The following permissions are needed by the Service Account that CDV uses in order for CDV to perform Organization-level discoveries on a GCP infrastructure. These permissions should be assigned to roles, which can then be assigned to the Service Account that CDV uses.
General Discovery permissions
These permissions are necessary to perform general Discovery operations (not at the Organization level). This is a consolidated list of permissions for discovering specific resources, as listed on Google Cloud Platform (GCP) environments.
- compute.networks.get
- compute.networks.list
- compute.subnetworks.get
- compute.subnetworks.list
- compute.instances.get
- compute.instances.list
- dns.managedZones.list
- dns.managedZones.get
- dns.resourceRecordSets.list
- compute.backendBuckets.get
- compute.backendBuckets.list
- compute.backendServices.get
- compute.backendServices.list
- compute.forwardingRules.get
- compute.forwardingRules.list
- compute.globalForwardingRules.get
- compute.globalForwardingRules.list
- compute.globalNetworkEndpointGroups.list
- compute.instanceGroups.get
- compute.instanceGroups.list
- compute.networkEndpointGroups.get
- compute.networkEndpointGroups.list
- compute.regionBackendServices.get
- compute.regionBackendServices.list
- compute.regionNetworkEndpointGroups.get
- compute.regionNetworkEndpointGroups.list
- compute.regionTargetHttpProxies.get
- compute.regionTargetHttpProxies.list
- compute.regionTargetHttpsProxies.get
- compute.regionTargetHttpsProxies.list
- compute.regionTargetTcpProxies.get
- compute.regionTargetTcpProxies.list
- compute.regionUrlMaps.get
- compute.regionUrlMaps.list
- compute.targetHttpProxies.get
- compute.targetHttpProxies.list
- compute.targetHttpsProxies.get
- compute.targetHttpsProxies.list
- compute.targetPools.get
- compute.targetPools.list
- compute.targetSslProxies.get
- compute.targetSslProxies.list
- compute.targetTcpProxies.get
- compute.targetTcpProxies.list
- compute.urlMaps.get
- compute.urlMaps.list
- container.clusters.get
- container.clusters.list
- container.services.list
- container.pods.list
General Visibility permissions
These permissions are necessary to perform general Visibility operations (not at the Organization level). The account must also have all General Discovery permissions. This is a consolidated list of additional permissions for visibility of specific resources, as listed on Google Cloud Platform (GCP) environments.
- logging.sinks.create
- logging.sinks.delete
- logging.sinks.get
- logging.sinks.update
- logging.sinks.list
- pubsub.subscriptions.create
- pubsub.subscriptions.delete
- pubsub.subscriptions.get
- pubsub.subscriptions.list
- pubsub.subscriptions.update
- pubsub.subscriptions.consume
- pubsub.topics.create
- pubsub.topics.delete
- pubsub.topics.get
- pubsub.topics.list
- pubsub.topics.getIamPolicy
- pubsub.topics.setIamPolicy
- pubsub.topics.attachSubscription
- compute.globalOperations.get
- compute.regionOperations.get
- compute.zoneOperations.get
Organization-level Discovery and Visibility permissions
These additional permissions are necessary to perform discovery and visibility at an Organization level. The account must also have all General Discovery/Visibility permissions.
- resourcemanager.organizations.get
- resourcemanager.projects.get
- resourcemanager.projects.list
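The three sections above describe one procedure: collect the permissions, put them in a role, and bind that role to the CDV service account. The script below is an added example (not CDV's or Google's own code) that assembles the page's permission sets into the role-definition document that `gcloud iam roles create ROLE_ID --organization=ORG_ID --file=FILE` accepts, flags the grants that are not pure reads so a reviewer sees them before the role is bound, and diffs the required set against what an account actually holds (for instance the `permissions` array returned by a `testIamPermissions` call). The role title and the sample "granted" list are constructed; the permission strings are exactly those listed on this page.

```python
"""Assemble the CDV service-account permissions into custom-role definitions
and check a granted set against them.  Added example; the role title and the
sample granted list are constructed, the permission strings come from the page.
"""
import json

# Permissions transcribed from the page, duplicates removed.
GENERAL_DISCOVERY = """
compute.networks.get compute.networks.list
compute.subnetworks.get compute.subnetworks.list
compute.instances.get compute.instances.list
dns.managedZones.list dns.managedZones.get dns.resourceRecordSets.list
compute.backendBuckets.get compute.backendBuckets.list
compute.backendServices.get compute.backendServices.list
compute.forwardingRules.get compute.forwardingRules.list
compute.globalForwardingRules.get compute.globalForwardingRules.list
compute.globalNetworkEndpointGroups.list
compute.instanceGroups.get compute.instanceGroups.list
compute.networkEndpointGroups.get compute.networkEndpointGroups.list
compute.regionBackendServices.get compute.regionBackendServices.list
compute.regionNetworkEndpointGroups.get compute.regionNetworkEndpointGroups.list
compute.regionTargetHttpProxies.get compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get compute.regionTargetHttpsProxies.list
compute.regionTargetTcpProxies.get compute.regionTargetTcpProxies.list
compute.regionUrlMaps.get compute.regionUrlMaps.list
compute.targetHttpProxies.get compute.targetHttpProxies.list
compute.targetHttpsProxies.get compute.targetHttpsProxies.list
compute.targetPools.get compute.targetPools.list
compute.targetSslProxies.get compute.targetSslProxies.list
compute.targetTcpProxies.get compute.targetTcpProxies.list
compute.urlMaps.get compute.urlMaps.list
container.clusters.get container.clusters.list
container.services.list container.pods.list
""".split()

GENERAL_VISIBILITY = """
logging.sinks.create logging.sinks.delete logging.sinks.get
logging.sinks.update logging.sinks.list
pubsub.subscriptions.create pubsub.subscriptions.delete pubsub.subscriptions.get
pubsub.subscriptions.list pubsub.subscriptions.update pubsub.subscriptions.consume
pubsub.topics.create pubsub.topics.delete pubsub.topics.get pubsub.topics.list
pubsub.topics.getIamPolicy pubsub.topics.setIamPolicy pubsub.topics.attachSubscription
compute.globalOperations.get compute.regionOperations.get compute.zoneOperations.get
""".split()

ORG_LEVEL = """
resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.list
""".split()

# Verbs that only read state; every other verb changes resources or IAM policy
# and deserves explicit sign-off during role review.
READ_ONLY_VERBS = {"get", "list", "getIamPolicy"}


def dedupe(perms):
    """Keep the first occurrence of each permission, preserving order."""
    seen, out = set(), []
    for p in perms:
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out


def role_definition(title, *permission_sets):
    """Build the document that `gcloud iam roles create --file=FILE` accepts.
    YAML is a superset of JSON, so json.dumps() output can be written to FILE."""
    return {
        "title": title,
        "stage": "GA",
        "includedPermissions": dedupe(p for s in permission_sets for p in s),
    }


def mutating_permissions(perms):
    """Permissions whose verb is not a pure read (create, delete, update, setIamPolicy, ...)."""
    return sorted(p for p in perms if p.rsplit(".", 1)[1] not in READ_ONLY_VERBS)


def missing_permissions(required, granted):
    """Required permissions the account does not hold, in the page's order."""
    held = set(granted)
    return [p for p in required if p not in held]


if __name__ == "__main__":
    org_role = role_definition("CDV Organization Discovery and Visibility",  # constructed title
                               GENERAL_DISCOVERY, GENERAL_VISIBILITY, ORG_LEVEL)
    print(json.dumps(org_role, indent=2))
    print("write/IAM permissions to review:", mutating_permissions(org_role["includedPermissions"]))
    # Constructed sample: an account holding the read-only sets but none of the sink/topic grants.
    granted = GENERAL_DISCOVERY + ORG_LEVEL
    print("missing:", missing_permissions(org_role["includedPermissions"], granted))
```

Writing `json.dumps(org_role)` to a file and passing it with `--file` creates one role carrying all three sets; splitting Discovery and Visibility into two roles (two `role_definition` calls) lets an account that only needs discovery avoid the logging-sink and Pub/Sub write grants that `mutating_permissions` reports.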