Permissions required in GCP

  • The following roles are required in GCP for discovery and Inbound Cloud Forwarding:

    • Folder Viewer (Role)

    • Compute Viewer (Role)

    • DNS Reader (Role)

  • The following permissions are required in GCP for Inbound Discovery:

    • dns.projects.get

    • compute.networks.get

    • compute.networks.list

    • dns.policies.get

    • dns.policies.list

  • The following permissions are required in GCP for Outbound Discovery:

    • dns.projects.get

    • compute.networks.get

    • compute.networks.list

    • dns.managedZones.get

    • dns.managedZones.list

    • dns.resourceRecordSets.get

    • dns.resourceRecordSets.list

  • The following permissions are required in GCP for Inbound Cloud Forwarding:

    • dns.projects.get

    • compute.networks.get

    • compute.networks.list

    • compute.addresses.list

    • dns.networks.bindPrivateDNSPolicy

    • dns.policies.get

    • dns.policies.list

    • dns.policies.create

    • dns.policies.update

    • dns.policies.delete

  • The following permissions are required in GCP for Outbound Cloud Forwarding:

    • dns.projects.get

    • compute.networks.get

    • compute.networks.list

    • dns.managedZones.get

    • dns.managedZones.list

    • dns.networks.bindPrivateDNSZone

    • dns.managedZones.create

    • dns.managedZones.update

    • dns.managedZones.delete

    • dns.resourceRecordSets.get

    • dns.resourceRecordSets.list

    • dns.resourceRecordSets.create

    • dns.resourceRecordSets.update

    • dns.resourceRecordSets.delete

The following permissions are required in GCP for syncing Storage Tables. Create a Custom Role and add the following two permissions to it:

  • storage.buckets.list

  • storage.buckets.getIamPolicy

These two permissions are added in addition to the default permissions listed above; they do not replace them.

The following role and APIs are required in GCP to sync Kubernetes clusters. Add the following role:

  • Kubernetes Engine Cluster Viewer (Role)

And enable the following APIs on the project:

  • Kubernetes Engine API

  • Compute Engine API

  • Cloud Resource Manager API

The words Role and Permission shown in parentheses () are for information only and are not part of the role or permission name.

The following permissions are required in GCP to sync internal ranges. Create a Custom Role and add the following permissions:

  • networkconnectivity.internalRanges.create

  • networkconnectivity.internalRanges.delete

  • networkconnectivity.internalRanges.get

  • networkconnectivity.internalRanges.getIamPolicy

  • networkconnectivity.internalRanges.list

  • networkconnectivity.internalRanges.setIamPolicy

  • networkconnectivity.internalRanges.update

  • networkconnectivity.locations.get

  • networkconnectivity.locations.list

  • networkconnectivity.operations.cancel

  • networkconnectivity.operations.delete

  • networkconnectivity.operations.get

  • networkconnectivity.operations.list

When setting up the provider, exclude the Internal Ranges and Kubernetes Cluster tables if the corresponding permissions or roles have not been granted; otherwise those syncs will fail with permission errors.
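The two Custom Role passages above (Storage Tables and Internal Ranges) both come down to the same two steps: write the role definition with exactly the listed permissions, and confirm that the identity the provider runs as actually holds them before enabling the corresponding tables. The following POSIX shell script is an added example, not part of the product documentation: it generates a role definition file for `gcloud iam roles create --file`, and reports which required permissions are missing from a granted set. The granted list is constructed inline here; in practice it would come from `gcloud iam roles describe` or a `gcloud projects get-iam-policy` dump. The function names and the `/tmp`-free, loop-based comparison are this example's own choices.

```shell
#!/bin/sh
# Added example: build the Custom Role definitions listed on this page and
# check a granted permission set against them. Not the vendor's own tooling.

# Permissions the page lists for syncing Storage Tables.
STORAGE_TABLE_PERMS="storage.buckets.list
storage.buckets.getIamPolicy"

# Permissions the page lists for syncing Internal Ranges.
INTERNAL_RANGE_PERMS="networkconnectivity.internalRanges.create
networkconnectivity.internalRanges.delete
networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.getIamPolicy
networkconnectivity.internalRanges.list
networkconnectivity.internalRanges.setIamPolicy
networkconnectivity.internalRanges.update
networkconnectivity.locations.get
networkconnectivity.locations.list
networkconnectivity.operations.cancel
networkconnectivity.operations.delete
networkconnectivity.operations.get
networkconnectivity.operations.list"

# Emit a role definition in the YAML shape accepted by
#   gcloud iam roles create ROLE_ID --project PROJECT_ID --file role.yaml
# Arguments: title, description, newline-separated permission list.
role_yaml() {
  title=$1; desc=$2; perms=$3
  printf 'title: "%s"\ndescription: "%s"\nstage: "GA"\nincludedPermissions:\n' \
    "$title" "$desc"
  printf '%s\n' "$perms" | sed '/^$/d; s/^/- /'
}

# Print each permission in $1 (required) that does not appear in $2 (granted).
# Both are newline-separated lists; an empty result means the set is covered.
missing_permissions() {
  required=$1; granted=$2
  printf '%s\n' "$required" | while IFS= read -r p; do
    [ -n "$p" ] || continue
    printf '%s\n' "$granted" | grep -Fxq -- "$p" || printf '%s\n' "$p"
  done
}

# Name the optional table that must be excluded from the provider setup
# when its permissions are not all granted (the page's Internal Ranges rule).
tables_to_exclude() {
  granted=$1
  if [ -n "$(missing_permissions "$INTERNAL_RANGE_PERMS" "$granted")" ]; then
    echo "Internal Ranges"
  fi
}

# Constructed sample: a role that was granted only a partial set.
# Real input (assumed gcloud invocation; the 'value' format joins list
# items with ';'):
#   granted=$(gcloud iam roles describe projects/PROJECT_ID/roles/ROLE_ID \
#               --format='value(includedPermissions)' | tr ';' '\n')
GRANTED_SAMPLE="networkconnectivity.internalRanges.get
networkconnectivity.internalRanges.list
storage.buckets.list"

if [ "${1:-}" = "--demo" ]; then
  role_yaml "Storage Table Sync" "Bucket listing and IAM policy read" "$STORAGE_TABLE_PERMS"
  echo "--- missing for Storage Tables:"
  missing_permissions "$STORAGE_TABLE_PERMS" "$GRANTED_SAMPLE"
  echo "--- tables to exclude:"
  tables_to_exclude "$GRANTED_SAMPLE"
fi
```

Run it with `--demo` to see the generated role file and the gap report. The same `missing_permissions` call works unchanged against the Inbound or Outbound Discovery and Cloud Forwarding lists above; keeping each list as its own variable makes it easy to grant exactly the set a feature needs and nothing wider.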

The following role is required in GCP to sync GCP metrics:

  • monitoring.viewer (Role)