Permissions and Roles for GCP Account on Prisma Cloud

Learn about the service account and APIs that enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a GCP project or organization.
In order to analyze and monitor your Google Cloud Platform (GCP) account, Prisma Cloud requires access to specific APIs and a service account, which is an authorized identity that enables authentication between Prisma Cloud and GCP. A combination of custom, predefined, and primitive roles grants the service account the permissions it needs to complete specific actions on the resources in your GCP project or organization. Depending on your cloud protection needs, the service account requires the following roles for read or read-write access:
  • Viewer—Primitive role on GCP.
  • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant the cloud storage bucket permissions required to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
  • Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
  • Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
  • Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
  • Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you are onboarding Folders in the GCP resource hierarchy.
Prisma Cloud can ingest data from several GCP APIs. In the GCP project where you create the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other APIs for which you want Prisma Cloud to monitor resources. When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP project or organization, the required permissions are automatically enabled for you.
The following table lists the APIs and associated granular permissions if you want to create a custom role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and associated permissions, Prisma Cloud can retrieve data about your GCP resources and identify potential security risks and compliance issues across your cloud accounts. To create a custom role for the service account, see Create a Service Account With a Custom Role for GCP before you continue to Add Your GCP Project to Prisma Cloud or Add Your GCP Organization to Prisma Cloud.
To enable the APIs that allow Prisma Cloud to monitor your GCP projects, run gcloud services enable with the API names, as in this example (which enables some of the APIs listed in the table below):
gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
Verify the APIs that you have enabled with gcloud services list.
| Service Name | Description | Role Name | Permissions |
|---|---|---|---|
| App Engine API (appengine.googleapis.com) | Allows you to access App Engine, which is a fully managed serverless platform on GCP. | App Engine Viewer | appengine.applications.get |
| BigQuery API (bigquery.googleapis.com) | Allows you to create, manage, share, and query data. | BigQuery Metadata Viewer | bigquery.datasets.get, bigquery.tables.get, bigquery.tables.list |
| Cloud Functions (cloudfunctions.googleapis.com) | Cloud Functions is Google Cloud's event-driven serverless compute platform. | Cloud Functions Viewer | cloudfunctions.functions.getIamPolicy, cloudfunctions.functions.list, cloudfunctions.locations.list |
| Cloud DataFlow API (dataflow.googleapis.com) | Manages Google Cloud Dataflow projects. | Dataflow Admin | resourcemanager.projects.get, storage.buckets.get, storage.objects.create, storage.objects.get, storage.objects.list. See Flow Log Compression on GCP. |
| Cloud DNS API (dns.googleapis.com) | Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records. | DNS Reader | dns.dnsKeys.list, dns.managedZones.get, dns.managedZones.list, dns.projects.get |
| Cloud Resource Manager API (cloudresourcemanager.googleapis.com) | Creates, reads, and updates metadata for Google Cloud Platform resource containers. | Role Viewer | resourcemanager.projects.getIamPolicy |
| Cloud Key Management Service (KMS) API (cloudkms.googleapis.com) | Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys. | Custom Role | cloudkms.cryptoKeys.list, cloudkms.keyRings.list |
| Cloud Service Usage (serviceusage.googleapis.com) | API that lists the available or enabled services, or disables services that service consumers no longer use on GCP. | Role Viewer | serviceusage.services.list |
| Cloud SQL Admin API (sqladmin.googleapis.com) | API for Cloud SQL database instance management. | Custom Role | cloudsql.instances.list |
| Compute Engine API (compute.googleapis.com) | Creates and runs virtual machines on the Google Cloud Platform. | Compute Network Viewer | compute.backendServices.list, compute.disks.list, compute.firewalls.list, compute.forwardingRules.list, compute.globalForwardingRules.list, compute.instanceGroups.get, compute.instances.list, compute.instanceGroups.list, compute.networks.list, compute.projects.get, compute.regionBackendServices.list, compute.routers.list, compute.sslPolicies.get, compute.sslPolicies.list, compute.subnetworks.list, compute.targetHttpProxies.list, compute.targetHttpsProxies.list, compute.targetPools.list, compute.urlMaps.list |
| Google API Key (apikeys.googleapis.com) | Google lets you manage your project's API keys. This service is in Alpha. | | serviceusage.apiKeys.list |
| Cloud Bigtable API (bigtableadmin.googleapis.com) | Google Cloud Bigtable is a NoSQL Big Data database service. | Custom Role | bigtable.instances.list, bigtable.instances.getIamPolicy, bigtable.appProfiles.list, bigtable.clusters.list |
| Google Cloud Storage API (storage-component.googleapis.com) | Cloud Storage is a RESTful service for storing and accessing your data on Google's infrastructure. | Custom Role | storage.buckets.get, storage.buckets.getIamPolicy, storage.buckets.list |
| Google Dataproc Clusters API (dataproc.googleapis.com) | Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications. | Project Viewer, or a custom role with granular privileges | dataproc.clusters.list, dataproc.clusters.getIamPolicy |
| Google Recommendations API (recommender.googleapis.com), GCP IAM Recommender | Google Recommender provides usage recommendations for Google Cloud resources. Recommenders are specific to a single Google Cloud product and resource type. | IAM Recommender Viewer | recommender.iamPolicyRecommendations.list |
| Google Cloud Run (run.googleapis.com) | Cloud Run is a managed service for deploying and managing user-provided container images. | Role Viewer | run.locations.list, run.services.list, run.services.getIamPolicy |
| Identity and Access Management (IAM) API (iam.googleapis.com) | Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. | Role Viewer | iam.roles.get, iam.roles.list, iam.serviceAccountKeys.list, iam.serviceAccounts.list |
| Kubernetes Engine API (container.googleapis.com) | Builds and manages container-based applications, powered by the open source Kubernetes technology. | Kubernetes Engine Cluster Viewer | container.clusters.get, container.clusters.list |
| Services Usage API (serviceusage.googleapis.com) | Lists all services available to the specified GCP project, and the current state of those services with respect to the project. Prisma Cloud recommends that you enable this API on all GCP projects that are onboarded to Prisma Cloud. | N/A | ServiceUsage.Services.List |
| Stackdriver Monitoring API (monitoring.googleapis.com) | Manages your Stackdriver Monitoring data and configurations. | Monitoring Viewer | monitoring.alertPolicies.list, monitoring.metricDescriptors.get, redis.instances.list |
| Stackdriver Logging API (logging.googleapis.com) | Writes log entries and manages your Logging configuration. | Logging Admin | logging.logEntries.list, logging.logMetrics.list, logging.sinks.list |
| GCP Organization: additional permissions required to onboard | The Organization Role Viewer is required for onboarding a GCP Organization. If you only provide the individual permissions listed in this row, the permissions set is not sufficient. | Organization Role Viewer | resourcemanager.organizations.get, resourcemanager.projects.list, resourcemanager.organizations.getIamPolicy |
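Once the service account is bound, the roles and custom-role permissions listed above can be audited offline from the JSON that gcloud projects get-iam-policy and gcloud iam roles describe emit. The script below is an added example, not Prisma Cloud's own tooling; it uses the standard GCP IDs for the role names on this page, and the project ID "my-project", the custom role ID "prismaCloudViewer" and the sample policy are constructed placeholders.

```python
import json

# Standard GCP IDs for the roles named on this page. The custom role ID
# "prismaCloudViewer" and the project ID "my-project" are placeholders.
CUSTOM_ROLE = "projects/my-project/roles/prismaCloudViewer"
REQUIRED_ROLES = {"roles/viewer", CUSTOM_ROLE}
OPTIONAL_ROLES = {
    "roles/compute.securityAdmin",         # only for auto-remediation
    "roles/dataflow.admin",                # only for flow-log compression
    "roles/resourcemanager.folderViewer",  # only when onboarding folders
    "roles/iam.organizationRoleViewer",    # only when onboarding an organization
}
BROAD_ROLES = {"roles/owner", "roles/editor"}  # never needed for monitoring
CUSTOM_ROLE_PERMISSIONS = {"storage.buckets.get", "storage.buckets.getIamPolicy"}


def roles_for_member(policy: dict, member: str) -> set:
    """Every role bound to `member` in a project IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit(policy: dict, member: str, custom_role: dict) -> dict:
    """Compare the service account's bindings and the custom role's
    includedPermissions against what the page lists."""
    bound = roles_for_member(policy, member)
    granted = set(custom_role.get("includedPermissions", []))
    return {
        "missing_required": sorted(REQUIRED_ROLES - bound),
        "optional_present": sorted(bound & OPTIONAL_ROLES),
        "broad_roles": sorted(bound & BROAD_ROLES),
        "missing_custom_permissions": sorted(CUSTOM_ROLE_PERMISSIONS - granted),
    }


# Constructed sample input in the shape of `gcloud projects get-iam-policy
# my-project --format=json` and `gcloud iam roles describe ... --format=json`.
SA = "serviceAccount:prisma-cloud@my-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"version": 1, "etag": "constructed", "bindings": [
    {"role": "roles/viewer", "members": [SA]},
    {"role": "roles/editor", "members": [SA, "user:alice@example.com"]},
    {"role": "roles/compute.securityAdmin", "members": [SA]},
]}
SAMPLE_CUSTOM_ROLE = {"name": CUSTOM_ROLE, "stage": "GA",
                      "includedPermissions": ["storage.buckets.get"]}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SA, SAMPLE_CUSTOM_ROLE), indent=2))
```

On the constructed input the audit reports the unbound custom role, the optional Compute Security Admin binding, the over-broad Editor binding, and the missing storage.buckets.getIamPolicy permission.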
