...
The following permissions are required in GCP for discovery and inbound cloud forwarding:
Folder Viewer (Role)Compute Viewer (Role)DNS Reader (Role)
The following permissions are required in GCP for discovery and outbound cloud forwarding:
Folder Viewer (Role)Compute Viewer (Role)DNS Reader (Role)dns.managedZones.create (Permission)dns.managedZones.delete (Permission)dns.managedZones.update (Permission)dns.networks
...
.bindPrivateDNSZone (Permission)
The Role and Permission mentioned in parentheses () are for information only and not part of the role or permission name.