Scopes define the specific permissions that Saner CNAPP requests from your Google Cloud account during onboarding. These scopes are used exclusively to set up the Saner CNAPP integration with your GCP environment (enabling APIs, creating the service account and its role bindings, and optionally configuring billing export) and do not grant Saner CNAPP any access beyond what is necessary for cloud security scanning and posture management.
Saner CNAPP uses OAuth only during the initial onboarding process, to create a least-privilege Service Account within your GCP environment. Once onboarding completes, all scanning and security operations are carried out with that Service Account's credentials; your Google account is not accessed again.
How does Saner CNAPP Use OAuth Scopes?
When you click “Continue with Google” on the GCP OAuth Onboarding page, Saner CNAPP requests the following scopes. These are displayed on the Google authorization screen before you grant access.
Available Scopes
| Scope | Description |
|---|---|
| auth/service.management | Enable required GCP APIs |
| auth/iam | Create IAM roles, service accounts and keys |
| auth/cloudplatformorganizations | Bind service account at organization level |
| auth/cloudplatformprojects | Enable APIs and bind roles at project level |
| auth/bigquery | Create BigQuery dataset for billing export |
| auth/cloud-billing.readonly | Fetch billing account information |
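The Google authorization screen is the one point at which you can confirm that the request really is limited to the six scopes in the table. The following Python is an added example, not code from Saner CNAPP or from this page: it parses the scope parameter of a Google OAuth 2.0 authorization URL (the URL your browser is sent to when you click "Continue with Google") and compares it with the documented set. The basic sign-in scopes (openid, email, profile) are accepted because they grant no GCP access; anything else is flagged, and the cloud-platform and cloud-billing scopes are called out separately because they are supersets of what the page documents. The sample URL, client ID and redirect URI are constructed for the example.

```python
from urllib.parse import parse_qs, urlparse

# The six scopes documented on this page. Anything else requested on the
# consent screen should be reviewed before you grant access.
DOCUMENTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/service.management",
    "https://www.googleapis.com/auth/iam",
    "https://www.googleapis.com/auth/cloudplatformorganizations",
    "https://www.googleapis.com/auth/cloudplatformprojects",
    "https://www.googleapis.com/auth/bigquery",
    "https://www.googleapis.com/auth/cloud-billing.readonly",
})

# Basic sign-in scopes. They identify the user but grant no GCP access,
# so a sign-in flow may legitimately include them.
IDENTITY_SCOPES = frozenset({
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

# Supersets of the documented scopes. A tool that needs only the six above
# has no reason to request these; treat them as a red flag.
BROAD_SCOPES = frozenset({
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/cloud-billing",
})


def requested_scopes(auth_url: str) -> set:
    """Return the set of scopes in a Google OAuth 2.0 authorization URL.

    Google sends the scopes as one space-separated 'scope' query parameter;
    parse_qs undoes the '+'/'%20' and percent-encoding for us.
    """
    query = parse_qs(urlparse(auth_url).query)
    return set(" ".join(query.get("scope", [])).split())


def check_scopes(auth_url: str) -> dict:
    """Compare the requested scopes with the documented allow-list.

    ok          True only when nothing outside the documented or identity
                scopes was requested.
    unexpected  requested scopes that are neither documented nor identity.
    broad       requested scopes that are supersets of documented ones.
    missing     documented scopes that were not requested (informational:
                a flow that skips billing export may not need the
                billing-related scopes).
    """
    requested = requested_scopes(auth_url)
    unexpected = requested - DOCUMENTED_SCOPES - IDENTITY_SCOPES
    return {
        "ok": not unexpected,
        "unexpected": sorted(unexpected),
        "broad": sorted(requested & BROAD_SCOPES),
        "missing": sorted(DOCUMENTED_SCOPES - requested),
    }


# Constructed sample, not captured from Saner CNAPP: an authorization URL
# whose scope parameter matches the documented set exactly. The client ID
# and redirect URI are placeholders.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=example-client-id.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Foauth%2Fcallback"
    "&response_type=code&access_type=offline"
    "&scope=openid+email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fservice.management"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fiam"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudplatformorganizations"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloudplatformprojects"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fbigquery"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-billing.readonly"
)

# The same URL with the all-powerful cloud-platform scope appended, which
# is what an over-broad request would look like.
OVERBROAD_AUTH_URL = (
    SAMPLE_AUTH_URL + "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform"
)

if __name__ == "__main__":
    for label, url in (("documented", SAMPLE_AUTH_URL), ("overbroad", OVERBROAD_AUTH_URL)):
        print(label, check_scopes(url))
```

To use it on a real flow, copy the authorization URL from the browser address bar (or the consent page's link) before clicking Allow and pass it to check_scopes; a non-empty "unexpected" or "broad" list means the request does not match this page and should be questioned before consent is granted.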
Detailed Scope Descriptions
1. Enable Cloud APIs
https://www.googleapis.com/auth/service.management
Grants Saner CNAPP the ability to enable the required Google Cloud APIs on the user's project during the initial onboarding setup.
APIs enabled include the following:
- Cloud Resource Manager API
- Identity and Access Management (IAM) API
- BigQuery API
- Cloud Billing API
- And other required GCP service APIs
Purpose
Without enabling the APIs, Saner CNAPP cannot perform security scanning, IAM role creation, or billing export setup on your GCP project.
2. IAM Role and Service Account Setup
https://www.googleapis.com/auth/iam
Grants Saner CNAPP the ability to:
- Create a custom least-privilege IAM role (`Saner_CNAPP_Remediation_Role`)
- Create a dedicated Service Account (`sa-cnapp-org-<timestamp>`) in the user's GCP project
- Bind the IAM role to the Service Account
- Generate a Service Account key, which Saner CNAPP then uses for scanning after onboarding
Purpose
Saner CNAPP follows the least-privilege principle by creating a dedicated service account that holds only the permissions required for security scanning and remediation, instead of operating under your own user credentials. A dedicated, narrowly scoped service account is the approach Google recommends for automated tooling. Note that the Service Account key generated in this step is a long-lived credential: treat it as a secret and include it in your key-rotation reviews like any other service account key.
3. Organization Level Access and Role Binding
https://www.googleapis.com/auth/cloudplatformorganizations
Grants Saner CNAPP the ability to:
- Read the user's GCP organization structure
- Bind the Service Account to organization-level IAM roles
- Perform organization-wide security posture assessment
Purpose
For organization-level onboarding, Saner CNAPP must establish the required role bindings at the organization level so that it has sufficient permissions to perform security scanning across all projects within that organization.
4. Project Access and Role Binding
https://www.googleapis.com/auth/cloudplatformprojects
Grants Saner CNAPP the ability to:
- List all projects under your GCP organization
- Enable required APIs on specific projects
- Bind the Service Account at the project level
Purpose
Saner CNAPP needs access to individual GCP projects to enable APIs and bind IAM roles for project-level security scanning.
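Sections 2 through 4 describe what onboarding leaves behind in your environment: a custom role, a service account, a key, and role bindings at the organization and project level. The Python below is an added example, not code from Saner CNAPP or from this page, showing the post-onboarding check a reviewer would run over those artefacts. It reads the IAM policy JSON that `gcloud projects get-iam-policy --format=json` or `gcloud organizations get-iam-policy --format=json` prints, lists every role bound to a service account matching the sa-cnapp-org-<timestamp> pattern, and flags basic roles (owner, editor, viewer) or any role other than the expected custom role. It also checks the age of user-managed keys from `gcloud iam service-accounts keys list --format=json` output. The project ID demo-proj, the timestamp suffix, the key IDs, the 90-day rotation window and the sample policy are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Naming patterns from this page: the service account is sa-cnapp-org-<timestamp>
# and the custom role is Saner_CNAPP_Remediation_Role. Custom roles appear in
# IAM policies as projects/<id>/roles/<name> or organizations/<id>/roles/<name>.
SA_MEMBER_RE = re.compile(
    r"^serviceAccount:sa-cnapp-org-[^@]+@[^@]+\.iam\.gserviceaccount\.com$"
)
EXPECTED_CUSTOM_ROLE = "Saner_CNAPP_Remediation_Role"

# Basic roles grant far more than a scanner needs. Finding one on the
# scanner's service account defeats the least-privilege intent.
BASIC_ROLES = frozenset({"roles/owner", "roles/editor", "roles/viewer"})


def is_expected_custom_role(role: str) -> bool:
    """True for a project- or organization-level custom role with the expected name."""
    scoped = role.startswith("projects/") or role.startswith("organizations/")
    return scoped and role.rsplit("/", 1)[-1] == EXPECTED_CUSTOM_ROLE


def audit_bindings(policy: dict) -> dict:
    """Audit an IAM policy (the JSON shape printed by
    `gcloud projects get-iam-policy --format=json` or
    `gcloud organizations get-iam-policy --format=json`).

    Returns the roles bound to every sa-cnapp-org-* service account and a
    list of human-readable findings: basic roles, and roles other than the
    expected custom role.
    """
    roles_by_member = {}
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if SA_MEMBER_RE.match(member):
                roles_by_member.setdefault(member, []).append(role)

    findings = []
    if not roles_by_member:
        findings.append("no sa-cnapp-org-* service account found in policy")
    for member, roles in roles_by_member.items():
        for role in roles:
            if role in BASIC_ROLES:
                findings.append(f"{member} holds basic role {role}")
            elif not is_expected_custom_role(role):
                findings.append(f"{member} holds unexpected role {role}")
    return {"members": roles_by_member, "findings": findings}


def stale_user_keys(keys: list, now: datetime, max_age_days: int = 90) -> list:
    """Return names of user-managed keys older than max_age_days, given the
    JSON list printed by `gcloud iam service-accounts keys list --format=json`.

    The 90-day window is an assumption for this example; use the rotation
    period your own policy requires. System-managed keys are rotated by
    Google and are skipped.
    """
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if now - created > timedelta(days=max_age_days):
            stale.append(key["name"])
    return stale


# Constructed sample data, not captured from a real project. The project id
# demo-proj and the timestamp suffix are placeholders. The scanner's service
# account has the expected custom role but has also been given roles/editor.
SA = "serviceAccount:sa-cnapp-org-1718000000@demo-proj.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "projects/demo-proj/roles/Saner_CNAPP_Remediation_Role", "members": [SA]},
        {"role": "roles/editor", "members": ["user:alice@example.com", SA]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
}
SA_RESOURCE = "projects/demo-proj/serviceAccounts/sa-cnapp-org-1718000000@demo-proj.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": SA_RESOURCE + "/keys/aaaa1111", "keyType": "USER_MANAGED",
     "validAfterTime": "2024-01-15T10:00:00Z"},
    {"name": SA_RESOURCE + "/keys/bbbb2222", "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2024-06-01T00:00:00Z"},
]
AUDIT_TIME = datetime(2024, 6, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_POLICY)["findings"]:
        print("FINDING:", finding)
    for name in stale_user_keys(SAMPLE_KEYS, AUDIT_TIME):
        print("STALE KEY:", name)
```

Because organization-level onboarding binds the service account at the organization level while project-level onboarding binds it per project, run audit_bindings against both the organization policy and each project policy; a clean result is a single entry for the service account holding only the custom role.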
5. Billing Export and Dataset Creation
https://www.googleapis.com/auth/bigquery
Grants Saner CNAPP the ability to:
- Create a BigQuery dataset (sanercloud_export_<timestamp>) in your GCP project
- Store billing export data for cost and usage analysis
Purpose
If you choose to retrieve billing configuration during onboarding, Saner CNAPP creates a dedicated BigQuery dataset in your project to store and analyze your GCP billing and cost data.
6. Billing Account Information
https://www.googleapis.com/auth/cloud-billing.readonly
Grants Saner CNAPP read-only access to:
- Fetch your GCP billing account information
- Link the billing account to the BigQuery export dataset
Purpose
To set up billing export correctly, Saner CNAPP needs to read the user's billing account ID and associate it with the BigQuery dataset.
