPolicy, compute.sslPolicies.get, compute.sslPolicies.list, compute.subnetworks.list, compute.targetHttpProxies.list, compute.targetHttpsProxies.list, compute.targetPools.list, compute.urlMaps.list, compute.vpnTunnels.list
    Enable this API on: Project that hosts the service account

• Cloud Bigtable API (bigtableadmin.googleapis.com)
    Description: Google Cloud Bigtable is a NoSQL Big Data database service.
    Role: Custom role
    Permissions: bigtable.appProfiles.get, bigtable.appProfiles.list, bigtable.clusters.get, bigtable.clusters.list, bigtable.instances.get, bigtable.instances.list, bigtable.instances.getIamPolicy, bigtable.tables.get, bigtable.tables.list, bigtable.tables.getIamPolicy, bigtable.backups.list, bigtable.backups.getIamPolicy
    Enable this API on: Project that hosts the service account

• Google Cloud Storage API (storage-component.googleapis.com)
    Description: Cloud Storage is a RESTful service for storing and accessing your data on Google's infrastructure.
    Role: Custom role
    Permissions: storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.list
    Enable this API on: No specific requirement for Prisma Cloud

• Google Organization Policy API (orgpolicy.googleapis.com)
    Description: Organization Policy Service provides centralized and programmatic control over an organization's cloud resources through configurable constraints across the entire resource hierarchy.
    Role: Project Viewer
    Permissions: orgpolicy.constraints.list, orgpolicy.policy.get
    Enable this API on: Project that hosts the service account

• Google Dataproc Clusters API (dataproc.googleapis.com)
    Description: Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications.
    Role: Project Viewer, or a custom role with granular privileges
    Permissions: dataproc.clusters.list, dataproc.clusters.get, dataproc.clusters.getIamPolicy
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Data Catalog API (datacatalog.googleapis.com)
    Description: Data Catalog is a fully managed, scalable metadata management service which helps in searching and tagging data entries.
    Role: Viewer
    Permissions: datacatalog.taxonomies.list, datacatalog.taxonomies.getIamPolicy, datacatalog.taxonomies.get, datacatalog.entryGroups.list, datacatalog.entryGroups.getIamPolicy, datacatalog.entryGroups.get
    Enable this API on: Project that hosts the service account

• Google Recommender API, IAM Recommender (recommender.googleapis.com)
    Description: Google Recommender provides usage recommendations for Google Cloud resources. Recommenders are specific to a single Google Cloud product and resource type.
    Role: IAM Recommender Viewer
    Permissions: recommender.iamPolicyRecommendations.list, recommender.iamPolicyInsights.list, recommender.iamServiceAccountInsights.list
    Enable this API on: Project that hosts the service account

• Google Cloud Healthcare API (healthcare.googleapis.com)
    Description: Manages solutions for storing and accessing healthcare data in Google Cloud.
    Role: Viewer
    Permissions: healthcare.locations.list, healthcare.datasets.list, healthcare.datasets.getIamPolicy
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Cloud Run API (run.googleapis.com)
    Description: Deploys and manages user-provided container images.
    Role: Role Viewer
    Permissions: run.locations.list, run.services.list, run.services.getIamPolicy, cloudtasks.locations.list, run.revisions.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Secret Manager API (secretmanager.googleapis.com)
    Description: Stores sensitive data such as API keys, passwords, and certificates.
    Role: Secret Manager Viewer
    Permissions: secretmanager.secrets.list, secretmanager.secrets.getIamPolicy, secretmanager.versions.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Security Command Center API (securitycenter.googleapis.com)
    Description: Security Command Center is a centralized vulnerability and threat reporting service which helps to mitigate and remediate security risks.
    Role: Viewer
    Permissions: securitycenter.sources.list, securitycenter.sources.getIamPolicy
    Enable this API on: Project that hosts the service account

• Google Cloud Filestore API (file.googleapis.com)
    Description: Creates and manages cloud file servers.
    Role: Cloud Filestore Viewer
    Permissions: file.instances.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Certificate Authority Service API (privateca.googleapis.com)
    Description: Enables you to simplify, automate, and customize the deployment, management, and security of private certificate authorities (CA).
    Role: CA Service Auditor
    Permissions: privateca.caPools.getIamPolicy, privateca.caPools.list, privateca.certificateAuthorities.list, privateca.certificates.list, privateca.certificateRevocationLists.list, privateca.certificateRevocationLists.getIamPolicy
    Enable this API on: Required on destination only.

• Google Identity-Aware Proxy API (iap.googleapis.com)
    Description: Provides an application-level access control model instead of relying on network-level firewalls, by establishing a central authorization layer for applications.
    Role: Custom role
    Permissions: clientauthconfig.brands.list, clientauthconfig.clients.listWithSecrets
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud
    Note: clientauthconfig.clients.listWithSecrets returns OAuth client secrets, so protect the service account's credentials accordingly.

• Google VPC firewall policies (compute.googleapis.com)
    Description: Enables you to create and enforce a consistent firewall policy across your organization. This lets organization-wide admins manage critical firewall rules in one place.
    Role: Viewer
    Permissions: compute.firewallPolicies.list
    Enable this API on: Project that hosts the service account

• Identity and Access Management (IAM) API (iam.googleapis.com)
    Description: Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
    Role: Role Viewer
    Permissions: iam.roles.get, iam.roles.list, iam.serviceAccountKeys.list, iam.serviceAccounts.list, iam.workloadIdentityPools.list, iam.workloadIdentityPoolProviders.list
    Enable this API on: Project that hosts the service account

• Memorystore (redis.googleapis.com)
    Description: Memorystore is a fully managed database service that provides a managed version of two popular open source caching solutions: Redis and Memcached.
    Role: Viewer
    Permissions: redis.instances.get, redis.instances.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

• Google Managed Microsoft AD (managedidentities.googleapis.com)
    Description: Managed Service for Microsoft Active Directory offers high-availability, hardened Microsoft Active Directory domains hosted by Google Cloud.
    Role: Viewer
    Permissions: managedidentities.domains.list, managedidentities.domains.get, managedidentities.domains.getIamPolicy, managedidentities.sqlintegrations.list
    Enable this API on: No specific requirement for Prisma Cloud

• Google Network Intelligence Center (recommender.googleapis.com)
    Description: Network Intelligence Center provides a single console for managing Google Cloud network visibility, monitoring, and troubleshooting.
    Role: Viewer
    Permissions: recommender.computeFirewallInsights.list
    Enable this API on: Project that hosts the service account

• Kubernetes Engine API (container.googleapis.com)
    Description: Builds and manages container-based applications, powered by the open source Kubernetes technology.
    Role: Kubernetes Engine Cluster Viewer
    Permissions: container.clusters.get, container.clusters.list
    Enable this API on: Project that hosts the service account

• Stackdriver Monitoring API (monitoring.googleapis.com, now Cloud Monitoring)
    Description: Manages your Stackdriver Monitoring data and configurations, and helps you gain visibility into the performance, availability, and health of your applications and infrastructure.
    Role: Monitoring Viewer
    Permissions: monitoring.alertPolicies.list, monitoring.metricDescriptors.get, monitoring.notificationChannels.list
    Enable this API on: Project that hosts the service account

• Stackdriver Logging API (logging.googleapis.com, now Cloud Logging)
    Description: Writes log entries and manages your Logging configuration.
    Role: Logging Admin
    Permissions: logging.buckets.list, logging.logEntries.list, logging.logMetrics.get, logging.logMetrics.list, logging.sinks.get, logging.sinks.list
    Enable this API on: Project that hosts the service account
    Note: Logging Admin also grants write access to the logging configuration. The permissions Prisma Cloud uses here are read-only, so a custom role that carries only these permissions is the least-privilege alternative.

• Google Web Security Scanner API (websecurityscanner.googleapis.com)
    Description: Identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications.
    Role: Web Security Scanner Viewer
    Permissions: cloudsecurityscanner.scans.list
    Enable this API on: Project that hosts the service account

• Google Service Directory API (servicedirectory.googleapis.com)
    Description: A managed service that enhances service inventory management at scale and reduces the complexity of management and operations by providing a single place to publish, discover, and connect services.
    Role: Viewer
    Permissions: servicedirectory.namespaces.list, servicedirectory.namespaces.getIamPolicy, servicedirectory.services.list, servicedirectory.services.getIamPolicy, servicedirectory.endpoints.list
    Enable this API on: Every project that the service account accesses for monitoring and protection with Prisma Cloud

GCP Organization: Additional Permissions Required to Onboard

• Organization Role Viewer
    Description: Required for onboarding a GCP Organization. The role itself must be granted; providing only the individual permissions listed here is not sufficient.
    Permissions: resourcemanager.organizations.get, resourcemanager.projects.list, resourcemanager.organizations.getIamPolicy
    Enable this API on: N/A
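
The following script is an added example, not code from this page or from Prisma Cloud: after onboarding, it lists the roles actually bound to the Prisma Cloud service account at a project or organization, reports any required role that is missing (including Organization Role Viewer at organization scope, which the page says cannot be replaced by its individual permissions), and flags the Owner or Editor primitive roles, which the page never asks for on a monitoring identity. SA_EMAIL and the scope arguments are placeholder assumptions; the comparison itself is plain text processing and runs without GCP access.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud page): audit the IAM bindings of the
# Prisma Cloud service account at a project or organization. Reports required
# roles that are missing and over-broad primitive roles that are present.
# Assumptions: SA_EMAIL holds the service account address; gcloud is
# authenticated with permission to read the IAM policy at the chosen scope.
set -eu

# Roles the page requires at each scope (standard GCP IDs for the titles named above).
PROJECT_REQUIRED='roles/viewer'
ORG_REQUIRED='roles/viewer
roles/iam.organizationRoleViewer'
# Primitive roles that exceed anything the page requires for a read-mostly identity.
OVERBROAD='roles/owner
roles/editor'

# bound_roles SCOPE TARGET: roles bound directly to the service account at that scope.
bound_roles() {
    case "$1" in
        project)      cmd="gcloud projects get-iam-policy" ;;
        organization) cmd="gcloud organizations get-iam-policy" ;;
        *) echo "unknown scope: $1" >&2; return 1 ;;
    esac
    $cmd "$2" --flatten='bindings[].members' \
        --filter="bindings.members:serviceAccount:${SA_EMAIL:?}" \
        --format='value(bindings.role)'
}

# audit_roles REQUIRED ACTUAL: both newline-separated; prints one
# "missing <role>" or "overbroad <role>" line per finding and returns 1 if
# there was any finding, 0 otherwise.
audit_roles() {
    required=$1; actual=$2; rc=0
    for r in $required; do
        if ! printf '%s\n' "$actual" | grep -qxF "$r"; then
            echo "missing $r"; rc=1
        fi
    done
    for r in $OVERBROAD; do
        if printf '%s\n' "$actual" | grep -qxF "$r"; then
            echo "overbroad $r"; rc=1
        fi
    done
    return $rc
}

# Usage: SA_EMAIL=prisma@my-project.iam.gserviceaccount.com sh audit_sa.sh project my-project
#        SA_EMAIL=prisma@my-project.iam.gserviceaccount.com sh audit_sa.sh organization 123456789012
if [ $# -eq 2 ]; then
    if [ "$1" = organization ]; then req=$ORG_REQUIRED; else req=$PROJECT_REQUIRED; fi
    audit_roles "$req" "$(bound_roles "$1" "$2")"
fi
```

The audit only sees bindings made directly on the chosen scope; a role inherited from a parent folder or organization does not appear in a project's policy, so run it at the scope where you granted the roles. Add the full resource name of your Prisma Cloud Viewer custom role to the required list if you want its presence checked as well.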
