Permissions and Roles for GCP Account on Prisma Cloud
Learn about the service account and APIs that enable Prisma Cloud to ingest, analyze, and monitor the resources deployed within a GCP project or organization.
To analyze and monitor your Google Cloud Platform (GCP) account, Prisma Cloud requires access to specific APIs and a service account, which is an authorized identity that enables authentication between Prisma Cloud and GCP. A combination of custom, predefined, and primitive roles grants the service account the permissions it needs to perform specific actions on the resources in your GCP project or organization. Depending on your cloud protection needs, the service account requires the following roles for read or read-write access:
- Viewer—Primitive role on GCP.
- Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role for permissions on Cloud Storage buckets: to read storage bucket metadata and to update bucket IAM policies. The role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for a specified bucket.
- Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
- Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
- Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
- Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you are onboarding Folders in the GCP resource hierarchy.
Prisma Cloud can ingest data from several GCP APIs. In the GCP project where you create the service account, you must enable the Stackdriver Logging API (logging.googleapis.com) to monitor audit logs, and any other APIs for which you want Prisma Cloud to monitor resources. When you use the Terraform template that Prisma Cloud provides to automate the onboarding of your GCP project or organization, the required permissions are enabled for you automatically.
The following table lists the APIs and the associated granular permissions you need if you want to create a custom role to onboard your GCP account. When the APIs are enabled and the service account has the correct set of roles and associated permissions, Prisma Cloud can retrieve data about your GCP resources and identify potential security risks and compliance issues across your cloud accounts. To create a custom role for the service account, see Create a Service Account With a Custom Role for GCP before you continue to Add Your GCP Project to Prisma Cloud or Add Your GCP Organization to Prisma Cloud.
To enable the APIs that allow Prisma Cloud to monitor your GCP projects, use the gcloud services enable command, as shown in this example (which enables some of the APIs listed in the table below):
gcloud services enable serviceusage.googleapis.com appengine.googleapis.com bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com container.googleapis.com monitoring.googleapis.com logging.googleapis.com
Verify the APIs that you have enabled with gcloud services list.
| API | Description | Role | Where the API must be enabled and the role granted |
| --- | --- | --- | --- |
| App Engine API | Allows you to access App Engine, which is a fully managed serverless platform on GCP. | App Engine Viewer | Project that hosts the service account |
| Access Context Manager API | Read access to policies, access levels, and access zones. | Access Context Manager Reader | Project that hosts the service account |
| BigQuery API | Allows you to create, manage, share, and query data. | BigQuery Metadata Viewer | Project that hosts the service account, and every project that the service account accesses for monitoring and protection using Prisma Cloud |
| Cloud Functions | Cloud Functions is Google Cloud's event-driven serverless compute platform. | Cloud Functions Viewer | Project that hosts the service account |
| Cloud Dataflow API | Manages Google Cloud Dataflow projects. | Dataflow Admin (see Flow Log Compression on GCP) | Project that runs Dataflow |
| Cloud DNS API | Cloud DNS translates requests for domain names into IP addresses and manages and publishes DNS zones and records. | DNS Reader | Every project that the service account accesses for monitoring and protection using Prisma Cloud |
| Cloud Pub/Sub | Real-time messaging service that allows you to send and receive messages between independent applications. | Custom Role | Project that hosts the service account |
| Cloud Resource Manager API | Creates, reads, and updates metadata for Google Cloud Platform resource containers. | Role Viewer | Project that hosts the service account |
| Cloud Key Management Service (KMS) API | Google Cloud KMS allows customers to manage encryption keys and perform cryptographic operations with those keys. | Custom Role | Project that hosts the service account, and every project that the service account accesses for monitoring and/or protection using Prisma Cloud |
| Cloud Service Usage | API that lists the available or enabled services, or disables services that service consumers no longer use on GCP. | Role Viewer | Project that hosts the service account |
| Google Cloud Source Repositories | A private Git repository to design, develop, and securely manage your code. | Source Repository Reader | Every project that the service account accesses for monitoring and protection using Prisma Cloud |
| Google Cloud Spanner | A globally distributed NewSQL database service and storage solution designed to support global online transaction processing deployments. | Cloud Spanner Viewer | Project that hosts the service account, and every project that the service account accesses for monitoring and protection using Prisma Cloud |
| Cloud SQL Admin API | API for Cloud SQL database instance management. | Custom Role | |
| Compute Engine API | Creates and runs virtual machines on the Google Cloud Platform. | Compute Network Viewer | Project that hosts the service account |
| Google API Key | Google lets you manage your project's API keys. This service is in Alpha. | | |
| Cloud Bigtable API | Google Cloud Bigtable is a NoSQL Big Data database service. | Custom Role | Project that hosts the service account |
| Google Cloud Storage API | Cloud Storage is a RESTful service for storing and accessing your data on Google's infrastructure. | Custom Role | |
| Google Dataproc Clusters API | Dataproc is a managed service for creating clusters of compute that can be used to run Hadoop and Spark applications. | Project Viewer, or a custom role with granular privileges | Every project that the service account accesses for monitoring and protection using Prisma Cloud |
| Google Recommendations API (GCP IAM Recommender) | Google Recommender provides usage recommendations for Google Cloud resources. Recommenders are specific to a single Google Cloud product and resource type. | IAM Recommender Viewer | Project that hosts the service account |
| Google Cloud Run | Cloud Run is a managed service for deploying and managing user-provided container images. | Role Viewer | Every project that the service account accesses for monitoring and protection using Prisma Cloud |
| Identity and Access Management (IAM) API | Manages identity and access control for GCP resources, including the creation of service accounts, which you can use to authenticate to Google and make API calls. | Role Viewer | Project that hosts the service account |
| Kubernetes Engine API | Builds and manages container-based applications, powered by the open source Kubernetes technology. | Kubernetes Engine Cluster Viewer | Project that hosts the service account |
| Service Usage API | Lists all services available to the specified GCP project, and the current state of those services with respect to the project. Prisma Cloud recommends that you enable this API on all GCP projects that are onboarded to Prisma Cloud. | N/A | Project that hosts the service account |
| Stackdriver Monitoring API | Manages your Stackdriver Monitoring data and configurations. | Monitoring Viewer | Project that hosts the service account |
| Stackdriver Logging API | Writes log entries and manages your Logging configuration. | Logging Admin | Project that hosts the service account |
| GCP Organization: additional permissions required to onboard | The Organization Role Viewer is required for onboarding a GCP Organization. If you only provide the individual permissions listed in this table, the permission set is not sufficient. | Organization Role Viewer | N/A |
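The enable-and-verify steps above can be turned into a repeatable pre-onboarding check. The following script is an added example and is not part of the Prisma Cloud documentation: it compares the API list from the gcloud services enable command with the services enabled in a project and prints only the gap. The sample gcloud services list output is constructed, and the --format='value(config.name)' flag for obtaining bare service names is an assumption about gcloud's output format.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud documentation): compare the APIs
# Prisma Cloud requires with the services enabled in a GCP project, and emit
# an idempotent `gcloud services enable` command for whatever is missing.

# The 17 APIs from the page's `gcloud services enable` command.
REQUIRED_APIS="serviceusage.googleapis.com appengine.googleapis.com
bigquery.googleapis.com cloudfunctions.googleapis.com dataflow.googleapis.com
dns.googleapis.com dataproc.googleapis.com cloudresourcemanager.googleapis.com
cloudkms.googleapis.com sqladmin.googleapis.com compute.googleapis.com
storage-component.googleapis.com recommender.googleapis.com iam.googleapis.com
container.googleapis.com monitoring.googleapis.com logging.googleapis.com"

# missing_apis ENABLED
#   ENABLED is a whitespace-separated list of enabled service names, such as
#   the output of: gcloud services list --enabled --format='value(config.name)'
#   (the --format value is an assumption about gcloud's output shape).
#   Prints each required API that is absent from ENABLED, one per line.
missing_apis() {
  enabled=" $(printf '%s' "$1" | tr '\n' ' ') "
  for api in $REQUIRED_APIS; do
    case "$enabled" in
      *" $api "*) ;;                # already enabled
      *) printf '%s\n' "$api" ;;    # gap to close
    esac
  done
}

# enable_command PROJECT_ID ENABLED
#   Prints one gcloud command that enables only the missing APIs, or nothing
#   when the project already has all of them. Re-enabling an enabled API is
#   harmless, but emitting only the gap keeps the change small and reviewable.
enable_command() {
  gap=$(missing_apis "$2" | tr '\n' ' ')
  [ -n "$gap" ] || return 0
  printf 'gcloud services enable --project=%s %s\n' "$1" "${gap% }"
}

# Constructed sample of `gcloud services list` output for a project where
# only five of the required APIs have been enabled.
SAMPLE_ENABLED="compute.googleapis.com
logging.googleapis.com
storage-component.googleapis.com
bigquery.googleapis.com
iam.googleapis.com"

# Live use: enable_command my-project "$(gcloud services list --enabled --project=my-project --format='value(config.name)')"
enable_command sample-project "$SAMPLE_ENABLED"
```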