Google Cloud Platform (GCP) environments - Adaptive Applications - BlueCat Gateway - 25.3

The following sections describe Cloud Discovery & Visibility (CDV) features and configuration specific to GCP environments.

Before you begin, make sure that the GCP accounts that will be used to retrieve the GCP data have the following permissions:

Permissions for Discovery:

• GCP Private VPC/Subnets permissions:
  • compute.networks.get
  • compute.networks.list
  • compute.subnetworks.get
  • compute.subnetworks.list
• GCP VM Instance permissions:
  • compute.instances.get
  • compute.instances.list
• GCP DNS Zones (Private) permissions:
  • dns.managedZones.list
  • dns.managedZones.get
  • dns.resourceRecordSets.list
• GCP DNS Zones (Public) permissions:
  • dns.managedZones.list
  • dns.managedZones.get
  • dns.resourceRecordSets.list
• GCP Load Balancer permissions:
  • compute.backendBuckets.get
  • compute.backendBuckets.list
  • compute.backendServices.get
  • compute.backendServices.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.globalNetworkEndpointGroups.list
  • compute.instanceGroups.get
  • compute.instanceGroups.list
  • compute.networkEndpointGroups.get
  • compute.networkEndpointGroups.list
  • compute.regionBackendServices.get
  • compute.regionBackendServices.list
  • compute.regionNetworkEndpointGroups.get
  • compute.regionNetworkEndpointGroups.list
  • compute.regionTargetHttpProxies.get
  • compute.regionTargetHttpProxies.list
  • compute.regionTargetHttpsProxies.get
  • compute.regionTargetHttpsProxies.list
  • compute.regionTargetTcpProxies.get
  • compute.regionTargetTcpProxies.list
  • compute.regionUrlMaps.get
  • compute.regionUrlMaps.list
  • compute.targetHttpProxies.get
  • compute.targetHttpProxies.list
  • compute.targetHttpsProxies.get
  • compute.targetHttpsProxies.list
  • compute.targetPools.get
  • compute.targetPools.list
  • compute.targetSslProxies.get
  • compute.targetSslProxies.list
  • compute.targetTcpProxies.get
  • compute.targetTcpProxies.list
  • compute.urlMaps.get
  • compute.urlMaps.list
• GCP Private Endpoints permissions:
  • dns.managedZones.get
  • dns.managedZones.list
  • dns.resourceRecordSets.list
  • compute.globalForwardingRules.get
  • compute.globalForwardingRules.list
  • compute.forwardingRules.get
  • compute.forwardingRules.list
• GCP Kubernetes Engine permissions:
  • container.clusters.get
  • container.clusters.list
  • compute.instanceGroups.get
  • container.services.list
  • container.pods.list
  • dns.managedZones.list
  • dns.resourceRecordSets.list

Permissions for Visibility:

• GCP Cloud Logging permissions:
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • logging.sinks.update
  • logging.sinks.list
• GCP Pub/Sub permissions:
  • pubsub.subscriptions.create
  • pubsub.subscriptions.delete
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.subscriptions.update
  • pubsub.subscriptions.consume
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.list
  • pubsub.topics.getIamPolicy
  • pubsub.topics.setIamPolicy
  • pubsub.topics.attachSubscription
• GCP Operation permissions:
  • compute.globalOperations.get
  • compute.regionOperations.get
  • compute.zoneOperations.get

Permissions for manually configuring the Visibility system: If your GCP user account does not have the correct write permissions, in order to enable visibility, you must manually configure the GCP topic, sink, and subscription rules. For more details, see Manually configuring the GCP topic, sink, and subscription.

• GCP Cloud Logging permissions:
  • logging.sinks.get
• GCP Pub/Sub permissions:
  • pubsub.topics.getIamPolicy
  • pubsub.topics.get
  • pubsub.subscriptions.consume
  • pubsub.subscriptions.create