09-02-2022 12:41 AM
Hello everyone.
I have some queries about the permissions used previously when onboarding a GCP project on Prisma Cloud.
I have given the 5 roles below to the user that is used to onboard the GCP project.
Is there any minimum permission needed to be able to onboard this cloud account?
I hope you can kindly check this.
Thank you :)
09-06-2022 08:44 AM
AmyYoon,
Please see below my comments on the minimum permissions needed to on-board a GCP cloud account.
09-06-2022 09:32 AM
09-06-2022 09:38 AM
Hello AmyYoon,
On-board the account and select monitor; this will provide the bare minimum permissions.
09-06-2022 12:06 PM
Hello AmyYoon,
09-06-2022 12:52 PM
Hello AmyYoon,
Please see below the minimum requirements to onboard a GCP cloud account.
Minimum permissions required:
Viewer—Primitive role on GCP.
Prisma Cloud Viewer—Custom role. Prisma Cloud needs this custom role to grant cloud storage bucket permission to read storage bucket metadata and update bucket IAM policies. This role requires storage.buckets.get to retrieve your list of storage buckets, and storage.buckets.getIamPolicy to retrieve the IAM policy for the specified bucket.
Compute Security Admin—Predefined role on GCP. An optional privilege that is required only if you want to enable auto-remediation.
Organization Role Viewer—Predefined role on GCP. This role is required for onboarding a GCP Organization.
Dataflow Admin—Predefined role on GCP. An optional privilege that is required for dataflow log compression using the Dataflow service. See Flow Log Compression on GCP for details.
Folder Viewer—Predefined role on GCP. An optional privilege that is required only if you want to onboard GCP Folder metadata, select specific folders (include or exclude folders), and automatically create account groups based on the folder hierarchy.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform...
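The role list in the answer above can be checked against what an onboarding account actually holds. This added example (not from the thread or from Palo Alto Networks) classifies the roles bound to one member in a policy exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the custom role ID, the member name and the sample policy are constructed assumptions.

```python
import json

# Role IDs for the roles named in the answer above. CUSTOM_ROLE is a
# hypothetical ID: a custom role has whatever ID it was created with.
CUSTOM_ROLE = "projects/example-project/roles/prismaCloudViewer"
REQUIRED = {"roles/viewer", CUSTOM_ROLE}
CONDITIONAL = {  # needed only for the feature named on the right
    "roles/compute.securityAdmin": "auto-remediation",
    "roles/iam.organizationRoleViewer": "onboarding a GCP Organization",
    "roles/dataflow.admin": "flow log compression",
    "roles/resourcemanager.folderViewer": "folder metadata and account groups",
}


def audit_member(policy, member):
    """Classify the roles bound directly to `member` in an IAM policy dict.

    Roles inherited through group membership or from a parent folder or
    organization are not in a project policy and are not resolved here.
    """
    granted = {b["role"] for b in policy.get("bindings", [])
               if member in b.get("members", [])}
    feature = set(CONDITIONAL)
    return {
        "missing": sorted(REQUIRED - granted),
        "feature_roles": {r: CONDITIONAL[r] for r in sorted(granted & feature)},
        "excess": sorted(granted - REQUIRED - feature),
    }


# Constructed sample in the shape gcloud emits; not data from the thread.
SAMPLE_MEMBER = "serviceAccount:prisma-onboard@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/viewer", "members": [SAMPLE_MEMBER]},
        {"role": "roles/compute.securityAdmin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/editor", "members": [SAMPLE_MEMBER, "user:admin@example.com"]},
        {"role": "roles/storage.admin", "members": [SAMPLE_MEMBER]},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_member(SAMPLE_POLICY, SAMPLE_MEMBER), indent=2))
```

Roles reported under `excess` are candidates for removal from the onboarding account; roles under `feature_roles` are worth keeping only if the named Prisma Cloud feature is in use.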