Minimum Required permissions for GCP integration script

When running the script that creates the required project, roles, and service account for the GCP integration, the following permissions are required at the organization level:

iam.roles.create
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
iam.serviceAccounts.create
iam.serviceAccounts.get
resourcemanager.projects.create
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
iam.serviceAccountKeys.create
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list

To create a custom role with only these minimum permissions for the user who will run the script via gcloud, save the following text as a YAML file:

title: vanta-integration-role
description: required permissions to run vanta integration script successfully
stage: alpha
includedPermissions:
- iam.roles.create
- iam.roles.get
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccounts.create
- iam.serviceAccounts.get
- resourcemanager.projects.create
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- serviceusage.services.enable
- serviceusage.services.get
- serviceusage.services.list

Then run the following:

gcloud iam roles create vantaintegrationrole --organization=ORGANIZATION_ID \
    --file=YAML_FILE_PATH
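As an added check before the gcloud call (example code, not Vanta's script or the page's own file), the following compares a role file of the shape shown above against the documented minimum, so an edited copy cannot silently carry extra permissions, and lists which of the documented permissions can rewrite IAM bindings or mint keys; the sample role file is constructed.

```python
# The minimum permission set documented above, kept as a frozenset so a role
# file can be compared against it exactly.
REQUIRED_PERMISSIONS = frozenset("""
iam.roles.create iam.roles.get iam.roles.list iam.roles.undelete iam.roles.update
iam.serviceAccounts.create iam.serviceAccounts.get iam.serviceAccountKeys.create
iam.serviceAccountKeys.get iam.serviceAccountKeys.list resourcemanager.projects.create
resourcemanager.projects.get resourcemanager.projects.getIamPolicy
resourcemanager.projects.list resourcemanager.projects.setIamPolicy
resourcemanager.folders.get resourcemanager.folders.getIamPolicy resourcemanager.folders.list
resourcemanager.folders.setIamPolicy resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy resourcemanager.organizations.setIamPolicy
serviceusage.services.enable serviceusage.services.get serviceusage.services.list
""".split())

# Permissions in that set which let the holder rewrite IAM bindings or mint
# service-account keys: the reason to bind this role only while the script runs.
HIGH_IMPACT = frozenset(p for p in REQUIRED_PERMISSIONS
                        if p.endswith(".setIamPolicy") or p == "iam.serviceAccountKeys.create")

# Constructed sample in the format shown above (not the page's own file): it
# adds one permission beyond the minimum and leaves most of the list out.
SAMPLE_ROLE = """title: vanta-integration-role
includedPermissions:
- iam.roles.create
- resourcemanager.organizations.setIamPolicy
- iam.serviceAccounts.delete
"""

def parse_included_permissions(text):
    """Minimal parser for the flat gcloud role file format (no PyYAML needed):
    collects the '- permission' items after 'includedPermissions:' up to the next key."""
    perms, in_list = set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "includedPermissions:":
            in_list = True
        elif in_list and line.startswith("- "):
            perms.add(line[2:].strip())
        elif in_list and line:
            in_list = False
    return perms

def check_role(text):
    """Extra (creep), missing and high-impact permissions; ok only on an exact match."""
    perms = parse_included_permissions(text)
    extra = sorted(perms - REQUIRED_PERMISSIONS)
    missing = sorted(REQUIRED_PERMISSIONS - perms)
    return {"extra": extra, "missing": missing,
            "high_impact": sorted(perms & HIGH_IMPACT),
            "ok": not extra and not missing}
```

Run check_role on the saved YAML file's contents and only pass the file to gcloud iam roles create when ok is True; anything listed under extra is a permission the script does not need.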