
Previously needed permission when onboarding GCP project on Prisma Cloud

L1 Bithead

Hello everyone.

 

I have some queries about the permissions previously needed when onboarding a GCP project on Prisma Cloud.

I have given the 5 roles below to the user that is used to onboard the GCP project.

 1) Role Administrator
 2) Security Admin
 3) Service Account Admin
 4) Service Account Key Admin
 5) Viewer

Is there any minimum permission needed to be able to onboard this cloud account?

 

I hope you can kindly check this.

Thank you :)

L3 Networker

AmyYoon,

Please see below my comments on the minimum permissions needed to on-board a GCP cloud account.

Minimum permissions required:
  • Viewer—Primitive role on GCP.
  • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
  • Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
  • Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
  • Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
  • Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and automatically create account groups based on the folder hierarchy.

L3 Networker

Hello AmyYoon,

 

Onboard the account and select Monitor; this will provide the bare minimum permissions.

Minimum permissions required:
  • Viewer—Primitive role on GCP.
  • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
  • Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
  • Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
  • Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
  • Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and automatically create account groups based on the folder hierarchy.

L3 Networker

Hello AmyYoon,

Please see below the minimum requirements to onboard a GCP cloud account.

 

Minimum permissions required:
  • Viewer—Primitive role on GCP.
  • Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
  • Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
  • Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
  • Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
  • Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and automatically create account groups based on the folder hierarchy.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform...
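The replies above list the minimum role set but leave it to the reader to compare it with what the onboarding service account actually holds. The script below is an added example, not code from the thread or from Palo Alto Networks: it reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, works out which of the listed roles are missing and which granted roles go beyond the minimum, and emits the `gcloud` commands that would close the gap. The custom role ID `prismaCloudViewer`, the service account name and the sample policy are constructed for the example (the sample gives the account the five roles from the question); the GCP role IDs are the standard ones for the roles named in the replies.

```python
"""Least-privilege check for a Prisma Cloud GCP onboarding service account.

Compares the roles bound to a member in a project IAM policy against the
minimum set from the thread and emits gcloud commands to reconcile them.
Runs offline against a constructed sample policy.
"""
import json

# Custom role ID is an assumption; use whatever you named "Prisma Cloud Viewer".
CUSTOM_ROLE_ID = "prismaCloudViewer"
CUSTOM_ROLE_PERMISSIONS = ["storage.buckets.get", "storage.buckets.getIamPolicy"]
ALWAYS_REQUIRED = {"roles/viewer"}                    # Viewer (primitive role)
OPTIONAL_ROLES = {                                    # only for the features you enable
    "auto_remediation": "roles/compute.securityAdmin",          # Compute Security Admin
    "organization": "roles/iam.organizationRoleViewer",         # Organization Role Viewer
    "dataflow_compression": "roles/dataflow.admin",             # Dataflow Admin
    "folders": "roles/resourcemanager.folderViewer",            # Folder Viewer
}
# The roles from the question and why they exceed what onboarding needs.
SENSITIVE = {
    "roles/iam.roleAdmin": "can create and modify custom roles",
    "roles/iam.securityAdmin": "can set IAM policies on project resources",
    "roles/iam.serviceAccountAdmin": "can create and manage service accounts",
    "roles/iam.serviceAccountKeyAdmin": "can mint user-managed service account keys",
}


def custom_role_definition():
    """Role body to save as JSON/YAML for `gcloud iam roles create ... --file=`."""
    return {
        "title": "Prisma Cloud Viewer",
        "description": "Read bucket metadata and bucket IAM policy for Prisma Cloud",
        "stage": "GA",
        "includedPermissions": list(CUSTOM_ROLE_PERMISSIONS),
    }


def required_roles(project_id, features=()):
    """Minimum role set: Viewer, the custom role, plus roles for chosen features."""
    needed = set(ALWAYS_REQUIRED)
    needed.add(f"projects/{project_id}/roles/{CUSTOM_ROLE_ID}")
    for feature in features:
        needed.add(OPTIONAL_ROLES[feature])
    return needed


def roles_for_member(policy, member):
    """All roles bound to `member` in the policy's bindings."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit(policy, member, project_id, features=()):
    """Return missing roles, excess roles, and the excess roles that are sensitive."""
    granted = roles_for_member(policy, member)
    needed = required_roles(project_id, features)
    excess = sorted(granted - needed)
    return {
        "missing": sorted(needed - granted),
        "excess": excess,
        "sensitive_excess": {r: SENSITIVE[r] for r in excess if r in SENSITIVE},
    }


def remediation_commands(policy, member, project_id, features=()):
    """gcloud commands that bring the member's bindings down to the minimum set."""
    result = audit(policy, member, project_id, features)
    custom = f"projects/{project_id}/roles/{CUSTOM_ROLE_ID}"
    cmds = []
    if custom in result["missing"]:
        cmds.append(f"gcloud iam roles create {CUSTOM_ROLE_ID} --project={project_id} "
                    f"--file=prisma-cloud-viewer.json")
    for role in result["missing"]:
        cmds.append(f"gcloud projects add-iam-policy-binding {project_id} "
                    f"--member={member} --role={role}")
    for role in result["excess"]:
        cmds.append(f"gcloud projects remove-iam-policy-binding {project_id} "
                    f"--member={member} --role={role}")
    return cmds


# Constructed sample: the onboarding account holds the five roles from the question.
SAMPLE_MEMBER = "serviceAccount:prisma-onboard@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/iam.roleAdmin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/iam.securityAdmin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/iam.serviceAccountAdmin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/iam.serviceAccountKeyAdmin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/viewer", "members": [SAMPLE_MEMBER, "user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY, SAMPLE_MEMBER, "example-project"), indent=2))
    for cmd in remediation_commands(SAMPLE_POLICY, SAMPLE_MEMBER, "example-project"):
        print(cmd)
```

Pass the features you actually use (for example `features=("auto_remediation",)`) so the optional roles are counted as required rather than as excess. To run it against a real project, replace `SAMPLE_POLICY` with the parsed output of `gcloud projects get-iam-policy` and write `custom_role_definition()` to the file named in the first emitted command.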
