Permissions and Resources
Review GCP Roles and Permissions
Security Principals
There are two security principals in the onboarding process:
- Installer: The primary security principal, either a User or a Service Account. This security principal will be used to perform the onboarding. Sysdig does not have access to this security principal.
- Sysdig: A Service Account (robot user) created during onboarding with specific, less permissive roles. Sysdig will be given access to this service account.
GCP Roles
GCP IAM has a single control plane; a role binding is granted at either the organization level or the project level (organization-level bindings are inherited by every project beneath them):
- GCP Roles: Applied to the entire organization or project.
Base GCP Integration - Cloud Security Posture Management (CSPM)
Agentless Cloud Security Posture Management (CSPM) assesses and manages the security posture of your cloud resources without requiring agents.
Permissions Required to Install
The Installer must have at least the following roles assigned:
Single Project Install
If you are installing CSPM, the user/service account must have the following roles assigned on the Project you are onboarding:
roles/iam.serviceAccountAdmin
roles/iam.roleAdmin
roles/resourcemanager.projectIamAdmin
roles/iam.serviceAccountKeyAdmin
roles/serviceusage.serviceUsageAdmin
Organizational Install
Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
If you are installing CSPM, the user/service account must have the following roles assigned:
roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
roles/iam.organizationRoleAdmin (At the Organization level)
roles/resourcemanager.organizationAdmin (At the Organization level)
roles/iam.serviceAccountKeyAdmin (On the project where shared resources will be created)
roles/serviceusage.serviceUsageAdmin (At the Organization level)
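Before running the onboarding it is worth confirming that the Installer actually holds each of these roles at the scope the list names; a role granted on the wrong scope, behind an IAM condition, or only through a group is the usual reason the install fails part-way. The following pre-flight check is an added example, not part of Sysdig's onboarding code. It assumes the organization and project IAM policies were exported with `gcloud organizations get-iam-policy ORG_ID --format=json` and `gcloud projects get-iam-policy PROJECT_ID --format=json`; the policies and the `installer@example.com` identity in it are constructed samples. The role tables encode the CSPM lists above; the CDR and host-scanning lists later on this page follow the same scope pattern and can be added the same way.

```python
"""Pre-flight check: does the Installer hold every required role at the required scope?

Feed it the policies printed by
  gcloud organizations get-iam-policy ORG_ID --format=json
  gcloud projects get-iam-policy PROJECT_ID --format=json
The policies and the Installer identity below are constructed samples.
"""
from __future__ import annotations

# Roles from this page, keyed by the scope at which each must be held.
CSPM_SINGLE_PROJECT_ROLES = {
    "project": {
        "roles/iam.serviceAccountAdmin", "roles/iam.roleAdmin",
        "roles/resourcemanager.projectIamAdmin", "roles/iam.serviceAccountKeyAdmin",
        "roles/serviceusage.serviceUsageAdmin",
    },
}
CSPM_ORG_INSTALL_ROLES = {
    "organization": {
        "roles/iam.organizationRoleAdmin", "roles/resourcemanager.organizationAdmin",
        "roles/serviceusage.serviceUsageAdmin",
    },
    "project": {  # the project where shared resources will be created
        "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountKeyAdmin",
    },
}


def roles_for_member(policy: dict, member: str) -> set[str]:
    """Roles bound directly to `member` in one policy.

    Conditional bindings are skipped: a grant behind an IAM condition may not apply
    at install time, so it is not counted as satisfying a requirement. Group
    membership is not expanded either; a role held through a group shows up as
    missing and should be confirmed by hand.
    """
    return {
        b["role"] for b in policy.get("bindings", [])
        if "condition" not in b and member in b.get("members", [])
    }


def missing_roles(org_policy: dict, project_policy: dict, member: str,
                  required: dict[str, set[str]]) -> dict[str, set[str]]:
    """Scope -> required roles the member lacks at that scope (empty dict = ready to install).

    Organization-level bindings are inherited by every project below, so a role held
    on the organization also satisfies a project-scope requirement. Folder-level
    bindings are not modelled; merge them into org_policy if your hierarchy uses folders.
    """
    org_roles = roles_for_member(org_policy, member)
    effective = {
        "organization": org_roles,
        "project": org_roles | roles_for_member(project_policy, member),
    }
    return {scope: roles - effective[scope]
            for scope, roles in required.items() if roles - effective[scope]}


# --- constructed samples ---------------------------------------------------
INSTALLER = "user:installer@example.com"  # assumption: the Installer is a user principal

SAMPLE_ORG_POLICY = {"bindings": [
    {"role": "roles/iam.organizationRoleAdmin", "members": [INSTALLER]},
    {"role": "roles/resourcemanager.organizationAdmin", "members": [INSTALLER]},
    {"role": "roles/iam.serviceAccountAdmin", "members": [INSTALLER]},  # inherited by projects
    {"role": "roles/serviceusage.serviceUsageAdmin", "members": [INSTALLER],
     "condition": {"title": "expired",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}
SAMPLE_PROJECT_POLICY = {"bindings": [
    # held by a group, not by the Installer directly, so it is reported as missing
    {"role": "roles/iam.serviceAccountKeyAdmin", "members": ["group:platform-admins@example.com"]},
]}

if __name__ == "__main__":
    gaps = missing_roles(SAMPLE_ORG_POLICY, SAMPLE_PROJECT_POLICY, INSTALLER, CSPM_ORG_INSTALL_ROLES)
    for scope, roles in gaps.items():
        print(f"{scope}: missing {', '.join(sorted(roles))}")
```

For a single-project install pass an empty organization policy and `CSPM_SINGLE_PROJECT_ROLES`; everything must then be bound on the project itself. Treat a conditional or group-inherited grant reported as missing as something to verify rather than fix: the point of the check is that the onboarding must not discover the gap halfway through creating resources.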
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:
For CSPM:
roles/iam.browser
roles/cloudasset.viewer
roles/iam.workloadIdentityUser
roles/logging.viewer
roles/cloudfunctions.viewer
roles/cloudbuild.builds.viewer
roles/orgpolicy.policyViewer
Resources Created
The following resources will be created in your GCP Environment:
Resource | Description |
---|---|
google_service_account | Service account used by Sysdig for secure posture management |
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for Authentication |
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for config posture management |
google_project_iam_member | Binds the Sysdig Service Account to the roles listed above at the project level |
google_service_account_iam_member | Attaches WIF as a member to the service account for auth |
google_organization_iam_member | Assigns the custom role to the Sysdig Service Account at the organization level |
Cloud Detection and Response (CDR)
Agentless Cloud Detection and Response (CDR) performs threat detection using Falco rules and policies on platform logs.
Permissions Required to Install
Single Project Install
If you are installing CDR and CIEM, you must have the following additional roles assigned on the Project you are onboarding:
roles/pubsub.admin
roles/logging.configWriter
roles/iam.serviceAccountUser
Organizational Install
Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
If you are installing CDR and CIEM, you must have the following additional roles assigned:
roles/pubsub.admin (On the project where shared resources will be created)
roles/logging.configWriter (At the Organization level)
roles/iam.serviceAccountUser (On the project where shared resources will be created)
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:
For CDR & CIEM:
roles/iam.workloadIdentityUser
pubsub.topics.get
pubsub.topics.list
pubsub.subscriptions.get
pubsub.subscriptions.list
logging.sinks.get
logging.sinks.list
Resources Created
The following resources will be created in your GCP Environment:
Resource | Description |
---|---|
google_project_iam_audit_config | Audit Log Config enabled at the Project level |
google_pubsub_topic | Ingestion Pub Sub topic created for CDR |
google_logging_project_sink | Sysdig sink to direct the Audit Logs to the PubSub topic used for data gathering |
google_pubsub_topic_iam_member | Attaches roles & permissions needed for the pub sub topic |
google_service_account | Service account used by Sysdig for threat detection |
google_service_account_iam_member | Grants a member a role on the Sysdig Service Account (the custom role itself is created by google_project_iam_custom_role below) |
google_pubsub_subscription | Creates the pub sub subscription with topic name and custom role |
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for Auth |
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for threat detection |
google_project_iam_custom_role | Creates custom role with project-level permissions to access data ingestion resources |
google_project_iam_member | Adds custom role with project-level permissions to the service account for auth |
google_service_account_iam_member | Attaches WIF as a member to the service account for auth |
google_organization_iam_audit_config | Enables Audit Log Configuration at the Organizational level |
google_logging_organization_sink | Sysdig organizational sink to direct the AuditLogs to the PubSub topic used for data gathering |
google_organization_iam_custom_role | Creates a custom role with organization-level permissions to access data ingestion resources |
google_organization_iam_member | Adds a custom role with organization-level permissions to the service account for authentication |
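The resources in the table form a single pipeline: the audit config decides which events are written, the sink routes them, and the topic IAM binding lets the sink's writer identity publish. If any link is changed after onboarding, CDR silently stops seeing events while every Terraform resource still exists. The following check is an added example, not part of Sysdig's onboarding code; it assumes the three documents were exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`, `gcloud logging sinks describe SINK_NAME --format=json` and `gcloud pubsub topics get-iam-policy TOPIC_NAME --format=json`. The project id, topic name, writer identity and the set of required log types are assumptions, and every document in it is a constructed sample.

```python
"""Verify the CDR ingestion chain: audit config -> log sink -> Pub/Sub topic.

Inputs are the JSON documents printed by
  gcloud projects get-iam-policy PROJECT_ID --format=json       (auditConfigs)
  gcloud logging sinks describe SINK_NAME --format=json          (destination, writerIdentity, disabled)
  gcloud pubsub topics get-iam-policy TOPIC_NAME --format=json   (bindings)
Every document below is a constructed sample, not real gcloud output.
"""
from __future__ import annotations

# Assumption: the Data Access log types CDR needs. Admin Activity logs are always on and
# are not part of auditConfigs; ADMIN_READ, DATA_READ and DATA_WRITE are off by default
# and must be enabled here or the sink never sees them.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def audit_findings(project_policy: dict, required: set[str] = frozenset(REQUIRED_LOG_TYPES)) -> list[str]:
    """Report missing log types on allServices and any exempted members.

    An exempted member's actions are never logged, so a detection built on the
    sink is blind to that principal.
    """
    configs = {c.get("service"): c for c in project_policy.get("auditConfigs", [])}
    all_services = configs.get("allServices")
    if all_services is None:
        return [f"no auditConfig for allServices; need {sorted(required)}"]
    findings, enabled = [], set()
    for cfg in all_services.get("auditLogConfigs", []):
        enabled.add(cfg["logType"])
        for member in cfg.get("exemptedMembers", []):
            findings.append(f"{member} is exempted from {cfg['logType']} audit logging")
    findings += [f"audit log type {t} is not enabled for allServices" for t in sorted(required - enabled)]
    return findings


def sink_findings(sink: dict, topic_policy: dict, project_id: str, topic: str) -> list[str]:
    """Check the sink targets the expected topic and that its writer identity may publish."""
    findings = []
    expected = f"pubsub.googleapis.com/projects/{project_id}/topics/{topic}"
    if sink.get("destination") != expected:
        findings.append(f"sink destination is {sink.get('destination')!r}, expected {expected!r}")
    if sink.get("disabled"):
        findings.append(f"sink {sink.get('name')} is disabled")
    publishers = {m for b in topic_policy.get("bindings", [])
                  if b.get("role") == "roles/pubsub.publisher" for m in b.get("members", [])}
    writer = sink.get("writerIdentity")
    if writer not in publishers:
        findings.append(f"writer identity {writer} lacks roles/pubsub.publisher on topic {topic}")
    return findings


def check_ingestion(project_policy: dict, sink: dict, topic_policy: dict,
                    project_id: str, topic: str) -> list[str]:
    """All findings for the chain; an empty list means audit events can flow end to end."""
    return audit_findings(project_policy) + sink_findings(sink, topic_policy, project_id, topic)


# --- constructed samples ---------------------------------------------------
PROJECT_ID = "example-project"          # assumption
TOPIC = "sysdig-cdr-ingest"             # assumption: topic name chosen at install time
WRITER = "serviceAccount:p123456789-0000@gcp-sa-logging.iam.gserviceaccount.com"  # constructed

HEALTHY_POLICY = {"auditConfigs": [{"service": "allServices", "auditLogConfigs": [
    {"logType": "ADMIN_READ"}, {"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]}]}
HEALTHY_SINK = {"name": "sysdig-cdr-sink",
                "destination": f"pubsub.googleapis.com/projects/{PROJECT_ID}/topics/{TOPIC}",
                "writerIdentity": WRITER}
HEALTHY_TOPIC_POLICY = {"bindings": [{"role": "roles/pubsub.publisher", "members": [WRITER]}]}

# Drifted state: DATA_WRITE switched off, an admin exempted from DATA_READ, the sink
# re-pointed at a topic in another project, and the publisher grant given to someone else.
DRIFTED_POLICY = {"auditConfigs": [{"service": "allServices", "auditLogConfigs": [
    {"logType": "ADMIN_READ"},
    {"logType": "DATA_READ", "exemptedMembers": ["user:admin@example.com"]}]}]}
DRIFTED_SINK = {"name": "sysdig-cdr-sink",
                "destination": f"pubsub.googleapis.com/projects/other-project/topics/{TOPIC}",
                "writerIdentity": WRITER}
DRIFTED_TOPIC_POLICY = {"bindings": [{"role": "roles/pubsub.publisher",
                                      "members": ["serviceAccount:someone-else@example-project.iam.gserviceaccount.com"]}]}

if __name__ == "__main__":
    for label, docs in (("healthy", (HEALTHY_POLICY, HEALTHY_SINK, HEALTHY_TOPIC_POLICY)),
                        ("drifted", (DRIFTED_POLICY, DRIFTED_SINK, DRIFTED_TOPIC_POLICY))):
        print(label, check_ingestion(*docs, PROJECT_ID, TOPIC) or ["ok"])
```

For an organizational install run the same checks against `gcloud organizations get-iam-policy` and `gcloud logging sinks describe --organization`, since the org-level audit config and sink in the table are what feed the topic there. The exempted-member finding deserves particular attention: it is the one change that leaves every resource intact and every log type "enabled" while a chosen principal disappears from the detection data.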
Vulnerability Management Agentless Host Scanning
Vulnerability Management Agentless Host Scanning performs vulnerability scanning using disk snapshots for accurate risk assessment and management.
Permissions Required to Install
Single Project Install
If you are installing Vulnerability Host Scanning, you must have the following roles assigned:
roles/iam.serviceAccountAdmin
roles/iam.roleAdmin
roles/resourcemanager.projectIamAdmin
roles/iam.serviceAccountKeyAdmin
roles/serviceusage.serviceUsageAdmin
Organizational Install
Note: Certain roles are required at the organization level. Other roles are required on a single project in which you will deploy shared resources. Ensure you have the correct roles assigned at the correct scope.
If you are installing Vulnerability Host Scanning, you must have the following roles assigned:
roles/iam.serviceAccountAdmin (On the project where shared resources will be created)
roles/iam.organizationRoleAdmin (At the Organization level)
roles/resourcemanager.organizationAdmin (At the Organization level)
roles/iam.serviceAccountKeyAdmin (On the project where shared resources will be created)
roles/serviceusage.serviceUsageAdmin (At the Organization level)
Permissions Granted to Sysdig
The installation creates a Service Account that Sysdig can access. This Service Account is granted the following roles and permissions:
For Vulnerability Host Scanning:
roles/iam.workloadIdentityUser
compute.networks.list
compute.networks.get
compute.instances.list
compute.instances.get
compute.disks.list
compute.disks.get
iam.serviceAccounts.getAccessToken
compute.zoneOperations.get
compute.disks.useReadOnly
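The permission list above is the whole of what the host-scanning service account should be able to do: read-only access to disks (`compute.disks.useReadOnly`, not `compute.disks.use`), listing of instances and networks, and `iam.serviceAccounts.getAccessToken` for the workload-identity exchange. Because the permissions live in a custom role and the role is bound by IAM, both can drift after onboarding. The following audit is an added example, not part of Sysdig's onboarding code; it assumes the role was exported with `gcloud iam roles describe ROLE_ID --project PROJECT_ID --format=json` and the project policy with `gcloud projects get-iam-policy PROJECT_ID --format=json`. The role id, service account name and the read-only verb list are assumptions, and the role and policy in it are constructed samples.

```python
"""Least-privilege audit of the service account Sysdig uses for host scanning.

Inputs:
  gcloud iam roles describe ROLE_ID --project PROJECT_ID --format=json  (includedPermissions)
  gcloud projects get-iam-policy PROJECT_ID --format=json                (bindings)
Samples below are constructed; the role id and service account are assumptions.
"""
from __future__ import annotations

# Permissions listed on this page for host scanning. roles/iam.workloadIdentityUser is
# bound on the service account itself, not in the project policy, so it is not here.
EXPECTED_HOST_SCANNING_PERMISSIONS = {
    "compute.networks.list", "compute.networks.get",
    "compute.instances.list", "compute.instances.get",
    "compute.disks.list", "compute.disks.get", "compute.disks.useReadOnly",
    "compute.zoneOperations.get",
    "iam.serviceAccounts.getAccessToken",
}
# Heuristic (assumption): the last segment of a permission is its verb, and these verbs
# cannot change state. Anything else that creeps in is treated as write-capable.
READ_ONLY_VERBS = {"get", "list", "getIamPolicy", "useReadOnly"}


def audit_custom_role(role: dict, expected: set[str]) -> dict[str, set[str]]:
    """Diff a custom role definition against the expected permission set.

    'extra' is over-privilege (remove it); 'missing' breaks scanning on the first API
    call that needs it; 'write_capable' is the subset of extras the service account
    could use to mutate resources, which is what to fix first.
    """
    granted = set(role.get("includedPermissions", []))
    extra = granted - expected
    return {
        "extra": extra,
        "missing": expected - granted,
        "write_capable": {p for p in extra if p.rsplit(".", 1)[-1] not in READ_ONLY_VERBS},
    }


def unexpected_roles(project_policy: dict, sa_member: str, allowed: set[str]) -> set[str]:
    """Project-level roles bound to the service account beyond the ones the install created."""
    held = {b["role"] for b in project_policy.get("bindings", []) if sa_member in b.get("members", [])}
    return held - allowed


# --- constructed samples ---------------------------------------------------
PROJECT_ID = "example-project"                                                       # assumption
ROLE_NAME = f"projects/{PROJECT_ID}/roles/sysdigHostScanning"                        # assumption
SA_MEMBER = f"serviceAccount:sysdig-host-scan@{PROJECT_ID}.iam.gserviceaccount.com"  # assumption

# Drifted role: two extra permissions crept in (one of them write-capable) and one is missing.
DRIFTED_ROLE = {"name": ROLE_NAME, "stage": "GA", "includedPermissions": sorted(
    (EXPECTED_HOST_SCANNING_PERMISSIONS - {"compute.zoneOperations.get"})
    | {"compute.disks.use", "compute.snapshots.list"})}
# Drifted policy: someone added roles/editor to the scanning account "to make it work".
DRIFTED_PROJECT_POLICY = {"bindings": [
    {"role": ROLE_NAME, "members": [SA_MEMBER]},
    {"role": "roles/editor", "members": [SA_MEMBER, "user:someone@example.com"]},
]}

if __name__ == "__main__":
    report = audit_custom_role(DRIFTED_ROLE, EXPECTED_HOST_SCANNING_PERMISSIONS)
    for key, perms in report.items():
        print(f"{key}: {sorted(perms)}")
    print("unexpected roles:", sorted(unexpected_roles(DRIFTED_PROJECT_POLICY, SA_MEMBER, {ROLE_NAME})))
```

The same two functions work for the CSPM and CDR accounts with their own expected sets; for those, the allowed roles passed to `unexpected_roles` are the predefined roles listed on this page plus the custom role the install created. Run it periodically rather than once: a `roles/editor` binding added during a support call is the most common way an agentless scanner ends up with write access to every disk it was only meant to snapshot.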
Resources Created
The following resources will be created in your GCP Environment:
Resource | Description |
---|---|
google_service_account | Service account used by Sysdig for vulnerability management |
google_iam_workload_identity_pool | Creates a Workload Identity Pool Federation for Auth |
google_iam_workload_identity_pool_provider | Creates a Workload Identity Pool Provider ID for vulnerability management |
google_project_iam_member | Binds the Sysdig Service Account to the custom role at the project level |
google_service_account_iam_member | Attaches WIF as a member to the service account for auth |
google_organization_iam_member | Assigns the custom role to the Sysdig Service Account at the organization level |