Custom role permissions for GCP CSA

Custom role permissions for GCP CSA

When setting up GCP for CSA, Netskope requires certain permissions. To set these permissions, Netskope provides you the following two options:

  • Select the following inbuild roles,
    • Project > Browser
    • IAM > Security Reviewer
    • BigQuery > BigQuery Metadata Viewer
    • Organization Policy > Organization Policy Viewer

    Or,

  • Select the two inbuilt roles, Project > Browser and Organization Policy > Organization Policy Viewer. Then create a custom role with the permissions, compute.projects.get and compute.regions.list. Depending on the GCP service, you can provide additional permissions to the custom role.

    The following table provides a mapping of GCP service to custom role permissions.

GCP servicePermission requiredPurpose
Compute Image compute.images.listRetrieves the list of custom images available to the specified project.
DNS Managed zonedns.managedZoneOperations.listEnumerates Operations for a given ManagedZone.
dns.managedZones.listView the list of all your managed zones.
dns.resourceRecordSets.listEnumerates ResourceRecordSets that you have created but not yet deleted.
Kubernetes Clustercontainer.clusterRoleBindings.listList the role bindings of a kubernetes cluster.
container.clusterRoles.listList the roles of a kubernetes cluster
container.clusters.listList existing clusters for running containers.
Service Accountiam.serviceAccounts.getGet a service account.
iam.serviceAccounts.getIamPolicyGet the IAM policy for a service account.
iam.serviceAccountKeys.listLists every ServiceAccountKey for a service account.
iam.serviceAccounts.listList every service account.
PCcompute.networks.listList Google Compute Engine networks.
Compute Instancecompute.zones.listList Google Compute Engine zones.
compute.instances.listList Google Compute Engine instances.
Firewallcompute.firewalls.listRetrieves the list of firewall rules available to the specified project.
IAM PolicyNANA
Log Metriclogging.logMetrics.listLists logs-based metrics.
monitoring.alertPolicies.listLists the existing alerting policies for the workspace.
Rolesiam.roles.listList the roles defined at a parent organization or a project.
SQL Instancecloudsql.instances.listLists Cloud SQL instances in a given project.
cloudsql.users.listLists Cloud SQL users in a given instance.
Access Policyaccesscontextmanager.accessLevels.list (custom role at org level)List all access levels.
accesscontextmanager.accessPolicies.list (custom role at org level)List all AccessPolicies under a container.
accesscontextmanager.servicePerimeters.list (custom role at org level)List all Service Perimeters for an access policy.
Storagestorage.buckets.getIamPolicyReturns an Identity and Access Management (IAM) policy for the specified bucket.
storage.buckets.listRetrieves a list of buckets for a given project.
ForwardingRulescompute.regions.getReturns the specified Region resource.
compute.globalAddresses.getReturns the specified address resource.
compute.addresses.getReturns the specified address resource.
compute.forwardingRules.listList Google Compute Engine forwarding rules.
IAM Policy UserNANA
Logging Sinkslogging.sinks.listLists the defined sinks.
Routecompute.routes.listList non-dynamic Google Compute Engine routes.
Subnetworkcompute.subnetworks.listRetrieves a list of subnetworks available to the specified project.
Alert Policymonitoring.alertPolicies.listLists the existing alerting policies for the workspace.
Diskscompute.disks.listList Google Compute Engine disks.
compute.zones.listRetrieves the list of Zone resources available to the specified project.
DataprocClusterdataproc.clusters.listView a list of clusters in a project.
CloudFunctioncloudfunctions.functions.listList the CloudFunctions of a specified project.
cloudfunctions.locations.listList the location of a specified CloudFunction.
KMScloudkms.cryptoKeyVersions.listLists CryptoKeyVersions.
cloudkms.cryptoKeys.listLists CryptoKeys.
cloudkms.keyRings.listLists KeyRings.
OrganizationNANA
API Servicesserviceusage.services.listList all services available to the specified project, and the current state of those services with respect to the project.
Bigquery Datasetsbigquery.datasets.getReturns the dataset specified by datasetID.
Share this Doc

Custom role permissions for GCP CSA

Or copy link

In this topic ...