GCP Organization Level Onboarding
1. Onboarding Permissions Required for a User
| Sl.No | Permissions | Level | Scope |
|---|---|---|---|
| 1 | Organization Administrator | Organization | User |
| 2 | Organization Role Administrator | Organization | User |
| 3 | Editor | Project | User |
| 4 | Super Admin (Google Workspace Admin Console) | Google Workspace (Domain-wide Delegation) | User |
2. Permissions Attached to a Service Account at Org Level
| Sl.No | Permissions | Level | Action | Scope |
|---|---|---|---|---|
| 1 | Folder Viewer | Organization | Read | Service Account |
| 2 | Organization Viewer | Organization | Read | Service Account |
| 3 | Viewer | Organization | Read | Service Account |
| 4 | Saner_CNAPP_Remediation_Role | Organization | Write | Service Account |
3. Permissions Attached to a Service Account at Project Level Without GCP Billing Feature Enabled
| Sl.No | Permissions | Level | Action | Scope |
|---|---|---|---|---|
| 1 | Viewer | Project | Read | Service Account |
| 2 | Saner_CNAPP_Remediation_Role | Project | Write | Service Account |
4. Permissions Attached to a Service Account at Project Level With GCP Billing Feature Enabled
| Sl.No | Permissions | Level | Action | Scope |
|---|---|---|---|---|
| 1 | Viewer | Project | Read | Service Account |
| 2 | Saner_CNAPP_Remediation_Role | Project | Write | Service Account |
| 3 | BigQuery Data Viewer | Project | Read | Service Account |
| 4 | BigQuery Job User | Project | Write | Service Account |
Saner_CNAPP_Remediation_Role
The following list includes all the permissions the remediation role needs.
| Sl.No | Service | Action | Permission | Description |
|---|---|---|---|---|
| 1 | Access Approval | Approve | accessapproval.requests.approve | Approve permission for Access Approval. |
| 2 | Access Approval | List | accessapproval.requests.list | List permission for Access Approval. |
| 3 | Access Approval | Update | accessapproval.settings.update | Update permission for Access Approval. |
| 4 | API Keys | Create | apikeys.keys.create | Create permission for API Keys. |
| 5 | API Keys | Delete | apikeys.keys.delete | Delete permission for API Keys. |
| 6 | API Keys | List | apikeys.keys.list | List permission for API Keys. |
| 7 | API Keys | Update | apikeys.keys.update | Update permission for API Keys. |
| 8 | BigQuery | Create | bigquery.datasets.create | Create permission for BigQuery. |
| 9 | BigQuery | Delete | bigquery.datasets.delete | Delete permission for BigQuery. |
| 10 | BigQuery | Update | bigquery.datasets.update | Update permission for BigQuery. |
| 11 | BigQuery | Create | bigquery.jobs.create | Create permission for BigQuery. |
| 12 | BigQuery | Create Global Query | bigquery.jobs.createGlobalQuery | Create Global Query permission for BigQuery. |
| 13 | BigQuery | Update | bigquery.jobs.update | Update permission for BigQuery. |
| 14 | BigQuery | Create Read Session | bigquery.readsessions.create | Create Read Session permission for BigQuery. |
| 15 | BigQuery | Create | bigquery.tables.create | Create permission for BigQuery. |
| 16 | BigQuery | Delete | bigquery.tables.delete | Delete permission for BigQuery. |
| 17 | BigQuery | Update | bigquery.tables.update | Update permission for BigQuery. |
| 18 | Cloud Functions | Create | cloudfunctions.functions.create | Create permission for Cloud Functions. |
| 19 | Cloud Functions | Update | cloudfunctions.functions.generateUploadUrl | Generate Upload URL permission for Cloud Functions. |
| 20 | Cloud Functions | Update | cloudfunctions.functions.setIamPolicy | Set IAM Policy permission for Cloud Functions. |
| 21 | Cloud Functions | Update | cloudfunctions.functions.update | Update permission for Cloud Functions. |
| 22 | Cloud KMS | Update | cloudkms.cryptoKeys.setIamPolicy | Set IAM Policy permission for Cloud KMS. |
| 23 | Cloud KMS | Update | cloudkms.cryptoKeys.update | Update permission for Cloud KMS. |
| 24 | Cloud SQL | Create | cloudsql.databases.create | Create permission for Cloud SQL. |
| 25 | Cloud SQL | Delete | cloudsql.databases.delete | Delete permission for Cloud SQL. |
| 26 | Cloud SQL | Update | cloudsql.databases.update | Update permission for Cloud SQL. |
| 27 | Cloud SQL | Create | cloudsql.instances.clone | Clone permission for Cloud SQL. |
| 28 | Cloud SQL | Create | cloudsql.instances.create | Create permission for Cloud SQL. |
| 29 | Cloud SQL | Delete | cloudsql.instances.delete | Delete permission for Cloud SQL. |
| 30 | Cloud SQL | Update | cloudsql.instances.export | Export permission for Cloud SQL. |
| 31 | Cloud SQL | Update | cloudsql.instances.restart | Restart permission for Cloud SQL. |
| 32 | Cloud SQL | Update | cloudsql.instances.update | Update permission for Cloud SQL. |
| 33 | Compute Engine | Create | compute.disks.create | Create permission for Compute Engine. |
| 34 | Compute Engine | Create | compute.disks.createSnapshot | Create Snapshot permission for Compute Engine. |
| 35 | Compute Engine | Delete | compute.disks.delete | Delete permission for Compute Engine. |
| 36 | Compute Engine | Update | compute.disks.update | Update permission for Compute Engine. |
| 37 | Compute Engine | Get | compute.firewalls.get | Get permission for Compute Engine. |
| 38 | Compute Engine | List | compute.firewalls.list | List permission for Compute Engine. |
| 39 | Compute Engine | Update | compute.firewalls.update | Update permission for Compute Engine. |
| 40 | Compute Engine | Update | compute.instances.attachDisk | Attach Disk permission for Compute Engine. |
| 41 | Compute Engine | Create | compute.instances.create | Create permission for Compute Engine. |
| 42 | Compute Engine | Update | compute.instances.detachDisk | Detach Disk permission for Compute Engine. |
| 43 | Compute Engine | Update | compute.instances.resume | Resume permission for Compute Engine. |
| 44 | Compute Engine | Update | compute.instances.setDeletionProtection | Set Deletion Protection permission for Compute Engine. |
| 45 | Compute Engine | Set Disk Auto Delete | compute.instances.setDiskAutoDelete | Set Disk Auto Delete permission for Compute Engine. |
| 46 | Compute Engine | Set Labels | compute.instances.setLabels | Set Labels permission for Compute Engine. |
| 47 | Compute Engine | Set Machine Type | compute.instances.setMachineType | Set Machine Type permission for Compute Engine. |
| 48 | Compute Engine | Set Metadata | compute.instances.setMetadata | Set Metadata permission for Compute Engine. |
| 49 | Compute Engine | Set Scheduling | compute.instances.setScheduling | Set Scheduling permission for Compute Engine. |
| 50 | Compute Engine | Set Service Account | compute.instances.setServiceAccount | Set Service Account permission for Compute Engine. |
| 51 | Compute Engine | Start | compute.instances.start | Start permission for Compute Engine. |
| 52 | Compute Engine | Stop | compute.instances.stop | Stop permission for Compute Engine. |
| 53 | Compute Engine | Update | compute.instances.update | Update permission for Compute Engine. |
| 54 | Compute Engine | Update Policy | compute.networks.updatePolicy | Update Policy permission for Compute Engine. |
| 55 | Compute Engine | Set Common Instance Metadata | compute.projects.setCommonInstanceMetadata | Set Common Instance Metadata permission for Compute Engine. |
| 56 | Compute Engine | Create | compute.snapshots.create | Create permission for Compute Engine. |
| 57 | Compute Engine | Delete | compute.snapshots.delete | Delete permission for Compute Engine. |
| 58 | Compute Engine | Enable Private Google Access | compute.subnetworks.setPrivateIpGoogleAccess | Enable Private Google Access permission for Compute Engine. |
| 59 | Compute Engine | Use | compute.subnetworks.use | Use permission for Compute Engine. |
| 60 | Compute Engine | Use External IP | compute.subnetworks.useExternalIp | Use External IP permission for Compute Engine. |
| 61 | GKE | Create | container.clusters.create | Create permission for GKE. |
| 62 | GKE | Delete | container.clusters.delete | Delete permission for GKE. |
| 63 | GKE | Update | container.clusters.update | Update permission for GKE. |
| 64 | GKE | Delete | container.nodes.delete | Delete permission for GKE. |
| 65 | Dataproc | Create | dataproc.clusters.create | Create permission for Dataproc. |
| 66 | Dataproc | Delete | dataproc.clusters.delete | Delete permission for Dataproc. |
| 67 | Dataproc | Start | dataproc.clusters.start | Start permission for Dataproc. |
| 68 | Dataproc | Stop | dataproc.clusters.stop | Stop permission for Dataproc. |
| 69 | Dataproc | Update | dataproc.clusters.update | Update permission for Dataproc. |
| 70 | Essential Contacts | Create | essentialcontacts.contacts.create | Create permission for Essential Contacts. |
| 71 | Essential Contacts | Update | essentialcontacts.contacts.update | Update permission for Essential Contacts. |
| 72 | Eventarc | Create | eventarc.triggers.create | Create permission for Eventarc. |
| 73 | Filestore | Create | file.instances.create | Create permission for Filestore. |
| 74 | IAM | Create | iam.roles.create | Create permission for IAM. |
| 75 | IAM | Delete | iam.roles.delete | Delete permission for IAM. |
| 76 | IAM | Undelete | iam.roles.undelete | Undelete permission for IAM. |
| 77 | IAM | Update | iam.roles.update | Update permission for IAM. |
| 78 | IAM | Create | iam.serviceAccountKeys.create | Create permission for IAM. |
| 79 | IAM | Delete | iam.serviceAccountKeys.delete | Delete permission for IAM. |
| 80 | IAM | List | iam.serviceAccountKeys.list | List permission for IAM. |
| 81 | IAM | Act As | iam.serviceAccounts.actAs | Act As permission for IAM. |
| 82 | IAM | Delete | iam.serviceAccounts.delete | Delete permission for IAM. |
| 83 | Cloud Logging | Create | logging.logMetrics.create | Create permission for Cloud Logging. |
| 84 | Cloud Logging | Delete | logging.logMetrics.delete | Delete permission for Cloud Logging. |
| 85 | Cloud Logging | Create | logging.sinks.create | Create permission for Cloud Logging. |
| 86 | Cloud Logging | Delete | logging.sinks.delete | Delete permission for Cloud Logging. |
| 87 | Memorystore | Update | memorystore.instances.update | Update permission for Memorystore. |
| 88 | Cloud Monitoring | Create | monitoring.alertPolicies.create | Create permission for Cloud Monitoring. |
| 89 | Cloud Monitoring | Delete | monitoring.alertPolicies.delete | Delete permission for Cloud Monitoring. |
| 90 | Pub/Sub | Create | pubsub.subscriptions.create | Create permission for Pub/Sub. |
| 91 | Pub/Sub | Delete | pubsub.subscriptions.delete | Delete permission for Pub/Sub. |
| 92 | Pub/Sub | Create | pubsub.topics.create | Create permission for Pub/Sub. |
| 93 | Pub/Sub | Delete | pubsub.topics.delete | Delete permission for Pub/Sub. |
| 94 | Pub/Sub | Publish | pubsub.topics.publish | Publish permission for Pub/Sub. |
| 95 | Pub/Sub | Set IAM Policy | pubsub.topics.setIamPolicy | Set IAM Policy permission for Pub/Sub. |
| 96 | Resource Manager | Delete | resourcemanager.folders.delete | Delete permission for Resource Manager. |
| 97 | Resource Manager | Get IAM Policy | resourcemanager.folders.getIamPolicy | Get IAM Policy permission for Resource Manager. |
| 98 | Resource Manager | Set IAM Policy | resourcemanager.folders.setIamPolicy | Set IAM Policy permission for Resource Manager. |
| 99 | Resource Manager | Get IAM Policy | resourcemanager.organizations.getIamPolicy | Get IAM Policy permission for Resource Manager. |
| 100 | Resource Manager | Set IAM Policy | resourcemanager.organizations.setIamPolicy | Set IAM Policy permission for Resource Manager. |
| 101 | Resource Manager | Set IAM Policy | resourcemanager.projects.setIamPolicy | Set IAM Policy permission for Resource Manager. |
| 102 | Resource Settings | List | resourcesettings.settings.list | List permission for Resource Settings. |
| 103 | Cloud Run | Create | run.services.create | Create permission for Cloud Run. |
| 104 | Cloud Run | Delete | run.services.delete | Delete permission for Cloud Run. |
| 105 | Cloud Run | Update | run.services.update | Update permission for Cloud Run. |
| 106 | Service Usage | Enable | serviceusage.services.enable | Enable permission for Service Usage. |
| 107 | Cloud Storage | Get IAM Policy | storage.buckets.getIamPolicy | Get IAM Policy permission for Cloud Storage. |
| 108 | Cloud Storage | Set IAM Policy | storage.buckets.setIamPolicy | Set IAM Policy permission for Cloud Storage. |
| 109 | Cloud Storage | Update | storage.buckets.update | Update permission for Cloud Storage. |
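An added least-privilege check, not part of the Saner documentation: it parses the Permission column of the table above, emits the role body that `gcloud iam roles create` accepts, and reports any permission a deployed copy of the role carries beyond (or lacks from) the documented list. The table excerpt and the `gcloud iam roles describe --format=json` output are constructed samples, and ORG_ID is a placeholder.

```python
"""Drift check for the Saner_CNAPP_Remediation_Role custom role (added example)."""
import json
import re

# Constructed excerpt of this page's permission table; same five-column layout.
DOCUMENTED_TABLE = """\
| Sl.No | Service | Action | Permission | Description |
|---|---|---|---|---|
| 1 | Access Approval | Approve | accessapproval.requests.approve | Approve permission for Access Approval. |
| 74 | IAM | Create | iam.roles.create | Create permission for IAM. |
| 78 | IAM | Create | iam.serviceAccountKeys.create | Create permission for IAM. |
| 101 | Resource Manager | Set IAM Policy | resourcemanager.projects.setIamPolicy | Set IAM Policy permission for Resource Manager. |
"""

# Constructed sample of `gcloud iam roles describe ... --format=json` output for a
# deployed copy of the role; ORG_ID is a placeholder.
DEPLOYED_ROLE_JSON = """{
  "name": "organizations/ORG_ID/roles/Saner_CNAPP_Remediation_Role",
  "stage": "GA",
  "includedPermissions": ["accessapproval.requests.approve", "iam.roles.create",
                          "iam.serviceAccounts.setIamPolicy"]
}"""

PERM_RE = re.compile(r"^[a-z][a-zA-Z0-9]*(\.[a-zA-Z0-9]+){2,}$")  # service.resource.verb

def parse_permissions(table: str) -> set[str]:
    """Collect the Permission column from markdown table rows, skipping header/separator."""
    perms = set()
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 5 and PERM_RE.match(cells[3]):
            perms.add(cells[3])
    return perms

def role_definition(perms: set[str]) -> dict:
    """Role body usable with `gcloud iam roles create <ROLE_ID> --organization ORG_ID --file role.json`."""
    return {"title": "Saner_CNAPP_Remediation_Role", "stage": "GA",
            "includedPermissions": sorted(perms)}

def drift(documented: set[str], deployed_json: str) -> dict:
    """Report grants the deployed role has beyond the documented list, and documented grants it lacks."""
    deployed = set(json.loads(deployed_json).get("includedPermissions", []))
    return {"extra": sorted(deployed - documented), "missing": sorted(documented - deployed)}

if __name__ == "__main__":
    documented = parse_permissions(DOCUMENTED_TABLE)
    print(json.dumps(role_definition(documented), indent=2))
    print(json.dumps(drift(documented, DEPLOYED_ROLE_JSON), indent=2))
```

Run it against the full table on this page to build `role.json`, and re-run the drift step periodically so that any permission added to the role outside the documented onboarding list shows up under `extra`.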
