topic Re: Previously needed permission when onboarding GCP project on Prisma Cloud in Prisma Cloud Discussions

Previously needed permission when onboarding GCP project on Prisma Cloud

AmyYoon — Fri, 02 Sep 2022 07:41:13 GMT

Hello everyone.

I have some queries about permission previously when onboarding GCP project on Prisma Cloud.

I have given 5 roles below to the user who is used to onboard the GCP project.

1) Role Administrator

2) Security Admin

3) Service Account Admin

4) Service Account Key Admin

5) Viewer

Is there any minimum permission needed to be able to onboard this cloud account?

Hope you please kindly check this.

Thank you:)

Re: Previously needed permission when onboarding GCP project on Prisma Cloud

MDavis29 — Tue, 06 Sep 2022 15:44:06 GMT

AmyYoon,

Please see below my comments on the minimum permissions needed to on-board a GCP cloud account.

Minimum permissions required:

Viewer—Primitive role on GCP.
Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIampolicy to retrieve the IAM policy for the specified bucket.
Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders—include or exclude folders—, and to automatically create account groups based on the folder hierarchy.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-gcp-account/set-up-gcp-account-for-prisma-cloud

Re: Previously needed permission when onboarding GCP project on Prisma Cloud

MDavis29 — Tue, 06 Sep 2022 16:32:49 GMT

Minimum permissions required:

Viewer—Primitive role on GCP.
Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIampolicy to retrieve the IAM policy for the specified bucket.
Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders—include or exclude folders—, and to automatically create account groups based on the folder hierarchy.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-gcp-account/set-up-gcp-account-for-prisma-cloud

Re: Previously needed permission when onboarding GCP project on Prisma Cloud

MDavis29 — Tue, 06 Sep 2022 16:38:32 GMT

Hello AmyYoon,

On-board the account and select monitor, this will provide the bare minimum permissions

Minimum permissions required:

Viewer—Primitive role on GCP.
Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIampolicy to retrieve the IAM policy for the specified bucket.
Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders—include or exclude folders—, and to automatically create account groups based on the folder hierarchy.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-gcp-account/set-up-gcp-account-for-prisma-cloud

Re: Previously needed permission when onboarding GCP project on Prisma Cloud

MDavis29 — Tue, 06 Sep 2022 19:06:24 GMT

Hello AmyYoon,

Minimum permissions required:

Viewer—Primitive role on GCP.
Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIampolicy to retrieve the IAM policy for the specified bucket.
Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders—include or exclude folders—, and to automatically create account groups based on the folder hierarchy.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-gcp-account/set-up-gcp-account-for-prisma-cloud

Re: Previously needed permission when onboarding GCP project on Prisma Cloud

MDavis29 — Tue, 06 Sep 2022 19:52:04 GMT

Hello AmyYoon,

Please see below the minimum requirements to onboard a GCP cloud account.

Minimum permissions required:
Viewer—Primitive role on GCP.
Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIampolicy to retrieve the IAM policy for the specified bucket.
Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders—include or exclude folders—, and to automatically create account groups based on the folder hierarchy.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prisma-cloud/onboard-your-gcp-account/set-up-gcp-account-for-prisma-cloud