Custom role permissions for GCP CSA
When setting up GCP for CSA, Netskope requires certain permissions. To grant these permissions, Netskope provides the following two options.
- Select the following inbuilt roles:
  - Project > Browser
  - IAM > Security Reviewer
  - BigQuery > BigQuery Metadata Viewer
  - Organization Policy > Organization Policy Viewer
Or,
- Select the two inbuilt roles Project > Browser and Organization Policy > Organization Policy Viewer. Then create a custom role with the permissions compute.projects.get and compute.regions.list. Depending on the GCP service, you can add further permissions to the custom role.
The following table provides a mapping of GCP service to custom role permissions.
| GCP service | Permission required | Purpose |
| --- | --- | --- |
| Compute Image | compute.images.list | Retrieves the list of custom images available to the specified project. |
| DNS Managed zone | dns.managedZoneOperations.list | Enumerates Operations for a given ManagedZone. |
| DNS Managed zone | dns.managedZones.list | View the list of all your managed zones. |
| DNS Managed zone | dns.resourceRecordSets.list | Enumerates ResourceRecordSets that you have created but not yet deleted. |
| Kubernetes Cluster | container.clusterRoleBindings.list | List the role bindings of a Kubernetes cluster. |
| Kubernetes Cluster | container.clusterRoles.list | List the roles of a Kubernetes cluster. |
| Kubernetes Cluster | container.clusters.list | List existing clusters for running containers. |
| Service Account | iam.serviceAccounts.get | Get a service account. |
| Service Account | iam.serviceAccounts.getIamPolicy | Get the IAM policy for a service account. |
| Service Account | iam.serviceAccountKeys.list | Lists every ServiceAccountKey for a service account. |
| Service Account | iam.serviceAccounts.list | List every service account. |
| VPC | compute.networks.list | List Google Compute Engine networks. |
| Compute Instance | compute.zones.list | List Google Compute Engine zones. |
| Compute Instance | compute.instances.list | List Google Compute Engine instances. |
| Firewall | compute.firewalls.list | Retrieves the list of firewall rules available to the specified project. |
| IAM Policy | NA | NA |
| Log Metric | logging.logMetrics.list | Lists logs-based metrics. |
| Log Metric | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace. |
| Roles | iam.roles.list | List the roles defined at a parent organization or a project. |
| SQL Instance | cloudsql.instances.list | Lists Cloud SQL instances in a given project. |
| SQL Instance | cloudsql.users.list | Lists Cloud SQL users in a given instance. |
| Access Policy | accesscontextmanager.accessLevels.list (custom role at org level) | List all access levels. |
| Access Policy | accesscontextmanager.accessPolicies.list (custom role at org level) | List all AccessPolicies under a container. |
| Access Policy | accesscontextmanager.servicePerimeters.list (custom role at org level) | List all Service Perimeters for an access policy. |
| Storage | storage.buckets.getIamPolicy | Returns an Identity and Access Management (IAM) policy for the specified bucket. |
| Storage | storage.buckets.list | Retrieves a list of buckets for a given project. |
| ForwardingRules | compute.regions.get | Returns the specified Region resource. |
| ForwardingRules | compute.globalAddresses.get | Returns the specified address resource. |
| ForwardingRules | compute.addresses.get | Returns the specified address resource. |
| ForwardingRules | compute.forwardingRules.list | List Google Compute Engine forwarding rules. |
| IAM Policy User | NA | NA |
| Logging Sinks | logging.sinks.list | Lists the defined sinks. |
| Route | compute.routes.list | List non-dynamic Google Compute Engine routes. |
| Subnetwork | compute.subnetworks.list | Retrieves a list of subnetworks available to the specified project. |
| Alert Policy | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace. |
| Disks | compute.disks.list | List Google Compute Engine disks. |
| Disks | compute.zones.list | Retrieves the list of Zone resources available to the specified project. |
| DataprocCluster | dataproc.clusters.list | View a list of clusters in a project. |
| CloudFunction | cloudfunctions.functions.list | List the CloudFunctions of a specified project. |
| CloudFunction | cloudfunctions.locations.list | List the location of a specified CloudFunction. |
| KMS | cloudkms.cryptoKeyVersions.list | Lists CryptoKeyVersions. |
| KMS | cloudkms.cryptoKeys.list | Lists CryptoKeys. |
| KMS | cloudkms.keyRings.list | Lists KeyRings. |
| Organization | NA | NA |
| API Services | serviceusage.services.list | List all services available to the specified project, and the current state of those services with respect to the project. |
| Bigquery Datasets | bigquery.datasets.get | Returns the dataset specified by datasetID. |