Minimum Required permissions for GCP integration script


When running the script that creates the required project, roles, and service account for the GCP integration, the following permissions are required:

iam.roles.create
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
resourcemanager.projects.create
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy

You can create a custom role with exactly these permissions, or grant the Organization Administrator and Organization Role Administrator roles to the user who runs the script. Note that those two roles grant a few more permissions than the script requires.

To create a role with the minimum permissions for the user who runs the script via gcloud, save the following text as a YAML file:

title: vanta-integration-role
description: required permissions to run vanta integration script successfully
stage: alpha
includedPermissions:
- iam.roles.create
- iam.roles.get
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- resourcemanager.projects.create
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy

Then run the following:

gcloud iam roles create vantaintegrationrole --organization=ORGANIZATION_ID \
    --file=YAML_FILE_PATH
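As an added least-privilege check that is not part of this article or of Vanta's script: the helper below compares a role definition (the YAML file above, or the YAML printed by `gcloud iam roles describe ROLE_ID --organization=ORGANIZATION_ID --format=yaml` after the role is created) against the article's permission list and reports anything missing or extra, so you can confirm the role is really the minimum. `check_role`, `parse_included_permissions` and the constructed `OVERBROAD_ROLE` sample are hypothetical names introduced here.

```python
# Least-privilege check for the custom role used by the integration script.
# Reads role YAML in the shape passed to `gcloud iam roles create --file` (or
# printed by `gcloud iam roles describe --format=yaml`). Not Vanta's code.

# The permission list from the article above.
REQUIRED_PERMISSIONS = frozenset({
    "iam.roles.create", "iam.roles.get", "iam.roles.list",
    "iam.roles.undelete", "iam.roles.update",
    "resourcemanager.projects.create", "resourcemanager.projects.get",
    "resourcemanager.projects.getIamPolicy", "resourcemanager.projects.list",
    "resourcemanager.projects.setIamPolicy",
    "resourcemanager.folders.get", "resourcemanager.folders.getIamPolicy",
    "resourcemanager.folders.list", "resourcemanager.folders.setIamPolicy",
    "resourcemanager.organizations.get",
    "resourcemanager.organizations.getIamPolicy",
    "resourcemanager.organizations.setIamPolicy",
})


def parse_included_permissions(yaml_text):
    """Collect the `- item` entries under `includedPermissions:`; the role file
    is flat enough that a line scanner avoids a PyYAML dependency."""
    perms, in_list = [], False
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("includedPermissions:"):
            in_list = True
        elif in_list and line.startswith("- "):
            perms.append(line[2:].strip())
        else:
            in_list = False  # any other top-level key ends the list
    return perms


def check_role(yaml_text):
    """Return what the role lacks and what it grants beyond the script's needs;
    both lists empty means the role is exactly the article's minimum."""
    granted = set(parse_included_permissions(yaml_text))
    return {"missing": sorted(REQUIRED_PERMISSIONS - granted),
            "extra": sorted(granted - REQUIRED_PERMISSIONS)}


# Constructed sample: the article's role with iam.roles.undelete dropped and a
# permission the script never needs added (the etag is a placeholder).
OVERBROAD_ROLE = "\n".join(
    ["title: vanta-integration-role", "stage: alpha", "includedPermissions:"]
    + ["- " + p for p in sorted(REQUIRED_PERMISSIONS - {"iam.roles.undelete"})]
    + ["- resourcemanager.projects.delete", "etag: PLACEHOLDER_ETAG"])
```

Run `check_role` on your saved YAML (or on the `describe` output) and treat any non-empty "extra" list as a role that grants more than the script needs.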
