When running the script that creates the required project, roles, and service account for the GCP integration, the following permissions are required at the organization level:
- iam.roles.create
- iam.roles.get
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccounts.create
- iam.serviceAccounts.get
- resourcemanager.projects.create
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- serviceusage.services.enable
- serviceusage.services.get
- serviceusage.services.list
The following roles will need to be granted at the organization level:
- Organization Administrator
- Organization Role Administrator
- Project Creator/Owner
- Service Usage Admin
- Service Account Key Admin
To create a custom role that allows a user to run the script via gcloud with only the minimum permissions, save the following text as a YAML file:
title: vanta-integration-role
description: required permissions to run vanta integration script successfully
stage: alpha
includedPermissions:
- iam.roles.create
- iam.roles.get
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccounts.create
- iam.serviceAccounts.get
- resourcemanager.projects.create
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- serviceusage.services.enable
- serviceusage.services.get
- serviceusage.services.list
Then run the following, replacing ORGANIZATION_ID with your organization's numeric ID and YAML_FILE_PATH with the path to the file you saved:
gcloud iam roles create vantaintegrationrole --organization=ORGANIZATION_ID --file=YAML_FILE_PATH
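The role file above is the one place where the integration's blast radius is defined, so it is worth checking before it is handed to gcloud and again whenever someone edits it. The script below is an added example (not Vanta's code and not part of the original page): it parses the flat role YAML that `gcloud iam roles create --file` consumes, compares `includedPermissions` against the permission list given on this page, and reports anything missing or extra, plus the permissions that rewrite IAM policy or create service account keys so a reviewer sees them explicitly. It assumes the page's list is the complete set the script needs, embeds the page's YAML verbatim as sample input, and adds a constructed "drifted" copy to show what a failed check looks like.

```python
"""Offline least-privilege check for a GCP custom-role YAML file.

Added example (not Vanta's code). Assumes the permission list on the page is
the complete set the integration script requires.
"""
from typing import Dict, List, Optional, Union

# The permissions the page lists as required by the integration script.
REQUIRED_PERMISSIONS = set("""
iam.roles.create iam.roles.get iam.roles.list iam.roles.undelete iam.roles.update
iam.serviceAccounts.create iam.serviceAccounts.get resourcemanager.projects.create
resourcemanager.folders.get resourcemanager.folders.getIamPolicy
resourcemanager.folders.list resourcemanager.folders.setIamPolicy
resourcemanager.organizations.get resourcemanager.organizations.getIamPolicy
resourcemanager.organizations.setIamPolicy resourcemanager.projects.get
resourcemanager.projects.getIamPolicy resourcemanager.projects.list
resourcemanager.projects.setIamPolicy iam.serviceAccountKeys.create
iam.serviceAccountKeys.get iam.serviceAccountKeys.list
serviceusage.services.enable serviceusage.services.get serviceusage.services.list
""".split())

# Permissions that rewrite IAM policy or mint long-lived keys. The script needs
# them, but a reviewer should see them called out rather than buried in a list.
SENSITIVE_PERMISSIONS = {
    "resourcemanager.organizations.setIamPolicy",
    "resourcemanager.folders.setIamPolicy",
    "resourcemanager.projects.setIamPolicy",
    "iam.serviceAccountKeys.create",
}

# The page's role definition, embedded verbatim so the check runs offline.
PAGE_ROLE_YAML = """\
title: vanta-integration-role
description: required permissions to run vanta integration script successfully
stage: alpha
includedPermissions:
- iam.roles.create
- iam.roles.get
- iam.roles.list
- iam.roles.undelete
- iam.roles.update
- iam.serviceAccounts.create
- iam.serviceAccounts.get
- resourcemanager.projects.create
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.folders.setIamPolicy
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.organizations.setIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.projects.setIamPolicy
- iam.serviceAccountKeys.create
- iam.serviceAccountKeys.get
- iam.serviceAccountKeys.list
- serviceusage.services.enable
- serviceusage.services.get
- serviceusage.services.list
"""

# Constructed drift case: one required permission dropped, one the page never
# lists added in its place.
DRIFTED_ROLE_YAML = PAGE_ROLE_YAML.replace(
    "- serviceusage.services.list\n", "- iam.serviceAccountKeys.delete\n")


def parse_role_yaml(text: str) -> Dict[str, Union[str, List[str]]]:
    """Parse the flat shape gcloud accepts: `key: value` scalars plus `key:`
    lines followed by `- item` lines. Hand-rolled (no PyYAML, no nesting, no
    quoting) so it runs anywhere a pipeline step runs."""
    role: Dict[str, Union[str, List[str]]] = {}
    current: Optional[List[str]] = None  # list currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            if current is None:
                raise ValueError(f"list item outside a list: {raw!r}")
            current.append(line[2:].strip())
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value:
            role[key] = value
            current = None
        else:
            current = []
            role[key] = current
    return role


def check_role(role, required=REQUIRED_PERMISSIONS) -> Dict[str, object]:
    """Report missing, extra and sensitive permissions plus the launch stage."""
    perms = set(role.get("includedPermissions", []))
    return {
        "missing": sorted(required - perms),
        "extra": sorted(perms - required),
        "sensitive": sorted(perms & SENSITIVE_PERMISSIONS),
        "stage": role.get("stage"),
    }


def is_least_privilege(report) -> bool:
    """True when the role holds exactly the required set, nothing more or less."""
    return not report["missing"] and not report["extra"]
```

Run `check_role(parse_role_yaml(open("role.yaml").read()))` against the file before passing it to gcloud; a non-empty `extra` list means the role grants more than the page says the script needs, and `missing` means the script will fail part-way with a permission error.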