The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to GCP environments.
Before you begin
Make sure that the GCP accounts that will be used to retrieve the GCP data have the following permissions:
Permissions for Discovery jobs:
- GCP Private VPC/Subnets permissions:
compute.networks.get
compute.networks.list
compute.subnetworks.get
compute.subnetworks.list
- GCP VM Instance permissions:
compute.instances.get
compute.instances.list
- GCP DNS Zones (Private) permissions:
compute.zones.get
compute.zones.list
compute.regions.get
compute.regions.list
dns.managedZones.list
dns.resourceRecordSets.list
dns.resourceRecordSets.get
- GCP DNS Zones (Public) permissions:
compute.zones.get
compute.zones.list
compute.regions.get
compute.regions.list
dns.managedZones.list
dns.resourceRecordSets.list
dns.resourceRecordSets.get
- GCP Load Balancer permissions:
compute.instanceTemplates.get
compute.instanceTemplates.list
compute.instanceGroups.list
compute.instanceGroups.get
compute.instances.get
compute.instances.list
compute.backendServices.get
compute.backendServices.list
compute.regionBackendServices.get
compute.regionBackendServices.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.forwardingRules.get
compute.forwardingRules.list
compute.targetPools.get
compute.targetPools.list
compute.targetHttpProxies.get
compute.targetHttpProxies.list
compute.targetHttpsProxies.get
compute.targetHttpsProxies.list
compute.regionTargetHttpProxies.get
compute.regionTargetHttpProxies.list
compute.regionTargetHttpsProxies.get
compute.regionTargetHttpsProxies.list
compute.targetSslProxies.get
compute.targetSslProxies.list
compute.targetTcpProxies.get
compute.targetTcpProxies.list
compute.urlMaps.get
compute.urlMaps.list
compute.regionUrlMaps.get
compute.regionUrlMaps.list
- GCP Private Endpoints permissions:
dns.managedZones.get
dns.managedZones.list
dns.resourceRecordSets.get
dns.resourceRecordSets.list
compute.globalForwardingRules.get
compute.globalForwardingRules.list
compute.forwardingRules.get
compute.forwardingRules.list
- GCP Kubernetes Engine permissions:
container.clusters.get
container.clusters.list
compute.instanceGroups.get
Permissions for Visibility jobs:
- GCP Cloud Logging permissions:
logging.sinks.create
logging.sinks.delete
logging.sinks.get
- GCP Pub/Sub permissions:
pubsub.topics.create
pubsub.topics.getIamPolicy
pubsub.topics.setIamPolicy
pubsub.topics.attachSubscription
pubsub.topics.get
pubsub.topics.delete
pubsub.subscriptions.consume
pubsub.subscriptions.create
pubsub.subscriptions.delete
Permissions for manually configuring the Visibility system: If the GCP user account does not have the write permissions listed above, you must manually configure the GCP topic, sink, and subscription rules before visibility can be enabled. For more details, see Manually configuring GCP topic, sink, and subscription. The account still needs the following permissions:
- GCP Cloud Logging permissions:
logging.sinks.get
- GCP Pub/Sub permissions:
pubsub.topics.getIamPolicy
pubsub.topics.get
pubsub.subscriptions.consume
pubsub.subscriptions.create
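The two Visibility permission sets above (the full set for automatic setup and the reduced set for manual configuration) can be checked before enabling visibility. The following is an added example, not Infoblox or Google code; it assumes the Resource Manager REST method `projects.testIamPermissions`, which returns the subset of the requested permissions that the calling credential actually holds, and the constant and function names are our own.

```python
"""Decide whether a GCP principal can let CDV set up Visibility automatically,
or whether the topic, sink and subscription must be configured by hand.
Assumption: POST .../v1/projects/{id}:testIamPermissions returns the subset of
the submitted permissions that the bearer token holds."""
import json
import urllib.request

# Visibility permission sets as listed on this page (constant names are ours).
VISIBILITY_FULL = [
    "logging.sinks.create", "logging.sinks.delete", "logging.sinks.get",
    "pubsub.topics.create", "pubsub.topics.getIamPolicy",
    "pubsub.topics.setIamPolicy", "pubsub.topics.attachSubscription",
    "pubsub.topics.get", "pubsub.topics.delete",
    "pubsub.subscriptions.consume", "pubsub.subscriptions.create",
    "pubsub.subscriptions.delete",
]
VISIBILITY_MANUAL = [
    "logging.sinks.get", "pubsub.topics.getIamPolicy", "pubsub.topics.get",
    "pubsub.subscriptions.consume", "pubsub.subscriptions.create",
]


def granted_permissions(project_id, access_token, permissions, opener=urllib.request.urlopen):
    """Ask Resource Manager which of `permissions` the token holds on the project."""
    url = f"https://cloudresourcemanager.googleapis.com/v1/projects/{project_id}:testIamPermissions"
    body = json.dumps({"permissions": sorted(set(permissions))}).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with opener(req) as resp:
        return set(json.load(resp).get("permissions", []))


def visibility_mode(granted):
    """Return ("automatic", []) when CDV can create the topic, sink and subscription
    itself; ("manual", missing_write_perms) when only the reduced set is present;
    ("insufficient", missing_read_perms) when even manual configuration cannot work."""
    granted = set(granted)
    missing_full = [p for p in VISIBILITY_FULL if p not in granted]
    if not missing_full:
        return "automatic", []
    missing_manual = [p for p in VISIBILITY_MANUAL if p not in granted]
    if not missing_manual:
        return "manual", missing_full
    return "insufficient", missing_manual


if __name__ == "__main__":
    import sys  # usage: script.py PROJECT_ID ACCESS_TOKEN
    mode, missing = visibility_mode(granted_permissions(sys.argv[1], sys.argv[2], VISIBILITY_FULL))
    print(mode, missing)
```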