Minimum Required permissions for GCP integration script


When running the script that creates the required project, roles, and service account for the GCP integration, the following permissions are required at the organization level:

iam.roles.create
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
iam.serviceAccounts.create
iam.serviceAccounts.get
resourcemanager.projects.create
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
iam.serviceAccountKeys.create
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list


The following roles will need to be enabled at the organization level:

To create a custom role that lets a user run the script via gcloud with only these minimum permissions, save the following text as a YAML file:

title: vanta-integration-role
description: required permissions to run vanta integration script successfully
stage: alpha
includedPermissions:
- iam.roles.create
- iam.roles.get
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccounts.create
- iam.serviceAccounts.get
- resourcemanager.projects.create
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- serviceusage.services.enable
- serviceusage.services.get
- serviceusage.services.list

Then run the following:

gcloud iam roles create vantaintegrationrole --organization=ORGANIZATION_ID \
    --file=YAML_FILE_PATH
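Because a custom role is easy to widen later (someone adds a permission to get past an error and never removes it), it is worth checking the role that actually exists in the organization against the minimum set on this page before handing it out. The script below is an added example, not Vanta's own script: it generates the same role YAML from the permission list above and compares a role description (the shape returned by `gcloud iam roles describe ROLE_ID --organization=ORGANIZATION_ID`) against that list, reporting any extra or missing permissions. The drifted role it checks is constructed inline so the script runs offline; ORGANIZATION_ID and ROLE_ID are placeholders.

```shell
#!/bin/sh
# Added example, not Vanta's own script. Generates the custom-role YAML from the
# permission list on this page and checks a role description for drift from
# that minimum set. ORGANIZATION_ID / ROLE_ID are placeholders; the drifted
# role at the bottom is constructed for the demo.
set -eu

# Minimum permission set from the page, one per line.
REQUIRED_PERMISSIONS='iam.roles.create
iam.roles.get
iam.roles.list
iam.roles.undelete
iam.roles.update
iam.serviceAccounts.create
iam.serviceAccounts.get
resourcemanager.projects.create
resourcemanager.folders.get
resourcemanager.folders.getIamPolicy
resourcemanager.folders.list
resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
resourcemanager.projects.setIamPolicy
iam.serviceAccountKeys.create
iam.serviceAccountKeys.get
iam.serviceAccountKeys.list
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list'

# Print the role definition in the format `gcloud iam roles create --file` expects.
gen_role_yaml() {
  printf 'title: vanta-integration-role\n'
  printf 'description: required permissions to run vanta integration script successfully\n'
  printf 'stage: alpha\n'
  printf 'includedPermissions:\n'
  printf '%s\n' "$REQUIRED_PERMISSIONS" | sed 's/^/- /'
}

# Print the lines of $1 that do not appear as whole lines in $2.
set_diff() {
  tmp=$(mktemp)
  printf '%s\n' "$2" > "$tmp"
  printf '%s\n' "$1" | grep -Fxv -f "$tmp" || true
  rm -f "$tmp"
}

# Extract the includedPermissions entries from a role description in YAML
# (the `- permission` list items; other keys such as name/etag are ignored).
role_permissions() {
  printf '%s\n' "$1" | sed -n 's/^- //p' | sort -u
}

# Permissions present in the role but not in the minimum set (privilege creep).
extra_permissions() {
  set_diff "$(role_permissions "$1")" "$REQUIRED_PERMISSIONS"
}

# Required permissions absent from the role (the script would fail part-way).
missing_permissions() {
  set_diff "$REQUIRED_PERMISSIONS" "$(role_permissions "$1")"
}

# Return 0 when the role matches the minimum set exactly, 1 otherwise.
check_role() {
  if [ -n "$(extra_permissions "$1")" ] || [ -n "$(missing_permissions "$1")" ]; then
    return 1
  fi
  return 0
}

# Constructed drifted role: one required permission removed and one
# permission added beyond the minimum set.
SAMPLE_DRIFTED_ROLE=$(
  gen_role_yaml | grep -Fxv -- '- iam.serviceAccountKeys.create'
  printf -- '- resourcemanager.projects.delete\n'
)

# Demo on the constructed role. Against a real organization you would instead
# pass "$(gcloud iam roles describe ROLE_ID --organization=ORGANIZATION_ID)".
if check_role "$SAMPLE_DRIFTED_ROLE"; then
  echo "role matches the minimum permission set"
else
  echo "role has drifted"
  echo "  extra:   $(extra_permissions "$SAMPLE_DRIFTED_ROLE")"
  echo "  missing: $(missing_permissions "$SAMPLE_DRIFTED_ROLE")"
fi
```

Running `gen_role_yaml > role.yaml` produces a file equivalent to the one above for `gcloud iam roles create --file`, and the drift check can be run from CI after the role is created so that an added permission fails the pipeline rather than silently becoming part of the "minimum" set.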