Google Cloud Platform (GCP) environments - Adaptive Applications - BlueCat Gateway - 23.3.2

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 23.3.2

The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to GCP environments.

Before you begin

Make sure that the GCP accounts that will be used to retrieve the GCP data have the following permissions:

Permissions for Discovery jobs:

  • GCP Private VPC/Subnets permissions:
    • compute.networks.get
    • compute.networks.list
    • compute.subnetworks.get
    • compute.subnetworks.list
  • GCP VM Instance permissions:
    • compute.instances.get
    • compute.instances.list
  • GCP DNS Zones (Private) permissions:
    • compute.zones.get
    • compute.zones.list
    • compute.regions.get
    • compute.regions.list
    • dns.managedZones.list
    • dns.resourceRecordSets.list
    • dns.resourceRecordSets.get
  • GCP DNS Zones (Public) permissions:
    • compute.zones.get
    • compute.zones.list
    • compute.regions.get
    • compute.regions.list
    • dns.managedZones.list
    • dns.resourceRecordSets.list
    • dns.resourceRecordSets.get
  • GCP Load Balancer permissions:
    • compute.instanceTemplates.get
    • compute.instanceTemplates.list
    • compute.instanceGroups.list
    • compute.instanceGroups.get
    • compute.instances.get
    • compute.instances.list
    • compute.backendServices.get
    • compute.backendServices.list
    • compute.regionBackendServices.get
    • compute.regionBackendServices.list
    • compute.globalForwardingRules.get
    • compute.globalForwardingRules.list
    • compute.forwardingRules.get
    • compute.forwardingRules.list
    • compute.targetPools.get
    • compute.targetPools.list
    • compute.targetHttpProxies.get
    • compute.targetHttpProxies.list
    • compute.targetHttpsProxies.get
    • compute.targetHttpsProxies.list
    • compute.regionTargetHttpProxies.get
    • compute.regionTargetHttpProxies.list
    • compute.regionTargetHttpsProxies.get
    • compute.regionTargetHttpsProxies.list
    • compute.targetSslProxies.get
    • compute.targetSslProxies.list
    • compute.targetTcpProxies.get
    • compute.targetTcpProxies.list
    • compute.urlMaps.get
    • compute.urlMaps.list
    • compute.regionUrlMaps.get
    • compute.regionUrlMaps.list
  • GCP Private Endpoints permissions:
    • dns.managedZones.get
    • dns.managedZones.list
    • dns.resourceRecordSets.get
    • dns.resourceRecordSets.list
    • compute.globalForwardingRules.get
    • compute.globalForwardingRules.list
    • compute.forwardingRules.get
  • GCP Kubernetes Engine permissions:
    • container.clusters.get
    • container.clusters.list
    • compute.instanceGroups.get

Permissions for Visibility jobs:

  • GCP Cloud Logging permissions:
    • logging.sinks.create
    • logging.sinks.delete
    • logging.sinks.get
  • GCP Pub/Sub permissions:
    • pubsub.topics.create
    • pubsub.topics.getIamPolicy
    • pubsub.topics.setIamPolicy
    • pubsub.topics.attachSubscription
    • pubsub.topics.get
    • pubsub.topics.delete
    • pubsub.subscriptions.consume
    • pubsub.subscriptions.create
    • pubsub.subscriptions.delete

Permissions for manually configuring the Visibility system:

If your GCP user account does not have the correct write permissions, in order to enable visibility, you must manually configure the GCP topic, sink, and subscription rules. For more details, see Manually configuring GCP topic, sink, and subscription.

  • GCP Cloud Logging permissions:
    • logging.sinks.get
  • GCP Pub/Sub permissions:
    • pubsub.topics.getIamPolicy
    • pubsub.topics.get
    • pubsub.subscriptions.consume
    • pubsub.subscriptions.create
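The following script is an added example, not part of this guide or of BlueCat Gateway: it encodes a subset of the permission lists above (the long Load Balancer list is omitted for brevity), reports which permissions a service account is still missing for a job type, decides whether Visibility can be enabled automatically or must be configured manually, and emits a least-privilege custom role definition in the shape accepted by `gcloud iam roles create ROLE_ID --file role.json`. The granted-permissions input is constructed; role IDs and titles are assumptions.

```python
import json

# Permission sets copied from the guide (Load Balancer and GKE lists omitted here).
DISCOVERY_VPC = {"compute.networks.get", "compute.networks.list",
                 "compute.subnetworks.get", "compute.subnetworks.list"}
DISCOVERY_VM = {"compute.instances.get", "compute.instances.list"}
DISCOVERY_DNS = {"compute.zones.get", "compute.zones.list",
                 "compute.regions.get", "compute.regions.list",
                 "dns.managedZones.list", "dns.resourceRecordSets.list",
                 "dns.resourceRecordSets.get"}
# Visibility when CDV creates the sink/topic/subscription itself (write access).
VISIBILITY_AUTO = {"logging.sinks.create", "logging.sinks.delete", "logging.sinks.get",
                   "pubsub.topics.create", "pubsub.topics.getIamPolicy",
                   "pubsub.topics.setIamPolicy", "pubsub.topics.attachSubscription",
                   "pubsub.topics.get", "pubsub.topics.delete",
                   "pubsub.subscriptions.consume", "pubsub.subscriptions.create",
                   "pubsub.subscriptions.delete"}
# Visibility when the topic, sink and subscription are configured by hand (read side only).
VISIBILITY_MANUAL = {"logging.sinks.get", "pubsub.topics.getIamPolicy",
                     "pubsub.topics.get", "pubsub.subscriptions.consume",
                     "pubsub.subscriptions.create"}


def missing_permissions(required, granted):
    """Permissions in `required` that the account does not hold, sorted."""
    return sorted(set(required) - set(granted))


def visibility_mode(granted):
    """Return ("automatic", []), ("manual", extra_needed_for_auto) or
    ("insufficient", missing_for_manual) for the granted permission set."""
    auto_missing = missing_permissions(VISIBILITY_AUTO, granted)
    if not auto_missing:
        return "automatic", []
    manual_missing = missing_permissions(VISIBILITY_MANUAL, granted)
    if not manual_missing:
        return "manual", auto_missing
    return "insufficient", manual_missing


def custom_role(title, permissions):
    """Role body for `gcloud iam roles create` (title/stage/includedPermissions keys)."""
    return {"title": title, "stage": "GA", "includedPermissions": sorted(permissions)}


if __name__ == "__main__":
    # Constructed sample: an account that only holds the read-side Visibility permissions.
    sample_granted = VISIBILITY_MANUAL | DISCOVERY_VM
    print("VPC discovery missing:", missing_permissions(DISCOVERY_VPC, sample_granted))
    print("Visibility mode:", visibility_mode(sample_granted))
    print(json.dumps(custom_role("CDV Discovery (hypothetical)",
                                 DISCOVERY_VPC | DISCOVERY_VM | DISCOVERY_DNS), indent=2))
```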