1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma™ Cloud Administrator's Guide
    5. Connect Your Cloud Platform to Prisma Cloud
    6. Onboard Your Google Cloud Platform (GCP) Account
    7. Permissions and APIs Required for GCP Account on Prisma Cloud

    Permissions and APIs Required for GCP Account on Prisma Cloud

    Learn about the Service account and APIs that enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a GCP project or organization.
    In order to analyze and monitor your Google Cloud Platform (GCP) account, Prisma Cloud requires access to specific APIs and a service account which is an authorized identity that enables authentication between Prisma Cloud and GCP. A combination of custom, predefined and primitive roles grant the service account the permissions it needs to complete specific actions on the resources in your GCP project or organization.

    Service Account Permissions

    The permissions that the Prisma Cloud service account needs to monitor your GCP resources depends on your cloud protection needs.
    • If you are onboarding a GCP project, you must assign the roles to the IAM policy for each project.
    • If you are onboarding a GCP organization, you must assign the roles to the IAM policy for the organization.
    • If you are using a master service account (MSA), you have two options:
      • (Recommended) Add permissions to the IAM policy for the organization.
      • Assign the roles to the IAM policy for each project individually.
    The roles for read or read-write access permission that the service account requires are the following:
    • Viewer—Primitive role on GCP.
    • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIampolicy to retrieve the IAM policy for the specified bucket.
    • Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
    • Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
    • Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
    • Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders—include or exclude folders—, and to automatically create account groups based on the folder hierarchy.

    GCP APIs

    Prisma Cloud can ingest data from several GCP APIs. In the GCP project where you create the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other APIs for which you want Prisma Cloud to monitor resources. When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP project or organization, the required permissions are automatically enabled for you.
    The following table lists the APIs and associated granular permissions if you want to create a custom role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and associated permissions, Prisma Cloud can retrieve data about your GCP resources and identify potential security risks and compliance issues across your cloud accounts. To create a custom role for the service account, see Create a Service Account With a Custom Role for GCP before you continue to Add Your GCP Project to Prisma Cloud or Add Your GCP Organization to Prisma Cloud.
    To enable the APIs that allow Prisma Cloud to monitor your GCP projects, use it as shown in this example (that uses some of the APIs below):
    gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
    Verify the APIs that you have enabled with
    gcloud services list
    .
    Service Name
    Description
    Role Name
    Permissions
    Enable this API on:
    App Engine API
    appengine.googleapis.com
    Allows you to access App Engine, which is a fully managed serverless platform on GCP.
    App Engine Viewer
    appengine.applications.get
    Project that hosts the service account
    Access Context Manager API
    accesscontextmanager.googleapis.com
    Read access to policies, access levels, and access zones.
    Access Context Manager Reader
    accesscontextmanager.accessPolicies.list
    accesscontextmanager.policies.list
     accesscontextmanager.accessLevels.list
    accesscontextmanager.servicePerimeters.list
    Project that hosts the service account
    BigQuery API
    bigquery.googleapis.com
    Allows you to create, manage, share, and query data.
    BigQuery Metadata Viewer
    bigquery.datasets.get
    bigquery.tables.get
    bigquery.tables.list
    Project that hosts the service account
    And
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Binary Authorization API
    Enables you to configure a policy that the service enforces when an attempt is made to deploy a container image on one of the supported container-based platforms.
    Project Viewer
    binaryauthorization.policy.get
     binaryauthorization.policy.getIamPolicy
    Project that hosts the service account
    Cloud Functions
    cloudfunctions.googleapis.com
    Cloud Functions is Google Cloud’s event-driven serverless compute platform.
    Cloud Functions Viewer
    cloudfunctions.functions.getIamPolicy
    cloudfunctions.functions.list
    cloudfunctions.locations.list permission
    Project that hosts the service account
    Cloud DataFlow API
    dataflow.googleapis.com
    Manages Google Cloud Dataflow projects.
    Dataflow Admin
    iam.serviceAccounts.actAs
    resourcemanager.projects.get
    storage.buckets.get
    storage.objects.create
    storage.objects.get
    storage.objects.list
    See Flow Log Compression on GCP
    Project that runs Data Flow
    Cloud DNS API
    dns.googleapis.com
    Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records.
    DNS Reader
    dns.dnsKeys.list
    dns.managedZones.list
    dns.projects.get
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Cloud Pub/Sub
    pubsub.googleapis.com
    Real-time messaging service that allows you to send and receive messages between independent applications.
    Custom Role
    pubsub.topics.list
    pubsub.topics.getIamPolicy
    pubsub.subscriptions.list
    pubsub.subscriptions.getIamPolicy
    pubsub.snapshots.list
    pubsub.snapshots.getIamPolicy
    Project that hosts the service account
    Google Cloud Resource Manager API
    cloudresourcemanager.googleapis.com
    Creates, reads, and updates metadata for Google Cloud Platform resource containers.
    Role Viewer
    resourcemanager.projects.getIamPolicy
    Project that hosts the service account
    resourcemanager.folders.getIamPolicy
    Only required for GCP Organization
    Project that hosts the service account
    And
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Cloud Key Management Service (KMS) API
    cloudkms.googleapis.com
    Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys.
    Custom Role
    cloudkms.cryptoKeys.list
    cloudkms.keyRings.list
    Project that hosts the service account
    And
    Every project that the service account accesses for enabling monitoring and/or protection using Prisma Cloud
    Cloud Service Usage API
    serviceusage.googleapis.com
    API that lists the available or enabled services, or disables services that service consumers no longer use on GCP.
    Role Viewer
    serviceusage.services.list
    Project that hosts the service account
    Google Binary Authorization
    binaryauthorization.googleapis.com
    A service that enables policy-based deployment validation and control for images deployed to Google Kubernetes Engine (GKE), Anthos Service Mesh, Anthos Clusters, and Cloud Run.
    Project Viewer
    binaryauthorization.policy.get
     binaryauthorization.policy.getIamPolicy
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
    Google Cloud Tasks
    cloudtasks.googleapis.com
    API to fetch task and queue information.
    Role Viewer
    cloudtasks.locations.list
    cloudtasks.tasks.list
    cloudtasks.queues.list
    run.locations.list
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud.
    Google AI Platform
    ml.googleapis.com
    A suite of services on Google Cloud specifically targeted at building, deploying, and managing machine learning models in the cloud.
    ml.models.list
    ml.models.getIamPolicy
    ml.jobs.getIamPolicy
    ml.jobs.list
    Google Firebase Rules
    firebaserules.googleapis.com
    An application development software that enables developers to develop iOS, Android and Web apps.
    firebaserules.rulesets.get 
    firebaserules.rulesets.list
    firebaserules.releases.list
    Google Cloud Composer
    composer.googleapis.com
    Viewer
    composer.environments.list
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Google Cloud Source Repositories API
    sourcerepo.googleapis.com
    A private Git repository to design, develop, and securely manage your code.
    Source Repository Reader
    source.repos.list
    source.repos.getIamPolicy
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Google Cloud Spanner API
    spanner.googleapis.com
    A globally distributed NewSQL database service and storage solution designed to support global online transaction processing deployments.
    Cloud Spanner Viewer
    spanner.databases.list
    spanner.databases.getIamPolicy
    spanner.instances.list
    spanner.instanceConfigs.list
    spanner.instances.getIamPolicy
    Project that hosts the service account
    And
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Cloud SQL Admin API
    sqladmin.googleapis.com
    API for Cloud SQL database instance management.
    Custom Role
    cloudsql.instances.list
    Project that hosts the service account
    Compute Engine API 
    compute.googleapis.com
    Creates and runs virtual machines on the Google Cloud Platform.
    Compute Network Viewer
    compute.addresses.list
    compute.backendServices.list
    compute.disks.list
    compute.firewalls.list
    compute.forwardingRules.list
    compute.globalForwardingRules.list
    compute.images.list
    compute.images.getIamPolicy
    compute.instances.list
    compute.instanceGroups.list
    compute.instanceTemplates.list
    compute.instanceTemplates.getIamPolicy
    compute.targetSslProxies.list
    compute.networks.list
    compute.projects.get
    compute.regionBackendServices.list
    compute.routers.list
    compute.routes.list
    compute.snapshots.list
    compute.snapshots.getIamPolicy
    compute.sslPolicies.get
    compute.sslPolicies.list
    compute.subnetworks.list
    compute.targetHttpProxies.list
    compute.targetHttpsProxies.list
    compute.targetPools.list
    compute.urlMaps.list
    compute.vpnTunnels.list
    Project that hosts the service account
    Cloud Bigtable API
    bigtableadmin.googleapis.com
    Google Cloud Bigtable is a NoSQL Big Data database service.
    Custom Role
    bigtable.appProfiles.list
    bigtable.clusters.list
    bigtable.instances.list
    bigtable.instances.getIamPolicy
    bigtable.tables.list
    bigtable.tables.getIamPolicy
    Project that hosts the service account
    Google Cloud Storage API
    storage-component.googleapis.com
    Cloud Storage is a RESTful service for storing and accessing your data on Google’s infrastructure.
    Custom Role
    storage.buckets.get
    storage.buckets.getIamPolicy
    storage.buckets.list
    No specific requirement for Prisma Cloud
    Google Dataproc Clusters API
    dataproc.googleapis.com
    Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications.
    Project Viewer, or a custom role with granular privileges.
    dataproc.clusters.list
    dataproc.clusters.getIamPolicy
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Google Recommendations API
    recommender.googleapis.com
    GCP IAM Recommender
    Google Recommender provides usage recommendations for Google Cloud resources. Recommenders are specific to a single Google Cloud product and resource type.
    IAM Recommender Viewer
    recommender.iamPolicyRecommendations.list
    Project that hosts the service account
    Google HealthCare
    	healthcare.googleapis.com
    Manages solutions for storing and accessing healthcare data in Google Cloud.
    Viewer
    healthcare.locations.list
    healthcare.datasets.list
    healthcare.datasets.getIamPolicy
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Google Cloud Run API
    run.googleapis.com
    Deploys and manages user provided container images.
    Role Viewer
    run.locations.list
    run.services.list
    run.services.getIamPolicy
    cloudtasks.locations.list
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Google Secrets Manager
    secretmanager.googleapis.com
    Stores sensitive data such as API keys, passwords, and certificates.
    Secret Manager Viewer
    secretmanager.secrets.list
    secretmanager.secrets.getIamPolicy
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Google Cloud Filestore 
    file.instances.list
    Creates and manages cloud file servers.
    Cloud Filestore Viewer
    file.instances.list
    Every project that the service account accesses for enabling monitoring and protection using Prisma Cloud
    Identity and Access Management (IAM) API 
    iam.googleapis.com
    Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls.
    Role Viewer
    iam.roles.get
    iam.roles.list
    iam.serviceAccountKeys.list
    iam.serviceAccounts.list
    Project that hosts the service account
    Kubernetes Engine API
    container.googleapis.com
    Builds and manages container-based applications, powered by the open source Kubernetes technology.
    Kubernetes Engine Cluster Viewer
    container.clusters.get
    container.clusters.list
    Project that hosts the service account
    Services Usage API
    serviceusage.googleapis.com
    List all services available to the specified GCP project, and the current state of those services with respect to the project.
    Prisma Cloud recommends that you enable this API on all GCP projects that are onboarded to Prisma Cloud.
    N/A
    ServiceUsage.Services.List
    Project that hosts the service account
    Stackdriver Monitoring API
    monitoring.googleapis.com
    Manages your Stackdriver Monitoring data and configurations.
    Monitoring Viewer
    monitoring.alertPolicies.list
    monitoring.metricDescriptors.get
    redis.instances.list
    Project that hosts the service account
    Stackdriver Logging API
    logging.googleapis.com
    Writes log entries and manages your Logging configuration.
    Logging Admin
    logging.logEntries.list
    logging.logMetrics.list
    logging.sinks.list
    Project that hosts the service account
    Google Web Security Scanner API
    websecurityscanner.googleapis.com
    Identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications.
    Web Security Scanner Viewer
    cloudsecurityscanner.scans.list
    Project that hosts the service account
    GCP Organization - Additional permissions required to onboard
    Organization Role Viewer
    The Organization Role Viewer is required for onboarding a GCP Organization. If you only provide the individual permissions listed below, the permissions set is not sufficient. 
    resourcemanager.organizations.get
    resourcemanager.projects.list
    resourcemanager.organizations.getIamPolicy
    N/A

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo