Custom role permissions for GCP CSA
When setting up GCP for CSA, Netskope requires certain permissions. To grant these permissions, Netskope gives you the following two options:
- Select the following inbuilt roles:
  - Project > Browser
  - IAM > Security Reviewer
  - BigQuery > BigQuery Metadata Viewer
  - Organization Policy > Organization Policy Viewer

Or,

- Select the two inbuilt roles, Project > Browser and Organization Policy > Organization Policy Viewer. Then create a custom role with the permissions compute.projects.get and compute.regions.list. Depending on the GCP service, you can add further permissions to the custom role.
The following table maps each GCP service to the custom role permissions it requires. Where a service needs several permissions, each permission is listed on its own row.

GCP service | Permission required | Purpose |
---|---|---|
Compute Image | compute.images.list | Retrieves the list of custom images available to the specified project. |
DNS Managed zone | dns.managedZoneOperations.list | Enumerates Operations for a given ManagedZone. |
DNS Managed zone | dns.managedZones.list | View the list of all your managed zones. |
DNS Managed zone | dns.resourceRecordSets.list | Enumerates ResourceRecordSets that you have created but not yet deleted. |
Kubernetes Cluster | container.clusterRoleBindings.list | List the role bindings of a Kubernetes cluster. |
Kubernetes Cluster | container.clusterRoles.list | List the roles of a Kubernetes cluster. |
Kubernetes Cluster | container.clusters.list | List existing clusters for running containers. |
Service Account | iam.serviceAccounts.get | Get a service account. |
Service Account | iam.serviceAccounts.getIamPolicy | Get the IAM policy for a service account. |
Service Account | iam.serviceAccountKeys.list | Lists every ServiceAccountKey for a service account. |
Service Account | iam.serviceAccounts.list | List every service account. |
PC | compute.networks.list | List Google Compute Engine networks. |
Compute Instance | compute.zones.list | List Google Compute Engine zones. |
Compute Instance | compute.instances.list | List Google Compute Engine instances. |
Firewall | compute.firewalls.list | Retrieves the list of firewall rules available to the specified project. |
IAM Policy | NA | NA |
Log Metric | logging.logMetrics.list | Lists logs-based metrics. |
Log Metric | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace. |
Roles | iam.roles.list | List the roles defined at a parent organization or a project. |
SQL Instance | cloudsql.instances.list | Lists Cloud SQL instances in a given project. |
SQL Instance | cloudsql.users.list | Lists Cloud SQL users in a given instance. |
Access Policy | accesscontextmanager.accessLevels.list (custom role at org level) | List all access levels. |
Access Policy | accesscontextmanager.accessPolicies.list (custom role at org level) | List all AccessPolicies under a container. |
Access Policy | accesscontextmanager.servicePerimeters.list (custom role at org level) | List all Service Perimeters for an access policy. |
Storage | storage.buckets.getIamPolicy | Returns an Identity and Access Management (IAM) policy for the specified bucket. |
Storage | storage.buckets.list | Retrieves a list of buckets for a given project. |
ForwardingRules | compute.regions.get | Returns the specified Region resource. |
ForwardingRules | compute.globalAddresses.get | Returns the specified address resource. |
ForwardingRules | compute.addresses.get | Returns the specified address resource. |
ForwardingRules | compute.forwardingRules.list | List Google Compute Engine forwarding rules. |
IAM Policy User | NA | NA |
Logging Sinks | logging.sinks.list | Lists the defined sinks. |
Route | compute.routes.list | List non-dynamic Google Compute Engine routes. |
Subnetwork | compute.subnetworks.list | Retrieves a list of subnetworks available to the specified project. |
Alert Policy | monitoring.alertPolicies.list | Lists the existing alerting policies for the workspace. |
Disks | compute.disks.list | List Google Compute Engine disks. |
Disks | compute.zones.list | Retrieves the list of Zone resources available to the specified project. |
DataprocCluster | dataproc.clusters.list | View a list of clusters in a project. |
CloudFunction | cloudfunctions.functions.list | List the CloudFunctions of a specified project. |
CloudFunction | cloudfunctions.locations.list | List the location of a specified CloudFunction. |
KMS | cloudkms.cryptoKeyVersions.list | Lists CryptoKeyVersions. |
KMS | cloudkms.cryptoKeys.list | Lists CryptoKeys. |
KMS | cloudkms.keyRings.list | Lists KeyRings. |
Organization | NA | NA |
API Services | serviceusage.services.list | List all services available to the specified project, and the current state of those services with respect to the project. |
Bigquery Datasets | bigquery.datasets.get | Returns the dataset specified by datasetID. |
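Worked example for the custom-role option, added here and not part of Netskope's documentation: it builds the permission set from the two baseline permissions plus a subset of the table above, emits a role body usable with `gcloud iam roles create --file`, and diffs it against the permissions a role already holds so over-broad or missing grants show up. The role title, role ID and file name are assumptions; the granted-permission sample is constructed.

```python
import json

# Baseline permissions the page says every CSA custom role needs, plus a subset of
# the per-service permissions from the table above (the full table is longer).
BASE_PERMISSIONS = {"compute.projects.get", "compute.regions.list"}
SERVICE_PERMISSIONS = {
    "Storage": ["storage.buckets.getIamPolicy", "storage.buckets.list"],
    "Service Account": ["iam.serviceAccounts.get", "iam.serviceAccounts.getIamPolicy",
                        "iam.serviceAccountKeys.list", "iam.serviceAccounts.list"],
    "KMS": ["cloudkms.cryptoKeyVersions.list", "cloudkms.cryptoKeys.list",
            "cloudkms.keyRings.list"],
    "Firewall": ["compute.firewalls.list"],
    "Access Policy": ["accesscontextmanager.accessLevels.list",
                      "accesscontextmanager.accessPolicies.list",
                      "accesscontextmanager.servicePerimeters.list"],
}
# The table marks these permissions as needing a custom role at the org level.
ORG_LEVEL_SERVICES = {"Access Policy"}


def required_permissions(services, org_level=False):
    """Sorted permission list for a role covering `services`; refuses org-only
    services when the role is being created at the project level."""
    perms = set(BASE_PERMISSIONS)
    for svc in services:
        if svc in ORG_LEVEL_SERVICES and not org_level:
            raise ValueError(f"{svc}: custom role must be created at the organization level")
        perms.update(SERVICE_PERMISSIONS[svc])
    return sorted(perms)


def role_definition(services, org_level=False, title="Netskope CSA Reader"):
    """Role body for `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.json`
    (title, role ID and file name are assumed; --file accepts JSON as well as YAML)."""
    return {"title": title, "stage": "GA",
            "includedPermissions": required_permissions(services, org_level)}


def permission_diff(granted, services, org_level=False):
    """Compare the permissions a role actually holds (e.g. includedPermissions from
    `gcloud iam roles describe`) with what CSA needs for `services`.
    Returns (missing, extra): `missing` breaks the assessment, `extra` is scope
    beyond the read-only set and is what to trim for least privilege."""
    need = set(required_permissions(services, org_level))
    have = set(granted)
    return sorted(need - have), sorted(have - need)


if __name__ == "__main__":
    print(json.dumps(role_definition(["Storage", "KMS"]), indent=2))
```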