Google Cloud Permissions

To let SecureCloud monitor your Google Cloud projects, you must set up the required permissions. The steps described below must be repeated for each project. For more information, see the official Google Cloud documentation.

One way to let SecureCloud monitor your Google Cloud projects is to allow SecureCloud's own Google Cloud service account to 'impersonate' a service account in your project that has the appropriate permissions. The other is to provide SecureCloud with a JSON private key for such a service account. Impersonation is the preferable option, because no long-lived credential ever leaves your project.

Complete the following steps:

  1. Enable the required APIs for your Google Cloud project. The permissions listed below use both the IAM API and the Cloud SQL Admin API, so in your browser go to each of the following URLs and click Enable. <PROJID> is the ID of your GCP project (the project ID, not its display name, in both URLs):

    https://console.developers.google.com/apis/api/iam.googleapis.com/overview?project=<PROJID>

    https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=<PROJID>

    To disable an API later, go to the same URL again.

  2. In the Google Cloud console, create a new service account dedicated to SecureCloud (do not reuse an existing account that already holds other roles).
  3. Assign the required roles to the new service account using one of the following two methods:

    1. Assign the predefined roles Compute Viewer (roles/compute.viewer) and Security Reviewer (roles/iam.securityReviewer).

      If you want to be able to modify your Google Cloud security controls via SecureCloud, also assign the predefined roles Storage Admin (roles/storage.admin) and Compute Security Admin (roles/compute.securityAdmin). Note that these predefined roles grant considerably more than SecureCloud uses; Storage Admin in particular includes full read and write access to all objects in every bucket of the project. If that is a concern, use the custom role described in method 2 instead.

    2. Create and assign a custom role with the following permissions (this is the least-privilege option, since every permission is a read or list operation):

      • cloudsql.instances.list

      • compute.addresses.list

      • compute.backendBuckets.list

      • compute.backendServices.list

      • compute.firewalls.list

      • compute.forwardingRules.list

      • compute.globalAddresses.list

      • compute.globalForwardingRules.list

      • compute.globalNetworkEndpointGroups.list

      • compute.instanceGroups.get

      • compute.instanceGroups.list

      • compute.instances.list

      • compute.networkEndpointGroups.list

      • compute.networkEndpointGroups.get

      • compute.networks.list

      • compute.regionBackendServices.list

      • compute.regionNetworkEndpointGroups.list

      • compute.regionTargetHttpProxies.list

      • compute.regionTargetHttpsProxies.list

      • compute.regionUrlMaps.list

      • compute.routes.list

      • compute.subnetworks.list

      • compute.targetGrpcProxies.list

      • compute.targetHttpProxies.list

      • compute.targetHttpsProxies.list

      • compute.targetInstances.list

      • compute.targetPools.list

      • compute.targetSslProxies.list

      • compute.targetTcpProxies.list

      • compute.urlMaps.list

      • container.clusters.list

      • iam.roles.get

      • iam.roles.list

      • iam.serviceAccounts.getIamPolicy

      • iam.serviceAccounts.list

      • osconfig.vulnerabilityReports.list

      • resourcemanager.projects.getIamPolicy

      • storage.buckets.getIamPolicy

      • storage.buckets.list

      • storage.objects.list

      If you want to be able to modify your Google Cloud security controls via SecureCloud, also add the following permissions. Note that storage.buckets.setIamPolicy lets the holder change who may access any bucket in the project, so add these only if you actually use SecureCloud for remediation:

      • compute.firewalls.delete

      • compute.firewalls.update

      • storage.buckets.setIamPolicy

  4. If you want SecureCloud to connect via its own service account, grant SecureCloud's service account, named securecloud-client@tufin-securecloud-prod.iam.gserviceaccount.com, the role Service Account Token Creator (roles/iam.serviceAccountTokenCreator) on the service account you have just created. Grant it on that service account's own IAM policy (Service Accounts > select the account > Permissions), not at project level: a project-level grant would let SecureCloud impersonate every service account in the project.
  5. If you want SecureCloud to connect using a private-key JSON file instead, create a JSON key for your service account (Service Accounts > select the account > Keys > Add key) and provide it to SecureCloud. The key is a long-lived credential: keep it only in SecureCloud and a secrets manager, delete local copies once uploaded, and rotate it periodically.
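The whole procedure above as one gcloud script. This is an added example, not part of the SecureCloud documentation or Tufin's tooling. It assumes gcloud is installed and authenticated with a user allowed to manage IAM in the project, that PROJECT_ID is exported, and it uses the assumed names securecloud-monitor (service account) and secureCloudMonitor (custom role); the SecureCloud client address is the one given in step 4. Run without PROJECT_ID it only prints the custom role definition for review; with PROJECT_ID set it enables the two APIs, creates the service account and the custom role (method 2), binds the role, and then either grants Token Creator on that one service account (default, step 4) or creates a JSON key (USE_KEY=yes, step 5). WITH_REMEDIATION=yes adds the three write permissions.

```shell
#!/usr/bin/env bash
# Added example, not SecureCloud/Tufin code: sets up the SecureCloud monitoring
# service account and least-privilege custom role with gcloud.
# Assumed, adjustable names: SA_NAME, ROLE_ID. PROJECT_ID must be exported.
set -eu

PROJECT_ID="${PROJECT_ID:-}"
SA_NAME="${SA_NAME:-securecloud-monitor}"      # assumed service account name
ROLE_ID="${ROLE_ID:-secureCloudMonitor}"       # assumed custom role ID
WITH_REMEDIATION="${WITH_REMEDIATION:-no}"     # yes = allow firewall/bucket policy changes
USE_KEY="${USE_KEY:-no}"                       # yes = JSON key instead of impersonation
SECURECLOUD_SA="securecloud-client@tufin-securecloud-prod.iam.gserviceaccount.com"

# Read-only permission set from the documentation (method 2), one per line.
read_permissions() {
  printf '%s\n' \
    cloudsql.instances.list compute.addresses.list compute.backendBuckets.list \
    compute.backendServices.list compute.firewalls.list compute.forwardingRules.list \
    compute.globalAddresses.list compute.globalForwardingRules.list \
    compute.globalNetworkEndpointGroups.list compute.instanceGroups.get \
    compute.instanceGroups.list compute.instances.list \
    compute.networkEndpointGroups.list compute.networkEndpointGroups.get \
    compute.networks.list compute.regionBackendServices.list \
    compute.regionNetworkEndpointGroups.list compute.regionTargetHttpProxies.list \
    compute.regionTargetHttpsProxies.list compute.regionUrlMaps.list \
    compute.routes.list compute.subnetworks.list compute.targetGrpcProxies.list \
    compute.targetHttpProxies.list compute.targetHttpsProxies.list \
    compute.targetInstances.list compute.targetPools.list \
    compute.targetSslProxies.list compute.targetTcpProxies.list compute.urlMaps.list \
    container.clusters.list iam.roles.get iam.roles.list \
    iam.serviceAccounts.getIamPolicy iam.serviceAccounts.list \
    osconfig.vulnerabilityReports.list resourcemanager.projects.getIamPolicy \
    storage.buckets.getIamPolicy storage.buckets.list storage.objects.list
}

# Extra permissions needed only when SecureCloud may modify security controls.
write_permissions() {
  printf '%s\n' compute.firewalls.delete compute.firewalls.update storage.buckets.setIamPolicy
}

# Role definition in the YAML format `gcloud iam roles create --file` expects.
# $1 = yes/no: whether to include the write permissions.
role_yaml() {
  printf 'title: SecureCloud Monitor\ndescription: Inventory access for SecureCloud\nstage: GA\nincludedPermissions:\n'
  read_permissions | sed 's/^/- /'
  if [ "$1" = "yes" ]; then write_permissions | sed 's/^/- /'; fi
}

apply() {
  sa_email="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
  # Step 1: the IAM and Cloud SQL Admin APIs.
  gcloud services enable iam.googleapis.com sqladmin.googleapis.com --project="$PROJECT_ID"
  # Step 2: a dedicated service account.
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="SecureCloud monitoring"
  # Step 3 (method 2): custom role, bound to the service account at project level.
  role_yaml "$WITH_REMEDIATION" > securecloud-role.yaml
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file=securecloud-role.yaml
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${sa_email}" --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
  if [ "$USE_KEY" = "yes" ]; then
    # Step 5: long-lived JSON key; move it into a secrets manager, never into a repo.
    gcloud iam service-accounts keys create securecloud-key.json \
      --iam-account="$sa_email" --project="$PROJECT_ID"
  else
    # Step 4: Token Creator on this one service account only (resource-level, not
    # project-level), so the SecureCloud client cannot impersonate anything else.
    gcloud iam service-accounts add-iam-policy-binding "$sa_email" --project="$PROJECT_ID" \
      --member="serviceAccount:${SECURECLOUD_SA}" --role="roles/iam.serviceAccountTokenCreator"
  fi
  # Check: list the project roles the new service account actually holds.
  gcloud projects get-iam-policy "$PROJECT_ID" --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${sa_email}" --format="value(bindings.role)"
}

# Only touch Google Cloud when a project is given and gcloud is available;
# otherwise just print the role definition for review.
if [ -n "$PROJECT_ID" ] && command -v gcloud >/dev/null 2>&1; then
  apply
else
  role_yaml "$WITH_REMEDIATION"
fi
```

The final get-iam-policy call is the check worth keeping after any manual setup too: the only project-level role the new account should hold is the custom role (or the predefined roles from method 1), and the Token Creator binding should appear only in the service account's own policy (gcloud iam service-accounts get-iam-policy), never in the project policy.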